NAIH (Hungary) - NAIH-2020-2546-5: Difference between revisions

From GDPRhub
Revision as of 09:23, 3 March 2021

NAIH - NAIH-2020-2546-5
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(c) GDPR
Article 6(1) GDPR
Article 9(1) GDPR
Article 12(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 16.12.2020
Published:
Fine: 35000000 HUF
Parties: n/a
National Case Number/Name: NAIH-2020-2546-5
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Hunprivacy

The Hungarian DPA (NAIH) held that the controller processed copies of documentation containing personal data (including health data) without a legal basis and not in line with the purpose of processing. The processing was also not in line with the controller's legal obligation to process information on the provision of the childbirth incentive loan. NAIH imposed a fine of approx. €97,430.

English Summary

Facts

Two parents turned to NAIH in connection with their credit institute’s processing of personal data regarding their “Childbirth incentive loan”.

The couple applied for suspension of repayment, for which they were eligible under the condition that the fetus is at least 12 weeks old. In order to certify this fact, the administrator of the credit institute copied their pregnancy booklet in its entirety.

The parents were of the opinion that this was unnecessary for the purpose of certifying the age of the fetus, as the pregnancy booklet contains a number of pieces of sensitive information.

Following this, NAIH conducted an ex officio investigation. In order to have all the necessary and relevant information, NAIH collected statements from the controller.

NAIH found that the controller processed the personal data in question excessively and unlawfully, and therefore had breached multiple GDPR provisions. As a consequence, NAIH imposed a data protection fine of HUF 35,000,000 on the controller.

Dispute

Is the controller’s general data processing practice in compliance with the GDPR in connection with collecting personal data from pregnancy booklets and patient records for the purpose of reviewing the eligibility of a couple for repayment suspension for a “childbirth incentive loan” construction?

Holding

The conditions of a special loan called the “childbirth incentive loan” are set out in a Hungarian Government Decree. According to the relevant rules, parents, or parents expecting a child, are eligible for suspension of repayment where specific criteria are met, including that the fetus is at least 12 weeks old.

In order to verify this, certain documents must be presented. The controller in this case requested, amongst others, the copy of the complete pregnancy booklet, with all the information in it, as well as the patient records.

The pregnancy booklet contains a wide range of personal data regulated specifically in a ministerial decree, e.g., detailed information about the health status of the mother, including data related to possible previous pregnancies, details about the circumstances of previous childbirth, or miscarriages.

Regarding the legal basis of the above data processing, NAIH highlighted that the fact of being pregnant is in itself health data and, as such, can only be processed if one of the legal bases in Article 6 (1) and an additional criterion under Article 9 (2) of the GDPR apply.

Article 9 (2) of the GDPR does not contain an exception that would explicitly allow the processing of health data for the purpose of performing a contract. According to Article 9 (2) (a) of the GDPR, health data may be processed if data subjects give their explicit consent. Pursuant to Section 9 (2) of the relevant Government Decree, the spouses must expressly state in the loan agreement that they consent to the processing of data regarding the 12th week of pregnancy and the expected date of childbirth. By this, the Government Decree settles the legal basis for the processing of health data. However, NAIH raised issues as to the validity of the consent. NAIH is of the opinion that it is questionable whether the consent is freely given, since without the prior consent of the contractor, no loan agreement would be concluded.

NAIH concluded that the controller violated the principle of data minimization by copying the entire pregnancy booklet, containing excessive health data and other highly sensitive data, as it is not strictly necessary in light of the purpose of the processing. In addition to the excessive collection of special categories of personal data, NAIH highlighted that the affected individuals were in an extremely vulnerable situation.

NAIH also held that the data controller had, in fact, no appropriate legal basis for the processing.

NAIH held that the continuous nature of the violation of the data subjects’ rights, and the large number of affected individuals were aggravating factors in the case. On the other hand, NAIH acknowledged the fact that the controller reconsidered and changed its data processing operations, and ended its unlawful practice of keeping copies of pregnancy booklets and patient records.


Comment

NAIH has already considered the copying of personal and other documents and processing identification documents by controllers in multiple cases. According to NAIH's practice, copying of documents is generally not necessary for concluding a contract or for pre-contractual screening. Processing of identification documents and relevant identification numbers is also generally unnecessary for the given purpose of processing, unless it is prescribed by law.

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH / 2020/2546/15. Subject: Decision

DECISION

Before the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority), the […] (hereinafter referred to as the “Customer”) prior to the conclusion of contracts for the provision of a baby waiting loan, or, during the term of the contracts, the lending, the related discounts, the handling of documents containing personal data in connection with grants, and the lawfulness of information on data processing during the granting of a baby waiting loan, the general ex officio data protection to verify compliance with the Data Protection Regulation in administrative proceedings, the Authority shall take the following decisions:


I. Finds that the Customer

(1) infringed Article 5 (1) (c) of the General Data Protection Regulation (GDPR); the principle of data saving in accordance with the principle of non-compliance with personal data, including health data, in copies of final reports managed that were not necessary to achieve the purpose of the data processing;

(2) handled without a legal basis prepared pregnancy books and prepared final reports personal data, including health data, recorded in copies Article 6 (1) of the GDPR and, in the case of health data, Article 9 of the GDPR. Article 1 (1);

(3) did not provide clear and transparent information to those concerned about the baby waiting loan and the processing of data during the life of the concluded loan agreements Article 12 (1) of the GDPR.

