NAIH (Hungary) - NAIH-642-4/2022: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Hungary |DPA-BG-Color=background-color:#7f0037; |DPAlogo=LogoHU.jpg |DPA_Abbrevation=NAIH |DPA_With_Country=NAIH (Hungary) |Case_Number_Name=NAIH-642-4/2022 |ECLI= |Original_Source_Name_1=NAIH-642-4/2022 |Original_Source_Link_1=https://naih.hu/hatarozatok-vegzesek?download=706:onkormanyzat-kozfeladatai-ellatasahoz-szukseges-adatkezeleseinek-jogi-megfelelese%20 |Original_Source_Language_1=Hungarian |Original_Source_Language__Code_1=HU |Or...") |
No edit summary |
||
(7 intermediate revisions by 2 users not shown) | |||
Line 69: | Line 69: | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
|Initial_Contributor= | |Initial_Contributor=sh | ||
| | | | ||
}} | }} | ||
The Hungarian DPA charged a local municipality for how it conducted a survey on the vaccination status of its local residents. It fined the controller 3 million Hungarian Forints for the breach of Articles 5(1)(b)(c) GDPR, 6(1) GDPR, 12(1) GDPR, 7(2) GDPR, 9(1) GDPR, 13 GDPR and 14 GDPR. | The Hungarian DPA charged a local municipality for how it conducted a survey on the vaccination status of its local residents. It fined the controller 3 million Hungarian Forints (around €7,80) for the breach of [[Article 5 GDPR|Articles 5(1)(b)(c) GDPR]], [[Article 6 GDPR#1|6(1) GDPR,]] [[Article 12 GDPR|12(1) GDPR]], [[Article 7 GDPR#2|7(2) GDPR,]] [[Article 9 GDPR#1|9(1) GDPR]], [[Article 13 GDPR|13 GDPR]] and [[Article 14 GDPR|14 GDPR.]] | ||
== English Summary == | == English Summary == | ||
Line 79: | Line 79: | ||
=== Facts === | === Facts === | ||
Independent of any instructions from the XVIII District Office of the Government of Budapest, the municipality of Pestszentlőrinc‑Pestszentimre carried out a survey on the COVID-19 vaccination status of its local citizens. The controller aimed to produce anonymised statistics on the basis of which municipal decisions in relation to the pandemic could be made. | Independent of any instructions from the XVIII District Office of the Government of Budapest, the municipality of Pestszentlőrinc‑Pestszentimre carried out a survey on the COVID-19 vaccination status of its local citizens. The controller aimed to produce anonymised statistics on the basis of which municipal decisions in relation to the pandemic could be made. | ||
To send the questionnaire, the controller lawfully obtained the names and addresses of all adult residents in the area. The questionnaire, on the other hand, was deemed non-compliant. It did not make clear that data subjects’ name, telephone number and email address were optional. It did not specify that | |||
To send the questionnaire, the controller lawfully obtained the names and addresses of all adult residents in the area. The questionnaire, on the other hand, was deemed non-compliant. It did not make clear that data subjects’ name, telephone number and email address were optional. It did not specify that the name, telephone number and email address, when provided, would be processed alongisde the health data. Lastly, consent to processing was only available upon completion of the questionnaire, when the data had already been submitted. | |||
After a public interest notification, the case was referred to the Hungarian DPA under Hungarian national law. | |||
=== Holding === | === Holding === | ||
The controller carried out the processing based on its own decision making it an independent controller under [[Article 4 GDPR#7|Article 4(7) GDPR]]. | The controller carried out the processing based on its own decision making it an independent controller under [[Article 4 GDPR#7|Article 4(7) GDPR]]. | ||
The controller failed to provide adequate information on the data processing to the data subjects in the questionnaire under Articles 12(1) and 14 GDPR. | |||
Processing the personal data that was optionally added to the questionnaire resulted in excessive processing under [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] and 5(1)(c) | The controller failed to provide adequate information on the data processing to the data subjects in the questionnaire under [[Article 12 GDPR|Articles 12(1)]] and [[Article 14 GDPR|14 GDPR.]] | ||
The DPA | |||
Processing the personal data that was optionally added to the questionnaire resulted in excessive processing under [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] and [[Article 5 GDPR|5(1)(c) GDPR.]] It also breached [[Article 12 GDPR#1|Article 12(1) GDPR]] and [[Article 13 GDPR|13 GDPR]] as the data subject was not informed of this additional processing. The COVID-19 status of the residents was considered health data under [[Article 9 GDPR#1|Article 9(1) GDPR]]. Mixing the processing of the optionally provided data with the health data muddied consent breaching [[Article 7 GDPR#2|Article 7(2) GDPR]]. This meant that the controller no longer had a legal basis under [[Article 6 GDPR#1|Article 6(1) GDPR]]. | |||
The DPA fined the controller 3 million Hungarian Forint, equivalent to around €7,800, under [[Article 58 GDPR#2|Article 58(2) GDPR]]. | |||
== Comment == | == Comment == |
Latest revision as of 15:22, 29 August 2023
NAIH - NAIH-642-4/2022 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 5(1)(c) GDPR Article 5(1)(b) GDPR Article 6(1) GDPR Article 7(2) GDPR Article 9(1) GDPR Article 12(1) GDPR Article 13 GDPR Article 14 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | |
Fine: | 3000000 HUF |
Parties: | n/a |
National Case Number/Name: | NAIH-642-4/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Hungarian |
Original Source: | NAIH-642-4/2022 (in HU) |
Initial Contributor: | sh |
The Hungarian DPA charged a local municipality for how it conducted a survey on the vaccination status of its local residents. It fined the controller 3 million Hungarian Forints (around €7,80) for the breach of Articles 5(1)(b)(c) GDPR, 6(1) GDPR, 12(1) GDPR, 7(2) GDPR, 9(1) GDPR, 13 GDPR and 14 GDPR.
English Summary
Facts
Independent of any instructions from the XVIII District Office of the Government of Budapest, the municipality of Pestszentlőrinc‑Pestszentimre carried out a survey on the COVID-19 vaccination status of its local citizens. The controller aimed to produce anonymised statistics on the basis of which municipal decisions in relation to the pandemic could be made.
To send the questionnaire, the controller lawfully obtained the names and addresses of all adult residents in the area. The questionnaire, on the other hand, was deemed non-compliant. It did not make clear that data subjects’ name, telephone number and email address were optional. It did not specify that the name, telephone number and email address, when provided, would be processed alongisde the health data. Lastly, consent to processing was only available upon completion of the questionnaire, when the data had already been submitted.
After a public interest notification, the case was referred to the Hungarian DPA under Hungarian national law.
Holding
The controller carried out the processing based on its own decision making it an independent controller under Article 4(7) GDPR.
The controller failed to provide adequate information on the data processing to the data subjects in the questionnaire under Articles 12(1) and 14 GDPR.
Processing the personal data that was optionally added to the questionnaire resulted in excessive processing under Article 5(1)(b) GDPR and 5(1)(c) GDPR. It also breached Article 12(1) GDPR and 13 GDPR as the data subject was not informed of this additional processing. The COVID-19 status of the residents was considered health data under Article 9(1) GDPR. Mixing the processing of the optionally provided data with the health data muddied consent breaching Article 7(2) GDPR. This meant that the controller no longer had a legal basis under Article 6(1) GDPR.
