NAIH (Hungary) - NAIH-642-4/2022: Difference between revisions

From GDPRhub
mNo edit summary
No edit summary
 
(6 intermediate revisions by 2 users not shown)
Line 69: Line 69:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Sophia Hassel
|Initial_Contributor=sh
|
|
}}
}}


The Hungarian DPA charged a local municipality for how it conducted a survey on the vaccination status of its local residents. It fined the controller 3 million Hungarian Forints for the breach of [[Article 5 GDPR|Articles 5(1)(b)(c) GDPR]], [[Article 6 GDPR#1|6(1) GDPR,]] [[Article 12 GDPR1|12(1) GDPR]], [[Article 7 GDPR2|7(2) GDPR,]] [[Article 9 GDPR#1|9(1) GDPR]], [[Article 13 GDPR|13 GDPR]] and [[Article 14 GDPR|14 GDPR.]]
The Hungarian DPA charged a local municipality for how it conducted a survey on the vaccination status of its local residents. It fined the controller 3 million Hungarian Forints (around  €7,80) for the breach of [[Article 5 GDPR|Articles 5(1)(b)(c) GDPR]], [[Article 6 GDPR#1|6(1) GDPR,]] [[Article 12 GDPR|12(1) GDPR]], [[Article 7 GDPR#2|7(2) GDPR,]] [[Article 9 GDPR#1|9(1) GDPR]], [[Article 13 GDPR|13 GDPR]] and [[Article 14 GDPR|14 GDPR.]]


== English Summary ==
== English Summary ==
Line 80: Line 80:
Independent of any instructions from the XVIII District Office of the Government of Budapest, the municipality of Pestszentlőrinc‑Pestszentimre carried out a survey on the COVID-19 vaccination status of its local citizens. The controller aimed to produce anonymised statistics on the basis of which municipal decisions in relation to the pandemic could be made.  
Independent of any instructions from the XVIII District Office of the Government of Budapest, the municipality of Pestszentlőrinc‑Pestszentimre carried out a survey on the COVID-19 vaccination status of its local citizens. The controller aimed to produce anonymised statistics on the basis of which municipal decisions in relation to the pandemic could be made.  


To send the questionnaire, the controller lawfully obtained the names and addresses of all adult residents in the area. The questionnaire, on the other hand, was deemed non-compliant. It did not make clear that data subjects’ name, telephone number and email address were optional. It did not specify that the health data and the name, telephone number and email address would be processed for different purposes and under different conditions. Lastly, consent was only available upon completion of the questionnaire.  
To send the questionnaire, the controller lawfully obtained the names and addresses of all adult residents in the area. The questionnaire, on the other hand, was deemed non-compliant. It did not make clear that data subjects’ name, telephone number and email address were optional. It did not specify that the name, telephone number and email address, when provided, would be processed alongisde the health data. Lastly, consent to processing was only available upon completion of the questionnaire, when the data had already been submitted.  


After a public interest notification, the case was referred to the Hungarian DPA under Hungarian national law.
After a public interest notification, the case was referred to the Hungarian DPA under Hungarian national law.
Line 89: Line 89:
The controller failed to provide adequate information on the data processing to the data subjects in the questionnaire under [[Article 12 GDPR|Articles 12(1)]] and [[Article 14 GDPR|14 GDPR.]]  
The controller failed to provide adequate information on the data processing to the data subjects in the questionnaire under [[Article 12 GDPR|Articles 12(1)]] and [[Article 14 GDPR|14 GDPR.]]  


Processing the personal data that was optionally added to the questionnaire resulted in excessive processing under [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] and 5(1)(c) GPDR. It also breached [[Article 12 GDPR#1|Article 12(1) GDPR]] and 13 GDPR as the data subject was not informed of this additional processing. The COVID-19 status of the residents was considered health data under [[Article 9 GDPR#1|Article 9(1) GDPR]]. Mixing the processing of the optionally provided data with the health data muddied consent breaching [[Article 7 GDPR#2|Article 7(2) GDPR]]. This meant that the controller no longer had a legal basis under [[Article 6 GDPR#1|Article 6(1) GDPR]].  
Processing the personal data that was optionally added to the questionnaire resulted in excessive processing under [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] and [[Article 5 GDPR|5(1)(c) GDPR.]] It also breached [[Article 12 GDPR#1|Article 12(1) GDPR]] and [[Article 13 GDPR|13 GDPR]] as the data subject was not informed of this additional processing. The COVID-19 status of the residents was considered health data under [[Article 9 GDPR#1|Article 9(1) GDPR]]. Mixing the processing of the optionally provided data with the health data muddied consent breaching [[Article 7 GDPR#2|Article 7(2) GDPR]]. This meant that the controller no longer had a legal basis under [[Article 6 GDPR#1|Article 6(1) GDPR]].  


The DPA fines the controller 3 million Hungarian Forint, equivalent to around 7,800 euros, under [[Article 58 GDPR#2|Article 58(2) GDPR]].
The DPA fined the controller 3 million Hungarian Forint, equivalent to around €7,800, under [[Article 58 GDPR#2|Article 58(2) GDPR]].


== Comment ==
== Comment ==

Latest revision as of 15:22, 29 August 2023

NAIH - NAIH-642-4/2022
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(b) GDPR
Article 6(1) GDPR
Article 7(2) GDPR
Article 9(1) GDPR
Article 12(1) GDPR
Article 13 GDPR
Article 14 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 3000000 HUF
Parties: n/a
National Case Number/Name: NAIH-642-4/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH-642-4/2022 (in HU)
Initial Contributor: sh

The Hungarian DPA charged a local municipality for how it conducted a survey on the vaccination status of its local residents. It fined the controller 3 million Hungarian Forints (around €7,80) for the breach of Articles 5(1)(b)(c) GDPR, 6(1) GDPR, 12(1) GDPR, 7(2) GDPR, 9(1) GDPR, 13 GDPR and 14 GDPR.

English Summary

Facts

Independent of any instructions from the XVIII District Office of the Government of Budapest, the municipality of Pestszentlőrinc‑Pestszentimre carried out a survey on the COVID-19 vaccination status of its local citizens. The controller aimed to produce anonymised statistics on the basis of which municipal decisions in relation to the pandemic could be made.

To send the questionnaire, the controller lawfully obtained the names and addresses of all adult residents in the area. The questionnaire, on the other hand, was deemed non-compliant. It did not make clear that data subjects’ name, telephone number and email address were optional. It did not specify that the name, telephone number and email address, when provided, would be processed alongisde the health data. Lastly, consent to processing was only available upon completion of the questionnaire, when the data had already been submitted.

After a public interest notification, the case was referred to the Hungarian DPA under Hungarian national law.

Holding

The controller carried out the processing based on its own decision making it an independent controller under Article 4(7) GDPR.

The controller failed to provide adequate information on the data processing to the data subjects in the questionnaire under Articles 12(1) and 14 GDPR.

Processing the personal data that was optionally added to the questionnaire resulted in excessive processing under Article 5(1)(b) GDPR and 5(1)(c) GDPR. It also breached Article 12(1) GDPR and 13 GDPR as the data subject was not informed of this additional processing. The COVID-19 status of the residents was considered health data under Article 9(1) GDPR. Mixing the processing of the optionally provided data with the health data muddied consent breaching Article 7(2) GDPR. This meant that the controller no longer had a legal basis under Article 6(1) GDPR.