II. Instructs Customer to do so within 60 days of this decision becoming final

(1) delete any pregnancy books and final reports still available destroy electronic copies, paper copies, and have done so credibly to the Authority.

(2) reshape the baby waiting loan application as well as the contracts concluded information management practices in a manner consistent with Article 12 of the GDPR. transparency requirement under Article 1 (1).

III. Due to the unlawful data processing, the Customer shall be informed of the 30th day after the final adoption of this decision within a day HUF 35,000,000, i.e. thirty-five million forints data protection fine obliges to pay.

1055 Budapest, Falk Miksa utca 9-11. Tel.: +36 1 391-1400 Fax: +36 1 391-1410 ugyfelszolgalat@naih.hu www.naih.hu

* * *


The fine was imposed on the Authority’s centralized revenue collection forint settlement account (10032000-01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000) to be paid for. When transferring the amount, NAIH / 2020/2546. JUDGE. should be referred to.

If the Customer fails to meet its obligation to pay the fine within the time limit, a late payment surcharge obliged to pay. The rate of late payment is the statutory interest, which is the calendar affected by the delay equal to the central bank base rate valid on the first day of the first half of the year.

A II. obligation under point III. non-payment of the fine and penalty for late payment in accordance with point In that case, the Authority shall order the enforcement of the decision.

Until the expiry of the time limit for bringing an action against the decision, or an administrative action until the final decision of the court, the data involved in the disputed data processing shall not can be deleted or not destroyed.

A II. within 8 days of the implementation of the measures provided for in point together with supporting evidence, shall notify the Authority. To the Customer as evidence, it must be accompanied by a document fully documenting the fact and IT circumstances of the cancellations a record (s) and a statement that all copies of the said data deleted.

There shall be no administrative appeal against this Decision, but it shall be subject to a right of appeal within 30 days of notification An appeal addressed to the Metropolitan Court may be challenged in an administrative lawsuit within one day. The application shall be submitted to the Authority, electronically, which shall forward it together with the case file to the court. For those who do not receive a full personal tax exemption, there is an administrative lawsuit fee HUF 30,000, the lawsuit is subject to the right to record material taxes. In the proceedings before the Metropolitan Court, the legal representation is mandatory.



STATEMENT OF REASONS


I. Procedure

(1) The Authority has received a notification in the public interest in which the notifier has submitted that took a loan with his spouse from the Client. The applicant and his spouse have requested the Client to suspension of loan repayment. The Customer's administrator copied the entire a pregnancy care book to prove that the fetus was 12 weeks old.

(2) On the basis of the notification in the public interest, the circumstance giving rise to the initiation of the official inspection came to the Authority, so that the Authority, on 24 January 2020, issued NAIH / 2020/1156. case number of the Customer initiated a formal inspection to verify that the Customer whether its general data management practices in relation to baby loans are in line with a GDPR requirements.

(3) The Authority shall make a declaration at the same time as it notifies the initiation of the official control called the Customer. The Client's statement was received by the Authority on 14 February 2020.

(4) Based on the Client's statement and additional information revealed during the official inspection it was probable that the Client had breached the provisions of the GDPR, therefore the Authority is In its case, NAIH / 2020/2546 initiated ex officio data protection proceedings on 28 February 2020. case number. The investigation period covered the period from 1 July 2019 to 28 February 2020.

(5) In addition to the notification of the data protection authority procedure, the Authority shall clarify the facts In order to do so, he invited the Client to make a statement, and in his order he reserved the ones already concluded loan transactions performed by the Client on the maternity books, the adoption paper-based decisions, abortion or stillbirth documents, and electronic copies. The Authority left the seized copies of the documents in the custody of the Client. It was necessary to order a seizure because, on the basis of the Client's statement, its there is a risk that the copies of the records, in the context of the Client's own review of deleted before the end of the data protection authority procedure.

(6) In its statement dated 15 May 2020 (NAIH / 2020/2546/2), the Client informed the Authority to comply with the attachment order, the paper-based and destruction of electronic copies of documents, deletion from systems upon receipt of the order suspended after.

(7) On 22 June 2020, the Authority adopted Decision NAIH / 2020/2546/3. clarification of the facts in its order no In order to do so, he invited the Client to make a statement and send various copies of the documents.

(8) In the Client's letter dated 8 July 2020, the deadline for reply is an additional 15 The Authority requested the extension of the application by NAIH / 2020/2546/5. No. in his order. The Client's statement and the requested documents are electronic, with a password A copy of the protected copies was received by the Authority on 30 July 2020.