The DPA fined the controller 3 million Hungarian Forint, equivalent to around €7,800, under Article 58(2) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
File number: NAIH-642-4/2022 Subject: decision History case number: NAIH-8594/2021 DECISION The National Data Protection and Freedom of Information Authority (hereinafter: Authority) a Budapest Capital XVIII. district with the Pestszentlőrinc - Pestszentimre Municipality (a hereinafter: Customer) vis-à-vis the Customer ex officio on November 26, 2021 Distributed on the website "www.bp18.hu/vakcina" (hereinafter: Website) and by mail regarding the data management of the "vaccine questionnaire" (hereinafter: Questionnaire) - initiated makes the following decisions in official data protection proceedings: I. The Authority determines that the Client did not provide adequate information to the persons concerned about the acquisition and use of their name and address data from external sources at the time of first contact, this is the name and address used to send the Questionnaire in terms of data, natural persons have been violated by the processing of their personal data regarding its protection and the free flow of such data, as well as 95/46/EC Directive 2016/679/EU on repealing the directive (hereinafter: general data protection regulation) to provide information according to Article 12 (1) and Article 14 obligation. II. The Authority determines that the Customer has provided adequate prior information, specifically in the absence of a specific purpose and a valid legal basis, it was handled by the contact information collected with the Questionnaire personal data in relation to thousands of stakeholders and thereby violated it purpose limitation according to Article 5 (1) point b) of the General Data Protection Regulation principle, the principle of data saving according to Article 5 (1) point c), Article 12 (1) paragraph and Article 13 of the obligation to provide prior information, as well as in the absence of valid consent due to the above, Article 6 (1) of the General Data Protection Regulation paragraph and paragraph 2 of Article 7. III. The Authority determines that the Customer's prior information is adequate and valid in the absence of a legal basis, handled the health data collected with the Questionnaire unnecessarily, and thereby violating the provisions of Article 5(1)(c) of the General Data Protection Regulation the principle of data saving, prior information according to Article 12 (1) and Article 13 due to the lack of valid consent due to the above Article 6 (1), Article 7 (2) and Article 9 of the General Data Protection Regulation (1) paragraph. ARC. The Authority based on Article 58 (2) point d) of the General Data Protection Regulation ex officio instructs the Customer to modify the contact information collected with the Questionnaire accordingly practices related to the management of personal data to comply with the general of the data protection regulation, i.e. indicate a corresponding specific goal or goals, for that obtain the consent of those concerned in advance with the help of contact information in addition to providing direct information, and delete the contact data collected with the Questionnaire personal data that the general data protection was not aware of in the above manner to obtain valid consent in accordance with the regulation. About the right to informational self-determination and CXII of 2011 on freedom of information. Act (hereinafter: Infotv.) § 61. (6) 2 until the expiry of the time limit open for challenging the decision pursuant to paragraph and in case of initiation of a public administrative lawsuit, until the final decision of the court data affected by data management cannot be deleted or destroyed. A. The Authority ex officio the Customer due to the above data protection violations HUF 3,000,000, i.e. three million forints data protection fine obliged to pay. The IV. the fulfillment of the obligation prescribed by the Customer towards this decision must be in writing within 60 days of the expiration of the legal remedy deadline - the supporting document together with the presentation of evidence - to prove it to the Authority. Data management exclusively in addition to defining the appropriate scope of data, for real and specific purposes, a valid legal basis, and it is possible to continue with the proof of the maximum guarantee of the rights of the stakeholders, otherwise case, the Customer must prove the termination of the data processing in question to the Authority a within the above deadline. The fine according to point V within 30 days from the date of this decision becoming final the Authority's centralized revenue collection target clearing account (10032000- 01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000) must be paid. When transferring the amount, "NAIH-642/2022 BÍRS." for number must be referred to. If the Customer does not fulfill his obligation to pay the fine within the deadline, he is in default is obliged to pay a penalty. The rate of penalty is the legal interest, which is is the same as the central bank base rate valid on the first day of the relevant calendar semester. Non-payment of the fine and late fee, as well as the above IV. obligation according to point in case of non-compliance, the Authority orders the implementation of the decision. There is no place for administrative appeal against this decision, but from the announcement within 30 days from the date of issue, with a letter of claim addressed to the Capital Tribunal can be challenged in a lawsuit. The claim must be submitted to the Authority electronically, which forwards it to the court together with the case documents. A hearing can be held in the statement of claim to ask. For those who do not receive the full personal tax exemption, the administrative lawsuit the fee is HUF 30,000, the lawsuit is subject to the right to record fees. Before the Metropolitan Court legal representation is mandatory in the procedure. Infotv. Pursuant to § 61, subsection (2), point a), the Authority publishes this decision a Authority website. JUSTIFICATION I. Procedure and clarification of the facts I.1. History matters 1. Public interest in case history No. NAIH-3566/2021 (hereinafter: Case History) a notification was received by the Authority on March 25, 2021, which is the Questionnaire used by the Customer contested the legality of its data processing. The Questionnaire to the "www.bp18.hu/vakcina" website refers to, which redirects to the website "https://www.bp18.hu/onkormanyzat/vakcina". 3 2. Following the public interest announcement, the Authority launched an ex officio investigation on April 14, 2021 in the History Case. 3. In the History Case, the Client received the Authority's inquiry on May 3, 2021, In his reply letter sent under NAIH-3566-4/2021, the following, from the point of view of the decision made relevant statements: (i) In relation to the Questionnaire, the Customer is considered a data controller. (ii) The Customer only hired an external service provider to prepare the mail and the envelopes used as a data processor, it was not used for the returned Questionnaires data processor. (iii) The Customer is the Budapest XVIII. Citizens provide the names and addresses of adult residents of the district LXVI of 1992 on the registration of your personal data and residential address. law (a hereinafter: Residential address.) obtained on the basis of point a) of § 21. (iv) The Customer managed the names and addresses of the recipients until the Questionnaire was mailed, after that deleted it. The legal basis for this data management is Article 6 (1) of the General Data Protection Regulation point e) was. (v) The Customer collected the following personal data in the Questionnaires: name, telephone number, email address (filling them in is optional according to the Customer's statement, its legal basis is general data protection decree Article 6 (1) point a) data subject consent). On this in addition, the answers to the following health data questions were collected a On the questionnaire: have you registered for vaccination, have you received the vaccine, have you been infected with coronavirus. The The processing time for health data is 1 week after the receipt of the questionnaire, the contact the data processing period is the period until the withdrawal of consent, its legal basis is the general one data protection regulation Article 6 (1) point a) and Article 9 (2) point a) stakeholder consent according to Indicated on the Questionnaire (no longer in operation) On the "www.bp18.hu/vakcina" website, the data management information for the Customer is general contains a link to its data management information, also indicated on the Questionnaire (www.bp18.hu/kozerdeku/adatvedelmi-informáciok). In addition, he wrote as much as "www.bp18.hu/vakcina" website, that the contact data is managed by the Customer for the purpose of until the consent is withdrawn to "keep in touch for the purpose of exchanging information". (vi) There are 97,687 inhabitants in the territory of the Customer. The Customer sent 54,469 letters to which By April 28, 2021, 4,856 residents had responded. (vii) The Customer provides information about data management exclusively on the paper Questionnaire It was provided by indicating a link to the customer's website (www.bp18.hu/kozerdeku/adatvedelmi-informáciok) 4. In the History Case, upon the request of the Authority, the Client on September 16, 2021 in his reply letter sent to NAIH-3566-8/2021, the following, the decision made relevant statements in terms of: (i) Requesting name and address information and sending envelopes containing the Questionnaire the Client's use of the 2011 Act on local governments in Hungary CLXXXIX. Act (hereinafter referred to as the Act) existing on the basis of Section 23, Paragraph (5), Point 9 it was done in order to carry out its municipal task. It confirms this about health care solo CLIV of 1997. also § 35 of the Act (hereinafter: Eütv.). (ii) The health data has been deleted, only the contact data of those persons already managed by the Customer based on the consent of the parties concerned. 