The DPA fined the controller 3 million Hungarian Forint, equivalent to around €7,800, under Article 58(2) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

File number: NAIH-642-4/2022 Subject: decision
History case number: NAIH-8594/2021





                                      DECISION




The National Data Protection and Freedom of Information Authority (hereinafter: Authority) a
Budapest Capital XVIII. district with the Pestszentlőrinc - Pestszentimre Municipality (a
hereinafter: Customer) vis-à-vis the Customer ex officio on November 26, 2021
Distributed on the website "www.bp18.hu/vakcina" (hereinafter: Website) and by mail
regarding the data management of the "vaccine questionnaire" (hereinafter: Questionnaire) - initiated
makes the following decisions in official data protection proceedings:


I. The Authority determines that the Client did not provide adequate information to the persons concerned
about the acquisition and use of their name and address data from external sources
at the time of first contact, this is the name and address used to send the Questionnaire
in terms of data, natural persons have been violated by the processing of their personal data
regarding its protection and the free flow of such data, as well as 95/46/EC
Directive 2016/679/EU on repealing the directive (hereinafter: general

data protection regulation) to provide information according to Article 12 (1) and Article 14
obligation.

II. The Authority determines that the Customer has provided adequate prior information, specifically
in the absence of a specific purpose and a valid legal basis, it was handled by the contact information collected with the Questionnaire
personal data in relation to thousands of stakeholders and thereby violated it
purpose limitation according to Article 5 (1) point b) of the General Data Protection Regulation

principle, the principle of data saving according to Article 5 (1) point c), Article 12 (1)
paragraph and Article 13 of the obligation to provide prior information, as well as
in the absence of valid consent due to the above, Article 6 (1) of the General Data Protection Regulation
paragraph and paragraph 2 of Article 7.

III. The Authority determines that the Customer's prior information is adequate and valid
in the absence of a legal basis, handled the health data collected with the Questionnaire unnecessarily, and

thereby violating the provisions of Article 5(1)(c) of the General Data Protection Regulation
the principle of data saving, prior information according to Article 12 (1) and Article 13
due to the lack of valid consent due to the above
Article 6 (1), Article 7 (2) and Article 9 of the General Data Protection Regulation
(1) paragraph.

ARC. The Authority based on Article 58 (2) point d) of the General Data Protection Regulation

ex officio instructs the Customer to modify the contact information collected with the Questionnaire accordingly
practices related to the management of personal data to comply with the general
of the data protection regulation, i.e. indicate a corresponding specific goal or goals, for that
obtain the consent of those concerned in advance with the help of contact information
in addition to providing direct information, and delete the contact data collected with the Questionnaire
personal data that the general data protection was not aware of in the above manner
to obtain valid consent in accordance with the regulation. About the right to informational self-determination

and CXII of 2011 on freedom of information. Act (hereinafter: Infotv.) § 61. (6) 2





until the expiry of the time limit open for challenging the decision pursuant to paragraph
and in case of initiation of a public administrative lawsuit, until the final decision of the court
data affected by data management cannot be deleted or destroyed.

A. The Authority ex officio the Customer due to the above data protection violations


                           HUF 3,000,000, i.e. three million forints
                                     data protection fine

                                  obliged to pay.

The IV. the fulfillment of the obligation prescribed by the Customer towards this decision

must be in writing within 60 days of the expiration of the legal remedy deadline - the supporting document
together with the presentation of evidence - to prove it to the Authority. Data management exclusively
in addition to defining the appropriate scope of data, for real and specific purposes, a valid legal basis,
and it is possible to continue with the proof of the maximum guarantee of the rights of the stakeholders, otherwise
case, the Customer must prove the termination of the data processing in question to the Authority a
within the above deadline.


The fine according to point V within 30 days from the date of this decision becoming final
the Authority's centralized revenue collection target clearing account (10032000-
01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425
0000 0000) must be paid. When transferring the amount, "NAIH-642/2022 BÍRS." for number
must be referred to.

If the Customer does not fulfill his obligation to pay the fine within the deadline, he is in default

is obliged to pay a penalty. The rate of penalty is the legal interest, which is
is the same as the central bank base rate valid on the first day of the relevant calendar semester.

Non-payment of the fine and late fee, as well as the above IV. obligation according to point
in case of non-compliance, the Authority orders the implementation of the decision.

There is no place for administrative appeal against this decision, but from the announcement

within 30 days from the date of issue, with a letter of claim addressed to the Capital Tribunal
can be challenged in a lawsuit. The claim must be submitted to the Authority electronically, which
forwards it to the court together with the case documents. A hearing can be held in the statement of claim
to ask. For those who do not receive the full personal tax exemption, the administrative lawsuit
the fee is HUF 30,000, the lawsuit is subject to the right to record fees. Before the Metropolitan Court
legal representation is mandatory in the procedure.


Infotv. Pursuant to § 61, subsection (2), point a), the Authority publishes this decision a
Authority website.

                                       JUSTIFICATION

I. Procedure and clarification of the facts


I.1. History matters

1. Public interest in case history No. NAIH-3566/2021 (hereinafter: Case History)
a notification was received by the Authority on March 25, 2021, which is the Questionnaire used by the Customer
contested the legality of its data processing. The Questionnaire to the "www.bp18.hu/vakcina" website
refers to, which redirects to the website "https://www.bp18.hu/onkormanyzat/vakcina". 3






2. Following the public interest announcement, the Authority launched an ex officio investigation on April 14, 2021
in the History Case.

3. In the History Case, the Client received the Authority's inquiry on May 3, 2021,

In his reply letter sent under NAIH-3566-4/2021, the following, from the point of view of the decision
made relevant statements:

   (i) In relation to the Questionnaire, the Customer is considered a data controller.

   (ii) The Customer only hired an external service provider to prepare the mail and the envelopes
   used as a data processor, it was not used for the returned Questionnaires
   data processor.

   (iii) The Customer is the Budapest XVIII. Citizens provide the names and addresses of adult residents of the district
   LXVI of 1992 on the registration of your personal data and residential address. law (a
   hereinafter: Residential address.) obtained on the basis of point a) of § 21.

   (iv) The Customer managed the names and addresses of the recipients until the Questionnaire was mailed, after that
   deleted it. The legal basis for this data management is Article 6 (1) of the General Data Protection Regulation
   point e) was.

   (v) The Customer collected the following personal data in the Questionnaires: name, telephone number,
   email address (filling them in is optional according to the Customer's statement, its legal basis is general
   data protection decree Article 6 (1) point a) data subject consent). On this
   in addition, the answers to the following health data questions were collected a
   On the questionnaire: have you registered for vaccination, have you received the vaccine, have you been infected with coronavirus. The
   The processing time for health data is 1 week after the receipt of the questionnaire, the contact
   the data processing period is the period until the withdrawal of consent, its legal basis is the general one

   data protection regulation Article 6 (1) point a) and Article 9 (2) point a)
   stakeholder consent according to Indicated on the Questionnaire (no longer in operation)
   On the "www.bp18.hu/vakcina" website, the data management information for the Customer is general
   contains a link to its data management information, also indicated on the Questionnaire
   (www.bp18.hu/kozerdeku/adatvedelmi-informáciok). In addition, he wrote as much as
   "www.bp18.hu/vakcina" website, that the contact data is managed by the Customer for the purpose of
   until the consent is withdrawn to "keep in touch for the purpose of exchanging information".

   (vi) There are 97,687 inhabitants in the territory of the Customer. The Customer sent 54,469 letters to which
   By April 28, 2021, 4,856 residents had responded.

