NAIH (Hungary) - NAIH-13-10/2022: Difference between revisions
(shortened the facts, mentioned relevant GDPR Article in short summary, small linguistic changes, otherwise great summary) |
(→Facts) |
||
(One intermediate revision by one other user not shown) | |||
Line 65: | Line 65: | ||
}} | }} | ||
The Hungarian DPA | The Hungarian DPA reprimanded a public body responsible for child protection for obstructing the exercise of the right of access to an audio recording containing the data subject’s voice in violation of [[Article 5 GDPR|Articles 5]] and [[Article 6 GDPR|6 GDPR]]. | ||
== English Summary == | == English Summary == | ||
Line 75: | Line 75: | ||
On 14 June 2021, the data subject exercised their right of access with the controller in person. As the audio material was not made available during the visit, the data subject requested it to be sent via e-mail. The controller refused to provide the file despite multiple further requests by the data subject. | On 14 June 2021, the data subject exercised their right of access with the controller in person. As the audio material was not made available during the visit, the data subject requested it to be sent via e-mail. The controller refused to provide the file despite multiple further requests by the data subject. | ||
However, in a letter dated 1 July 2021, the controller informed the data subject that the audio material requested by him was not physically part of the file, but it | However, in a letter dated 1 July 2021, the controller informed the data subject that the audio material requested by him was not physically part of the file, but it was available in file format. The audio material was then sent electronically to the competent Child Welfare Centre and subsequently deleted. The data subject therefore requested the DPA to declare that the controller unlawfully processed and transmitted their personal data to the Child Welfare Centre and that it unlawfully refused him request for access. | ||
In its reply to the DPA, the controller stated that it stored the audio recording. Allegedly, the complete file was transferred to the Child Welfare Centre pursuant to [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]]. The controller also stated that it subsequently considered the storage and transmission of the audio recording to be an error, and therefore took immediate action to delete the e-mail containing the audio recording. | In its reply to the DPA, the controller stated that it stored the audio recording. Allegedly, the complete file was transferred to the Child Welfare Centre pursuant to [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]]. The controller also stated that it subsequently considered the storage and transmission of the audio recording to be an error, and therefore took immediate action to delete the e-mail containing the audio recording. | ||
Line 83: | Line 83: | ||
The DPA stated that an audio recording containing the voice of the estranged wife and the voice of the data subject is considered to be personal data shared between the data subject and the estranged wife. | The DPA stated that an audio recording containing the voice of the estranged wife and the voice of the data subject is considered to be personal data shared between the data subject and the estranged wife. | ||
The DPA further stated that the controller, as a family and child welfare | The DPA further stated that the controller, as a family and child welfare centre, performs a public task related to the protection of children. Therefore, it is entitled to process the data of parents in relation to the upbringing of children. As the audio recording submitted as evidence by one of the parents in the guardianship proceedings is part of the file, the DPA considered that the data controller's processing was lawful. Therefore, the DPA rejected the part of the complaint seeking a redress for the unlawful transfer. | ||
However, in the DPA's view, following the transfer of the file on 17 June 2021, the further processing of this audio recording by the controller became unnecessary due to lack of competence. By failing to take action after the transfer, the controller unlawfully processed the audio recording in the period between the transfer of the file and the deletion of the audio recording on 2 July 2021. The controller thereby infringed [[Article 5 GDPR#1b|Articles 5(1)(b) GDPR]] and [[Article 6 GDPR#1|6(1) GDPR]]. | However, in the DPA's view, following the transfer of the file on 17 June 2021, the further processing of this audio recording by the controller became unnecessary due to lack of competence. By failing to take action after the transfer, the controller unlawfully processed the audio recording in the period between the transfer of the file and the deletion of the audio recording on 2 July 2021. The controller thereby infringed [[Article 5 GDPR#1b|Articles 5(1)(b) GDPR]] and [[Article 6 GDPR#1|6(1) GDPR]]. |
Latest revision as of 14:49, 12 October 2022
NAIH - NAIH-13-10/2022 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 07.06.2021 |
Decided: | 25.08.2022 |
Published: | 25.08.2022 |
Fine: | n/a |
Parties: | Óbuda Family Counselling and Child Protection Centre |
National Case Number/Name: | NAIH-13-10/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Hungarian |
Original Source: | NAIH (in HU) |
Initial Contributor: | Abel Kaszian |
The Hungarian DPA reprimanded a public body responsible for child protection for obstructing the exercise of the right of access to an audio recording containing the data subject’s voice in violation of Articles 5 and 6 GDPR.
English Summary
Facts
On 7 June 2021, the data subject filed a complaint with the DPA, as they became aware that the data controller – the Family Counselling and Child Protection Centre of Budapest, District III (Óbuda) – forwarded an audio recording of domestic violence (abuse) to the competent Child Welfare Centre, and this recording also contained the voice of the data subject. The recording was originally made and sent by the data subject’s estranged wife.
On 14 June 2021, the data subject exercised their right of access with the controller in person. As the audio material was not made available during the visit, the data subject requested it to be sent via e-mail. The controller refused to provide the file despite multiple further requests by the data subject.