4 (iii) Compared to the number of Questionnaires sent out, the number of respondents is almost 10%. THE based on international standards, the results of the Questionnaire can serve as a basis for the Customer for decision preparation during its municipal tasks. It was referred to in this round for the following study: Christman, M.C. – LAN, F. [2001]: Inverse Adaptive Cluster Sampling, Biometrics, vol. 57 No. 4 (hereinafter: Study). (iv) The Customer made the decision based on the analysis and continuous monitoring of the data about the opening hours of kindergartens, and informed 17 schools in the district about the data operating Klebelsberg Institutional Maintenance Center. In connection with this, one is attached an unsigned and unidentified reminder dated March 31, 2021, according to which the on the basis of information, a decision is made later on public information campaigns and about filters. (v) The Customer used the data obtained through the analysis in connection with its epidemiological decisions during the decision on the project for testing district schoolchildren, free antibody screening during its organization. (vi) The Customer based on verbal consultation with the head of the competent Government Office undertook to conduct a survey regarding the vaccination status of the district residents. (vii) Correspondence between the Client and various ministries attached by the Client is a The authority did not take it into account during the decision, as they were not significantly influenced by it the fulfillment of data controller obligations and the legality of data management. 5. In the Precedent Case, at the request of the Authority, the Government Office of Budapest Capital XVIII. District Office received on November 12, 2021, sent under NAIH-3566-11/2021 in his reply letter, he made the following statements relevant to the decision: (i) Government Office of Budapest Capital XVIII. District Office neither orally nor in writing did not ask the Client to prepare a survey on the vaccination status of local residents. (ii) Government Office of Budapest Capital XVIII. District Office did not receive a Questionnaire result from the processing of data from the Customer. (iii) Government Office of Budapest Capital XVIII. The district office did not receive any other Budapest office no such data from local governments either. (iv) Government Office of Budapest Capital XVIII. one of the organizational units of the District Office However, you cannot make a statement on behalf of the Government Office of Budapest Capital City. 6. Based on the information revealed in the Background Case, the general data protection regulation arose direct risk of violation of several articles in connection with the data management under investigation a The ex officio procedure of the authority and its action with official means were justified. The arose data protection issues concern the Customer's general data management practice, not a specific one are linked to the person concerned. In view of the above, the Authority approves Infotv. Section 55 (1) point a) based on subsection ab) closed the History Case and ex officio initiated the present data protection official procedure regarding the Customer's data management related to the Questionnaire. I.2. This data protection official procedure 1. In this data protection official procedure, upon request of the Authority, Budapest Capital City Received by your government office on December 30, 2021, sent under NAIH-8594-6/2021 in his reply letter, he made the following statements relevant to the decision: 5 (i) The Government Office of the Capital City of Budapest has been confirmed by the Government Office of the Capital City of Budapest XVIII sent by the district office, received under number NAIH-3566-11/2021 statements. (ii) Government Office of Budapest Capital XVIII. Statements made by the District Office a They are also valid for the Government Office of the Capital City of Budapest. 2. In this data protection authority procedure, upon request of the Authority, the Customer January 2022 In his reply letter received on the 12th, sent under number NAIH-642-1/2022, the decision below made relevant statements in terms of: (i) The Customer reserves the statements made in the Case of History. (ii) The net sales revenue of the Customer in 2021 was HUF 19,598,010,463. Requested by the Client to take into account that due to the higher expenses in 2021 there is a shortage of HUF 3,906,975,340 was, and all of its budget was for the performance of public tasks, part of it was for epidemics turns it into defense. (iii) Maintains I.1 above. his statement according to subsection 4.(vi), however, in his opinion, a The role of the government office is not significant in this case, the survey is mainly the Client served to fulfill his duties. 3. Recorded by the Authority on February 8, 2022 in the internet archive (The Wayback Machine) of its content, the following two archived contents about the previous state of the Website: (i) April 2021 of the https://bp18.hu webpage on data protection information 14's status (https://web.archive.org/web/20210414165038/https://bp18.hu/kozerdeku/adatvedelmi- informations) (ii) indicated on the data protection information subpage of the website https://bp18.hu "ADATKEZELESI_TAJEKOZTATO_BP18_v4_RF_20201125.pdf" can be downloaded A screenshot of the state of document 4 on May 7, 2021. page (points 2.3 and 3), which was from the above sub-page on data protection information available with this filename 4. CL of 2016 on the general administrative order. Act (hereinafter: Act) Based on § 76, there is no need to call for another statement, since the Customer and all the information on which the decision is based comes from the Customer's website. II. Legal provisions applicable in the case According to Article 2 (1) of the General Data Protection Regulation, the general data protection regulation must be applied to personal data in part or in whole in an automated manner processing, as well as the non-automated processing of data that are part of a registration system or which are a registration system want to be part of. You are identified as "personal data" on the basis of Article 4, point 1 of the General Data Protection Regulation any information relating to an identifiable natural person ("data subject"), including also the online ID. 6 According to Article 4, point 2 of the General Data Protection Regulation, "data management" is personal any performed on data or data files in an automated or non-automated manner operation or a set of operations, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, transmission of information, by means of distribution or other means of making available, coordination or connection, restriction, deletion or destruction. Pursuant to Article 4, point 7 of the General Data Protection Regulation, "data controller" is the natural or legal entity, public authority, agency or any other body that is personal determines the purposes and means of data management independently or together with others. If that the purposes and means of data management are determined by EU or member state law, the data manager or special considerations for the designation of the data controller by the EU or the Member States can also be determined by law Pursuant to Article 4, point 11 of the General Data Protection Regulation, it is "the consent of the data subject". of the will of the person concerned, based on voluntary, specific and adequate information and clear declaration by which the relevant statement or confirmation is unambiguously expressed indicates by action that he gives his consent to the processing of his personal data. Based on Article 4, point 15 of the General Data Protection Regulation, "health data" is a personal data concerning the physical or mental health of a natural person, including health services provided to natural persons also data that carries information about the health status of the natural person According to Article 5 (1) point b) of the General Data Protection Regulation, personal data should only be collected for specific, clear and legitimate purposes and should not be processed in a manner inconsistent with these purposes; in accordance with Article 89 (1). is not considered incompatible with the original purpose for the purpose of archiving in the public interest, further data management for scientific and historical research purposes or for statistical purposes ("goal-boundness"). Purposes of data management according to Article 5 (1) point c) of the General Data Protection Regulation they must be appropriate and relevant and must be necessary be limited ("data saving"). According to Article 6(1)(e) of the General Data Protection Regulation, it may be legal to processing of personal data, if the data processing is in the public interest or is entrusted to the data controller necessary for the execution of a task performed in the context of the exercise of public authority. According to Article 7 (2) of the General Data Protection Regulation, if the consent of the data subject given in the context of a written statement that also applies to other matters, a request for consent in a way that is clearly distinguishable from these other cases must be presented in an understandable and easily accessible form, with clear and simple language. The any part of such statement containing the consent of the affected person which violates e decree does not have binding force. Based on Article 9 (1) of the General Data Protection Regulation, racial or ethnic you are based on your origin, political opinion, religious or worldview conviction personal data referring to trade union membership, as well as genetic data, natural biometric data aimed at unique identification of persons, health data and personal regarding the sexual life or sexual orientation of natural persons processing of data is prohibited. 