(9) In order to clarify the facts, the Authority should amend NAIH / 2020/2546/9. in his order no invited the client to make a statement on October 20, 2020. Customer Statement November 2020 He arrived at the Authority on the 25th.

(10) The Authority shall, in the course of loan transactions already concluded by the Client in the care of pregnant women books, adoption decisions, proof of miscarriage or stillbirth seizure of paper and electronic copies of documents on 14 December 2020 terminated by order of.

II. Clarification of the facts

(11) Decree 44/2019 on the baby waiting allowance. (III.12.) Government Decree (hereinafter: Government Decree) under the baby waiting loan interest subsidized, the transaction interest on behalf of the state to the Treasury disbursed to the credit institution.

(12) Beneficiaries - ie the spouses with whom the financial institution is expecting a baby loan are entitled to a suspension of repayment - other after the 12th week of pregnancy, including the post-natal period or if they adopt a child together.

(13) Beneficiaries are entitled to a non-refundable fee in the event of the second or third child childbirth allowance, the amount of which is for the second child from the baby-waiting loan 30% of the outstanding debt and, in the case of a third child, the remaining amount corresponding to the loan debt. Childbirth allowance to suspend repayment similarly after the 12th week of pregnancy, including the postpartum period, or can be requested in case of adoption.

(14) An application for suspension of repayment and child-raising allowance should be submitted to the credit institution. to be submitted, which must be accompanied by the provisions of Section 9 (2) (b) and (c) of the Government Decree. which are as follows:

• the 12th week of pregnancy and the expected date of delivery to prove the maternity care book, the data content of which is 26/2014 on maternity care. (IV. 8.) Annex 1 of the EMMI Decree (or, after 1 July 2020, in the Government Decree a document issued by the treating physician with a specific content);

• in the case of a blood child, proof of birth: the child's birth birth certificate, official certificate of residence and tax ID;

• in the case of an adopted child, the final authorizing the adoption decision, the official identity card of the child and the tax ID;

• a statement in full private evidence from the beneficiaries stating that that they live in a household;

• in the case of stillbirth or miscarriage, the document certifying the occurrence, In client practice, the final report was (fetal death as of July 1, 2020) in the case of a document pursuant to Annex 3 of the Government Decree; stillbirth on the examination of the dead and the procedure relating to the dead in the case of a document according to a government decree, or in the event of the death of a child born alive death certificate).

(15) In order to suspend repayment and apply for childbirth allowance, the Client shall use the same a systematized the form. For these requests, the original of the above documents demanded a presentation, of which he made a copy, not including in a household declaration of origin, as it required it to be submitted in the original. This […] Of the Regulations (hereinafter: the Product Regulations).

(16) Electronic copies of the above documents shall be sent to the Customer on or after 1 November 2019 prior to that, its predecessors recorded and stored them in their process management systems.

(17) […] From 1 November 2019, paper-based documents in the customer files in the branches have been placed.

(18) With regard to the handling of paper-based documents and copies of documents, since 1 November 2019, the The practice of the Customer's bank branches is uniform, it is stated in Annex […] of the Product Regulations and regulated by its annexes […].


(19) In the course of the procedure, the Client referred to the previous decision of the Authority - Data Protection Officers 2019. conference, received from data protection officials, not in the context of video presentations expressed in question 25 of the document "Answered questions" that "A Authority shall accept copies if the employer, as data controller, is such develop a practice of making copies only of data whose otherwise entitled to handle it. In this case, copy the data on the document data management operation, but not a new data management purpose compared to the original purpose of data collection, but a way of collecting data for the original purpose of data processing and the related legal basis, which otherwise helps to ensure the accuracy of the data. "

(20) The Client shall list and make available on the […] website the information related to the baby waiting loan documents, including documents governing data management, e.g. […].

(21) The Client informed the Authority that between 1 July 2019 and 30 January 2020 in total […] Persons applied for a baby waiting loan from him, of which […] granted a baby waiting loan to a person, which means a total of […] transactions. […] Transaction was suspended during the repayment of the first after child and […] supported couple claimed childbirth allowance for the second or after the third child.

(22) Upon receipt of the Client's order to initiate official control reviewed its rules of procedure and the forms requested. Of this abolished the pregnancy books, the adoption permit copies of decisions, documents certifying miscarriage or stillbirth, and this information, prepared separate model certificates to prove the circumstances, on which the beneficiary declares the on the correctness of the data ordered by the Government Decree on the basis of the presented documents. To prove this, the statement is accompanied by the amended […] Product Regulations in […] of which the Client has expressly stated that it is to be presented documents (maternity care book, adoption decision, stillbirth or birth certificate) abortion certificate) is strictly forbidden. In addition to these, the Authority made available the amended annexes - [kidolg] - and the newly developed certificates - to the […] - patterns as well.