However, in a letter dated 1 July 2021, the controller informed the data subject that the audio material requested by him was not physically part of the file, but it was available in file format. The audio material was then sent electronically to the competent Child Welfare Centre and subsequently deleted. The data subject therefore requested the DPA to declare that the controller unlawfully processed and transmitted their personal data to the Child Welfare Centre and that it unlawfully refused him request for access.
In its reply to the DPA, the controller stated that it stored the audio recording. Allegedly, the complete file was transferred to the Child Welfare Centre pursuant to Article 6(1)(e) GDPR. The controller also stated that it subsequently considered the storage and transmission of the audio recording to be an error, and therefore took immediate action to delete the e-mail containing the audio recording.
In relation to the data subject's requests for a copy of the audio recording, the controller stated that on 17 and 18 June 2021, it wrongly refused to disclose the audio recording. The controller contemplated at first that it was not competent to process the information of the data subject and because if that, it was transferred to the Child Welfare Centre. As for the audio recording, the controller instead found that it was not entitled to process the audio recording is and therefore deleted it based on Article 5(1)(b) GDPR.
Holding
The DPA stated that an audio recording containing the voice of the estranged wife and the voice of the data subject is considered to be personal data shared between the data subject and the estranged wife.
The DPA further stated that the controller, as a family and child welfare centre, performs a public task related to the protection of children. Therefore, it is entitled to process the data of parents in relation to the upbringing of children. As the audio recording submitted as evidence by one of the parents in the guardianship proceedings is part of the file, the DPA considered that the data controller's processing was lawful. Therefore, the DPA rejected the part of the complaint seeking a redress for the unlawful transfer.
However, in the DPA's view, following the transfer of the file on 17 June 2021, the further processing of this audio recording by the controller became unnecessary due to lack of competence. By failing to take action after the transfer, the controller unlawfully processed the audio recording in the period between the transfer of the file and the deletion of the audio recording on 2 July 2021. The controller thereby infringed Articles 5(1)(b) GDPR and 6(1) GDPR.
The DPA further emphasised that the controller wrongly claimed that the audio recording was not part of the file, i.e. that it had not acted fairly, thus infringing Article 5(1)(a) GDPR on transparent and fair processing. The DPA considered the non-disclosure of personal data to be such a serious infringement that it was justified to publish the present decision with the name of the controller included.
However, the DPA also took into consideration several mitigating factors, such as that the controller provides social and child welfare services for persons in need. It also took into account that the controller itself admitted that it had wrongly claimed that the audio recording was not part of the file. For these reasons, the DPA decided not to impose a fine and to issue a warning.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Registration number: NAIH-13-10/2022. Subject: partially granting the request History: NAIH-6003/2021. decision DECISION The National Data Protection and Freedom of Information Authority (hereinafter: Authority) [...] at the request of the applicant (hereinafter: Applicant), the Óbuda Family Counseling and Child Protection Opposite Központ (address: 1035 Budapest, Váradi u. 9-11, hereinafter: Applicant) audio recording regarding unauthorized processing and forwarding, as well as unauthorized refusal of data subject requests makes the following decisions in the initiated data protection official procedure: I.1. The Authority partially grants the Applicant's request and finds that the Applicant by failing to comply with the Applicant's access request, he violated the natural on the protection of persons with regard to the management of personal data and such data 2016/679/EU on free circulation and repealing Directive 95/46/EC Regulation (hereinafter: general data protection regulation) Article 15 (3) and Article 5 (1) point a) of paragraph 1, and also by making the personal data of the Respondent June 17 and July 2021 between 2. without purpose, handled without authorization, violated point b) of Article 5 (1) and Article 6 (1) paragraph. I.2. The Authority ex officio condemns the Applicant for violating the data protection regulation Violating the requirement of accountability according to Article 5 (2) about the fact of data management and did not provide the Applicant with false information about its essential circumstances the transparency of its data management process, and since it denied that the audio recording was a is available. I.3. The Authority is the I.1. and I.2. due to legal violations established in point - with the fact that another data protection in the event of a violation of the law, when determining the legal consequences, the present violation, as antecedents will be taken into account with increased weight - Requested ex officio in a warning favors I.4. The Authority ex officio orders this decision with the Applicant's identification data - the Authority its publication on its website. II. The part of the request for the Authority to establish that the Respondent was unlawfully forwarded the audio recording containing his personal data to the [...] Children's Welfare Center rejects. There is no place for administrative appeal against the decision, but the 30th from the date of notification can be challenged in an administrative lawsuit within days with a claim addressed to the Metropolitan Court. You must submit the statement of claim electronically to the Authority, which will submit it together with the case documents forward to the court. The request to hold a hearing must be indicated in the statement of claim. The entire for those who do not receive a personal tax exemption, the fee for the administrative lawsuit is HUF 30,000, the lawsuit is subject to the right of material levy record. Legal representation is mandatory in proceedings before the Metropolitan Court. 