7 Based on Article 9(2)(a) of the General Data Protection Regulation, Article 9(1) paragraph does not apply, among other things, in the event that the data subject expressly consented to the use of said personal data for one or more specific purposes for its management, unless EU or Member State law provides that Article 9 (1) the prohibition referred to in paragraph cannot be lifted with the consent of the data subject. Based on Article 12 (1) of the General Data Protection Regulation, the data controller is compliant takes measures in order to allow the data subject to process personal data all relevant information mentioned in Articles 13 and 14 and Articles 15-22 and Article 34 according to each information is concise, transparent, comprehensible and easily accessible provide it in a clear and comprehensible form, especially to children for any information received. Based on Article 13 (1) and (2) of the General Data Protection Regulation, if the personal data were obtained from the data subject, the data controller makes the data available to the data subject following information: a) the identity of the data controller and, if any, the representative of the data controller and your contact information; b) contact details of the data protection officer, if any; c) the purpose of the planned processing of personal data and the legal basis of data processing; d) based on point f) of Article 6 (1) of the General Data Protection Regulation in the case of data management, the legitimate interests of the data controller or a third party; e) where applicable, recipients of personal data, or categories of recipients, if any; f) where appropriate, the fact that the data controller is in a third country or international organization wishes to forward the personal data to, and the Commission the existence or absence of a compliance decision, or general data protection regulation in Article 46, Article 47 or Article 49 (1) second in the case of data transfer referred to in subsection, the appropriate and suitable guarantees designation, as well as methods for obtaining a copy of i.e. or those reference to your contact information; g) on the duration of storage of personal data, or if this is not possible, on this aspects of determining the duration; h) on the data subject's right to request from the data controller the personal data relating to him access to data, their correction, deletion or restriction of processing, and may object to the processing of such personal data, as well as the data subject about your right to data portability; i) point a) of Article 6 (1) of the General Data Protection Regulation or Article 9 (2) in the case of data processing based on point a) of paragraph 1, the consent at any time the right to withdraw, which does not affect consent before the withdrawal the legality of data processing carried out on the basis of; j) on the right to submit a complaint to the supervisory authority; k) that the provision of personal data is legal or contractual whether it is based on an obligation or a prerequisite for the conclusion of a contract, as well as whether the person concerned whether you are required to provide personal data, and how it is possible failure to provide data may have consequences; 8 l) automated referred to in Article 22 (1) and (4) of the General Data Protection Regulation the fact of decision-making, including profiling, and at least in these cases understandable information on the applied logic and that such data management what significance it has and what expected consequences it has for the person concerned. Based on Article 13(4) of the General Data Protection Regulation, Article 13(1)-(3) it does not have to be applied if and to what extent the data subject already has the information. Based on Article 14 (1) and (2) of the General Data Protection Regulation, if the personal data was not obtained from the data subject, the data controller makes it available to the data subject the following information: a) the identity of the data controller and, if any, the representative of the data controller and your contact details; b) contact details of the data protection officer, if any; c) the purpose of the planned processing of personal data and the legal basis of data processing; d) categories of personal data concerned; e) recipients of personal data, or categories of recipients, if any; f) where appropriate, the fact that the data controller is a recipient from a third country or wishes to transfer personal data to an international organization, also the existence or absence of the Commission's conformity decision, or the 46. referred to in Article 47 or the second subparagraph of Article 49 (1) in the case of data transfer, indicating the appropriate and suitable guarantees, as well as these a reference to the means of obtaining a copy or their availability; g) the period of storage of personal data, or if this is not possible, this period aspects of its definition; h) if the data management is based on point f) of paragraph (1) of Article 6, you are the data controller about the legitimate interests of third parties; i) the data subject's right to request from the data controller the personal data relating to him access to data, their correction, deletion or restriction of processing, and can object to the processing of personal data, as well as to the data portability concerned his right; j) based on point a) of Article 6 (1) or point a) of Article 9 (2) in the case of data processing, the right to withdraw consent at any time, which does not affect the data processing carried out on the basis of consent before the withdrawal legality; k) the right to submit a complaint addressed to a supervisory authority; l) the source of the personal data and, where appropriate, whether the data is publicly available whether they come from accessible sources; and m) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including also profiling, and at least in these cases to the applied logic and that comprehensible information regarding the significance of such data management and what are the expected consequences for the person concerned. 9 Based on Article 14(5) of the General Data Protection Regulation, Article 14(1)-(4) shall not apply if and to the extent that: a) the data subject already has the information; b) providing the information in question proves to be impossible, or would require a disproportionate amount of effort, especially for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, Article 89 (1) data management taking into account the conditions and guarantees contained in paragraph in the case of, or if the obligation referred to in paragraph (1) of this article would probably make this data management impossible or seriously jeopardize it achieving its goals. In such cases, the data controller must take appropriate measures - including making information publicly available - the rights of the data subject, to protect your freedoms and legitimate interests; c) expressly requires the acquisition or disclosure of data to be applicable to the data controller EU or Member State law, which is adequate to protect the legitimate interests of the data subject provides for measures; obsession d) professional confidentiality of personal data prescribed by an EU or member state law on the basis of an obligation, including the obligation of confidentiality based on law, must remain confidential. For data management under the scope of the General Data Protection Regulation, Infotv. Section 2 (2) according to paragraph of the general data protection regulation in the provisions indicated there must be used with included additions. Infotv. Validation of the right to the protection of personal data based on § 60, paragraph (1). in order to do so, the Authority initiates an official data protection procedure at the request of the data subject and may initiate official data protection proceedings ex officio. Infotv. According to § 61, paragraph (1), point a), it was made in the official data protection procedure in its decision, the Authority issued Infotv. Data management defined in paragraph (2) of § 2 in connection with operations defined in the general data protection regulation may apply legal consequences. Infotv. Pursuant to § 71, paragraph (2), the Authority lawfully obtained during its procedures can use documents, data or other means of proof in other proceedings. Infotv. 