(23) The Client has also reviewed the documents of the baby waiting loan from the point of view of data protection, which were not affected by the Authority's request. On the implementation of the amendments on 15 May 2020 informed the Authority, the amended Product Regulations, in its statement dated […] application for support and to verify the data in the […] pregnancy care book attached to his statement of 27 July 2020.

(24) The Client has stated that in respect of the transactions already concluded in which In the absence of legal authorization, copies were made pursuant to Section 9 (2) (b) and (b) of the Government Decree c), decided to make copies of paper-based documents on the annulment of the decision, on the recording of the fact of the destruction, and on the the indication of the data required by law and the deletion of electronic copies of documents, and has begun to do so, following an order by the Authority ordering a seizure suspended.

(25) At the request of the Authority, the Client provided the Authority with the information from 1 July 2019 to 2019. 1 August 2020 and 1 January 2020-2020. in the periods between January 30 and pregnancy copies of books.

(26) No copy of the adoption decision was made during the period under review, while abortion or death A total of 2 copies were made of the birth certificate - the final report - the other two In this case, the abortion has already been verified with a sample of the certificate prepared by the Client, which only the natural identity data, address of the pregnant woman, of the 12th week of pregnancy miscarriage or stillbirth and to identify the specialist contain the necessary details and signature.

(27) In order to verify the actual application of the new amended certificates, the Client shall 5 from the period from 1 February to 15 March 2020, signed by the parties concerned, a a copy of the certificate marked with the number […] certifying the presentation of the maternity care book made available to him.

    III. Applicable legal provisions


    Following the period under review, the Government Decree was amended several times. The Authority is the Government.

    Regulation took into account the provisions in force during the period under review on the lawfulness of data processing
    in its assessment.


    Pursuant to Article 2 (1) of the GDPR, the GDPR applies to the processing of data in the present case.

    The relevant provisions of the GDPR in the present case are the following:


    GDPR Recital 35: Personal health data include the data subject

    health data which provide information on the past,
    current or future physical or mental health. These include: a
    personal data relating to a natural person which are provided to the individual in accordance with Directive 2011/24 / EU

    for the purposes of healthcare referred to in Directive (9) of the European Parliament and of the Council
    during registration or provision of such services, the natural person

    number, sign or data assigned to it for individual identification for health purposes,
    any part of the body or constituent material of the body, including genetic data and biological samples
    - information resulting from testing or examination, and any, such as the data subject

    illness, disability, disease risk, medical history, clinical treatment or
    information on its physiological or biomedical condition, whatever its source, which
    it can be, for example, a doctor or other healthcare professional, a hospital, a medical device or in vitro

    diagnostic test.


    GDPR Article 4, point 15: "health data" means the physical or mental health of a natural person
    personal data, including health care provided to the natural person
    services that also carry information about the natural person’s health

    status.


    GDPR Article 5 (1) (c): Personal data for the purposes of data processing
    they must be appropriate and relevant and limited to what is necessary
    (“Data saving”).


    GDPR Article 6 (1) (b) and (c) and (3): Processing of personal data only
    lawful if and to the extent that at least one of the following is met:

    (b) the processing is necessary for the performance of a contract to which one of the parties is a party, or
    necessary to take steps at the request of the data subject before concluding the contract;

    (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
    3. The legal basis for the processing referred to in points (c) and (e) of paragraph 1 shall be determined by:
    (a) Union law, or

    (b) the law of the Member State to which the controller is subject. 7





The purpose of the processing shall be defined by reference to this legal basis or in paragraph 1 (e)
with regard to the processing of such data, it must be necessary in the public interest or in the public interest

task performed in the framework of the exercise of a public authority delegated to a data controller
to implement. This legal basis may include adjustments to the application of the rules contained in this Regulation
provisions governing the lawfulness of data processing by the controller

conditions, the type of data which are the subject of the processing, the data subjects, the legal
with which personal data may be communicated and the purposes of such communication for the purpose of data processing

restrictions on the duration of data storage and data processing operations, as well as other
data management procedures so as to ensure lawful and fair data management
measures, including those set out in Annex IX. for other specific data management situations as defined in Chapter

for. Union or Member State law must pursue a public interest objective and be proportionate
for the legitimate aim pursued.


GDPR Article 9 (1): Processing of personal data revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, or trade union membership, and the processing of
genetic data, biometric data for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person's sex life or sexual orientation shall be
prohibited.


GDPR Article 12 (1): The controller shall take appropriate measures to provide any information
referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to
processing to the data subject in a concise, transparent, intelligible and easily accessible form,
using clear and plain language, in particular for any information addressed specifically to a child.
The information shall be provided in writing, or by other means, including, where appropriate, by
electronic means. When requested by the data subject, the information may be provided orally,
provided that the identity of the data subject is proven by other means.