1https://www.naih.hu/kozig-hatarozat-birosagi-felulvizsgalata. The NAIH_K01 form is used to initiate the administrative lawsuit: NAIH_K01 form (16.09.2019) The form can be filled out using the general form filling program (ÁNYK program). JUSTIFICATION I. Procedure The Applicant submitted a request for an official data protection procedure to the Authority on June 7, 2021 in, according to which he became aware that the Respondent had transmitted such a recording to […] For the Children's Welfare Center (hereafter: Children's Welfare Center), which is also His voice included. For this reason, on June 14, 2021, he sent a written inquiry to the Respondent, who on 2021 responding to your inquiry on June 17, informed that they could not provide the requested audio material to be forwarded to him, because it is not part of the documents. After that, the Applicant on June 17, 2021 and contacted the Applicant again on 18 June 2021, during which the Applicant on 18 June 2021 he replied to his part that he did not receive audio material. In the Applicant's letter dated July 1, 2021 however, he informed the Applicant that the audio material he requested was not in the physical sense it is part of the documents handled by him, because it was not on physical data carriers, but in electronic form to be sent to you. He transmitted the audio material electronically to the Child Welfare Center, and subsequently deleted it. Because of all this, the Applicant requested that the Authority establish that the Respondent was unlawfully managed and forwarded your personal data to the Children's Welfare Center, as well as illegally denied your access request. NAIH-6003-2/2021 of the Authority dated July 13, 2021. in order no Applicant, as the application did not contain the allegations related to the alleged infringement supporting facts and their evidence, when and when the applicant submitted this access request with what content did you send it to the Applicant On July 15, July 20 and July 28, 2021, the Applicant responded to the Authority's notice responded and attached a copy to the access requests sent to the Respondent and to the Authority the responses received from the Petitioner to his inquiries referred to in his request. The Authority NAIH-6003-6/2021. No., dated July 29, 2021, notified the Requested that, based on the Applicant's request, a data protection official proceeding against him started and invited him to make a statement in order to clarify the facts. In its response to the Authority's inquiry received on August 23, 2021, the Respondent made a statement and attached his correspondence with the Applicant. This information was provided by The applicant added it on September 30, 2021. The Authority NAIH-6003-10/2022 dated December 9, 2021. and NAIH-6003-11/2022. with his orders notified the Applicant and the Respondent that the evidence in the procedure was completed and called, that he can get to know the uncovered evidence and make further evidentiary motions. On December 13, 2021, the Applicant stated that he wished to exercise his right to inspect documents, which the Authority NAIH-6003-13/2021. limited by order no., it cannot be recognized by him performed while masking personal data. Thereafter, the Applicant on January 3, 2022 made a statement and also requested that the Authority extend the procedure [...] From the attached documents and statements, it was not clear to the Authority that a audio recording before or after the Respondent exercises the rights of the Applicant canceled it, therefore it was revoked by NAIH-6003/10/2021 on March 31, 2022. Order No. and contacted the Applicant to prove with documents that the audio recording was filed and the date of its deletion, as well as the time and place of receipt of all documents created in the case a along with treatment notes. 2 The Authority also contacted the Child Welfare Center to verify when the the audio recording for him, and when and how he released it to the Applicant. At the request of the Authority, the Applicant made a statement on April 13, 2022, and also sent the 658/2021/ÓCSTGYVK archived in the file management system and archive copies of all your documents. The Child Welfare Center responded to the Authority's request on April 13, 2022. The Authority NAIH-13-6/2022 dated August 2, 2022. and NAIH-13-7/2022. with his orders notified the Applicant and the Respondent that the evidence in the procedure was completed and called, that he can get to know the uncovered evidence and make further evidentiary motions. On August 2, 2022, the Applicant requested that the Authority provide him with access to documents, which the Authority issued in NAIH-13-8/2022. limited by order no., it cannot be recognized by him in addition to concealing personal data, and in the child protection procedure, the parent is a the right to information about your child is guaranteed by law and in official procedures August 15, 2022, with the exception of documents that can be known based on the right of access to documents or that have been known. performed on the day II. Fact In its application for the data protection authority procedure, the Applicant stated that the Respondent is forwarded an audio recording to the Child Welfare Center, which also contains his voice. On June 14, 2021, the Applicant exercised its right to inspect the documents of the Respondent. Document inspection became aware that in the procedure [...] on May 14, 2021, the abuse he attached visual and audio material to support it. Because the audio during document review it was not made available to him, so he requested that it be sent to him additionally by e-mail. In its letter dated June 17, 2021, in response to the request for document inspection, the Respondent informed the Applicant that it is not possible to release the requested audio material, because it is not part of the documentation. Subsequently, on June 17, 2021, the Applicant requested the sound recording release. The Respondent replied to the request on June 18, 2021 that it had not received audio material, therefore, it is not part of the document material, therefore it cannot be transmitted that to the Applicant. In response to the Respondent's rejection, in the Applicant's letter dated June 18, 2021, another submitted an access request, in which he referred to the fact that "I obtained it while copying documents to inform you that an audio file, which is my audio material, has been sent to your email address included. I trust that it has not been deleted and that it will be handed over to me in accordance with the GDPR!" In its response letter dated July 1, 2021, the Respondent repeatedly rejected the access request with reference to the fact that the requested audio material was not physically handled by him part of the document, because it was not sent on a physical data carrier, but in electronic form for. He sent the audio material electronically to the Children's Welfare Center, this after deleting it from your electronic system. Because of all these, the Applicant requested in his application for the data protection authority procedure that a Authority to determine that the Respondent handled and forwarded his personal data without authorization 3 audio recording for the Children's Welfare Center, as well as unlawfully