75/A. Based on § 83 of the General Data Protection Regulation, Article 83 (2)–(6) exercises its powers in accordance with the principle of proportionality, especially with the fact that you are in the law regarding the handling of personal data The regulations defined in the mandatory legal act of the European Union are being implemented for the first time in case of violation, to remedy the violation - with Article 58 of the General Data Protection Regulation in accordance with - takes action primarily with the warning of the data manager or data processor. It is ordered by the Authority based on Article 58 (2) point d) of the General Data Protection Regulation the data manager or the data processor to perform its data management operations - where applicable in a specified manner and within a specified period of time - harmonized by this regulation with its provisions. On the basis of Article 58 (2) point i) of the General Data Protection Regulation, the Authority has the 83. imposes an administrative fine in accordance with Article, depending on the circumstances of the given case in addition to or instead of the measures mentioned in this paragraph. 10 Based on Article 83 (1) of the General Data Protection Regulation, all supervisory authority ensures that due to the violation mentioned in paragraphs (4), (5), (6) of this regulation the administrative fines imposed on the basis of this article are effective in each case, be proportionate and dissuasive. According to Article 83 (2) of the General Data Protection Regulation, administrative fines depending on the circumstances of the given case, Article 58 (2) of the General Data Protection Regulation must be imposed in addition to or instead of the measures mentioned in points a)-h) and j) of paragraph When deciding whether it is necessary to impose an administrative fine or a sufficiently in each case when determining the amount of the administrative fine the following should be taken into account: a) the nature, severity and duration of the infringement, taking into account the one in question the nature, scope or purpose of data processing, as well as the number of data subjects affected by the breach affected, as well as the extent of the damage they suffered; b) the intentional or negligent nature of the infringement; c) damage suffered by data subjects on the part of the data controller or data processor any measures taken to mitigate; d) the extent of the responsibility of the data controller or data processor, taking into account the technical and organizational measures; e) relevant violations previously committed by the data controller or data processor; f) the remedy of the violation with the supervisory authority and the possible negative nature of the violation extent of cooperation to mitigate its effects; g) categories of personal data affected by the infringement; h) the manner in which the supervisory authority became aware of the violation, in particular whether the data controller or the data processor has reported the breach, and if so, in what detail; i) if against the relevant data manager or data processor previously - in the same a subject matter - ordered referred to in Article 58 (2) of the General Data Protection Regulation one of the measures, compliance with the measures in question; j) whether the data manager or the data processor has observed general data protection for approved codes of conduct under Article 40 of the Decree or the general for approved certification mechanisms under Article 42 of the Data Protection Regulation; as well as k) other aggravating or mitigating factors relevant to the circumstances of the case, for example, financial gain as a direct or indirect consequence of the infringement or avoided loss. Pursuant to Article 83 (7) of the General Data Protection Regulation, the supervisory authorities 58. without prejudice to its corrective powers under paragraph (2) of Article, each member state can establish the rules regarding the fact that the public authority with its registered office in the given member state or whether an administrative fine can be imposed against another body performing a public task, and if yes, to what extent. Infotv. Article 83 of the General Data Protection Regulation based on § 61 (4) point b). in the case of a fine imposed according to to pay the fine imposed in the decision made in the official data protection procedure obliged budget body. In the absence of a different provision of the General Data Protection Regulation, the request was initiated for official data protection procedure, Art. provisions shall be applied in Infotv with certain deviations. Lakcímtv. Based on point a) of § 21, the bodies of local governments are in law for the performance of their duties defined in the municipal decree, Lakcímtv. Section 17 (2) are entitled to request data according to paragraph b), which are natural personal identification data and address data, citizenship, marital status, marriage or the place of establishment of a registered partnership, the gender is from the register reason, place and time of exclusion. The Mötv. Based on § 23, subsection (5), point 9, among others, the task of the district self-government consists of basic health care and services aimed at helping a healthy lifestyle. The Eütv. Based on § 35, paragraph (1), public health is state and local government bodies, mainly implemented with the participation of economic and civil organizations and individuals activities aimed at population groups and communities, health protection and development, to prevent disease, injury and disability. The purpose of public health is to population health monitoring, health problems and priorities definition, elaboration and implementation of public health measures by government, in cooperation with professional and civil organizations. The Eütv. Based on § 35, paragraph (2), public health activity includes: a) health is a scientifically based natural and social environment (a hereinafter together: environmental) conditions, health development, diseases prevention is effective, accessible and based on adequate evidence methods, as well as the establishment and operation of the necessary institutional system the definition of the conditions, b) the health behavior of the population and the environmental factors influencing it regular analysis, c) the health-damaging effects based on the data revealed during the analysis according to point b). assessing its risk and prioritizing the corresponding problems and priorities, d) the public health strategy in accordance with international guidelines and this the development of an action plan promoting its implementation, which is predetermined and measurable defines health goals in order to improve health, and also includes a interventions aimed at prevention and reduction of health-damaging effects, e) in order to implement the tasks, health promotion, health protection, provision of disease prevention, healing and medical rehabilitation services, f) the efficiency, effectiveness, accessibility and others of the services regular evaluation according to their quality characteristics. The Eütv. Pursuant to § 35, paragraph (3), the goals of social and health policy public health must be relied upon when determining and preparing decisions to data revealed during the activity. 12 The Eütv. On the basis of paragraph (4) of § 35, the population is informed about the public health situation, the arising about problems, the causative factors, the expected consequences, the solution its possibilities and limitations must be regularly informed. III. Decision III.1. Description of data management 1.1. The Data Controller 1. The Customer could not substantiate his claim that he is a third party to the data management person, at the request of the competent government office, and this was done by both the district and the capital government office denied. The Customer arrived on January 12, 2022, number NAIH-642-1/2022 also confirmed in his reply letter that the relevant government office did not have it meaningful role in the design of data management. 2. The Customer voluntarily undertook the data management in connection with the municipal task, his own based on his decision, its conditions were not determined by either EU or Hungarian legislation yes. 3. Based on the above, in the case of all data processing examined in this case, with the data processing all related decisions, their necessity, method and means are made by the Customer determined, thus, based on Article 4, point 7 of the General Data Protection Regulation, he is considered a Customer as an independent data controller. 1.2. Data management related to name and address data obtained from third parties is the main one characteristics 1. In preparation for data management with the Questionnaire, the Customer must provide personal data and Lakcímtv from the residential address register. § 21 point a), the Act. § 23, subsection (5), point 9, and the Eütv. Pursuant to paragraph (1) of Section 35, all Budapest XVIII. district adult resident name and address data. 2. This data management is subject to Article 6 (1) point (e) of the General Data Protection Regulation of the Customer founded, i.e. for epidemiological assessment and prevention due to the covid-19 pandemic was necessary for the performance of its related public duty. 3. The name and address data used for addressing are provided by the Customer after mailing the Questionnaires deleted, they were only handled for a short time in the month of March 2021 exclusively for Questionnaires for the purpose of benefit. No circumstances to the contrary arose during the procedure. 1.3. The main characteristics of data management related to the contact data received in the Questionnaire 1. On the Questionnaire, the Customer requested to provide the following contact details, but no indicated that entering them is optional: name, phone number, email address. They are not in substance were separable from the requested health data, it was not clear from the Questionnaire that this data is used according to different purposes and conditions. 