Article 58 (2) (b), (d) and (i) GDPR: Each supervisory authority shall have all of the following
corrective powers:

(b) to issue reprimands to a controller or a processor where processing operations have infringed
provisions of this Regulation;
(d) to order the controller or processor to bring processing operations into compliance with the
provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, measures
referred to in this paragraph, depending on the circumstances of each individual case;

Article 83 (1) to (2) and (5) (a) to (b) of the GDPR: 1. Each supervisory authority shall ensure that
the imposition of administrative fines pursuant to this Article in respect of infringements of this
Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective,
proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in
addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58 (2). When
deciding whether to impose an administrative fine and deciding on the amount of the administrative
fine in each individual case, due regard shall be given to the following:


(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or
purpose of the processing concerned as well as the number of data subjects affected and the level of
damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor, taking into account the technical
and organisational measures implemented pursuant to Article 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and
mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular
whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58 (2) have previously been ordered against the controller
or processor concerned with regard to the same subject matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification
mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as
financial benefits gained, or losses avoided, directly or indirectly, from the infringement.


5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to
administrative fines up to EUR 20 000 000, or in the case of an undertaking, up to 4% of the total
worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects' rights pursuant to Articles 12 to 22.


Infotv. Section 2 (2): the General Data Protection Regulation shall apply with the additions
contained in the provisions indicated therein.


Infotv. Section 60 (1): in order to enforce the right to the protection of personal data, the
Authority may initiate data protection proceedings ex officio. The data protection authority
procedure is governed by the rules of Act CL of 2016 on General Administrative Procedure
(hereinafter: Act), with the additions specified in the Infotv. and with the derogations under the
General Data Protection Regulation.

Infotv. Section 61 (6): Until the expiry of the time limit for bringing an action to challenge the
decision, or, if an administrative lawsuit is initiated, until the final decision of the court, the
data involved in the disputed data processing cannot be deleted or destroyed.


Infotv. Section 71 (2): The Authority may use a document, data or other means of proof lawfully
obtained in the course of its proceedings in another procedure.


Infotv. Section 75/A: the Authority shall exercise its powers under Article 83 (2) to (6) of the
General Data Protection Regulation in accordance with the principle of proportionality, in
particular by acting, in the event of a first breach of the rules on the processing of personal data
laid down in legislation or in a binding legal act of the European Union, to remedy the breach in
accordance with Article 58 of the General Data Protection Regulation, primarily by issuing a warning
to the controller or processor.





Section 9 (2) (b) and (c) of the Government Decree (as in force between 1 July 2019 and
29 February 2020): The loan agreement contains, from the beneficiaries:

(b) a statement that they certify the completion of the 12th week of pregnancy and the expected date
of delivery with the pregnancy care book and consent to the processing of this data,
(c) a statement that, if not after the birth or adoption of the child

claim family support or, if they are claimed at a family
the child's birth certificate, official certificate proving the address and tax certificate,

or, in the case of an adopted child, the final decision authorizing the adoption, and
an official identity card and a tax certificate proving the residence of the adopted child, and
in a private document of full probative value

living in the household or, in the event of the death of the fetus, in accordance with Annex 3
a document with a specific content, in the case of stillbirth, on the examination of the dead and with the dead

or a child born alive
in the event of his death, a death certificate certifying that this has taken place, within a maximum of 60 days
presented to the credit institution and consent to the management of that data.


Government Decree § 14 (1) and (4): Beneficiaries are eligible to suspend repayment

(a) in respect of a fetus of at least 12 weeks of gestation, if the pregnancy reaches its 12th week
on or after the date of submission of the loan application and at the latest within 5 years from the
disbursement of the loan, or
(b) in respect of a child adopted jointly by the beneficiaries after the entry into force of this
Decree, if the decision authorizing the adoption becomes final after the submission of the loan
application but no later than 5 years after the disbursement of the loan.
4. An application for suspension of repayment shall be submitted to the credit institution. The
documents specified in Section 9 (2) (b) and (c), respectively, shall be attached to the application.

Section 19 (1), (2), (5), (7), (8) of the Government Decree: (1) The supported persons, if they meet
the conditions set out in paragraph (2), are entitled to a non-refundable childbirth allowance
(a) in the case of their second child, in an amount corresponding to 30% of the outstanding debt
under this Decree,
(b) in the case of their third child, in an amount corresponding to the total outstanding debt under
this Decree.
(2) Childbirth allowance
(a) may be claimed by beneficiaries in respect of a fetus of at least 12 weeks of gestation, in the
event of pregnancy occurring on or after the date on which the loan application is submitted, and
(b) may be claimed in respect of a child adopted jointly by the beneficiaries after the entry into
force of this Decree, if the decision authorizing adoption becomes final after the submission of the
loan application.
(5) An application for childbirth allowance shall be submitted to the credit institution. The
documents specified in Section 9 (2) (b) and (c), respectively, shall be attached to the application.
(7) The fulfillment of the eligibility conditions shall be established by the credit institution on the basis of the submitted certificates.
(8) Where childbirth allowance is claimed in respect of a fetus, the expected date of delivery must
be indicated when the childbirth allowance is fixed.


