NAIH (Hungary) - NAIH-4137- 8/2022: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Hungary |DPA-BG-Color=background-color:#7f0037; |DPAlogo=LogoHU.jpg |DPA_Abbrevation=NAIH |DPA_With_Country=NAIH (Hungary) |Case_Number_Name=N...")
 
No edit summary
Line 69: Line 69:
}}
}}


The Hungarian DPA fined a gynecologist €1,400 for not ensuring effective exercise of data subject rights in violation of Articles Articles 5(1)(a), 12(2) and 13(1)(a)(b) GDPR.
The Hungarian DPA fined a gynecologist €1,400 for not ensuring effective exercise of data subject rights in violation of  [[Article 12 GDPR|Articles 12(2)]] and [[Article 13 GDPR|13(1)(a)(b) GDPR]]. Moreover, the documentation practices were not transparent as required by [[Article 5 GDPR|Article 5(1)(a) GDPR]].


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject was the patient of a gynecologist (the controller), who owned a private practice, and requested access to their complete medical records. Within a span of over two months, the data subject sent two letters requesting a copy of the records, both with no response. Consequently, they lodged a complaint with the Hungarian DPA in order to obtain access to the data.  
The data subject was the patient of a gynecologist (the controller), who owned a private practice, and requested access to their medical records. The requested documentation related to the data subject's maternity care and pregnancy, which ended in the death of the fetus. Within a span of two months, the data subject sent two letters requesting a copy of the records, both with no response. Consequently, they lodged a complaint with the Hungarian DPA in order to obtain access to the data.  


The DPA initiated a procedure and asked the controller to clarify the facts of the case. The controller responded that it managed the practice without any administrative help and due to the Covid-19 pandemic, struggled with minor administrative shortcomings. Consequently, it did not become aware of the data subject's request on time. The controller largely relied on paper records rather than an electronic patient database and only maintained the statutory mandatory electronic records. At the request of the DPA, the controller provided a copy of the documents, signed and sealed, to the data subject. However, the file was not complete as several medical test results were missing.
The DPA initiated a procedure and asked the controller to clarify the facts of the case. The controller responded that it managed the practice without any administrative help and due to the Covid-19 pandemic, struggled with minor administrative shortcomings. Consequently, it did not become aware of the data subject's request on time. The controller largely relied on paper records rather than an electronic patient database and only maintained the statutory mandatory electronic records. At the request of the DPA, the controller provided a copy of the documents, signed and sealed, to the data subject. However, the file was not complete as several medical test results were missing. The data subject requested the DPA to order the controller to send a copy of the missing records.  


The DPA examined whether the controller acted lawfully in considering the request for access to medical records. The requested
The DPA examined whether the controller acted lawfully in considering the request for access to medical records. The DPA also examined ex officio the general data management practices of the controller.
documentation related to the data subject's maternity care and pregnancy, which ended in the death of the fetus. The DPA also examined ex officio the general data management practices of the controller.


=== Holding ===
=== Holding ===
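Review bot: in the Facts paragraph, the new text drops "complete" from "complete medical records" and changes "over two months" to "two months", and the revision carries no edit summary explaining either change. If these are corrections against the decision, say so in the edit summary; otherwise keep the earlier wording. The new lead sentence also has a doubled space before "[[Article 12 GDPR|Articles 12(2)]]".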
Line 86: Line 85:
Second, the DPA noted that maintaining paper records is still considered processing of personal data under the GDPR if the data are part of a filing system, in line with [[Article 2 GDPR#1|Article 2(1) GDPR]]. [[Article 4 GDPR#6|Article 4(6) GDPR]] defines a filing system as "any structured set of personal data, which are accessible according to specific cirteria". Accordingly, the DPA held that, in the present case, the patient files maintained by the controller in the context of providing private healthcare fell within the scope of the GDPR.  
Second, the DPA noted that maintaining paper records is still considered processing of personal data under the GDPR if the data are part of a filing system, in line with [[Article 2 GDPR#1|Article 2(1) GDPR]]. [[Article 4 GDPR#6|Article 4(6) GDPR]] defines a filing system as "any structured set of personal data, which are accessible according to specific cirteria". Accordingly, the DPA held that, in the present case, the patient files maintained by the controller in the context of providing private healthcare fell within the scope of the GDPR.  


Third, the DPA noted the obligations of the controller under Articles 12(2) and 15 GDPR to provide the details of the right to access as well as a copy of the requested data. Respectively, the copies of medical records sent to the data subject were not complete and the controller did not respond at all to two consequtive requests. The DPA pointed out that, according to the principle of accountability in [[Article 5 GDPR#2|Article 5(2) GDPR]], the controller is responsible for compliance with the GDPR and must be able to demonstrate it.  
Third, the DPA noted the obligations of the controller under [[Article 12 GDPR|Articles 12(2)]] and [[Article 15 GDPR|15 GDPR]] to provide the details of the right to access as well as a copy of the requested data. Respectively, the copies of medical records sent to the data subject were not complete and the controller did not respond at all to two consequtive requests. The DPA pointed out that, according to the principle of accountability in [[Article 5 GDPR#2|Article 5(2) GDPR]], the controller is responsible for compliance with the GDPR and must be able to demonstrate it.  


Fourth, the DPA noted that, contrary to the requirements of Article 13(1)(a)(b) GDPR, it was difficult to find the correct address for submissions of access requests because the controller's Privacy Notice with contact information was not provided to the data subject.  
Fourth, the DPA noted that, contrary to the requirements of [[Article 13 GDPR|Article 13(1)(a)(b) GDPR]], it was difficult to find the correct address for submissions of access requests because the controller's Privacy Notice with contact information was not provided to the data subject.  


The Hungarian DPA had to reject the data subject's request to order the controller to submit the missing documents as they turned out to be missing from the medical documentation overall. However, on its own initiative, the DPA concluded that the controller did not ensure an effective exercise of data subject rights in violation of Articles 5(1)(a), 12(2) and 13(1)(a)(b) GDPR. The DPA imposed a €1,400 fine for these violations.
Fifth, the DPA took a closer look at the controller's documentation practices. In this context, the DPA indicated that the controller provided wrong information about how it stored patients' data. First, it had stated that it does not keep electornic records. Later, the controller stated that it created electronic records when required by national law. Therefore, the controller was not transparent with regards to the means of processing personal data, in breach of [[Article 5 GDPR|Article 5(1)(a) GDPR]].
 
The Hungarian DPA had to reject the data subject's request to order the controller to submit the missing documents as they turned out to be missing from the medical documentation overall. However, on its own initiative, the DPA concluded that the controller did not ensure an effective exercise of data subject rights in violation of [[Article 12 GDPR|Articles 12(2)]] and [[Article 13 GDPR|13(1)(a)(b) GDPR]]. The controller also did not process personal data in a transparent manner in violation of [[Article 5 GDPR|Article 5(1)(a) GDPR]]. The DPA imposed a €1,400 fine for these violations.


== Comment ==
== Comment ==
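Review bot: the added "Fifth" paragraph misspells "electronic" as "electornic", and the "Third" paragraph, which this edit rewrites to add the article links, still reads "consequtive"; the unchanged "Second" paragraph quotes Article 4(6) with "cirteria". Fix all three in the same edit. In the "Third" paragraph the sentence opening "Respectively," does not connect to the one before it; "In this case," would read more clearly.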

Revision as of 09:06, 18 October 2022

NAIH - NAIH-4137- 8/2022
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 12(2) GDPR
Article 13(1)(a) GDPR
Article 13(1)(b) GDPR
Article 15 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published:
Fine: 1,400 EUR
Parties: n/a
National Case Number/Name: NAIH-4137- 8/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: n/a

The Hungarian DPA fined a gynecologist €1,400 for not ensuring effective exercise of data subject rights in violation of Articles 12(2) and 13(1)(a)(b) GDPR. Moreover, the documentation practices were not transparent as required by Article 5(1)(a) GDPR.

English Summary

Facts

The data subject was the patient of a gynecologist (the controller), who owned a private practice, and requested access to their medical records. The requested documentation related to the data subject's maternity care and pregnancy, which ended in the death of the fetus. Within a span of two months, the data subject sent two letters requesting a copy of the records, both with no response. Consequently, they lodged a complaint with the Hungarian DPA in order to obtain access to the data.

The DPA initiated a procedure and asked the controller to clarify the facts of the case. The controller responded that it managed the practice without any administrative help and due to the Covid-19 pandemic, struggled with minor administrative shortcomings. Consequently, it did not become aware of the data subject's request on time. The controller largely relied on paper records rather than an electronic patient database and only maintained the statutory mandatory electronic records. At the request of the DPA, the controller provided a copy of the documents, signed and sealed, to the data subject. However, the file was not complete as several medical test results were missing. The data subject requested the DPA to order the controller to send a copy of the missing records.

The DPA examined whether the controller acted lawfully in considering the request for access to medical records. The DPA also examined ex officio the general data management practices of the controller.

Holding

First, the DPA recalled that the GDPR defines data relating to the health and healthcare of a data subject as personal data, including special categories of personal data under Article 9 GDPR.

Second, the DPA noted that maintaining paper records is still considered processing of personal data under the GDPR if the data are part of a filing system, in line with Article 2(1) GDPR. Article 4(6) GDPR defines a filing system as "any structured set of personal data which are accessible according to specific criteria". Accordingly, the DPA held that, in the present case, the patient files maintained by the controller in the context of providing private healthcare fell within the scope of the GDPR.

Third, the DPA noted the obligations of the controller under Articles 12(2) and 15 GDPR to provide the details of the right to access as well as a copy of the requested data. In this case, the copies of medical records sent to the data subject were not complete and the controller did not respond at all to two consecutive requests. The DPA pointed out that, according to the principle of accountability in Article 5(2) GDPR, the controller is responsible for compliance with the GDPR and must be able to demonstrate it.

Fourth, the DPA noted that, contrary to the requirements of Article 13(1)(a)(b) GDPR, it was difficult to find the correct address for submissions of access requests because the controller's Privacy Notice with contact information was not provided to the data subject.

Fifth, the DPA took a closer look at the controller's documentation practices. In this context, the DPA indicated that the controller provided wrong information about how it stored patients' data. First, it had stated that it does not keep electronic records. Later, the controller stated that it created electronic records when required by national law. Therefore, the controller was not transparent with regard to the means of processing personal data, in breach of Article 5(1)(a) GDPR.

The Hungarian DPA had to reject the data subject's request to order the controller to submit the missing documents as they turned out to be missing from the medical documentation overall. However, on its own initiative, the DPA concluded that the controller did not ensure an effective exercise of data subject rights in violation of Articles 12(2) and 13(1)(a)(b) GDPR. The controller also did not process personal data in a transparent manner in violation of Article 5(1)(a) GDPR. The DPA imposed a €1,400 fine for these violations.


English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-4137-8/2022
(NAIH-4935/2021)

Subject: decision rejecting the application and imposing a fine ex officio




In the data protection authority proceedings initiated on the application submitted on May 13, 2021 by [...] (residential address: [...]; hereinafter: Applicant), through the authorized representative […] lawyer ([…]#cegkapu), against […] obstetrician-gynecologist specialist (business seat: […]; hereinafter: Respondent) regarding access to the Applicant's healthcare documentation, the National Data Protection and Freedom of Information Authority (hereinafter: Authority) makes the following decisions:

I. In its decision, the Authority

I.1. rejects the Applicant's requests.

I.2. The Authority ex officio determines that the Respondent violated Article 5(1)(a), Article 12(2) and Article 13(1)(a)-(b) of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation).

I.3. Due to the violations established in point I.2, the Authority obliges the Respondent to pay a data protection fine of

HUF 600,000, i.e. six hundred thousand forints.

II. In an order, the Authority terminates the part of the procedure that aimed to have the Authority establish a violation under Section 2:51(1)(a) of the Civil Code.


The data protection fine must be paid within 30 days of this decision becoming final to the Authority's centralized revenue collection target settlement HUF account (10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, reference must be made to the number NAIH-4137/2022. FINE.

If the Respondent does not fulfill his obligation to pay the fine within the deadline, he must pay a late fee. The amount of the late fee is the legal interest, which corresponds to the central bank base rate valid on the first day of the calendar half-year affected by the delay.

In the case of non-payment of the fine under point I.3 and of the late fee, the Authority orders the execution of the decision.

There is no administrative appeal against this decision and order, but they can be challenged in an administrative lawsuit within 30 days from the notification, with a letter of claim addressed to the Capital Court. The claim must be submitted to the Authority electronically, which forwards it to the court together with the case documents. For those who do not benefit from full personal exemption from fees, the fee for the administrative lawsuit is HUF 30,000; the lawsuit is subject to the right of material levy record. Legal representation is obligatory in proceedings before the Metropolitan Court.


                                      J U S T I F I C A T I O N



    I. The course of the procedure:

I.1. On May 13, 2021, the Applicant submitted an application to the Authority, stating that in a registered letter sent on January 15, 2021, through her representative, she had requested from the Respondent the release of her complete medical documentation relating to maternity care for the period falling between January 1, 2020 and September 20, 2020. She repeated her request in a letter sent on March 4, 2021 as a consignment with return receipt; the requests were sent to the postal address of the [...] clinic [...]. The letter sent with a return receipt was returned to her marked "unclaimed". She did not receive a response from the Respondent, nor was she provided with a copy of the requested documents.

In the letters sent, the Applicant requested from the Respondent the documentation generated during her pregnancy care under private obstetric-gynecological care - either at the [...] clinic or elsewhere - and stored in an electronic system or outside of it, including the consent form, patient information sheet, imaging recordings, expert opinion, and written/electronic communication with the Applicant.

The Applicant asked the Authority to establish the violation of Section 24 of the Eütv., on the basis of Section 2:51(1)(a) of the Civil Code, to oblige the Respondent to fulfill the Applicant's request for the release of documents, and to impose a fine on the Respondent.


I.2. At the request of the Applicant, data protection authority proceedings were initiated on May 14, 2021 under case number NAIH-4935/2021, pursuant to Section 60(1) of Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.).

In order to clarify the facts, the Authority called on the Respondent to make a statement on June 7, 2021.

I.3. The legal representative of the Respondent, […] individual lawyer ([…]#cegkapu), in a letter dated July 14, 2021 and registered under number NAIH-4935-4/2021, requested a thirty-day extension of the response deadline due to the workload of his client, as of all healthcare workers, which the Authority allowed on July 29, 2021.

I.4. The Respondent's response to the invitation to clarify the facts was received on August 11, 2021 and was registered under NAIH-4935-6/2021.





1 The NAIH_K01 form is used to initiate the administrative lawsuit: NAIH_K01 form (16.09.2019). The form can be filled out using the general form filling program (ÁNYK program).


I.5. The Authority's order No. NAIH-4935-7/2021, issued in order to further clarify the facts, was sent on September 21, 2021 and received by the Respondent on October 4, 2021.

I.6. The Respondent's response to this call was received on October 18, 2021, under registration number NAIH-4935-8/2021.

I.7. In its order No. NAIH-4935-9/2021, mailed on October 27, 2021 and received by the Applicant on November 2, 2021, the Authority requested the Applicant's statement on the above, by answering questions and sending documents.

I.8. The Applicant's statement received on November 5, 2021 was filed under number NAIH-4935-10/2021.

I.9. The Authority deemed it necessary to further clarify the facts; to this end it sent order No. NAIH-4935-11/2021 to the Respondent on November 18, 2021, who received it on December 6, 2021.

I.10. The Respondent responded to the order in a letter received on December 23, 2021, which the Authority registered under NAIH-4935-12/2021.

I.11. The Authority supplemented the procedure with an examination of the Respondent's general practice; it informed the Respondent of this in its order issued on March 28, 2022 and received by him on April 11, 2022, and at the same time called on him to make another statement.

I.12. The Respondent's answer, registered under NAIH-4137-2/2022, arrived on April 27, 2022.

I.13. The acting administrator's note No. NAIH-4137-3/2022 is dated May 4, 2022.

I.14. On May 26, 2022, the Authority notified the parties that the evidentiary procedure had been completed and that they could inspect the documents of the procedure. At the request of the Applicant, on June 9, 2022 the Authority sent that party copies of all documents that did not originate from him and did not arise during the procedure, with the protected data made unrecognizable.


    II. Clarification of the facts


II.1. In his reply given through his legal representative, the Respondent submitted the following:

The [...] clinic, which serves as the location of his practice, is a trade name; he rents the premises for the purpose of his practice on the basis of a verbal agreement from […] obstetrician-gynecologist, and therefore cannot attach a document relating to the legal relationship. With regard to the management of his patients' data, the data controller is the Respondent; he provides the possibility of submitting data subject requests at the registered office of the sole proprietorship - […] - as indicated in the data management information sheet and in the register of sole proprietors.

In relation to the examined access request, he stated that at the address to which the request was sent he regularly provides health care services together with many other doctors; however, he only holds medical consultations there, and no one is employed on site for administration. He did not receive the data subject's requests and so could not respond to them.

According to the statement, the Respondent performs health and medical tasks both in the […] teaching hospital and in private practice. In the recent period, the coronavirus epidemic also required increased effort from the Respondent in order to care for patients professionally and properly; due to the workload he was forced to prioritize his tasks and, in accordance with his medical oath, devoted all his capacity primarily to the care of patients. Due to these circumstances, it could happen that he placed the emphasis on the care of patients rather than on proper administration, and thus, despite all his efforts and as he also acknowledged, minor administrative deficiencies may have occurred in his activities.

He attached a copy of his data management policy to his reply.


II.2. In his response to the questions asked in the next order sent by the Authority during the clarification of the facts, the Respondent submitted that the Authority's letter addressed to the […] clinic was delivered in such a way that the related notice was received by a colleague who also practices there, who, seeing that it was an official document, collected it in good faith at the post office. The Respondent does not accept inquiries related to data management at this address, as he rents only one room at the place of practice for the duration of his consulting hours, so he cannot ensure the reception of inquiries there. He is in a contractual relationship with the assistant, whose task is to give appointments on the basis of telephone requests and who is not present at the consultations. He has no other agreement with the lessor apart from renting the premises, and there is no joint administration at the given address. Patients are informed about data management by means of the Data Management Information sheet, which can also be found on his website ([…]) and is also available at the place of practice during consulting hours. He cannot prove that the Applicant was acquainted with the data management information sheet.

At the request of the Authority - in which the Authority requested the part of the Applicant's documentation on which the first data collection took place, or on which there is an official signature - the Respondent checked his records; however, no documentation concerning the Applicant was found. As the reason for the administrative deficiency he again cited the workload caused by the coronavirus epidemic, according to which he spent his limited capacities on the adequate health care of patients and the fight against the epidemic, and in such a medically and humanly difficult situation he considered administration to be of secondary importance. Despite all this, he is aware of the importance of administration and documentation and regretted the omission.

II.3. The Authority invited the Applicant to make a statement and to attach a copy of her maternity care booklet, in which the visibility of the information about the data controller - date of care, name of healthcare provider providing care, doctor's seal, etc. - had to be ensured. The Applicant sent this, and in her statement informed the Authority of the dates ([…]) on which she received pregnancy care within the framework of the Respondent's private practice at the [...] clinic. She stated that on these occasions ultrasound examinations were also carried out, the data of which were recorded in the maternity care booklet, written with a pen, signed and sealed. On […] she was received by the Respondent at the […] Hospital, and the results of the examination were recorded in the outpatient card. On […], at the clinic on [...] street, he determined that the fetus no longer had a heartbeat.

According to the Applicant's statement, the Respondent recorded the results of the examinations and ultrasound examinations, as well as the dates of the next meetings and check-ups, in the pregnancy care book, signed and sealed.

The Applicant attached the documentation requested from the Electronic Health Services Area (EESZT), in which the data and findings generated during the private practice occasions indicated above are not found. She also stated that during her pregnancy care she did not receive findings or test results, either on paper or in electronic form, on the examinations and ultrasound examinations carried out within the framework of the Respondent's private practice; after the stitches were removed, the Respondent became unavailable to her, she could not get in contact with him, and he did not answer her messages or her phone calls.


II.4. At the Authority's further request, the Respondent submitted that patient data are recorded by means of the "Condition assessment form for patients" document already sent during the procedure, which is recorded on paper. (The Authority notes that this document had not been sent to the Authority.) He stores the patient documentation at his registered office, which is the place of data management, and uploads it to the EESZT system if necessary. He does not keep electronic records.

At the request of the Authority, he inspected his records; however, they contain no documentation in relation to the Applicant. He recorded the Applicant's test results in the maternity care book, as he did in other cases.

As the cause of the documentation deficiencies he cited the previously explained difficulties of the epidemic situation, and asked the Authority to take this into account when considering the circumstances of the case. At the request of the Authority, he attached a certificate signed by the chief physician of the […] department, in which the chief physician certifies that the Respondent participates intensively in the increased patient care in the ward, and that the number of patients on duty, which was not small before either, has also increased significantly.

II.5. In response to the Authority's next order, the Respondent answered the question of how, in the absence of electronic records - in view of his statement of December 21, 2021, according to which he does not keep electronic records - he complies with his obligation to record data in the EESZT. Clarifying his previous statement, he submitted that he does not keep other electronic records in addition to the mandatory electronic data upload to the EESZT. Therefore, in his view, there is no contradiction between point 6.1.4 of the Data Management Information sheet and his actual practice regarding the electronic registration of data according to his statement dated December 21, 2021.

By the wording "if necessary" in his previous answer, he meant that the data are uploaded to the EESZT if required by law. He did not answer the Authority's question of how and in which cases he complies with Section 19(2) of EMMI Decree 39/2016 (XII. 21.) on the detailed rules regarding the Electronic Health Services Area.

He sent a sample of the "Condition assessment sheet for patients" document and declared that the information sheet applied from January 2020, before the already sent Data Management Information sheet - a copy of which was also attached - was made available on his website and was also available at the place of practice during consulting hours. He stated that he treated 68 patients in 2020 and 196 patients in 2021 in private practice, from which his income was HUF 1,220,000 in 2020 and HUF 3,962,000 in 2021; he also attached an extract from the relevant tax return.


III. Legal provisions applicable in the case:

Pursuant to Section 2(2) of the Infotv., for data processing falling under the scope of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation), the General Data Protection Regulation shall be applied with the additions contained in the provisions indicated there.

Under the General Data Protection Regulation:

According to point 1 of Article 4, "personal data": any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

According to point 15 of Article 4, "health data": personal data related to the physical or mental health of a natural person, including data relating to the health care services provided to the natural person, which reveal information about the state of health of the natural person;

According to point 2 of Article 4, "data management": any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

According to point 7 of Article 4, "data controller": the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of data management are determined by EU or Member State law, the data controller or the specific criteria for its designation may also be determined by EU or Member State law;



  According to Article 5 of the General Data Protection Regulation:

(1) Personal data:
  a) must be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");
  b) must be collected only for specified, explicit and legitimate purposes and must not be processed in a manner that is incompatible with those purposes; in accordance with Article 89(1), further processing for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes is not considered incompatible with the original purpose ("purpose limitation");
  c) must be adequate and relevant in terms of the purposes of data management, and must be limited to what is necessary ("data minimisation");
  d) must be accurate and, if necessary, up to date; all reasonable measures must be taken to ensure that personal data that are inaccurate in terms of the purposes of data management are promptly erased or rectified ("accuracy");
  e) must be stored in a form that allows the identification of the data subjects only for the time necessary to achieve the purposes of processing the personal data; personal data may only be stored for a longer period insofar as the processing of the personal data will take place, in accordance with Article 89(1), for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes, subject to the implementation of the appropriate technical and organizational measures required by this regulation to protect the rights and freedoms of the data subjects ("storage limitation");
  f) must be processed in a way that ensures adequate security of the personal data by applying appropriate technical or organizational measures, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage of the data ("integrity and confidentiality").
(2) The data controller is responsible for compliance with paragraph (1), and must also be able to demonstrate this compliance ("accountability").

Pursuant to Article 12 of the General Data Protection Regulation:

  (1) The data controller takes appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and each communication according to Articles 15-22 and 34 relating to the processing of personal data in a concise, transparent, comprehensible and easily accessible form, worded in a clear and understandable way, especially in the case of any information addressed to children. The information must be given in writing or in another way, including, where applicable, the electronic way. Verbal information can also be given at the request of the data subject, provided that the identity of the data subject has been verified in another way.
  (2) The data controller facilitates the exercise of the data subject's rights according to Articles 15-22. In the cases referred to in Article 11 (2), the data controller may not refuse to fulfill the data subject's request to exercise his or her rights under Articles 15-22, unless it proves that the data subject cannot be identified.
  (3) The data controller informs the data subject of the measures taken following a request according to Articles 15-22 without undue delay, but in any case within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline can be extended by two more months. The data controller informs the data subject of the extension of the deadline, indicating the reasons for the delay, within one month from the receipt of the request. If the data subject submitted the request electronically, the information must be provided electronically if possible, unless the data subject requests otherwise.
  (4) If the data controller does not take measures following the data subject's request, it informs the data subject without delay, but at the latest within one month from the receipt of the request, about the reasons for the failure to take action, as well as about the fact that the data subject can submit a complaint to a supervisory authority and exercise the right to judicial redress.

Based on Article 13 of the General Data Protection Regulation:
Information to be made available if personal data is collected from the data subject
  (1) If personal data concerning the data subject is collected from the data subject, the data controller, at the time of obtaining the personal data, provides the data subject with all of the following information:
  a) the identity and contact information of the data controller and, if any, of the data controller's representative;
  b) contact details of the data protection officer, if any;

Based on Article 15 of the General Data Protection Regulation:
  (3) The data controller makes a copy of the personal data that is the subject of data management available to the data subject. For additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. If the data subject submitted the request electronically, the information must be made available in a widely used electronic format, unless the data subject requests otherwise.
  (4) The right to request a copy referred to in paragraph (3) shall not adversely affect the rights and freedoms of others.


According to Article 39 of the General Data Protection Regulation:
Duties of the data protection officer
  (1) The data protection officer performs at least the following tasks:
  a) provides information and professional advice to the data controller or the data processor, and to the employees performing data management, in relation to their obligations according to this regulation and other EU or Member State data protection provisions;
  b) checks compliance with this regulation and other EU or Member State data protection provisions, as well as with the internal rules of the data controller or data processor regarding the protection of personal data, including the designation of responsibilities, raising the awareness of and training the personnel involved in data management operations, as well as related audits;
  c) upon request, provides professional advice regarding the data protection impact assessment, and monitors the completion of the impact assessment in accordance with Article 35;
  d) cooperates with the supervisory authority; and
  e) in matters related to data management, including the prior consultation referred to in Article 36, serves as a point of contact for the supervisory authority, and consults with it on any other issue where appropriate.
  (2) The data protection officer performs his or her duties with due regard to the risk associated with data management operations, taking into account the nature, scope, circumstances and purpose of data processing.


The relevant provisions of Act CLIV of 1997 on Health (Eütv.):

§ 3 f) healthcare provider: regardless of the form of ownership and the maintainer, any individual healthcare entrepreneur, legal person or entity without legal personality entitled to provide health services on the basis of an operating license issued by the state health administration body;

Paragraph (2) of § 26 of the Eütv. states that the patient, if his or her state of health enables it, is obliged to cooperate with the healthcare workers involved in his or her care, according to his or her abilities and knowledge, as follows:
  a) informing them of everything necessary to establish the diagnosis, to create an appropriate treatment plan and to carry out interventions, in particular of every previous illness and medical treatment, of the use of medicines or medicinal products, and of health-damaging risk factors.

  Eütv. § 24 (1) The patient has the right to learn about the contents of the health documentation prepared on him or her, taking into account the provisions of § 135.
  (2) The patient's rights related to his or her personal data are governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and repealing Regulation 95/46/EC (general data protection regulation), and by the provisions of the Act on the management and protection of health and related personal data.
  (3) The patient is entitled
  a) to receive a final report according to point a) of Section 137 upon discharge from the inpatient hospital,
  b) to receive an outpatient care card upon completion of the outpatient specialist care activity, according to the provisions of point b) of § 137.
  § 136. (1) Data related to the examination and medical treatment of the patient is included in the health documentation. The health documentation must be kept in such a way that it reflects the care process in accordance with reality.

  (2) The health documentation must indicate
  a) the personal identification data specified in the Act on the management and protection of health and related personal data,
  b) in the case of a patient capable of acting, the name, address and contact information of the person to be notified and, if the patient requests, of the supporter according to the Act on Supported Decision-Making, and, in the case of a minor or a patient under guardianship partially or completely restricting the capacity to act, of the legal representative,
  c) the medical history,
  d) the result of the first examination,
  e) the examination results establishing the diagnosis and treatment plan, and the date of carrying out the tests,
  f) the name of the disease justifying the care, the disease serving as the basis for its development, concomitant diseases and complications,
  g) the name of other diseases that do not directly justify care, or of risk factors,
  h) the time of the performed interventions and their results,
  i) medicinal and other therapy and its results,
  j) data on the patient's drug hypersensitivity,
  k) the name of the healthcare worker making the entry and the date of the entry,
  l) a record of the content of the information provided to the patient or other person entitled to information,
  m) the fact of consent [§ 15 (3)] or refusal (§ 20-23), as well as their date,
  n) all other data and facts that may influence the patient's recovery.
   (3) The following must be kept as part of the health documentation:
   a) the findings of each examination,
   b) documents generated during medical treatment and consultation,
   c) nursing documentation,
   d) recordings of imaging diagnostic procedures, as well as

   e) tissue samples taken from the patient's body.
   § 137 The healthcare provider
   a) at the end of a connected care process consisting of several sub-activities, or after inpatient hospital care, prepares a final report summarizing the care data,
   b) at the end of the outpatient specialist care activity, prepares an ambulatory care sheet containing summary data related to the care and medical treatment of the patient,
and, with the exception of the case specified in Section 14 (1), hands it over to the patient.


According to paragraph (2) of § 126 of the Eütv., the doctor, provided that he or she is entitled to do so based on professional competence and training, examines the patient who comes to him or her. Pursuant to paragraph (3), the examination of the patient covers exploring every complaint brought to the attention of the attending physician, the medical history and the individual circumstances affecting the patient's recovery. Deviating from the provisions of paragraphs (2)-(3) is possible only in the case of interventions necessary for the patient's life that cannot be postponed (§ 126 (4) of the Eütv.).

Pursuant to § 77, paragraph (3) of the Eütv., all patients, regardless of the legal title under which they use care, must be cared for with the care expected from those involved in their care, and in compliance with professional and ethical rules and guidelines.

According to Act XLVII of 1997 on the management and protection of health and related personal data (Eüak.):

   35/B. § (1) The following are obliged to connect to the EESZT through their IT system authorized for connection:
   a) a health service provider entitled to provide health services on the basis of an operating license issued by the state health administration body, who is obliged to submit a financing report or provide electronic data,
   b) the pharmacy,
   c) the state ambulance service,
   d) state administrative bodies and other organizations defined by the minister in a decree,
   e) the distributor of medical aids with a price subsidy contract.
   (2) Data controllers belonging to the health care network and not covered by paragraph (1) can join the EESZT under the conditions specified in the minister's decree.


Pursuant to EMMI Decree 39/2016. (XII. 21.) on the detailed rules related to the Electronic Health Services Area:

  § 2 (1) The state administrative bodies obliged to join the EESZT through an information technology system according to point d) of paragraph (1) of § 35/B of the Eüak. are:
  a) the National Health Insurance Fund Manager,
  b) the Ministry of Human Resources,
  c) the National Center for Public Health,
  d) the National Pharmaceutical and Food Health Institute.
  (1a) Another organization required to join pursuant to point d) of paragraph (1) of § 35/B of the Eüak. is a healthcare provider with an operating license for medical or dental work that does not fall within the scope of point a) of § 35/B (1) of the Eüak.

  § 22. (1) The obligations related to joining must be completed
  f) by the health care provider according to § 2, paragraph (1a), until January 1, 2020.

  Section 19 (1) Within the framework of the obligation to provide data regarding the health documents registered through the EESZT and specified in Annex 4, the joined data controller
  a) transmits the documents in accordance with the technical requirements published by the operator, or
  b) in case of compliance with the technical requirements published by the operator, provides them by forwarding a link that enables direct access to the documents from the health IT system of the joined data controller.
  (2) The data provision obligation specified in this § relating to the transmission of documents must be completed
  a) in the case of a document handed over to the patient, after handing over the document to the patient,
  b) in the case of a document not handed over to the patient, after the approval of the document,
  c) in the case of a document already transferred to the register of the EESZT, after its change,
immediately, but no later than within the period of time specified in Annex 4 in relation to the individual documents.
  (3) From the register of health documents, the operator provides access to the health document concerning the data subject only to sector users entitled to access the data for the purpose specified in points a)-d) of Section 4 (1) of the Eüak.


                    Annex 4 to EMMI decree 39/2016 (XII. 21.)

                       Record of health documents

      A                                        B          C
 1    Document type                            Deadline   Document forwarding
 3    Outpatient card according to point b)    1 hour     mandatory
      of § 137 of the Eütv.


EMMI Decree 26/2014. (IV. 8.) on maternity care:

§ 1 (1) The purpose of prenatal care is to preserve the health of the pregnant woman, to promote the healthy development and healthy birth of the fetus, to prevent risks and complications and recognize them in a timely manner, as well as to prepare for childbirth, the child's early attachment, breastfeeding and infant care.

(2) Antenatal care begins when the obstetrician-gynecologist determines the intrauterine pregnancy, carries out the risk classification and gives the pregnant woman proof of this.
Section 4 (1) An obstetrician-gynecologist or midwife who takes on the care of the pregnant woman after the classification prescribed in Section 1 (2) is considered a responsible person.
(2) The responsible person indicates the data referred to in point 1.1.2 of Annex 1 in the care book of the expectant mother according to Annex 1 (hereinafter: pregnancy care book) and signs it.
§ 10. In addition to the provisions of paragraphs (2)-(4) of § 4, the responsible person:
  a) informs the pregnant woman about the possibility of the other tests specified in the professional guidelines that are available for a fee,
  b) records in the pregnancy care book that the information according to point a) has been provided, and the pregnant woman confirms with her signature that she has received the information,
  c) performs the necessary examinations and documents their results in the pregnancy care book.

Act V of 2013 on the Civil Code (Ptk.)
§ 2:51 [Sanctions independent of attributability]
  (1) A person whose personal rights are violated can demand, based on the fact of the violation, within the statute of limitations and based on the circumstances of the case,
  a) a court finding that the violation has occurred;

According to § 60, paragraph (1) of the Infotv., in order to enforce the right to the protection of personal data, the Authority initiates official data protection proceedings at the request of the data subject.

Pursuant to § 60, paragraph (2) of the Infotv., a request for the initiation of official data protection proceedings can be submitted in the case specified in Article 77 (1) of the General Data Protection Regulation.

In the absence of a different provision of the General Data Protection Regulation, the provisions of Act CL of 2016 on general public administrative order (hereinafter: Akr.) shall be applied to the official data protection procedure initiated on request, with the differences specified in the Infotv.


According to § 17 of the Akr., the authority examines its powers and jurisdiction ex officio at all stages of the proceedings. If it notices a lack of either, and the authority with jurisdiction over the case can be determined without a doubt, it transfers the case to that authority; in the absence of this, it rejects the application or terminates the procedure.

According to paragraph (1) of § 35 of the Akr., the request is a declaration by the client with which he or she requests the conduct of an official procedure or a decision of the authority in order to enforce his or her right or legitimate interest.

According to § 35, paragraph (3) of the Akr., the client may dispose of his or her request until the decision made on its subject becomes final.

According to paragraph (4) of § 62 of the Akr., the authority freely chooses the method of proof, and evaluates the available evidence according to its free conviction.




IV. Evidence taken into account during the Authority's decision and their evaluation:

IV.1. In accordance with the contents of the application, the Authority examined whether the Respondent acted lawfully when assessing the Applicant's access request for the release of the medical documentation created during the healthcare provided to the Applicant in the framework of a private practice, and whether the Respondent must be obliged to fulfill the Applicant's access request. The requested documentation concerns the Applicant's pregnancy care, which pregnancy ended in the death of the fetus. The Authority also investigated ex officio the Respondent's general data management practices.

IV.2. The fact of data management, the person of the data manager


Based on the definitions of the General Data Protection Regulation, data relating to the health and health care of the data subject are personal data, and within that data constituting a special category of personal data, and any operation performed on personal data is considered data management.

According to Article 4, point 7 of the General Data Protection Regulation, a data controller is whoever has substantive decision-making authority as defined there (the purpose and means of data management may also be defined by Member State law) and at the same time bears responsibility for the fulfillment of legal obligations related to data management. So, among other things, it is the data controller who must satisfy the data subject's request for the exercise of rights [Articles 12-23 of the General Data Protection Regulation].


According to the Respondent's statement, patient data is recorded by means of a document called "Condition Assessment Sheet for Patients", which is kept on a paper basis. The patient documentation is stored at the Respondent's headquarters, which is the place of data management, and if necessary it is uploaded to the EESZT system. Apart from the data upload required by law, the Respondent does not keep electronic records.

According to Article 2 (1) of the General Data Protection Regulation, the regulation must be applied to the processing of personal data in a partially or fully automated manner, as well as to the non-automated handling of personal data that are part of a registration system or are intended to be part of a registration system. The concept of data management is defined in point 2 of Article 4. According to preamble paragraph (15) of the General Data Protection Regulation, the protection of natural persons applies, in addition to the processing of personal data by automated means, also to manual processing if the personal data is stored or intended to be stored in a registration system. Documents and groups of documents, as well as their cover pages, that are not organized according to specified criteria do not fall under the scope of the regulation. The following follows from these provisions.

The General Data Protection Regulation includes a restrictive provision regarding manual data processing. In the case of manual, i.e. non-automated (in other words: paper-based) data management, the scope of the regulation only covers data that are part of a registration system or are managed for registration purposes.

What constitutes a registration system is determined by Article 4, Point 6 of the GDPR, according to which a registration system is a set of personal data structured in any way (centralized, decentralized or according to functional or geographical aspects) which is accessible based on specific criteria. The concept of registration can therefore be interpreted broadly: it can be any list in which the data can be searched and grouped according to any kind of criteria.

In view of what has been described, the General Data Protection Regulation is applicable to the paper-based, manually kept record that the Respondent keeps of the data of its patients in the course of private health care. The maintenance of this record is data management according to Article 4, Point 2 of the General Data Protection Regulation, and with regard to this activity the Respondent is considered a data controller according to Article 4, point 7 of the General Data Protection Regulation.

Among the other institutions and persons involved in the procedure, the "[…] clinic" is not a legal person and therefore cannot be classified as a data controller; the lessor […], who rents the premises of the clinic to the Respondent, does not participate in data management, so is not considered a data controller either. Furthermore, the activity performed by the Respondent during publicly funded care was not the subject of the application, so the documents that arose in the course of the Respondent's activities at the [...] Teaching Hospital are not subject to the procedure, and the institution is not considered a data controller in the procedure either.



IV.3. Handling the access request

Pursuant to the provisions of Article 12 (2) of the General Data Protection Regulation, the data controller facilitates the exercise of the data subject's rights according to Articles 15-22. Article 15 provides for the details of the right of access, within which Article 15 (3) establishes the right to a copy.

As stated above, a provider of healthcare services is in general considered a data controller with regard to its patients, and in the present case […] individual entrepreneur is also considered a data controller, as a health care provider who documents the personal and health data of the patients concerned on a paper basis during the care provided by him, and electronically with regard to the mandatory data upload; the fact of data controller status is also recorded in the Respondent's statement.

According to the introduction of the Respondent's Data Management Information dated 2020, it sets out "the main regulations related to the data management activities of […] individual entrepreneur (headquarters: [...]; tax number: [...]; medical registration number: [...]; individual business registration number: [...]) (hereinafter: Doctor)", while according to the introduction of the Data Management Information dated 2021, it details the main regulations related to the data management activities of "[…] individual entrepreneur (headquarters: [...]; tax number: [...]; medical registration number: […]; individual entrepreneur registration number: [...]) (hereinafter: Doctor)".

Point 9 of both information sheets provides for how the rights of data subjects are ensured, and point 9.1 discusses the exercise of the right of access. At this point the regulations do not provide for the method and address of submission of requests, which does not meet the requirements of Article 12 (1) of the General Data Protection Regulation.

Point 10 of both information sheets names the data protection officer ([...], address: [...]; e-mail: […]), with the explanation that "with data protection issues or questions you can contact the above data protection officer". However, according to the Authority's point of view, it does not follow from this that the data subject's requests must also be sent to the data controller in this way, nor is it the task of the data protection officer under Article 39 of the General Data Protection Regulation to provide information on measures taken following data subject requests.


In addition to public health care, the Applicant visited the Respondent several times at the […] clinic […] in the framework of pregnancy care, using private healthcare services at this location. The Applicant sent the data subject access requests to this address twice, indicating as recipient the Respondent, who regularly provides services there.

According to the Respondent's statement, he did not fulfill the access request because he did not become aware of the request. He did not become aware of the request because he did not receive the shipments addressed to the place of his private practice, sent first by registered mail and then by registered mail with return receipt.

According to Article 5 (2) of the General Data Protection Regulation, the data controller is responsible for compliance with paragraph (1) and must also be able to demonstrate this compliance ("accountability").

In the present examined case, according to the contents of his statement, the Respondent could not prove that the Applicant was familiar with the data management information, so the Applicant was not in possession of information on the address of the business headquarters of the service provider, where the data protection officer could otherwise have been sought. On the Respondent's website, in the "Contact" menu item, at the time of initiation of the official procedure, the designation "Place of practice: […] surgery - […]." was listed as the only address, so the Applicant was not able to learn about the place for submitting requests from this source either.

The copy of the pregnancy care book attached by the Applicant does not include the business headquarters either, nor any indication of an address for receiving data protection problems, questions or requests. The Respondent could not verify that the Applicant was aware of the address and method of submission of data subject requests, and he did not ensure the reception of the request submitted to the place of practice.

According to the Authority's point of view, the data subject does not have to be aware of the legal form in which the healthcare provider operates, or of whether its corporate headquarters matches the place of practice. If the data subject does not receive explicit and verifiable information about the address for submission of requests, it is reasonable and unobjectionable if the request is delivered to the address where the data subject regularly visited the doctor for medical care.

The data controller's duty to facilitate the exercise of rights includes that the data controller must cooperate with the data subject; in addition, according to the General Data Protection Regulation, the data controller does not have the possibility to limit the way in which data subject rights are submitted.

If a data management information sheet that has been presented to the data subject in a verifiable manner contains the address for submission of data subject requests, the data controller can claim that it helped assert the rights of the data subjects. If it is not included, or the data subject was not made familiar with it, organizational measures must be taken to help the data subject, so that the request is properly received.

According to the above findings of the Authority, the possibility of effective exercise of data subject rights was not ensured in relation to the Applicant, and thereby the Respondent violated Article 12 (2) and Article 13 (1) a)-b) of the General Data Protection Regulation.

Based on the inspection carried out on May 4, 2022, the Authority found that, after the initiation of the procedure, the Respondent indicated the business address on its website as the address for correspondence/requests.



IV.4. Management of health documentation, management of the Applicant's data

When defining the concepts of data controller and data management, the General Data Protection Regulation clearly states that the person who manages personal data is considered a data controller. Article 12 of the General Data Protection Regulation makes the fulfillment of data subject requests regarding the subject of data management an obligation of the body or person performing data management activities.

Point 6.1.4 of the Respondent's 2020 Data Management Information contains the following:
"6.1.4. Management of relevant data generated during the provision of medical services:
The relevant data generated during the provision of the medical service are recorded by the Data Controller in its closed system protected by an IT algorithm, to which only the persons specified in point 8.1 have access rights.
If the given data is recorded on a paper basis, the Data Controller keeps it in a systematic manner in premises that can be properly locked from a security point of view, and only the persons specified in point 8.1 have access rights.
The Data Controller reserves the right to also make a digital copy of the paper-based document recording the data. In such cases, the data are recorded by the Data Controller in its closed system protected by an IT algorithm, to which only the persons specified in point 8.1 have access rights.
The Data Controller also records the data required by law in the Patient's "Pregnancy Care Book"."

Point 6.1.4 of the Respondent's 2021 Data Management Information provides as follows:
"6.1.4. Management of relevant data generated during the provision of medical services:
The relevant data generated during the provision of the medical service are recorded by the Data Controller in its closed system protected by an IT algorithm, to which only the persons specified in point 8.1 have access rights.
If the given data is recorded on a paper basis, the Data Controller keeps it in a systematic manner in premises that can be properly locked from a security point of view, and only the persons specified in point 8.1 have access rights.
The Data Controller reserves the right to also make a digital copy of the paper-based document recording the data. In such cases, the data are recorded by the Data Controller in its closed system protected by an IT algorithm, to which only the persons specified in point 8.1 have access rights.
In addition to the above, the Data Controller, fulfilling its legal obligations, also records the data specified by law in the EESZT. [...] The Data Controller also records the data required by law in the Patient's "Pregnancy Care Book"."

However, according to the Respondent's statement, its records include no documentation regarding the Applicant. The "Condition Assessment Sheet" for the Applicant cannot be found either, and he also failed to enter the examination results in his records. The Respondent recorded the test results only in the Applicant's pregnancy care booklet.

Nor did the Respondent create electronic or paper-based documentation in relation to the care of the Applicant during pregnancy care, and data on the Applicant's care was not forwarded to the EESZT, while according to the pregnancy care book he provided healthcare services to the Applicant at the times indicated there.

The data generated during the tests and the results of the tests were recorded by the Respondent in the pregnancy care book, which is a document kept by the pregnant woman herself; in addition, according to the Applicant's statement, the Respondent did not give a finding at the end of the examination and did not transmit the data to the EESZT system. Among the documents downloaded by the Applicant from the EESZT system, documentation created at the specified examination times during the Respondent's private practice was not included.


Consistent with this, the Respondent's statement states that no data or documents concerning the Applicant can be found in its records.

The data subject's rights and their exercise can only be interpreted if there is data management, which, however, was not the case here. As a result, the Respondent did not violate the Applicant's right to be issued a copy pursuant to Article 15 (3) of the GDPR in relation to recorded patient data, since the paper-based register "Condition assessment sheet for patients" kept by the Respondent contained no data that could be copied, and there is no other data that could be ordered to be released.

For this reason, a violation of the provisions of § 24 of the Eütv. cannot be established; that section orders the rules of the General Data Protection Regulation to be applied regarding access to health documentation and the provision of copies.


As a result, the Authority rejects the Applicant's request that the Authority oblige the Respondent to issue a copy of the documentation containing the Applicant's health data, since - in the absence of documentation - the Respondent does not have documents containing such data.

The Authority may examine compliance with the General Data Protection Regulation; it does not have the authority to establish what is contained in point a) of paragraph (1) of § 2:51 of the Civil Code, and therefore, in the relevant part of the application, it terminates the procedure by order on the basis of § 17 of the Ákr.


IV.5. Findings regarding the documentation practices of the Respondent

Based on the present case, the data management information provided by the Respondent does not reflect its actual practice, because the information states that it keeps paper-based records, creates electronic records at its own discretion, complies with electronic data transmission where this is its legal obligation, and, in addition to all this, also makes entries in the maternity care book.

In the data management information, the Respondent states that it registers the data in the pregnancy care book as well, which also means that it is aware that it has to record the data in another form, and it also informs its patients about this practice.

In contrast, no information pointing to the processing of data concerning the Applicant arose during the fact-finding, and the existence of data management concerning the Applicant could not be verified.

Furthermore, the Respondent made contradictory statements in the present proceedings: he first stated that he does not keep electronic records, and later acknowledged electronic data management in cases requiring mandatory data upload. However, he did not state in detail in which cases he complies with the electronic data transmission obligation, or what is considered a necessary case. The Respondent thus amended before the Authority a statement concerning circumstances that fundamentally affect its data management, thereby making it difficult for the Authority to explore its actual practice.


Just as for the Authority, the Respondent's practice is not transparent for the data subjects either. Based on all these circumstances, the Authority concludes that the Respondent did not ensure the enforcement of the basic requirement of transparency prescribed in Article 5 (1) point a) of the General Data Protection Regulation, and the Respondent could not fully prove the legality of its data processing.


The Respondent stated that, because of additional professional tasks due to the emergency situation caused by the coronavirus, he considered administration a task of secondary importance, and for this reason administrative failures may have occurred in his operation. The Respondent himself thus states that there were omissions "in certain cases", which, in the Authority's interpretation, means that not only one person was affected.


The Authority's position regarding administrative tasks is that additional tasks due to the coronavirus emergency may result in the postponement of certain data management and documentation obligations; however, this cannot mean the complete neglect of the obligation, under the professional rules and the Eütv., to keep documentation about the patient or patients, that is, the complete abandonment of the management of health documentation.


The Respondent's practice in fulfilling its documentation obligation had an impact on the processing of the Applicant's data and on the Applicant's rights, as it is closely related to the exercise of data subject rights and made that exercise impossible; for this reason the Authority examined the issue during the clarification of the facts.

For the bodies and persons involved in pregnancy care, EMMI Decree 26/2014. (IV. 8.) prescribes recording in the pregnancy care book so that, for those providing care for pregnant women (specialists, family doctors, nurses, midwives), the information on the care process is summarized in one document.

However, in the Authority's view, the fulfillment of this requirement does not mean that the issuing of findings according to § 137 point b) of the Eütv., or the obligation to provide data to the EESZT system as a data controller requirement, which according to § 19, paragraph (2) of EMMI Decree 39/2016. (XII. 21.) applies following the mandatory connection of private service providers after January 1, 2020, may be omitted.

In the Authority's view, the management of health documentation required by law cannot be considered an obligation that can be pushed into the background during a coronavirus emergency. For the doctor treating the data subject, studying any patient's treatment history and medical history is essential for the care expected under § 77, paragraph (3) of the Eütv. and for a professionally sound procedure, which cannot be ensured if the data subject does not receive the required documentation about his treatment and therefore cannot later pass it on to another doctor, where applicable.

Paragraph (2) of § 26 of the Eütv. also mentions, as an obligation of the patient, providing information about his medical history, which the patient cannot fully comply with if he does not have the appropriate documentation of his care.


In the case of maternity care, data on the life and health of the mother and fetus are the subject of medical documentation. In this case, because the data generated during the private practice were not fully recorded, documentation of the processes leading to the tragedy was lacking, as a result of which the Applicant could not exercise her data subject rights and did not obtain her important health data.

It is not within the competence of the Authority to judge whether the Respondent, as a health care provider, acted in accordance with the professional rules applicable to him when, in connection with pregnancy care, he kept no documentation other than entries in the pregnancy care booklet, did not give a finding to the Applicant at the end of the care events, and did not forward the findings to the EESZT system.



The examination of this question - monitoring the fulfillment of the Respondent's obligation to manage health documentation and of the related legal requirements - is initiated ex officio by the Authority at NEAK.

IV.6. The Authority rejected the Applicant's request for the imposition of a data protection fine, since the application of this legal consequence does not directly affect the right or legitimate interest of the Applicant, and such a decision of the Authority does not create a right or obligation for the Applicant. As a result, with regard to this legal consequence, which falls within the scope of enforcing the public interest, the Applicant does not qualify as a client in respect of the imposition of a fine under § 10, paragraph (1) of the Ákr. Since the request does not comply with § 35, paragraph (1) of the Ákr., no application may be submitted in this regard, and this part of the submission cannot be interpreted as a request. In connection with the request for the imposition of a data protection fine, the Authority further points out - with reference to recitals (148) and (150), Article 58 and Article 83 (2) of the General Data Protection Regulation - that the supervisory authority, depending on the circumstances of a given case, is entitled to decide ex officio, at its discretion, on the effective, proportionate and dissuasive measures to be applied against the data controller or data processor in order to protect personal data, or, instead of or in addition to them, on sanctions, such as whether an administrative fine needs to be imposed and, if it is imposed, its amount.


V. Legal consequences:

V.1. The Authority rejected the Applicant's requests, established a violation ex officio, and, on the basis of Article 58 (2) point b) of the GDPR, condemns the Respondent for having violated Article 5 (1) point a), Article 12 (2), and points a)-b) of Article 13 (1) of the General Data Protection Regulation.


V.2. The Authority rejects the Applicant's request for the imposition of a fine, and examined ex officio whether a data protection fine against the Respondent was justified due to the established violations.

In this context, the Authority considered all the circumstances of the case on the basis of Article 83 (2) of the General Data Protection Regulation and § 75/A of the Infotv. Given the circumstances of the case, the Authority established that, for the violation discovered during the present procedure, a warning is not a proportionate and dissuasive sanction, and therefore the imposition of a fine is required.

Above all, the Authority took into account that the violation committed by the Respondent is considered, under Article 83 (5) point b) of the General Data Protection Regulation, a violation falling into the higher fine category, since it involved a violation of a basic provision and of the rights of data subjects.

In the Authority's view, ensuring through organizational measures (postal redirection, instructing on-site collection of shipments, forwarding delivery notifications for registered mail, etc.) that data subject letters arriving at the place of practice are received by a service provider who otherwise works there regularly did not depend on the difficulties caused by the coronavirus emergency, as such a measure does not require regular activity and did not increase the daily tasks of the data controller. It follows that, when determining the amount of the fine, the Authority did not take into account for this violation the circumstance of increased workload presented by the Respondent.

During the imposition of fines, the Authority assessed the following as circumstances that increase the fine:

    • the violation is considered serious because the Respondent made the exercise of the data subject's rights difficult, hindered it, or did not ensure it. The protection of personal data is to be interpreted in the context of the private sphere. Particular weight attaches to the protection and lawful handling of data that fall within a particularly sensitive area of the private sphere. The pregnancy, the loss of the fetus and its circumstances are so deeply and sensitively tied to the private sphere that the law does not ignore them either [GDPR Article 83 (2) point a)];
    • the lack of data also limits the data subject's possibilities for further legal enforcement [GDPR Article 83 (2) point a)];
    • the infringement was proved in the case of one person in this procedure, but at the same time the findings regarding the data management information affect the Respondent's general practice [GDPR Article 83 (2) point a)];
    • the fact that the Respondent did not ensure the exercise of the data subject's rights with appropriate practical measures indicates serious negligence [GDPR Article 83 (2) point b)];
    • the established data protection law violation had an impact on the exercise of rights relating to special categories of personal data [GDPR Article 83 (2) point g)];


During the imposition of fines, the Authority assessed the following as mitigating circumstances:

    • on the website of the Respondent, the address of its business headquarters is already listed as the address for correspondence/claims
    • this is the first time that it has been established in a data protection official procedure that the Respondent did not comply with the provisions of the GDPR; he had not previously committed a relevant violation of law [GDPR Article 83 (2) point (e)].
    • the period of the COVID-19 emergency [GDPR Article 83 (2) point (k)].
    • the Authority exceeded the procedural deadline prescribed for it

The Authority also took into account:

    • that the Respondent was cooperative in responding to orders within the deadline, but at the same time made it difficult to reveal the facts with his contradictory statements [GDPR Article 83 (2) point (f)]
    • the income data provided by the Respondent.


The amount of the fine was determined by the Authority acting within its statutory discretion. The fine is 0.007% of the maximum fine that can be imposed.

Based on the above, the Authority decided in accordance with the provisions of the statutory part.

V.3. During the procedure, the Authority exceeded the one-hundred-and-fifty-day administrative deadline under paragraph (1) of § 60/A of the Infotv.; therefore, on the basis of point b) of § 51 of the Ákr., HUF 10,000, i.e. ten thousand HUF, is due to the Applicant, to be paid - at the Applicant's choice - by transfer to a bank account or by postal voucher.

VI. Other questions

The competence of the Authority is defined by paragraphs (2) and (2a) of § 38 of the Infotv., and its competence covers the entire territory of the country.

The decision is based on §§ 80-81 of the Ákr. and paragraph (1) of § 61 of the Infotv. Based on § 82, paragraph (1) of the Ákr., the decision becomes final upon its publication. On the basis of § 112, § 116 paragraph (1), and § 114 paragraph (1) of the Ákr., legal redress against the decision is available by way of an administrative lawsuit.


                                             * * *

The rules of the administrative trial are defined by Act I of 2017 on the Administrative Procedure (hereinafter: Kp.). Based on § 12, paragraph (1) of the Kp., the administrative lawsuit against the decision of the Authority falls within the jurisdiction of the court, and based on Section 13 (3) subparagraph a) point aa) of the Kp., the Metropolitan Court is exclusively competent for the lawsuit. Pursuant to § 27, paragraph (1) point b) of the Kp., legal representation is mandatory in a lawsuit within the jurisdiction of the court. According to paragraph (6) of § 39 of the Kp., the submission of the statement of claim does not have the effect of postponing the entry into force of the administrative act.

According to Section 9 (1) point b) of Act CCXXII of 2015 on the general rules of electronic administration and trust services, applicable pursuant to paragraph (1) of § 29 of the Kp. and, in view of this, § 604 of the Pp., the client's legal representative is obliged to maintain contact electronically.


The time and place of submitting the statement of claim are defined by § 39, paragraph (1) of the Kp. The information on the possibility of requesting a hearing is based on Section 77 (1)-(2) of the Kp. The amount of the fee for the administrative lawsuit is defined by Section 45/A (1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). Paragraph (1) of § 59 and point h) of § 62 (1) of the Itv. exempt the party initiating the procedure from paying the fee in advance.


If the obliged client does not adequately certify the fulfillment of the prescribed obligations, the Authority considers that the obligations have not been fulfilled within the deadline. According to § 132 of the Ákr., if the obliged party has not complied with the obligation contained in the final decision of the authority, the decision is enforceable. Pursuant to § 133 of the Ákr., enforcement - unless a law or government decree provides otherwise - is ordered by the decision-making authority. Pursuant to § 134 of the Ákr., enforcement - unless a law, a government decree or, in a municipal authority matter, a local government decree provides otherwise - is carried out by the state tax authority.

Dated: Budapest, according to the electronic signature






                                      Dr. Attila Péterfalvi
                                             president

                                      c. professor