2. Contact information received on the Questionnaire is available to the Customer - only when filling it out online - according to his information, the consent is managed based on the consent of the data subject until its withdrawal for the purpose of "keeping in touch for the purpose of exchanging information" on this with the data subjects providing data on the Questionnaire. 13 3. Based on the above, those who send Questionnaires by post or online, approx. Of the 5,000 people involved, the name, telephone number, and email address of the data subjects providing contact information is currently still managed by it Customer. 1.4. Data management related to the health data received in the questionnaire is the main one characteristics 1. The Questionnaire included the following questions: (i) have you registered for vaccination, (ii) whether you have received the vaccine, (iii) whether you have been infected with coronavirus. 2. Pursuant to point 15 of Article 4 of the General Data Protection Regulation, health data is one personal data concerning the physical or mental health of a natural person, including health services provided to natural persons also data that carries information about the health status of the natural person. Above The Customer did not dispute the nature of answers to questions as health data during the procedure, Article 9 (2) of the General Data Protection Regulation was also referred to in this regard also to point a). The broad interpretation of health data is confirmed, among others, by the European Also the practice of the Court of Justice of the Union, according to which any reference to physical or mental health data can be health data. 3. The Customer handled the above health data only temporarily, however for data subjects who also provided contact data, these are identifiable persons were temporarily treated. Medical related to the person data was deleted by the Customer one week after receipt. The opposite is the case did not arise during the procedure. 4. The purpose of handling health data was to produce anonymous statistics based on which the Client wanted to make local government decisions with the covid-19 pandemic in connection. III.2. Obligation to provide appropriate information 1. According to Article 12 (1) of the General Data Protection Regulation, the Customer is considered independent the obligation of the data controller to take appropriate measures to ensure that concerning the processing of personal data for those concerned, referred to in Articles 13 and 14 all information and 15-22. and each information according to Article 34 is concise, in a transparent, comprehensible and easily accessible form, in a clear and understandable way provide it formulated. 2. The system of appropriate information in the general data protection regulation serves to so that the data subject can be aware of which personal data, which data controller and for which purpose, how you will handle it. This is essential to be in a position to to be able to meaningfully exercise its stakeholder rights. 1 see e.g. Decision No. C-101/01 (Lindqvist case): https://curia.europa.eu/juris/liste.jsf?num=C-101/01 14 3. Data management based on point e) of Article 6 (1) of the General Data Protection Regulation due to the more vulnerable stakeholders, there is an increased expectation of information performing public authority tasks, performing data management regardless of the consent of the data subject against a data controller compared to a data controller that is the data subject's right of disposal manages the personal data of the data subject. In the absence of adequate information, by definition the data subject is not in a position to properly exercise his data subject rights. 4. Data management based on point a) of Article 6 (1) of the General Data Protection Regulation based on Article 4, point 11 of the General Data Protection Regulation, not only the data management beginning, but before obtaining consent, the data controller is obliged to to provide information on the basis of which informed consent can be given. 5. In relation to the legal basis of data subject consent according to the General Data Protection Regulation it is important to emphasize that it does not mean that the data controller is subject to other legal obligations applies as a general authority regardless of conditions that at any time and can handle any personal data without limits for any reason. For data management stakeholder consent can only be valid if it is for specific purpose(s) - per purpose can be specified separately - they ask, and before that they provide adequate information, which in such a situation brings the data subject to be able to make an appropriate decision about giving consent, and complies with all other validity conditions prescribed in the General Data Protection Regulation requirement. Article 12 (1) of the General Data Protection Regulation specifically imposes a performance obligation on the data controller, i.e. the data subject needs such help provide, so that all stakeholders can exercise their rights in an informed manner. 6. As explained above, the obligation to provide information is not a mere "paperwork" is an obligation in the General Data Protection Regulation. Everything contained in the preamble, all the articles of the General Data Protection Regulation require the data manager to achieve results in determining its obligations, not just a specified minimum effort confirmation by the data controller. The purpose of the information is to put you in such a situation data subject to be in the appropriate decision-making position by exercising the data subject's rights in connection. 7. The Customer has no merit in the Questionnaire, and is easily accessible by those concerned did not provide information about data management to the affected parties, nor did it provide any other information purposes, neither the legal bases nor the durations were revealed, and the source of the name and address data didn't mark it either. It was also not revealed that filling in contact information is optional. It is paper based in the case of data management, the provision of substantive information in its entirety online is usually not it is transparent and easily accessible to the stakeholders who receive the Questionnaire by post and return it for. Thus, this alone prevented the valid consent of those concerned be able to give. 8. It is available to the Customer with a link indicated in writing on the Questionnaire and also when filling it out online general data management available at www.bp18.hu/kozerdeku/adatvedelmi-informáciok information at the time of sending out the Questionnaires and when they are returned by those concerned - which is According to customer statements, there was a short period around March 2021 - none it did not contain information about any of the examined data management. At the request of the Authority information sent at the web address www.bp18.hu/kozerdeku/adatvedelmi-informáciok only After May 7, 2021, the above I.2. Based on the web archive according to point 3, it prior to this, there was no information regarding any data management. Bar subsequent information does not play a role in the determination of illegality, the Authority notes that, subsequently exchanged by the Customer on the Website, 2.4. and 2.5. with points supplementary information also did not include the source of the data, as well as basic information about specific goals. The file name, content, and version number of this on the Website are not 15 corresponds to the version available at the time of the examined data management. However, due to the above, 2.4. and 2.5. in case of earlier availability of new information supplemented with points, its content, as well as It would not have been made suitable due to the lack of easy accessibility together with the questionnaire the information, at least its basic information, should have been provided on the Questionnaire. The the purpose and nature of data management was not so complex that it would have significantly hindered this. III.3. Evaluation of the data management required to send the Questionnaire 1. Based on Article 6 (1) point e) of the General Data Protection Regulation a necessary for the performance of public authority and other public duties defined by law has the right to contact district residents. 2. However, it is also necessary in the case of the application of the above legal basis - and any other legal basis to comply with all provisions of the General Data Protection Regulation, in this case with particular regard to the obligation under Article 14 of the General Data Protection Regulation. This based on the Customer at the latest when sending the Questionnaire, together with at least to provide information to those concerned about where it comes from their name and address data, and this data is no longer managed. The Customer is responsible for this – the above III.2. taking into account what was explained in point - he did not fulfill it, and this also played a big role played a role in the fact that several stakeholders made public interest announcements due to the Questionnaire. 3. None of the exceptions according to Article 14 (5) of the General Data Protection Regulation apply in the present case, it does not constitute a disproportionate expectation and would not make it impossible the purpose of data management is to provide at least adequate concise information on or alongside the Questionnaire about the most basic conditions of data management. 