refused the fulfilling your access request. The Applicant is Authority NAIH-6003-6/2021. sent on August 23, 2021 for order no in his answer, he stated that he had stored the recording containing the Applicant's voice, which the Applicant his ex-wife sent it to him by e-mail. Given that the Petitioner is a minor child and the child's mother moved to Budapest III in June 2021. about their district address and the The applicant's area of competence is exclusively III. covers the district, therefore the entire document material is was handed over to the Children's Welfare Center on the basis of Article 6 (1) point e) of the General Data Protection Regulation for. The Respondent also stated that the storage and transmission of the audio recording he subsequently assessed it as a wrong step, so the e-mail containing the audio recording took immediate action and to the deletion of the audio recording contained therein. The Respondent with the Petitioner's requests to issue a copy of the audio recording stated that on June 17 and 18, 2021, he wrongly refused to issue them on the grounds that in the absence of competence they were not entitled to treat the Applicant relevant information and were therefore handed over to the Child Welfare Center. The sound recording in relation to what was described in the Respondent's response letters sent in July 2021 instead considers it well-founded, that is, that he is not authorized to handle the audio recording anyway, and that is what it is for was deleted on the basis of Article 5 (1) point b) of the General Data Protection Regulation. The Respondent also sent the Authority a copy of the Applicant's requests. On September 30, 2021, the Applicant supplemented the above statement by stating that the Authority NAIH-2639/2021. according to the general information provided on February 17, 2021 in case no. "a the child is an employee of a child welfare center as an institution providing child welfare services in order to protect his interests, by revealing the causes of the child's vulnerability during the performance of his or her (public) duties, he is entitled to inspect and during the guardianship proceedings, or to use the recordings in question to initiate other guardianship proceedings, which otherwise, they are considered the same source as a private document or a client statement would attach.” According to the Applicant, based on the above, as well as Gyvt. Paragraph (1) of § 134 and Ákr. Section 27 (3) according to paragraph, the Respondent is generally entitled to handle audio and video recordings if they are used for the procedure to be conducted to protect the rights of children in order to need In the specific case, the use and storage of the audio recording that came into his possession according to the Respondent's opinion, the data management is in the public interest or is a public authority entrusted to the data controller however, it was not necessary to carry out the task performed in the context of exercising a driver's license, you acted accordingly when you deleted it. In the statement received by the Authority on January 3, 2022, the Applicant stated that the a copy of the audio recording was made available by the Child Welfare Center on July 21, 2021. At the same time, the Applicant requested that the Authority distribute it regarding the transmission of the audio material the process […] and get your statement about who made the audio, who and what stored it in a way before transmitting it to the Respondent, why did you transmit the audio material to without his consent, as well as to whom and when he transmitted it in the time since recording. According to the documents sent by the Applicant and the Child Welfare Center on April 13, 2022 the audio material, accompanied by a letter dated July 1, 2021, at 9:32 a.m. on July 2 sent it by e-mail to the Child Welfare Center. Subsequently, Applicant July 2, on July 7 and July 8, he requested access to the audio recording from the Child Welfare Center, which It was sent to the Applicant by e-mail on July 21, 2021. On July 27, 2021, the Children's Welfare Center sent the audio recording by e-mail in the absence of jurisdiction sent it back to the Applicant, who sent it again on July 29, 2021 to the Child Welfare Center. The Child Welfare Center sent it back for the second time on August 2, 2021 the document to the Applicant with reference to the fact that he did not receive a request from the guardianship authority in the case of the Applicant's minor child, and therefore has no jurisdiction. The Applicant finally Government Office of Budapest Capital III. District Office BP-03/104/783-31/2021. considered based on the order ordering the transfer, on August 4, 2021, the documents were again sent to the For the Child Welfare Center. In order to confirm the deletion of the audio recording, the Applicant dated April 8, 2022 sent a report to the Authority, in which it was recorded that the audio recording was was deleted from its filing system and mail system on July 1, 2021. III. Applicable legal provisions CXII of 2011 on the right to information self-determination and freedom of information. law (a hereinafter: Infotv.) According to Section 2 (2), the general data protection regulation is indicated there shall be applied with additions in provisions. Article 2 (1) of the General Data Protection Regulation according to paragraph 1, the regulation must be applied to personal data in whole or in part automated processing, as well as the non-automated processing of that data for handling, which are part of a registration system, or which are a they want to make it part of the registration system. Infotv. Validation of the right to the protection of personal data based on § 60, paragraph (1). in order to do so, the Authority initiates an official data protection procedure at the request of the data subject and may initiate official data protection proceedings ex officio. Infotv. According to § 60, paragraph (2), the request to initiate the official data protection procedure a It can be submitted in the case specified in Article 77 (1) of the GDPR. Article 77 (1) of the General Data Protection Regulation: Other administrative or judicial without prejudice to legal remedies, all parties concerned are entitled to file a complaint with a supervisory authority authority - in particular your usual place of residence, place of work or suspected infringement in the Member State where it is located - if, according to the judgment of the data subject, the personal data relating to him handling violates this regulation. In the absence of a different provision of the General Data Protection Regulation, data protection initiated upon request for official procedure CL of 2016 on the general administrative procedure. law (a hereinafter: Ákr.) provisions shall be applied with the deviations specified in Infotv. The Akr. According to Section 35 (1), the request is a declaration by the client with which an official procedure conduct, or requests a decision from the authority in order to enforce his right or legitimate interest. The Akr. According to § 62, paragraph (2), all evidence can be used in the official procedure, which is suitable for clarifying the facts. It cannot be used as evidence by the authority, evidence obtained by violation of the law. The Akr. Based on § 62, paragraph (4), the authority freely chooses the method of proof, and a evaluates the available evidence according to his free conviction. 