26/2014. (IV. 8.) EMMI Decree on pregnancy care, 1.:
the contents of a pregnancy care book.





Section 7 (2) of Act XX of 1996 on the identification methods replacing the personal identification
mark and on the use of identification codes (hereinafter: Szaztv.): A data controller that is not
authorized by law to use an identification code may use the identification code specified in § 6
only with the prior consent of the citizen in accordance with Article 4 (11) of Regulation (EU)
2016/679 of the European Parliament and of the Council, or with the consent given in the
administrative order.


The Szaztv. § 23 determines which bodies are entitled to manage the TAJ number and for what purpose.


IV. Decision:


IV.1. The need to process personal data recorded in the pregnancy care book

(28) Pursuant to Section 9 (2) (b) of the Government Decree, as in force at the beginning of the
      official proceedings, the beneficiaries must declare at the time of concluding the loan
      agreement that they will verify the completion of the 12th week of pregnancy and the expected
      date of delivery with a pregnancy care book, and that they consent to the processing of this
      data. Proof of the completion of the 12th week of pregnancy and of the expected date of
      delivery is required if the supported couple wishes to claim a benefit, i.e. the suspension of
      repayment or the childbirth allowance, in respect of a fetus of 12 weeks.

(29) Section 14 (4) and Section 19 (5) of the Government Decree provide that the application for
      suspension of repayment or for childbirth allowance must be submitted to the credit
      institution providing the baby waiting loan, and that the documents pursuant to Section 9 (2)
      (b) and (c) of the Government Decree must be attached to it. The Government Decree does not
      define how the term "submission" is to be understood: as presentation at the bank branch when
      submitting the application, or as attaching a copy of the document to the application. Given
      that Section 9 (2) (b) of the Government Decree requires proof only of the completion of the
      12th week of pregnancy and of the expected date of delivery, and that from 13 June 2020, in
      accordance with Section 9 (2) (b) of the Government Decree, these data may also be attested
      by a certificate issued by an obstetrician-gynecologist with the content specified in Annex 2,
      in the opinion of the Authority submission shall be construed in the narrower sense, as
      presentation.


(30) What data must be recorded and what data may be recorded in the course of pregnancy care is
      set out in EMMI Decree 26/2014. (IV. 8.) on Pregnancy Care (hereinafter: EMMI Regulation). In
      the pregnancy care book, in addition to the pregnant woman's natural personal identification
      data, her social security identification number, place of residence, place of stay, place of
      work, occupation, education, telephone number, and the name and address of her next of kin
      are indicated (page 1). The book also indicates data on those involved in pregnancy care,
      i.e. various details of the district nurse, the GP, the obstetrician-gynecologist or the
      midwife, e.g. name, address, phone number, email address (page 2).

(31) In addition to the expected date of delivery and the week of pregnancy in which the pregnant
      woman appeared before the obstetrician-gynecologist - from which it can be calculated when
      the 12th week of pregnancy was completed - a number of additional details are recorded in the
      pregnancy care book, some of which are health data. The pregnancy care book contains the
      pregnant woman's blood group, the risk classification of the pregnancy, and data on previous
      births and pregnancies (page 3). These data include, if the pregnant woman has already given
      birth, when the child was born, in which week of pregnancy, how many grams the newborn
      weighed, what its position was - cranial, pelvic end or transverse - whether there was any
      complication during labor, whether the delivery was vaginal - with episiotomy or perineal
      protection, or by forceps surgery or vacuum extraction - or by cesarean section, and what
      state of health the child is in at the time of admission to care for the later pregnancy.


(32) Data on 'failed pregnancies' indicate in which year, in which pregnancy, at how many weeks and
      how the pregnancy was terminated: with an artificial or spontaneous abortion, or whether the
      pregnant woman had angina or an ectopic pregnancy.


(33) In addition to the above, the book records previous illnesses and surgeries, developmental
      disorders and inherited diseases in the parents' family, drug sensitivity and test findings
      (page 4). It also records the dentist's examination findings (page 4) and the records of
      those involved in pregnancy care (pages 8-13), in which they record when, in which week of
      pregnancy, what the pregnant woman's body weight, blood pressure, heart rate, abdominal
      circumference and the position of the fundus were, as well as the symptoms observed during
      the examinations and the therapy or measure recommended for them.


(34) The pregnancy care book also includes (pages 6-7) the free, mandatory examinations under the
      EMMI Regulation - e.g. various blood tests, urine tests, ultrasound examinations, or genetic
      testing (page 14) if the pregnant woman is 37 years of age at conception - their assessment
      and any specialist comments, as well as when the first day of the last menstrual period was,
      how long a menstrual cycle usually is, and what the expected date of birth is.