   (vii) The Customer provides information about data management exclusively on the paper Questionnaire
   It was provided by indicating a link to the customer's website
   (www.bp18.hu/kozerdeku/adatvedelmi-informáciok)


4. In the History Case, upon the request of the Authority, the Client on September 16, 2021
in his reply letter sent to NAIH-3566-8/2021, the following, the decision
made relevant statements in terms of:

   (i) Requesting name and address information and sending envelopes containing the Questionnaire
   the Client's use of the 2011 Act on local governments in Hungary
   CLXXXIX. Act (hereinafter referred to as the Act) existing on the basis of Section 23, Paragraph (5), Point 9

   it was done in order to carry out its municipal task. It confirms this about health care
   solo CLIV of 1997. also § 35 of the Act (hereinafter: Eütv.).
   (ii) The health data has been deleted, only the contact data of those persons

   already managed by the Customer based on the consent of the parties concerned. 4





   (iii) Compared to the number of Questionnaires sent out, the number of respondents is almost 10%. THE
   based on international standards, the results of the Questionnaire can serve as a basis for the Customer
   for decision preparation during its municipal tasks. It was referred to in this round
   for the following study: Christman, M.C. – LAN, F. [2001]: Inverse Adaptive Cluster Sampling,
   Biometrics, vol. 57 No. 4 (hereinafter: Study).

   (iv) The Customer made the decision based on the analysis and continuous monitoring of the data
   about the opening hours of kindergartens, and informed 17 schools in the district about the data
   operating Klebelsberg Institutional Maintenance Center. In connection with this, one is attached

   an unsigned and unidentified reminder dated March 31, 2021, according to which the
   on the basis of information, a decision is made later on public information campaigns and
   about filters.

   (v) The Customer used the data obtained through the analysis in connection with its epidemiological decisions
   during the decision on the project for testing district schoolchildren, free antibody screening
   during its organization.

   (vi) The Customer based on verbal consultation with the head of the competent Government Office
   undertook to conduct a survey regarding the vaccination status of the district residents.
   (vii) Correspondence between the Client and various ministries attached by the Client is a
   The authority did not take it into account during the decision, as they were not significantly influenced by it

   the fulfillment of data controller obligations and the legality of data management.

5. In the Precedent Case, at the request of the Authority, the Government Office of Budapest Capital XVIII.
District Office received on November 12, 2021, sent under NAIH-3566-11/2021
in his reply letter, he made the following statements relevant to the decision:

   (i) Government Office of Budapest Capital XVIII. District Office neither orally nor in writing

   did not ask the Client to prepare a survey on the vaccination status of local residents.
   (ii) Government Office of Budapest Capital XVIII. District Office did not receive a Questionnaire
   result from the processing of data from the Customer.

   (iii) Government Office of Budapest Capital XVIII. The district office did not receive any other Budapest office
   no such data from local governments either.

   (iv) Government Office of Budapest Capital XVIII. one of the organizational units of the District Office
   However, you cannot make a statement on behalf of the Government Office of Budapest Capital City.


6. Based on the information revealed in the Background Case, the general data protection regulation arose
direct risk of violation of several articles in connection with the data management under investigation a
The ex officio procedure of the authority and its action with official means were justified. The arose
data protection issues concern the Customer's general data management practice, not a specific one
are linked to the person concerned. In view of the above, the Authority approves Infotv. Section 55 (1) point a)

based on subsection ab) closed the History Case and ex officio initiated the present data protection
official procedure regarding the Customer's data management related to the Questionnaire.

I.2. This data protection official procedure

1. In this data protection official procedure, upon request of the Authority, Budapest Capital City
Received by your government office on December 30, 2021, sent under NAIH-8594-6/2021

in his reply letter, he made the following statements relevant to the decision: 5





   (i) The Government Office of the Capital City of Budapest has been confirmed by the Government Office of the Capital City of Budapest
   XVIII sent by the district office, received under number NAIH-3566-11/2021
   statements.

   (ii) Government Office of Budapest Capital XVIII. Statements made by the District Office a

   They are also valid for the Government Office of the Capital City of Budapest.

2. In this data protection authority procedure, upon request of the Authority, the Customer January 2022
In his reply letter received on the 12th, sent under number NAIH-642-1/2022, the decision below
made relevant statements in terms of:

   (i) The Customer reserves the statements made in the Case of History.


   (ii) The net sales revenue of the Customer in 2021 was HUF 19,598,010,463. Requested by the Client
   to take into account that due to the higher expenses in 2021 there is a shortage of HUF 3,906,975,340
   was, and all of its budget was for the performance of public tasks, part of it was for epidemics
   turns it into defense.

   (iii) Maintains I.1 above. his statement according to subsection 4.(vi), however, in his opinion, a

   The role of the government office is not significant in this case, the survey is mainly the Client
   served to fulfill his duties.

3. Recorded by the Authority on February 8, 2022 in the internet archive (The Wayback Machine)
of its content, the following two archived contents about the previous state of the Website:

   (i) April 2021 of the https://bp18.hu webpage on data protection information

   14's status
   (https://web.archive.org/web/20210414165038/https://bp18.hu/kozerdeku/adatvedelmi-
   informations)

   (ii) indicated on the data protection information subpage of the website https://bp18.hu
   "ADATKEZELESI_TAJEKOZTATO_BP18_v4_RF_20201125.pdf" can be downloaded
   A screenshot of the state of document 4 on May 7, 2021.
   page (points 2.3 and 3), which was from the above sub-page on data protection information
   available with this filename

4. CL of 2016 on the general administrative order. Act (hereinafter: Act)

Based on § 76, there is no need to call for another statement, since the Customer and
all the information on which the decision is based comes from the Customer's website.


II. Legal provisions applicable in the case

According to Article 2 (1) of the General Data Protection Regulation, the general data protection

regulation must be applied to personal data in part or in whole in an automated manner
processing, as well as the non-automated processing of data that
are part of a registration system or which are a registration system
want to be part of.

You are identified as "personal data" on the basis of Article 4, point 1 of the General Data Protection Regulation
any information relating to an identifiable natural person ("data subject"), including

also the online ID. 6





According to Article 4, point 2 of the General Data Protection Regulation, "data management" is personal
any performed on data or data files in an automated or non-automated manner
operation or a set of operations, such as collection, recording, organization, segmentation, storage,
transformation or change, query, insight, use, transmission of information,
by means of distribution or other means of making available, coordination or

connection, restriction, deletion or destruction.

Pursuant to Article 4, point 7 of the General Data Protection Regulation, "data controller" is the natural or
legal entity, public authority, agency or any other body that is personal
determines the purposes and means of data management independently or together with others. If that
the purposes and means of data management are determined by EU or member state law, the data manager
or special considerations for the designation of the data controller by the EU or the Member States

can also be determined by law

Pursuant to Article 4, point 11 of the General Data Protection Regulation, it is "the consent of the data subject".
of the will of the person concerned, based on voluntary, specific and adequate information and clear
declaration by which the relevant statement or confirmation is unambiguously expressed
indicates by action that he gives his consent to the processing of his personal data.


Based on Article 4, point 15 of the General Data Protection Regulation, "health data" is a
personal data concerning the physical or mental health of a natural person,
including health services provided to natural persons
also data that carries information about the health status of the natural person

According to Article 5 (1) point b) of the General Data Protection Regulation, personal data
should only be collected for specific, clear and legitimate purposes and should not be processed

in a manner inconsistent with these purposes; in accordance with Article 89 (1).
is not considered incompatible with the original purpose for the purpose of archiving in the public interest,
further data management for scientific and historical research purposes or for statistical purposes
("goal-boundness").