5 According to Article 4, point 1 of the General Data Protection Regulation, personal data is the identified or any information relating to an identifiable natural person ("data subject"); it is possible to identify the a a natural person who, directly or indirectly, in particular an identifier, for example name, number, location data, online identifier or physical, physiological, one or more related to your genetic, intellectual, economic, cultural or social identity can be identified based on a factor. According to Article 4, Point 2 of the General Data Protection Regulation, data management is based on personal data any operation performed on data files in an automated or non-automated manner or set of operations, such as collection, recording, organization, segmentation, storage, transformation or changing, querying, viewing, using, communicating, transmitting, distributing or otherwise by making it available, coordinating or connecting, limiting, deleting, or destruction. According to Article 4, point 7 of the General Data Protection Regulation, the data controller is the natural or legal one person, public authority, agency or any other body that is the personal data determines the goals and means of its management independently or together with others; if the data management its purposes and means are determined by EU or Member State law, the data controller or the data controller EU or member state law can also determine special aspects for its designation. Personal data management according to Article 5 (1) point a) of the General Data Protection Regulation it must be carried out legally and fairly, as well as in a transparent manner for the data subject ("legality, due process and transparency"). Collection of personal data based on Article 5 (1) point b) of the General Data Protection Regulation only for specific, clear and legitimate purposes, and they should not be treated with these purposes inconsistently. ("goal-boundness"). Based on Article 5 (2) of the GDPR, the data controller is responsible for compliance with paragraph (1), and must be able to demonstrate this compliance ("accountability").The general Article 15 (3) of the data protection decree states that the data controller is the data processing provides a copy of the subject personal data to the data subject, as it can be implemented in this way and actual and most complete access to personal data. The Authority is Infotv. 58 of the General Data Protection Regulation with regard to point a) of § 61, paragraph (1). can apply the legal consequences according to paragraph (2) of Article Pursuant to Article 58 (2) b) and i) of the General Data Protection Regulation, the supervisory authority acting in its corrective capacity: b) condemns the data manager or the data processor if his data management activities violated e the provisions of the decree; i) imposes an administrative fine in accordance with Article 83, depending on the circumstances of the given case, e in addition to or instead of the measures mentioned in paragraph Article 83 (1)-(2) and (5) points a)-b) of the General Data Protection Regulation: (1) All supervisory authorities ensure that the provisions referred to in paragraphs (4), (5), (6) of this decree administrative fines imposed on the basis of this article due to its violation are effective in each case, be proportionate and dissuasive. (2) Depending on the circumstances of the given case, the administrative fines are subject to Article 58 (2) a)– must be imposed in addition to or instead of the measures mentioned in points h) and j). In deciding whether whether it is necessary to impose an administrative fine, and the amount of the administrative fine in each case, the following must be taken into account: 6a) the nature, severity and duration of the infringement, taking into account the nature of the data processing in question, its scope or purpose, as well as the number of persons affected by the infringement, as well as by them extent of damage suffered; b) the intentional or negligent nature of the infringement; c) mitigating the damage suffered by the data controller or the data processor any action taken in order to; d) the extent of the responsibility of the data manager or data processor, taking into account the 25 and technical and organizational measures implemented on the basis of Article 32; e) relevant violations previously committed by the data controller or data processor; f) with the supervisory authority to remedy the violation and the possible negative effects of the violation extent of cooperation to mitigate; g) categories of personal data affected by the infringement; h) the manner in which the supervisory authority became aware of the violation, in particular the fact that whether the data controller or the data processor reported the violation, and if so, in what detail; i) if against the relevant data manager or data processor previously - in the same matter - one of the measures referred to in Article 58 (2) was ordered, the one in question compliance with measures; j) whether the data controller or the data processor considered itself approved according to Article 40 to codes of conduct or approved certification mechanisms pursuant to Article 42; as well as k) other aggravating or mitigating factors relevant to the circumstances of the case, for example a financial benefit obtained or avoided as a direct or indirect consequence of a violation loss. (5) Violation of the following provisions - in accordance with paragraph (2) - at most 20,000,000 with an administrative fine in the amount of EUR, and in the case of businesses, the previous financial year is a full year shall be subject to an amount of no more than 4% of its world market turnover, with the provision that of the two a higher amount must be imposed: a) the principles of data management - including the conditions of consent - in accordance with Articles 5, 6, 7 and 9; b) the rights of the data subjects in Articles 12–22. in accordance with article Pursuant to Article 83 (7) of the General Data Protection Regulation, supervisory authorities Article 58 (2) without prejudice to its corrective powers according to paragraph, each member state may determine the the rules regarding whether the public authority or other public task based in the given member state whether an administrative fine can be imposed on a provider, and if so, to what extent. Infotv. Pursuant to Section 61 (1) point bg) in the data protection official procedure in its decision, the Authority may impose a fine. Infotv. Fine imposed according to Article 83 of the General Data Protection Regulation based on Section 61 (4). the amount can range from one hundred thousand to twenty million forints, if it was brought in a data protection official procedure budget body obliged to pay the fine imposed in the decision. Infotv. On the basis of paragraph (2) of § 61, the Authority may order the decision of the data controller or disclosure by publishing the identification data of the data processor, if b) it was brought in connection with the activities of a body performing a public task, or c) the severity of the infringement justifies disclosure. Infotv. 