(35) The Authority notes that there is no explicit section in the pregnancy care book in which it
      could be indicated when the 12th week of pregnancy was completed; it can only be calculated
      from when, in which week of pregnancy, the pregnancy was confirmed. This should or can be
      recorded in two places in the pregnancy care book: first, inside it on page 7, which is
      completed by the nurse, and on page 7, under "The ultrasound examination of intrauterine
      pregnancy", completed by the obstetrician-gynecologist performing the examination.


(36) As the Client itself acknowledged, in accordance with its general practice during the period
      considered, the Client made a copy, sometimes to varying extents, of the pregnancy care book
      of supported women who, along with their spouses, applied for suspension of repayment of the
      baby waiting loan or for childbirth allowance with reference to the 12th week of pregnancy.


(37) The Authority examined the copies of pregnancy care books provided by the Client, which showed
      that […] the practice of each account was not uniform as to the extent to which a copy of the
      pregnancy care book was made. Some […] accounts copied the entire pregnancy care book, others
      only the pages with natural personal identification data and the expected date of delivery.
      The Client also attached a copy which was made exclusively from the page of the pregnancy
      care book on which the specialist indicates the expected date of delivery. However, in
      addition to these, copies were also made which did not contain the pages on which the
      expected date of delivery was given or from which the completion of the 12th week of
      pregnancy could have been calculated.

(38) The data content of the copies of the pregnancy care books of each beneficiary varies
      depending on the personal circumstances of the spouses, the number of their children, or the
      stage of pregnancy at which they turned to the Client with an application for suspension of
      repayment or for childbirth allowance, as the more advanced the pregnancy, the more test
      results are recorded in the pregnancy care book.


(39) In addition to the data specified in the EMMI Regulation, nurses and general practitioners
      have also included individual comments in pregnancy care books, e.g. how many days the
      pregnant woman's menstrual cycle lasted at the age of 15, or until what age her first child
      was breastfed.


(40) The processing of the data listed in the above paragraphs, in particular health data, is not
      necessary for the supported persons to certify to the Client the completion of the 12th week
      of pregnancy and the expected date of delivery; i.e. the data processed by the Client in the
      copies of the pregnancy care books - excluding the expected date of delivery and the
      completion of the 12th week of pregnancy - are not appropriate for the purpose of data
      processing and are not relevant, they go far beyond the required range of data, and the
      Authority therefore concludes that the Client has violated the principle of data minimisation
      pursuant to Article 5 (1) (c) of the GDPR.

IV.2. Legal basis for the processing of personal data contained in copies of pregnancy care books

(41) Certain conditions for the use of the baby waiting loan and related benefits are set by the
      Government Decree; in addition, in accordance with Section 4 (4) of the Government Decree, a
      loan agreement may be concluded only with claimants who qualify as creditworthy for the loan
      requested under the credit institution's general internal rules.

(42) According to Section 9 (2) (b) of the Government Decree in force during the period under
      review, for the suspension of repayment and the childbirth allowance, the completion of the
      12th week of pregnancy and the expected date of delivery must be evidenced by the pregnancy
      care book if the application for the benefits is submitted to the Client before the child's
      birth.

(43) The processing of this data by the Client is necessary in order to be able to ascertain the
      eligibility of applications for benefits and to ensure that the benefits can be used; the
      processing of this data is therefore necessary to fulfill the contracts concluded between the
      Client and the beneficiaries. This is not changed by the fact that the Government Decree
      makes the processing of these data binding on the Client, within the framework of the
      contractual relationship, as a condition for the use of the benefit. Therefore, the legal
      basis for the processing of the data on the completion of the 12th week of pregnancy and the
      expected date of delivery, which are personal data of the pregnant woman, is Article 6 (1)
      (b) of the GDPR.


(44) It should also be emphasized that the fact of pregnancy is in itself health data of the
      pregnant person, including how many weeks pregnant she is and when she is expected to give
      birth. According to Article 9 of the GDPR, health data are special categories of personal
      data and their processing is, in principle, prohibited. Health data can be lawfully processed
      only if, in addition to one of the legal bases set out in Article 6 (1) of the GDPR, a
      circumstance within the meaning of Article 9 (2) of the GDPR also exists.

(45) Article 9 (2) of the GDPR does not contain an exception which would expressly allow the
      processing of health data in order to perform a contract. Under Article 9 (2) (a) of the
      GDPR, health data may be processed if the data subject has given explicit consent for one or
      more specific purposes. According to Section 9 (2) of the Government Decree, the spouses must
      expressly state in the loan agreement that they consent to the processing of data on the
      completion of the 12th week of pregnancy and the expected date of delivery; that is, the
      Government Decree apparently settles the legal basis for the processing of health data. In
      the Authority's view, it is questionable whether voluntariness, as one of the conditions of
      validity of consent, is fully satisfied in this data processing, since without the prior
      consent of the contracting party at the time of conclusion of the contract no loan agreement
      would be concluded.