Purposes of data management according to Article 5 (1) point c) of the General Data Protection Regulation
they must be appropriate and relevant and must be necessary

be limited ("data saving").

According to Article 6(1)(e) of the General Data Protection Regulation, it may be legal to
processing of personal data, if the data processing is in the public interest or is entrusted to the data controller
necessary for the execution of a task performed in the context of the exercise of public authority.

According to Article 7 (2) of the General Data Protection Regulation, if the consent of the data subject

given in the context of a written statement that also applies to other matters, a
request for consent in a way that is clearly distinguishable from these other cases
must be presented in an understandable and easily accessible form, with clear and simple language. The
any part of such statement containing the consent of the affected person which violates e
decree does not have binding force.

Based on Article 9 (1) of the General Data Protection Regulation, racial or ethnic

you are based on your origin, political opinion, religious or worldview conviction
personal data referring to trade union membership, as well as genetic data, natural
biometric data aimed at unique identification of persons, health data and
personal regarding the sexual life or sexual orientation of natural persons
processing of data is prohibited. 7





Based on Article 9(2)(a) of the General Data Protection Regulation, Article 9(1)
paragraph does not apply, among other things, in the event that the data subject expressly
consented to the use of said personal data for one or more specific purposes
for its management, unless EU or Member State law provides that Article 9 (1)
the prohibition referred to in paragraph cannot be lifted with the consent of the data subject.


Based on Article 12 (1) of the General Data Protection Regulation, the data controller is compliant
takes measures in order to allow the data subject to process personal data
all relevant information mentioned in Articles 13 and 14 and Articles 15-22 and Article 34
according to each information is concise, transparent, comprehensible and easily accessible
provide it in a clear and comprehensible form, especially to children
for any information received.


Based on Article 13 (1) and (2) of the General Data Protection Regulation, if the personal
data were obtained from the data subject, the data controller makes the data available to the data subject
following information:

   a) the identity of the data controller and, if any, the representative of the data controller and
   your contact information;

   b) contact details of the data protection officer, if any;

   c) the purpose of the planned processing of personal data and the legal basis of data processing;

   d) based on point f) of Article 6 (1) of the General Data Protection Regulation
   in the case of data management, the legitimate interests of the data controller or a third party;

   e) where applicable, recipients of personal data, or categories of recipients, if any;
   f) where appropriate, the fact that the data controller is in a third country or international

   organization wishes to forward the personal data to, and the Commission
   the existence or absence of a compliance decision, or general data protection
   regulation in Article 46, Article 47 or Article 49 (1) second
   in the case of data transfer referred to in subsection, the appropriate and suitable guarantees
   designation, as well as methods for obtaining a copy of i.e. or those
   reference to your contact information;

   g) on the duration of storage of personal data, or if this is not possible, on this
   aspects of determining the duration;

   h) on the data subject's right to request from the data controller the personal data relating to him
   access to data, their correction, deletion or restriction of processing, and
   may object to the processing of such personal data, as well as the data subject

   about your right to data portability;
   i) point a) of Article 6 (1) of the General Data Protection Regulation or Article 9 (2)

   in the case of data processing based on point a) of paragraph 1, the consent at any time
   the right to withdraw, which does not affect consent before the withdrawal
   the legality of data processing carried out on the basis of;

   j) on the right to submit a complaint to the supervisory authority;

   k) that the provision of personal data is legal or contractual
   whether it is based on an obligation or a prerequisite for the conclusion of a contract, as well as whether the person concerned
   whether you are required to provide personal data, and how it is possible
   failure to provide data may have consequences; 8





   l) automated referred to in Article 22 (1) and (4) of the General Data Protection Regulation
   the fact of decision-making, including profiling, and at least in these cases
   understandable information on the applied logic and that such data management
   what significance it has and what expected consequences it has for the person concerned.


Based on Article 13(4) of the General Data Protection Regulation, Article 13(1)-(3)
it does not have to be applied if and to what extent the data subject already has the information.

Based on Article 14 (1) and (2) of the General Data Protection Regulation, if the personal
data was not obtained from the data subject, the data controller makes it available to the data subject
the following information:

   a) the identity of the data controller and, if any, the representative of the data controller and
   your contact details;

   b) contact details of the data protection officer, if any;

   c) the purpose of the planned processing of personal data and the legal basis of data processing;

   d) categories of personal data concerned;

   e) recipients of personal data, or categories of recipients, if any;

   f) where appropriate, the fact that the data controller is a recipient from a third country
   or wishes to transfer personal data to an international organization,
   also the existence or absence of the Commission's conformity decision, or the 46.
   referred to in Article 47 or the second subparagraph of Article 49 (1)
   in the case of data transfer, indicating the appropriate and suitable guarantees, as well as these
   a reference to the means of obtaining a copy or their availability;

   g) the period of storage of personal data, or if this is not possible, this period
   aspects of its definition;

   h) if the data management is based on point f) of paragraph (1) of Article 6, you are the data controller
   about the legitimate interests of third parties;

   i) the data subject's right to request from the data controller the personal data relating to him
   access to data, their correction, deletion or restriction of processing, and
   can object to the processing of personal data, as well as to the data portability concerned

   his right;
   j) based on point a) of Article 6 (1) or point a) of Article 9 (2)

   in the case of data processing, the right to withdraw consent at any time,
   which does not affect the data processing carried out on the basis of consent before the withdrawal
   legality;

   k) the right to submit a complaint addressed to a supervisory authority;

   l) the source of the personal data and, where appropriate, whether the data is publicly available
   whether they come from accessible sources; and

   m) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including
   also profiling, and at least in these cases to the applied logic and that
   comprehensible information regarding the significance of such data management and
   what are the expected consequences for the person concerned. 9





Based on Article 14(5) of the General Data Protection Regulation, Article 14(1)-(4)
shall not apply if and to the extent that:

   a) the data subject already has the information;

   b) providing the information in question proves to be impossible, or
   would require a disproportionate amount of effort, especially for archiving in the public interest,
   for scientific and historical research purposes or for statistical purposes, Article 89 (1)
   data management taking into account the conditions and guarantees contained in paragraph
   in the case of, or if the obligation referred to in paragraph (1) of this article
   would probably make this data management impossible or seriously jeopardize it

   achieving its goals. In such cases, the data controller must take appropriate measures
   - including making information publicly available - the rights of the data subject,
   to protect your freedoms and legitimate interests;

   c) expressly requires the acquisition or disclosure of data to be applicable to the data controller
   EU or Member State law, which is adequate to protect the legitimate interests of the data subject
   provides for measures; obsession

   d) professional confidentiality of personal data prescribed by an EU or member state law
   on the basis of an obligation, including the obligation of confidentiality based on law,
   must remain confidential.

For data management under the scope of the General Data Protection Regulation, Infotv. Section 2 (2)

according to paragraph of the general data protection regulation in the provisions indicated there
must be used with included additions.

Infotv. Validation of the right to the protection of personal data based on § 60, paragraph (1).
in order to do so, the Authority initiates an official data protection procedure at the request of the data subject and
may initiate official data protection proceedings ex officio.