75/A. According to §, the Authority in paragraphs (2)-(6) of Article 83 of the General Data Protection Regulation exercises its powers taking into account the principle of proportionality, in particular by a relating to the processing of personal data - by law or by the European Union as a mandatory law in the case of the first violation of the regulations specified in the act, the violation for its remedy - in accordance with Article 58 of the General Data Protection Regulation - primarily the takes action with the warning of a data controller or data processor. 7 XXXI of 1997 on the protection of children and guardianship administration. law (hereinafter: Gyvt.) According to § 39, paragraph (1), the child welfare service is one that protects the interests of the child special personal social service, which is the methods and tools of social work it is used for the child's physical and mental health and upbringing in the family promotion, prevention of the child's vulnerability, the created vulnerability its termination or the return of a child removed from his family. The Gyvt. Based on point b) of § 39, paragraph (3), the task of the child welfare service is the child in order to prevent its endangerment, the investigation of the causes causing the endangerment and making a proposal to solve them. The Gyvt. 40/A. Based on § (1) and (2) point b), the family and child welfare center is independent as an institution, or as an independent institutional unit from an organizational and professional point of view a children related to official measures within the framework of child protection care carries out protection activities, in the framework of which: ba) initiates the child's protection or, in case of a more serious risk, a the temporary placement and education of a child, bb) prepares a proposal for taking the child into protection according to the degree of vulnerability, and for the provision of family allowance in kind, the child's compulsory schooling to promote its fulfillment, to remove the child from the family, the future care to its place or to change it, as well as to omit preventive protection of the child, ordering, maintaining and terminating. 149/1997 on guardianship authorities and child protection and guardianship procedures. (IX.10.) Pursuant to point b) of § 8, paragraph (2) of Government Decree (hereinafter: Child), the guardianship authority initiates the procedure, if it is carried out by the family and child welfare service in the case of child endangerment, a family and child welfare center or the Gyvt. body defined in paragraph (1) of § 17, initiated by a person. The Gyvt. Pursuant to § 135, subsection (1), point a), the official tasks and duties ensuring the protection of children a body exercising powers is entitled to enforce the rights specified in this law for the purpose of processing the data specified in paragraph (2). The Gyvt. According to § 135, paragraph (2), the bodies specified in point (1) are eligible b) * the parent, legal representative, host parent ba) * personal identification number and social security identification number, bb) relating to your financial situation, workplace, education and relationships, bc) related to child rearing, so especially to his lifestyle and educational behavior concerning bd) relating to your state of health, be) concerning his criminal record, bf) * concerning the circumstances of his victimization, the Ást. Section 16, paragraph (2), points a)-c). for the treatment of your specific data. ARC. Decision The Applicant requested that the Authority establish that the Respondent handled it without authorization and forwarded his personal data to the Children's Welfare Center and unlawfully refused your access request. IV.1. The legality of the handling and transmission of the audio recording 8IV.1.1. According to Article 4, point 1 of the General Data Protection Regulation, it is the voice of a natural person personal data, the transmission and storage of the audio file containing the audio recording is the general rule according to article 4, point 2 of the data protection decree, it is considered data management. According to the document attached by the Applicant, on May 19, 2021, he registered the […] sent by email on May 14, 2021, entitled "support of abuse.mp3" audio file. The audio recording containing the voice of the victim and the Applicant is the Applicant and the it is classified as the shared personal data of the victim. The Applicant, as a family and child welfare center, within the framework of child protection care performs a public task related to the protection of children related to official measures, during which the Gyvt. On the basis of § 135, subsection (2), point b), parents are entitled to raise children to manage your related data, especially regarding your lifestyle and educational behavior. The Respondent later considered that the handling of the audio recording was illegal, as Gyvt. according to or other official procedure was not necessary. Because in the guardianship proceedings, or for the purpose of initiating the guardianship proceedings, one of the parents the audio recording submitted as evidence by - in the same way as the document or the statement - the document material are part of, therefore the Data processing of the Respondent was lawful according to the Authority. Based on the above, the Authority determined that the child was the Applicant of the audio file handled it in the course of fulfilling its public duty related to the investigation of the causes of its endangerment, and it was forwarded as part of the documents by the competent Children's Welfare Center for, therefore the Respondent did not violate Article 6 (1) of the General Data Protection Regulation paragraph, since for its management until the existence of its competence, after that according to Article 6 (1) point (e) of the General Data Protection Regulation had a legal basis. For this reason, the Authority rejects the request for unlawful data transmission rejected the directed part. According to the Authority's