4. This data management is closely related to the Questionnaire, however, the legal basis and the data are different due to its external source, different provisions are required compared to the other examined data management comply, for this reason the Authority classified it separately. Article 6 of a self-governing municipality The legal basis for this, based on point e) of paragraph (1), is smaller compared to other violations an omission does not make it invalid, however, regardless of this, the Customer would have been obliged to e to act in accordance with the general data protection regulation. 5. Based on the above, the Customer violated Article 12 (1) of the General Data Protection Regulation and the obligation to provide information according to Article 14. III.4. Evaluation of the handling of contact personal data 1. The principles in Article 5 (1) of the General Data Protection Regulation do not only apply to they serve to make theoretical findings with the implementation of data management in connection. These principles cover specific obligations that can be held accountable in specific cases on the data controllers. 2. According to Article 5 (1) point b) of the General Data Protection Regulation, personal data should only be collected for specific, clear and legitimate purposes and should not be processed in a manner inconsistent with these purposes; in accordance with Article 89 (1). is not considered incompatible with the original purpose for the purpose of archiving in the public interest, further data management for scientific and historical research purposes or for statistical purposes. In this case, it is not a law, but a unique statistic based on the Customer's decision, thus the precise and clear definition of the data management purpose and from other purposes it would have been the Customer's responsibility to ensure its distinctiveness. 16 3. The Customer fulfills the above obligation - the revealed facts and the above III.2. also explained in point attention - neither the Authority nor the stakeholders did not fulfill it. Contact details the goal of its treatment should not be an elusive goal such as general contact. It is necessary to indicate in some way what the contact is specifically like means sending information of the kind, and in the case of "exchange of information", what kind of information are expected from the stakeholders. Mixing this data management with health data, they are one collection on the page raises the prohibition according to Article 7 (2) of the General Data Protection Regulation also his grievance, according to which the request for consent is clearly separated from other matters must be presented in a distinguishable manner, especially when their mixing is severe would raise data protection issues. 4. According to Article 5 (1) point c) of the General Data Protection Regulation, data management they must be appropriate and relevant for its purposes and must be necessary be limited. The optional nature of the contact as a whole, as well as the contact information in the event of your choice, the right to freely choose individual communication channels (that is enough to enter a type of contact data) should have been clearly and clearly stated from the information provided to those concerned, however, the Customer has no merit in this regard did not provide information to those concerned. The Customer did not substantiate with anything that for which reason it is not enough if the individual maintains contact only on one communication channel with stakeholders, even if several contact channels are specified, why would you need more than one for several types of access to contact a data subject and for which purposes this is necessary without time limit, even after the end of the epidemic. 5. Based on Article 4, point 11 of the General Data Protection Regulation, the consent of the data subject is one suitable for data processing without a specific purpose and unreasonably determined in time is not valid in the absence of information, and the above circumstances are also affected individually would lead to invalidity of consent. In the absence of valid consent, it is data management does not comply with Article 6 (1) point a) of the General Data Protection Regulation according to the legal basis, and no other legal basis exists. 6. Based on the above, contact personal data collected by the Customer on the Questionnaire violated Article 5(1)(b) of the General Data Protection Regulation according to the purpose-related principle, data saving according to Article 5 (1) point c). principle, to provide prior information according to Article 12, paragraph (1) and Article 13 obligation, as well as in the absence of valid consent due to the above, the general Article 6 (1) and Article 7 (2) of the data protection regulation, and this point violations of the law still exist. III.5. Evaluation of the management of health data 1. The above III.2. and III.4. written in points, as explained below, are properly governing also for handling the health data collected on the Questionnaire, with the fact that in this case there was one legitimate purpose, the preparation of epidemiological statistics, and local government measures based on this and these data are no longer processed, they have been deleted. Because of this above III.4. from the points explained, there was no violation of the principle of purpose-boundness with regard to health data. 2. In the case of handling health data, Article 6 (1) of the General Data Protection Regulation Article 9 (2) of the General Data Protection Regulation is required in addition to one of the legal bases of according to paragraph - exceptions to the general treatment ban according to Article 9 (1) one of them must exist. In this case, the consent is defined in Article 17 of the General Data Protection Regulation According to Article 9(2)(a), the additional condition that the person concerned must be met has given his express consent to the said personal data for one or more specific purposes for treatment. Given that adequate information was not provided, as well as a necessity and suitability to achieve the goal does not exist for the reasons explained below, therefore this condition could not be met either. 3. Data saving according to Article 5 (1) point c) of the General Data Protection Regulation one of the conditions for its practical implementation is that data management is necessary and proportionate to achieve a given data management goal, and is also suitable for it. 4. Regarding the issue of suitability, the Authority emphasizes that the Client did not support it with anything below, exactly how he knew from a non-representative sample of less than 10% to draw accurate conclusions about the district residents as a whole. In addition, the statistics are one it was made at a moment in time in the middle of the vaccination campaign, its results are significantly different from week to week could have changed, and would not have given an accurate picture of the epidemic situation within a short period of time even if the would have been accurate when it was made. The Study referenced by the Customer is only a summary was available, but the Study does not support that it was collected on the Questionnaire to get accurate results by creating anonymous statistics from data, but that is small in the case of a large, non-representative sample, additional external – non-anonymous – information it would have been necessary to use it in relation to those who filled out the Questionnaire. Such the Customer did not indicate the acquisition of additional personal data, and this is data protection it would not have reduced the level of infringement, but rather increased it. Suitability in itself however, it would not significantly affect the legality of data management. 5. It is a question independent of the suitability of the generated statistics that the treated health data were classified as personal data because they potentially – even on a paper basis – they could be linked to the persons concerned. Apart from the Customer's statement, there is no organizational or other guarantee that could have technically excluded this connection. Is that questions were not asked separately from the contact identification data, unnecessarily linked them to a specific stakeholder. To a specific natural person with a non-binding random document identification number, it can be ensured that there is only one person concerned send back a reply which has no connection between document identification numbers and recipients would not be necessary at any step of data management (it is sufficient to ensure that that a document identification number is processed only once, which is indicated in the list), and the statistics could also have been prepared from anonymous data of a special category of personal without processing data. For this reason, this data management in no way complied with the necessity and proportionality criterion, which is the above III.2. as explained in point is an additional condition for the legality of data processing independent of the consent of the data subject. 6. Based on the above, the Customer manages the health data collected with the Questionnaire violated Article 5(1)(c) of the General Data Protection Regulation the principle of data saving, the advance notice according to Article 12 (1) and Article 13 obligation to provide information, as well as valid due to the above due to the lack of consent, Article 6 (1) of the General Data Protection Regulation, Article 7 (2) and (1) of Article 9. ARC. Legal consequences 1. The Authority complies with Article 58 (2) point i) and Article 83 (2) of the General Data Protection Regulation may impose a data protection fine instead of or in addition to the other measures. There was no doubt that in case of violation of the general data protection regulation, the general on the basis of Article 58 (2) point d) of the Data Protection Regulation, to oblige the data controller 18 necessary to bring data management into line with the general data protection regulation. Due to the time-consuming nature of obtaining consents and the nature of data management as a public task, a The authority set a deadline of 60 days instead of the usual 30 days. In addition to the In accordance with the governing judicial practice, the authority in imposing the fine in this case is among the aspects listed in Article 83 (2) of the General Data Protection Regulation presents what was taken into account in the justification of the decision. 