Infotv. According to § 61, paragraph (1), point a), it was made in the official data protection procedure
in its decision, the Authority issued Infotv. Data management defined in paragraph (2) of § 2
in connection with operations defined in the general data protection regulation
may apply legal consequences.

Infotv. Pursuant to § 71, paragraph (2), the Authority lawfully obtained during its procedures
can use documents, data or other means of proof in other proceedings.


Infotv. 75/A. Based on § 83 of the General Data Protection Regulation, Article 83 (2)–(6)
exercises its powers in accordance with the principle of proportionality,
especially with the fact that you are in the law regarding the handling of personal data
The regulations defined in the mandatory legal act of the European Union are being implemented for the first time
in case of violation, to remedy the violation - with Article 58 of the General Data Protection Regulation
in accordance with - takes action primarily with the warning of the data manager or data processor.


It is ordered by the Authority based on Article 58 (2) point d) of the General Data Protection Regulation
the data manager or the data processor to perform its data management operations - where applicable
in a specified manner and within a specified period of time - harmonized by this regulation
with its provisions.

On the basis of Article 58 (2) point i) of the General Data Protection Regulation, the Authority has the 83.

imposes an administrative fine in accordance with Article, depending on the circumstances of the given case
in addition to or instead of the measures mentioned in this paragraph. 10






Based on Article 83 (1) of the General Data Protection Regulation, all supervisory
authority ensures that due to the violation mentioned in paragraphs (4), (5), (6) of this regulation
the administrative fines imposed on the basis of this article are effective in each case,
be proportionate and dissuasive.


According to Article 83 (2) of the General Data Protection Regulation, administrative fines
depending on the circumstances of the given case, Article 58 (2) of the General Data Protection Regulation
must be imposed in addition to or instead of the measures mentioned in points a)-h) and j) of paragraph
When deciding whether it is necessary to impose an administrative fine or a
sufficiently in each case when determining the amount of the administrative fine
the following should be taken into account:

   a) the nature, severity and duration of the infringement, taking into account the one in question
   the nature, scope or purpose of data processing, as well as the number of data subjects affected by the breach
   affected, as well as the extent of the damage they suffered;

   b) the intentional or negligent nature of the infringement;

   c) damage suffered by data subjects on the part of the data controller or data processor
   any measures taken to mitigate;

   d) the extent of the responsibility of the data controller or data processor, taking into account the
   technical and
   organizational measures;

   e) relevant violations previously committed by the data controller or data processor;
   f) the remedy of the violation with the supervisory authority and the possible negative nature of the violation
   extent of cooperation to mitigate its effects;

   g) categories of personal data affected by the infringement;

   h) the manner in which the supervisory authority became aware of the violation, in particular
   whether the data controller or the data processor has reported the breach, and if so,
   in what detail;

   i) if against the relevant data manager or data processor previously - in the same a
   subject matter - ordered referred to in Article 58 (2) of the General Data Protection Regulation
   one of the measures, compliance with the measures in question;

   j) whether the data manager or the data processor has observed general data protection
   for approved codes of conduct under Article 40 of the Decree or the general
   for approved certification mechanisms under Article 42 of the Data Protection Regulation; as well as

   k) other aggravating or mitigating factors relevant to the circumstances of the case,
   for example, financial gain as a direct or indirect consequence of the infringement
   or avoided loss.

Pursuant to Article 83 (7) of the General Data Protection Regulation, the supervisory authorities 58.
without prejudice to its corrective powers under paragraph (2) of Article, each member state

can establish the rules regarding the fact that the public authority with its registered office in the given member state
or whether an administrative fine can be imposed against another body performing a public task, and if
yes, to what extent.

Infotv. Article 83 of the General Data Protection Regulation based on § 61 (4) point b).
in the case of a fine imposed according to





to pay the fine imposed in the decision made in the official data protection procedure
obliged budget body.

In the absence of a different provision of the General Data Protection Regulation, the request was initiated
for official data protection procedure, Art. provisions shall be applied in Infotv

with certain deviations.

Lakcímtv. Based on point a) of § 21, the bodies of local governments are in law
for the performance of their duties defined in the municipal decree, Lakcímtv. Section 17 (2)
are entitled to request data according to paragraph b), which are natural
personal identification data and address data, citizenship, marital status, marriage
or the place of establishment of a registered partnership, the gender is from the register

reason, place and time of exclusion.

The Mötv. Based on § 23, subsection (5), point 9, among others, the task of the district self-government
consists of basic health care and services aimed at helping a healthy lifestyle.

The Eütv. Based on § 35, paragraph (1), public health is state and local government bodies,
mainly implemented with the participation of economic and civil organizations and individuals

activities aimed at population groups and communities, health protection and development,
to prevent disease, injury and disability. The purpose of public health is to
population health monitoring, health problems and priorities
definition, elaboration and implementation of public health measures by government,
in cooperation with professional and civil organizations.

The Eütv. Based on § 35, paragraph (2), public health activity includes:

   a) health is a scientifically based natural and social environment (a
   hereinafter together: environmental) conditions, health development, diseases
   prevention is effective, accessible and based on adequate evidence

   methods, as well as the establishment and operation of the necessary institutional system
   the definition of the conditions,
   b) the health behavior of the population and the environmental factors influencing it

   regular analysis,
   c) the health-damaging effects based on the data revealed during the analysis according to point b).
   assessing its risk and prioritizing the corresponding problems and priorities,

   d) the public health strategy in accordance with international guidelines and this
   the development of an action plan promoting its implementation, which is predetermined and measurable
   defines health goals in order to improve health, and also includes a
   interventions aimed at prevention and reduction of health-damaging effects,

   e) in order to implement the tasks, health promotion, health protection,
   provision of disease prevention, healing and medical rehabilitation services,

   f) the efficiency, effectiveness, accessibility and others of the services
   regular evaluation according to their quality characteristics.

The Eütv. Pursuant to § 35, paragraph (3), the goals of social and health policy

public health must be relied upon when determining and preparing decisions
to data revealed during the activity. 12





The Eütv. On the basis of paragraph (4) of § 35, the population is informed about the public health situation, the arising
about problems, the causative factors, the expected consequences, the solution
its possibilities and limitations must be regularly informed.



III. Decision

III.1. Description of data management

1.1. The Data Controller

1. The Customer could not substantiate his claim that he is a third party to the data management

person, at the request of the competent government office, and this was done by both the district and the capital
government office denied. The Customer arrived on January 12, 2022, number NAIH-642-1/2022
also confirmed in his reply letter that the relevant government office did not have it
meaningful role in the design of data management.

2. The Customer voluntarily undertook the data management in connection with the municipal task, his own
based on his decision, its conditions were not determined by either EU or Hungarian legislation

yes.

3. Based on the above, in the case of all data processing examined in this case, with the data processing
all related decisions, their necessity, method and means are made by the Customer
determined, thus, based on Article 4, point 7 of the General Data Protection Regulation, he is considered a Customer
as an independent data controller.


1.2. Data management related to name and address data obtained from third parties is the main one
characteristics

1. In preparation for data management with the Questionnaire, the Customer must provide personal data and
Lakcímtv from the residential address register. § 21 point a), the Act. § 23, subsection (5), point 9, and
the Eütv. Pursuant to paragraph (1) of Section 35, all Budapest XVIII. district adult
resident name and address data.


2. This data management is subject to Article 6 (1) point (e) of the General Data Protection Regulation of the Customer
founded, i.e. for epidemiological assessment and prevention due to the covid-19 pandemic
was necessary for the performance of its related public duty.