point of view, after the transfer of the documents on June 17, 2021, jurisdiction in its absence, the further processing of this audio recording by the Requested has become pointless, therefore, because of the transmission did not take action until July 1, 2021, or until July 2, 2021, the Applicant's personal audio recording containing your data between the transfer of the documents and the deletion of the audio recording on July 2, 2021 handled it without authorization during the period, thereby violating Article 5 (1) of the General Data Protection Regulation b) and Article 6 (1). For this reason, the Authority considers the request illegal approved the part aimed at establishing data management. IV.1.2 According to the constant and consistent practice of the Authority, the data controller is responsible for what he has done for the legality of data management. According to Article 5 (2) of the General Data Protection Regulation, essentially articulating the data controller's objective responsibility and increased due diligence requirements arising from the basic requirement of accountability, the data controller is obliged to do so confirmation that the conditions for the legality of data processing - from the start of data processing - they exist continuously. The data controller can only reasonably trust that in all respects meets the legal requirements for data management, if it is able to fulfill its obligation to certify this to do, and provides sufficient certainty for the Authority, the trial court, and also for the data subject able to demonstrate the existence of these conditions. It follows that if the data controller cannot prove that the data subject has objected its data management would have met the data protection requirements during the examined period, it does not fulfills the basic requirement of accountability, thereby violating general data protection Article 5 (2) of the Decree. For data controllers, it is from the planning of data management 9 from the start of data processing until the deletion of personal data they must perform an operation in such a way that they can prove how they answered at any moment and data protection regulations. The principle of accountability is, therefore, not just a process in general can be interpreted at the level, all specific data management activities, a specific stakeholder also applies to the management of your personal data. Since the purpose of the data management has ceased, the Requested party is justified in deleting the audio material performed, but during the procedure he was unable to properly confirm the date of deletion to the Authority, because he attached to the Authority a protocol prepared after the Authority's inquiry, in which you have marked a delete date when the audio file has not actually been transmitted by the For the Child Welfare Center. Taking this into account, the Authority ex officio established that a With this behavior, the respondent violated Article 5 (2) of the General Data Protection Regulation the principle of accountability according to paragraph IV.2. Fulfillment of the Applicant's stakeholder request Inspection of the documents created at the child protection institution, Gyvt. 136/A. based on § a the parent exercising parental custody, the child's legal representative and the limited customer procedural license for a child who is capable of acting and who has reached the age of majority. With regard to data management, the data subject has the rights granted in the general data protection regulation in the exercise of rights, pursuant to Article 15, you have the right to request access to the data relating to you, this essentially means information about data management. General data protection during access a document copy can also be requested based on Article 15 (3) of the Decree. However, this is a copy of the data management within the framework of a given information, it may only contain parts relevant to the data subject, to another person no relevant data. The acting authority to provide a copy ensuring the visibility of the data subject can be obliged by referring to the above provision, however, depending on the content of the document, this is the most in this case, it is not equal to the complete document copy. On June 14, 2021, the Applicant exercised its right to inspect documents at the registered office of the Respondent, 21 made a copy of the document. The occurrence and content of the information provided during document review a Acknowledgment of receipt of the copies of documents issued during the document inspection, confirmed by the applicant's signature was made. It was then that he became aware that […] he had attached an audio material. Since the document review this audio material was not made available to him, he requested that it be replaced and sent to him to. This request of the Applicant does not qualify as a violation of Article 15 of the relevant data protection regulation stakeholder request. In its requests of June 17 and 18, the Respondent requested the general data protection regulation sending a copy of the audio material from the Application, which requests are subject to data protection are considered an access request according to Article 15 (3) of the Regulation. The Applicant 2021. in his answers written on June 18 and July 1, he rejected these requests citing that the audio is not part of the documentation, and the documentation was forwarded by the Children's Welfare Center for, subsequently deleted from his electronic system. According to the attached documents, the Applicant dated June 24, 2021, 658/68/2021/ÓCSTGYVK. handed over the documents created in the case of the Applicant's minor child with case transfer form no Children's Welfare Center, but the audio is only dated July 1, 2021, 658/70/2021/ OCTGYVK. on July 2, 2021 as an attachment to his letter no deleted an e-mail containing an audio recording from your mail system. So the audio recording is a The Respondent was available at the times when the Applicant had access submitted his requests. 10 Based on the above, the Authority established that since the Respondent was the Applicant on June 17 and 18 he was in possession of the audio recording at the time of submitting his application, so the Applicant has a copy of it should have made available. By the fact that the Respondent did not fulfill the Applicant data subject's request, violated Article 15 (3) of the General Data Protection Regulation. 