2. On the question of whether the imposition of a data protection fine is justified, the Authority made a decision based on statutory discretion, taking into account Infotv. Section 61 (1) to paragraph a), Infotv. 75/A. 83 of the General Data Protection Regulation. (2) and Article 58 (2) of the General Data Protection Regulation, which based on this, the conviction in itself would not be a proportionate and dissuasive sanction, therefore a fine must be imposed. In this case, the protection of personal data - which is the Authority task - it is not available based on the totality of the fine imposition circumstances detailed below without imposing a data protection fine. The imposition of fines is both special and general it also serves prevention, for which purpose the decision should also be published on the website of the Authority costs 3. The Authority did not consider mitigating factors regarding the necessity of the fine as a circumstance, the economic situation referred to by the Customer, since it is – indirectly, the annual through income - it only affects the amount of the fine if it is necessary, no whether it is necessary to impose the fine, the necessity of the violation and its circumstances determined in accordance with Article 83 (2) of the General Data Protection Regulation. E respect, the Authority took into account when determining the amount of the fine that the Customer Its net sales revenue in 2021 was HUF 19,598,010,463. The Authority is the Customer's bad material situation and the public interest related to the performance of his public duties, the amount of the fine taken into account as a mitigating circumstance when determining 4. The Authority also did not consider as a mitigating circumstance the fact that the Customer a With the authority during the procedure - not for damage mitigation, only for response in the procedure purpose - cooperated, as this is all based on Article 31 of the General Data Protection Regulation obligation of data controller and data processor, its absence could be taken into account as an aggravating circumstance. (General Data Protection Regulation Article 83 (2) point f) 5. When determining the amount of the data protection fine, the Authority as a mitigating circumstance took into account the following: (i) Compiling statistics to aid epidemic management is not illegal in itself During the operation of the municipality, only its access was not planned for data protection with awareness and inappropriately trying to reach it, as well as on contact details external data were deleted within a short time, and with regard to contact personal data based on all the circumstances of the case, the violation can be remedied according to the relevant part. (General Data Protection Regulation Article 83 (2) point a) (ii) The infringement is negligent, it was not aimed at harming the affected parties or for illegal profit-making (General Data Protection Regulation Article 83 (2) point b) (iii) Most of the personal data was deleted within a short period of time, thus remedying the violation the Customer has already partially done so – without affecting the occurrence of the previous infringement, and before that, it was used for statistical purposes separately from other data management health data (General Data Protection Regulation Article 83 (2) point c) (iv) The Authority has not previously established a data protection violation against the Client. (General Data Protection Regulation Article 83 (2) point e) 19 6. When determining the amount of the data protection fine, the Authority as an aggravating circumstance took into account the following: (i) By handling unnecessary personal data that does not take into account the will of the data subjects associated mass data processing violates the right to the protection of personal data and in general represents an unnecessary data security risk. (General Data Protection Regulation Article 83 (2) paragraph point a) (ii) The Client is a public authority, and the requirements for compliance with the legislation are increased, it would be the task of public bodies to set a good example for the private sector. (General Data Protection Regulation Article 83 (2) point d) (iii) There was no effective information available to the affected parties, so they had no chance was to exercise their stakeholder rights, to make an appropriate stakeholder decision. and this is at the principle level it was the result of insufficient data protection planning. (General Data Protection Regulation Article 83 (2) point d) (iv) The scope of personal data handled belongs to a special category personal health data that was linked unnecessarily – even temporarily – to specific stakeholders. (General Data Protection Regulation Article 83 (2) point g) (v) The Authority became aware of the violation through several public interest reports (general Article 83 (2) point h) of the Data Protection Regulation 7. Based on the above, the Authority imposes a data protection fine in the amount specified in the applicable section considered its imposition proportionate and dissuasive based on all the circumstances of the case. This does not mean that, in a similar case, the data protection fine against another data controller will not apply it could be significantly higher, especially for the purpose of general prevention to the additional circumstance of ignoring the published publication, as well as to that considering that in this case Infotv. The maximum fine based on § 61, paragraph (4) point b). was twenty million forints instead of the general maximum of the general data protection regulation. A. Other questions 1. Infotv. According to § 38, paragraph (2), the Authority is responsible for the protection of personal data, and the right to access data of public interest and public interest control and promotion of the validity of personal data in the European Union facilitating its free flow within. Infotv. According to Section 38 (2a), the general tasks and powers established for the supervisory authority in the data protection decree general data protection for legal entities under the jurisdiction of Hungary is exercised by the Authority as defined in the decree and this law. The Authority its jurisdiction covers the entire territory of Hungary. 2. The Art. Based on § 112, paragraph (1), § 114, paragraph (1) and § 116, paragraph (1), the a decision can be appealed through an administrative lawsuit. * * * 3. The rules of the administrative procedure are laid down in Act I of 2017 on the Administrative Procedure hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. Section 13, paragraph (3) 20 Based on point a) subpoint aa), the Metropolitan Court is exclusively competent. The Kp. Section 27 (1) according to paragraph 1, legal representation is mandatory in administrative proceedings before the tribunal. The Kp. According to paragraph (6) of § 39, the submission of a claim is an administrative act does not have the effect of postponing its entry into force. 4. The Kp. Paragraph (1) of Section 29 and, in view of this, CXXX of 2016 on the Code of Civil Procedure. applicable according to § 604 of the Act, electronic administration and trust services CCXXII of 2015 on its general rules. according to § 9 (1) point b) of the Act, the the client's legal representative is obliged to maintain electronic contact. The submission of the statement of claim time and place of Kp. It is defined by § 39, paragraph (1). Request to hold the hearing information about the possibility of the Kp. It is based on paragraphs (1)-(2) of § 77. 5. The amount of the fee for the administrative lawsuit is determined by the XCIII of 1990 on fees. law (hereinafter: Itv.) 45/A. Section (1) defines. From the advance payment of the fee the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt the person initiating the procedure half. 6. If the Customer does not adequately certify the fulfillment of the prescribed obligations, the Authority considers that the obligations have not been fulfilled within the deadline. The Akr. According to § 132, if the Customer did not comply with the obligation contained in the Authority's final decision, that is can be executed. The Authority's decision in Art. according to § 82, paragraph (1) with the communication becomes permanent. The Akr. Pursuant to § 133, enforcement - if you are a law government decree does not provide otherwise - it is ordered by the decision-making authority. The Akr. 134. pursuant to § the execution - if it is a law, government decree or municipal authority the local government decree does not provide otherwise - the state tax authority undertakes. Infotv. Based on § 61, paragraph (7), contained in the Authority's decision, to carry out a specific act, to perform a specific behavior, to tolerate or regarding the obligation to stop, the Authority will implement the decision undertakes. dated: Budapest, according to the electronic signature In the absence of President Dr. Attila Péterfalvi: Dr. Győző Endre Szabó vice president