3. The name and address data used for addressing are provided by the Customer after mailing the Questionnaires
deleted, they were only handled for a short time in the month of March 2021 exclusively for Questionnaires

for the purpose of benefit. No circumstances to the contrary arose during the procedure.

1.3. The main characteristics of data management related to the contact data received in the Questionnaire

1. On the Questionnaire, the Customer requested to provide the following contact details, but no
indicated that entering them is optional: name, phone number, email address. They are not in substance
were separable from the requested health data, it was not clear from the Questionnaire that this

data is used according to different purposes and conditions.

2. Contact information received on the Questionnaire is available to the Customer - only when filling it out online
- according to his information, the consent is managed based on the consent of the data subject
until its withdrawal for the purpose of "keeping in touch for the purpose of exchanging information" on this
with the data subjects providing data on the Questionnaire. 13






3. Based on the above, those who send Questionnaires by post or online, approx. Of the 5,000 people involved,
the name, telephone number, and email address of the data subjects providing contact information is currently still managed by it

Customer.

1.4. Data management related to the health data received in the questionnaire is the main one
characteristics


1. The Questionnaire included the following questions:
   (i) have you registered for vaccination,

   (ii) whether you have received the vaccine,

   (iii) whether you have been infected with coronavirus.

2. Pursuant to point 15 of Article 4 of the General Data Protection Regulation, health data is one
personal data concerning the physical or mental health of a natural person,
including health services provided to natural persons

also data that carries information about the health status of the natural person. Above
The Customer did not dispute the nature of answers to questions as health data during the procedure,
Article 9 (2) of the General Data Protection Regulation was also referred to in this regard
also to point a). The broad interpretation of health data is confirmed, among others, by the European
Also the practice of the Court of Justice of the Union, according to which any reference to physical or mental health
data can be health data.


3. The Customer handled the above health data only temporarily, however
for data subjects who also provided contact data, these are identifiable persons
were temporarily treated. Medical related to the person
data was deleted by the Customer one week after receipt. The opposite is the case
did not arise during the procedure.


4. The purpose of handling health data was to produce anonymous statistics based on which
the Client wanted to make local government decisions with the covid-19 pandemic
in connection.



III.2. Obligation to provide appropriate information

1. According to Article 12 (1) of the General Data Protection Regulation, the Customer is considered independent
the obligation of the data controller to take appropriate measures to ensure that
concerning the processing of personal data for those concerned, referred to in Articles 13 and 14

all information and 15-22. and each information according to Article 34 is concise,
in a transparent, comprehensible and easily accessible form, in a clear and understandable way
provide it formulated.

2. The system of appropriate information in the general data protection regulation serves to
so that the data subject can be aware of which personal data, which data controller and

for which purpose, how you will handle it. This is essential to be in a position to
to be able to meaningfully exercise its stakeholder rights.




1 see e.g. Decision No. C-101/01 (Lindqvist case): https://curia.europa.eu/juris/liste.jsf?num=C-101/01 14





3. Data management based on point e) of Article 6 (1) of the General Data Protection Regulation
due to the more vulnerable stakeholders, there is an increased expectation of information
performing public authority tasks, performing data management regardless of the consent of the data subject
against a data controller compared to a data controller that is the data subject's right of disposal
manages the personal data of the data subject. In the absence of adequate information, by definition

the data subject is not in a position to properly exercise his data subject rights.

4. Data management based on point a) of Article 6 (1) of the General Data Protection Regulation
based on Article 4, point 11 of the General Data Protection Regulation, not only the data management
beginning, but before obtaining consent, the data controller is obliged to
to provide information on the basis of which informed consent can be given.


5. In relation to the legal basis of data subject consent according to the General Data Protection Regulation
it is important to emphasize that it does not mean that the data controller is subject to other legal obligations
applies as a general authority regardless of conditions that at any time and
can handle any personal data without limits for any reason. For data management
stakeholder consent can only be valid if it is for specific purpose(s) - per purpose
can be specified separately - they ask, and before that they provide adequate information, which in such a situation
brings the data subject to be able to make an appropriate decision about giving consent, and

complies with all other validity conditions prescribed in the General Data Protection Regulation
requirement. Article 12 (1) of the General Data Protection Regulation specifically
imposes a performance obligation on the data controller, i.e. the data subject needs such help
provide, so that all stakeholders can exercise their rights in an informed manner.

6. As explained above, the obligation to provide information is not a mere "paperwork"
is an obligation in the General Data Protection Regulation. Everything contained in the preamble,

all the articles of the General Data Protection Regulation require the data manager to achieve results
in determining its obligations, not just a specified minimum effort
confirmation by the data controller. The purpose of the information is to put you in such a situation
data subject to be in the appropriate decision-making position by exercising the data subject's rights
in connection.

7. The Customer has no merit in the Questionnaire, and is easily accessible by those concerned

did not provide information about data management to the affected parties, nor did it provide any other information
purposes, neither the legal bases nor the durations were revealed, and the source of the name and address data
didn't mark it either. It was also not revealed that filling in contact information is optional. It is paper based
in the case of data management, the provision of substantive information in its entirety online is usually not
it is transparent and easily accessible to the stakeholders who receive the Questionnaire by post and return it
for. Thus, this alone prevented the valid consent of those concerned
be able to give.


8. It is available to the Customer with a link indicated in writing on the Questionnaire and also when filling it out online
general data management available at www.bp18.hu/kozerdeku/adatvedelmi-informáciok
information at the time of sending out the Questionnaires and when they are returned by those concerned - which is
According to customer statements, there was a short period around March 2021 - none
it did not contain information about any of the examined data management. At the request of the Authority
information sent at the web address www.bp18.hu/kozerdeku/adatvedelmi-informáciok only

After May 7, 2021, the above I.2. Based on the web archive according to point 3, it
prior to this, there was no information regarding any data management. Bar
subsequent information does not play a role in the determination of illegality, the Authority
notes that, subsequently exchanged by the Customer on the Website, 2.4. and 2.5. with points
supplementary information also did not include the source of the data, as well as basic information
about specific goals. The file name, content, and version number of this on the Website are not 15





corresponds to the version available at the time of the examined data management. However, due to the above, 2.4. and
2.5. in case of earlier availability of new information supplemented with points, its content, as well as
It would not have been made suitable due to the lack of easy accessibility together with the questionnaire
the information, at least its basic information, should have been provided on the Questionnaire. The
the purpose and nature of data management was not so complex that it would have significantly hindered this.



III.3. Evaluation of the data management required to send the Questionnaire

1. Based on Article 6 (1) point e) of the General Data Protection Regulation a
necessary for the performance of public authority and other public duties defined by law
has the right to contact district residents.


2. However, it is also necessary in the case of the application of the above legal basis - and any other legal basis
to comply with all provisions of the General Data Protection Regulation, in this case
with particular regard to the obligation under Article 14 of the General Data Protection Regulation. This
based on the Customer at the latest when sending the Questionnaire, together with at least
to provide information to those concerned about where it comes from
their name and address data, and this data is no longer managed. The Customer is responsible for this

– the above III.2. taking into account what was explained in point - he did not fulfill it, and this also played a big role
played a role in the fact that several stakeholders made public interest announcements due to the Questionnaire.

3. None of the exceptions according to Article 14 (5) of the General Data Protection Regulation apply
in the present case, it does not constitute a disproportionate expectation and would not make it impossible
the purpose of data management is to provide at least adequate concise information on or alongside the Questionnaire
about the most basic conditions of data management.