2021. on June 18, he replied that he did not receive audio material and on July 1, 2021, that the audio recording is not part of the document. With these misleading information, the Applicant as prevented a data subject from exercising his rights. Because it is about the fact of data management and its importance did not provide the Applicant with the data management by providing untrue information about his circumstances the transparency of its process and misleadingly claimed that the audio recording was not part of the documents, did not act fairly during data management, violated the general data protection regulation Article 5 (1) point a) for transparent and fair data management relevant provisions. In his statement to the Authority, the Respondent himself admitted that the June 2021 in their response letters, they denied the Applicant's requests with unjustified reasons, when they referred to that in the absence of jurisdiction, the audio recording was handed over to the Child Welfare Center. The Applicant hereby on the contrary, he considers what he wrote in his answers written in July 2021 to be a well-founded justification, according to which a audio recording due to unlawful data processing Article 5 (1) b) of the General Data Protection Regulation point, so it cannot be made available to the Applicant. However, the Respondent informed the Applicant on July 1, 2021 that it had canceled falsely stated the admission, a significant fact from the point of view of the case, since it was still on July 2, 2021 handled it. IV.3. Extension of the Applicant's request In the letter received by the Authority on January 3, 2022, the Applicant requested that the audio material regarding its transmission, the Authority should extend the procedure to [...] and examine who who made the audio material, who and how it was stored before transmission to the Requested Party, why you transmitted the audio material without your consent, and to whom and when you transmitted it audio in the time since recording. The Authority examines this request of the Applicant in a separate procedure. V. Legal Consequences V.1. The Authority condemns it on the basis of Article 58 (2) point b) of the General Data Protection Regulation the Applicant because he violated Article 6 (1) of the General Data Protection Regulation, Article 5 (1) points a) and b), Article 5 (2) and Article 15 (3). V.2. The Authority ex officio examined whether a data protection fine against the Application was justified imposition. In this context, the Authority is in accordance with Article 83 (2) of the General Data Protection Regulation and Infotv. 75/A. considered all the circumstances of the case based on § In doing so, the Authority as a significant circumstance took into account the fact that the Respondent's untrue statement about the cancellation of the recording, and the He deliberately obstructed the applicant with his deceptive behavior during his access requests the Applicant in exercising his rights. The Authority also considered as a special circumstance, that the Respondent, due to its core business, should have taken particular care to ensure that show an impartial, unbiased attitude in the event of a dispute between the two opposing parties. At the same time, the Authority took into account that the Authority significantly exceeded the 150-day period in the procedure administrative deadline, and that within the framework of the requested social and child welfare service including child welfare services, as well as being socially disadvantaged or for other reasons 11 provides care for needy persons. He also took into account that the Respondent himself admitted that he had wrongly claimed that the audio recording was not part of the record. Because of all this, the Authority waived the imposition of a fine and decided to apply a warning. However, the Authority assessed the non-disclosure of personal data management as such a serious violation of law, that Infotv. Based on points b) and c) of § 61. (2) the Respondent considers this decision to be justified disclosure by publishing your data. VI. Exceeding the administrative deadline During the procedure, the Authority exceeded Infotv. One hundred and fifty days according to paragraph (1) of § 60/A administrative deadline, therefore the Ákr. Based on point b) of § 51, the Applicant is entitled to HUF ten thousand. The Authority pays ten thousand forints to the Applicant - according to his choice to be indicated in writing - paid by bank transfer or postal order. VII. Other questions The competence of the Authority is set by Infotv. Article 38, Paragraphs (2) and (2a) defines it, the jurisdiction of the country covers its entire territory. This decision of the Authority is based on Art. 80-81. § and Infotv. It is based on paragraph (1) of § 61. That's the decision Acr. Based on § 82, paragraph (1), it becomes final upon its publication. The Akr. § 112 and § 116 (1) against the decision on the basis of paragraph and paragraph (4) point d) and § 114 paragraph (1) there is room for legal redress through an administrative lawsuit. The rules of the administrative trial are set out in Act I of 2017 on the Administrative Procedure hereinafter: Kp.) is defined. The Kp. Against the decision of the Authority based on Section 12 (1). administrative proceedings fall under the jurisdiction of the courts, the proceedings are governed by the Kp. § 13, paragraph (3), point a) aa) on the basis of subsection, the Metropolitan Court is exclusively competent. The Kp. Section 27, subsection (1), point b). in a legal dispute in which the court has exclusive jurisdiction, legal representation is mandatory. The Kp. According to paragraph (6) of § 39, the submission of a claim is an administrative act does not have the effect of postponing its entry into force. The Kp. Paragraph (1) of Section 29 and, in view of this, CXXX of 2016 on the Code of Civil Procedure. law 604, electronic administration and trust services are general CCXXII of 2015 on its rules According to Section 9 (1) point b) of the Act, the customer is legal representative is obliged to maintain electronic contact. The time and place of submitting the statement of claim is set by Kp. It is defined by § 39, paragraph (1). The trial information about the possibility of an application for keeping the Kp. It is based on paragraphs (1)-(2) of § 77. THE the amount of the fee for an administrative lawsuit is determined by Act XCIII of 1990 on fees. law (hereinafter: Itv.) 45/A. Section (1) defines. Regarding the advance payment of the fee, the Itv. Section 59 (1) paragraph and § 62 paragraph (1) point h) exempts the party initiating the procedure. The Akr. According to § 132 of the enough, it is enforceable. The Authority's decision in Art. according to § 82, paragraph (1) with the communication becomes permanent. The Akr. Pursuant to § 133, enforcement - if it is a law or government decree does not provide otherwise - it is ordered by the decision-making authority. The Akr. Pursuant to § 134 of enforcement - if it is a law, government decree or local government in the case of municipal authority does not provide otherwise - the state tax authority undertakes it. dated: Budapest, according to the electronic signature 12Dr. In the absence of President Attila Péterfalvi: Dr. Győző Endre Szabó vice president 13