4. This data management is closely related to the Questionnaire, however, the legal basis and the data are different
due to its external source, different provisions are required compared to the other examined data management
comply, for this reason the Authority classified it separately. Article 6 of a self-governing municipality
The legal basis for this, based on point e) of paragraph (1), is smaller compared to other violations
an omission does not make it invalid, however, regardless of this, the Customer would have been obliged to e
to act in accordance with the general data protection regulation.


5. Based on the above, the Customer violated Article 12 (1) of the General Data Protection Regulation
and the obligation to provide information according to Article 14.


III.4. Evaluation of the handling of contact personal data


1. The principles in Article 5 (1) of the General Data Protection Regulation do not only apply to
they serve to make theoretical findings with the implementation of data management
in connection. These principles cover specific obligations that can be held accountable
in specific cases on the data controllers.

2. According to Article 5 (1) point b) of the General Data Protection Regulation, personal data
should only be collected for specific, clear and legitimate purposes and should not be processed

in a manner inconsistent with these purposes; in accordance with Article 89 (1).
is not considered incompatible with the original purpose for the purpose of archiving in the public interest,
further data management for scientific and historical research purposes or for statistical purposes.
In this case, it is not a law, but a unique statistic based on the Customer's decision,
thus the precise and clear definition of the data management purpose and from other purposes
it would have been the Customer's responsibility to ensure its distinctiveness. 16






3. The Customer fulfills the above obligation - the revealed facts and the above III.2. also explained in point
attention - neither the Authority nor the stakeholders did not fulfill it. Contact details
the goal of its treatment should not be an elusive goal such as general contact.
It is necessary to indicate in some way what the contact is specifically like

means sending information of the kind, and in the case of "exchange of information", what kind of information
are expected from the stakeholders. Mixing this data management with health data, they are one
collection on the page raises the prohibition according to Article 7 (2) of the General Data Protection Regulation
also his grievance, according to which the request for consent is clearly separated from other matters
must be presented in a distinguishable manner, especially when their mixing is severe
would raise data protection issues.


4. According to Article 5 (1) point c) of the General Data Protection Regulation, data management
they must be appropriate and relevant for its purposes and must be necessary
be limited. The optional nature of the contact as a whole, as well as the contact information
in the event of your choice, the right to freely choose individual communication channels (that is enough
to enter a type of contact data) should have been clearly and clearly stated
from the information provided to those concerned, however, the Customer has no merit in this regard
did not provide information to those concerned. The Customer did not substantiate with anything that

for which reason it is not enough if the individual maintains contact only on one communication channel
with stakeholders, even if several contact channels are specified, why would you need more than one
for several types of access to contact a data subject and for which purposes this is necessary
without time limit, even after the end of the epidemic.

5. Based on Article 4, point 11 of the General Data Protection Regulation, the consent of the data subject is one
suitable for data processing without a specific purpose and unreasonably determined in time

is not valid in the absence of information, and the above circumstances are also affected individually
would lead to invalidity of consent. In the absence of valid consent, it is
data management does not comply with Article 6 (1) point a) of the General Data Protection Regulation
according to the legal basis, and no other legal basis exists.

6. Based on the above, contact personal data collected by the Customer on the Questionnaire
violated Article 5(1)(b) of the General Data Protection Regulation

according to the purpose-related principle, data saving according to Article 5 (1) point c).
principle, to provide prior information according to Article 12, paragraph (1) and Article 13
obligation, as well as in the absence of valid consent due to the above, the general
Article 6 (1) and Article 7 (2) of the data protection regulation, and this point
violations of the law still exist.



III.5. Evaluation of the management of health data

1. The above III.2. and III.4. written in points, as explained below, are properly governing
also for handling the health data collected on the Questionnaire, with the fact that in this case there was one
legitimate purpose, the preparation of epidemiological statistics, and local government measures based on this
and these data are no longer processed, they have been deleted. Because of this
above III.4. from the points explained, there was no violation of the principle of purpose-boundness

with regard to health data.

2. In the case of handling health data, Article 6 (1) of the General Data Protection Regulation
Article 9 (2) of the General Data Protection Regulation is required in addition to one of the legal bases of
according to paragraph - exceptions to the general treatment ban according to Article 9 (1)
one of them must exist. In this case, the consent is defined in Article 17 of the General Data Protection Regulation





According to Article 9(2)(a), the additional condition that the person concerned must be met
has given his express consent to the said personal data for one or more specific purposes
for treatment. Given that adequate information was not provided, as well as a
necessity and suitability to achieve the goal does not exist for the reasons explained below, therefore
this condition could not be met either.


3. Data saving according to Article 5 (1) point c) of the General Data Protection Regulation
one of the conditions for its practical implementation is that data management is necessary and proportionate
to achieve a given data management goal, and is also suitable for it.

4. Regarding the issue of suitability, the Authority emphasizes that the Client did not support it with anything
below, exactly how he knew from a non-representative sample of less than 10%

to draw accurate conclusions about the district residents as a whole. In addition, the statistics are one
it was made at a moment in time in the middle of the vaccination campaign, its results are significantly different from week to week
could have changed, and would not have given an accurate picture of the epidemic situation within a short period of time even if the
would have been accurate when it was made. The Study referenced by the Customer is only a summary
was available, but the Study does not support that it was collected on the Questionnaire
to get accurate results by creating anonymous statistics from data, but that is small
in the case of a large, non-representative sample, additional external – non-anonymous – information

it would have been necessary to use it in relation to those who filled out the Questionnaire. Such
the Customer did not indicate the acquisition of additional personal data, and this is data protection
it would not have reduced the level of infringement, but rather increased it. Suitability in itself
however, it would not significantly affect the legality of data management.

5. It is a question independent of the suitability of the generated statistics that the treated health
data were classified as personal data because they potentially – even on a paper basis –

they could be linked to the persons concerned. Apart from the Customer's statement, there is no organizational
or other guarantee that could have technically excluded this connection. Is that
questions were not asked separately from the contact identification data,
unnecessarily linked them to a specific stakeholder. To a specific natural person
with a non-binding random document identification number, it can be ensured that there is only one person concerned
send back a reply which has no connection between document identification numbers and recipients
would not be necessary at any step of data management (it is sufficient to ensure that

that a document identification number is processed only once, which is indicated in the list), and
the statistics could also have been prepared from anonymous data of a special category of personal
without processing data. For this reason, this data management in no way complied with the
necessity and proportionality criterion, which is the above III.2. as explained in point
is an additional condition for the legality of data processing independent of the consent of the data subject.

6. Based on the above, the Customer manages the health data collected with the Questionnaire

violated Article 5(1)(c) of the General Data Protection Regulation
the principle of data saving, the advance notice according to Article 12 (1) and Article 13
obligation to provide information, as well as valid due to the above
due to the lack of consent, Article 6 (1) of the General Data Protection Regulation, Article 7
(2) and (1) of Article 9.



ARC. Legal consequences

1. The Authority complies with Article 58 (2) point i) and Article 83 (2) of the General Data Protection Regulation
may impose a data protection fine instead of or in addition to the other measures.
There was no doubt that in case of violation of the general data protection regulation, the general
on the basis of Article 58 (2) point d) of the Data Protection Regulation, to oblige the data controller 18





necessary to bring data management into line with the general data protection regulation.
Due to the time-consuming nature of obtaining consents and the nature of data management as a public task, a
The authority set a deadline of 60 days instead of the usual 30 days. In addition to the
In accordance with the governing judicial practice, the authority in imposing the fine in this case is
among the aspects listed in Article 83 (2) of the General Data Protection Regulation

presents what was taken into account in the justification of the decision.

2. On the question of whether the imposition of a data protection fine is justified, the Authority
made a decision based on statutory discretion, taking into account Infotv. Section 61 (1)
to paragraph a), Infotv. 75/A. 83 of the General Data Protection Regulation.
(2) and Article 58 (2) of the General Data Protection Regulation, which
based on this, the conviction in itself would not be a proportionate and dissuasive sanction, therefore

a fine must be imposed. In this case, the protection of personal data - which is the Authority
task - it is not available based on the totality of the fine imposition circumstances detailed below
without imposing a data protection fine. The imposition of fines is both special and general
it also serves prevention, for which purpose the decision should also be published on the website of the Authority
costs

3. The Authority did not consider mitigating factors regarding the necessity of the fine

as a circumstance, the economic situation referred to by the Customer, since it is – indirectly, the annual
through income - it only affects the amount of the fine if it is necessary, no
whether it is necessary to impose the fine, the necessity of the violation and its circumstances
determined in accordance with Article 83 (2) of the General Data Protection Regulation. E
respect, the Authority took into account when determining the amount of the fine that the Customer
Its net sales revenue in 2021 was HUF 19,598,010,463. The Authority is the Customer's bad material
situation and the public interest related to the performance of his public duties, the amount of the fine

taken into account as a mitigating circumstance when determining

4. The Authority also did not consider as a mitigating circumstance the fact that the Customer a
With the authority during the procedure - not for damage mitigation, only for response in the procedure
purpose - cooperated, as this is all based on Article 31 of the General Data Protection Regulation
obligation of data controller and data processor, its absence could be taken into account
as an aggravating circumstance. (General Data Protection Regulation Article 83 (2) point f)


5. When determining the amount of the data protection fine, the Authority as a mitigating circumstance
took into account the following:

   (i) Compiling statistics to aid epidemic management is not illegal in itself
   During the operation of the municipality, only its access was not planned for data protection
   with awareness and inappropriately trying to reach it, as well as on contact details
   external data were deleted within a short time, and with regard to contact personal data
   based on all the circumstances of the case, the violation can be remedied according to the relevant part.

   (General Data Protection Regulation Article 83 (2) point a)
   (ii) The infringement is negligent, it was not aimed at harming the affected parties or

   for illegal profit-making (General Data Protection Regulation Article 83 (2) point b)

   (iii) Most of the personal data was deleted within a short period of time, thus remedying the violation
   the Customer has already partially done so – without affecting the occurrence of the previous infringement,
   and before that, it was used for statistical purposes separately from other data management
   health data (General Data Protection Regulation Article 83 (2) point c)

   (iv) The Authority has not previously established a data protection violation against the Client.
   (General Data Protection Regulation Article 83 (2) point e) 19






6. When determining the amount of the data protection fine, the Authority as an aggravating circumstance
took into account the following:

   (i) By handling unnecessary personal data that does not take into account the will of the data subjects
   associated mass data processing violates the right to the protection of personal data and in general
   represents an unnecessary data security risk. (General Data Protection Regulation Article 83 (2)

   paragraph point a)

   (ii) The Client is a public authority, and the requirements for compliance with the legislation
   are increased, it would be the task of public bodies to set a good example for the private sector.
   (General Data Protection Regulation Article 83 (2) point d)

   (iii) There was no effective information available to the affected parties, so they had no chance
   was to exercise their stakeholder rights, to make an appropriate stakeholder decision. and this is at the principle level
   it was the result of insufficient data protection planning. (General Data Protection Regulation Article 83
   (2) point d)

   (iv) The scope of personal data handled belongs to a special category
   personal health data that was linked unnecessarily – even temporarily –
   to specific stakeholders. (General Data Protection Regulation Article 83 (2) point g)

   (v) The Authority became aware of the violation through several public interest reports (general

   Article 83 (2) point h) of the Data Protection Regulation

7. Based on the above, the Authority imposes a data protection fine in the amount specified in the applicable section
considered its imposition proportionate and dissuasive based on all the circumstances of the case. This
does not mean that, in a similar case, the data protection fine against another data controller will not apply
it could be significantly higher, especially for the purpose of general prevention
to the additional circumstance of ignoring the published publication, as well as to that

considering that in this case Infotv. The maximum fine based on § 61, paragraph (4) point b).
was twenty million forints instead of the general maximum of the general data protection regulation.


A. Other questions

1. Infotv. According to § 38, paragraph (2), the Authority is responsible for the protection of personal data,
and the right to access data of public interest and public interest

control and promotion of the validity of personal data in the European Union
facilitating its free flow within. Infotv. According to Section 38 (2a), the general
tasks and powers established for the supervisory authority in the data protection decree
general data protection for legal entities under the jurisdiction of Hungary
is exercised by the Authority as defined in the decree and this law. The Authority
its jurisdiction covers the entire territory of Hungary.


2. The Art. Based on § 112, paragraph (1), § 114, paragraph (1) and § 116, paragraph (1), the
a decision can be appealed through an administrative lawsuit.


                                              * * *

3. The rules of the administrative procedure are laid down in Act I of 2017 on the Administrative Procedure

hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority
the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. Section 13, paragraph (3) 20





Based on point a) subpoint aa), the Metropolitan Court is exclusively competent. The Kp. Section 27 (1)
according to paragraph 1, legal representation is mandatory in administrative proceedings before the tribunal. The Kp.
According to paragraph (6) of § 39, the submission of a claim is an administrative act
does not have the effect of postponing its entry into force.


4. The Kp. Paragraph (1) of Section 29 and, in view of this, CXXX of 2016 on the Code of Civil Procedure.
applicable according to § 604 of the Act, electronic administration and trust services
CCXXII of 2015 on its general rules. according to § 9 (1) point b) of the Act, the
the client's legal representative is obliged to maintain electronic contact. The submission of the statement of claim
time and place of Kp. It is defined by § 39, paragraph (1). Request to hold the hearing
information about the possibility of the Kp. It is based on paragraphs (1)-(2) of § 77.


5. The amount of the fee for the administrative lawsuit is determined by the XCIII of 1990 on fees. law
(hereinafter: Itv.) 45/A. Section (1) defines. From the advance payment of the fee
the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt the person initiating the procedure
half.

6. If the Customer does not adequately certify the fulfillment of the prescribed obligations, the Authority
considers that the obligations have not been fulfilled within the deadline. The Akr. According to § 132, if

the Customer did not comply with the obligation contained in the Authority's final decision, that is
can be executed. The Authority's decision in Art. according to § 82, paragraph (1) with the communication
becomes permanent. The Akr. Pursuant to § 133, enforcement - if you are a law
government decree does not provide otherwise - it is ordered by the decision-making authority. The Akr. 134.
pursuant to § the execution - if it is a law, government decree or municipal authority
the local government decree does not provide otherwise - the state tax authority
undertakes. Infotv. Based on § 61, paragraph (7), contained in the Authority's decision,

to carry out a specific act, to perform a specific behavior, to tolerate or
regarding the obligation to stop, the Authority will implement the decision
undertakes.

dated: Budapest, according to the electronic signature

                  In the absence of President Dr. Attila Péterfalvi:


                                                             Dr. Győző Endre Szabó
                                                                  vice president