(46) The Client may not review the Member State laws which govern it or act contrary to them. The
      Authority finds that in the case of spouses who wish to take advantage of the benefit
      provided for in the Government Decree with regard to their fetus, the Client lawfully
      processes the data on the completion of the 12th week of pregnancy and the expected date of
      delivery.

(47) In addition to these, the Client lawfully processes, from the data contained in the pregnancy
      care book, the spouses' natural identity and contact information and the data on the pregnant
      woman's occupation and education, the processing of which by the Client is necessary, on the
      one hand, for the performance of the contract between the Client and the spouses - including
      the credit assessment before the conclusion of the contract - and, on the other hand, to
      fulfill its various legal obligations, e.g. contributing to the prevention and deterrence of
      money laundering and terrorist financing. The Client has an appropriate purpose and legal
      basis for processing these.

(48) With regard to the pregnant woman's TAJ number included in the copy of the pregnancy care
      book, the Authority considers it necessary to emphasize that, according to the Szaztv., the
      TAJ number is an identification code that may be processed and transmitted only in accordance
      with statutory rules; that is, a data controller that is not authorized by law to use the TAJ
      number may process it only with the consent of the data subject in accordance with Article 4
      (11) of the GDPR. Section 23 of the Szaztv. also determines which bodies are authorized to
      process the TAJ number and for what purpose; however, no financial institutions are listed
      among them, nor does any other sectoral law authorize them, and the data subjects have not
      demonstrably consented to the processing of their TAJ number by the Client, i.e. the Client
      processes it without a legal basis.


(49) To the processing of the health data described in Section III.1 of the Decision, what is
      stated in point (45) applies, supplemented by the fact that for the processing of these data
      not only do none of the circumstances set out in Article 9 (2) of the GDPR apply, but the
      Client also, admittedly, has no legal basis under Article 6 of the GDPR. The pregnant women
      have not demonstrably consented to the processing of the health data in the pregnancy care
      book; these data are not necessary for the fulfillment of the loan agreement - not including
      the 12th week of pregnancy and the expected date of delivery - and their processing by the
      Client is not necessary to fulfill its legal obligation. In addition, the Client does not
      perform a task in the public interest and does not exercise public power, the data processing
      is not necessary for the protection of the vital interests of the data subjects or other
      natural persons, and the Client cannot demonstrate a legitimate interest in processing these
      data that takes precedence over the rights and freedoms of the data subjects.


(50) The findings made in the previous paragraph with regard to Article 6 (1) of the GDPR also
      apply to the personal data not mentioned so far which do not qualify as health data - who the
      pregnant woman's GP, nurse and dentist are.





(51) In the Authority's view, the Client should have recognized that the Government Decree applies
      subject to the provisions of the GDPR, and should have designed, in conjunction with that
      legislation, a prudent, proportionate data processing practice in line with the principles of
      data processing.


(52) On the basis of the above, the Authority concludes that, with the exception of the completion
      of the 12th week of pregnancy, the expected date of delivery and the data referred to in
      point (47) of the Decision, the Client did not have an adequate legal basis for processing
      any of the additional data in the pregnancy care books, including health data, thereby
      breaching Article 6 (1) of the GDPR and, as regards health data, Article 9 (1) of the GDPR.


IV.3. Necessity and legal basis for the processing of the data recorded in the final reports

(53) According to Section 9 (2) (c) of the Government Decree, as in force during the period under
      review, the supported persons must also declare, when concluding the loan agreement, their
      commitment that in the case of stillbirth or miscarriage they will present to the credit
      institution, within a maximum of 60 days, a certificate certifying that this has taken place,
      and that they consent to the processing of that data.


(54) Section 14 (4) and Section 19 (5) of the Government Decree provide that the application for
      suspension of repayment or for childbirth allowance must be submitted to the credit
      institution providing the baby waiting loan, and that the documents pursuant to Section 9 (2)
      (b) and (c) of the Government Decree must be attached to it. The Government Decree does not
      define how the term "submission" is to be understood: as presentation at the bank branch when
      submitting the application, or as attaching a copy of the document to the application.
      Section 9 (2) (c) of the Government Decree expressly provides for the presentation, not the
      copying, of the documents listed there.


(55) The Client made a copy of the final report on the miscarriage of two supported women during
      the period under review in order to verify the above. In addition to the women's natural
      identity data, the final report includes the examinations performed, the therapy used, and a
      description of the intervention performed. The information on the women's health status, the
      examinations, their results and the interventions performed, as well as the fact of
      miscarriage, are health data under Article 4 (15) of the GDPR; these are not necessary for
      certifying the fact of a miscarriage and are inappropriate and irrelevant for achieving the
      purpose of the data processing, therefore the Authority finds that by processing these, the
      Client has violated Article 5 (1) (c) of the GDPR.


(56) The Authority finds that, as explained in point (49) of this Decision, the Client did not
      have a legal basis for processing the data in the final report beyond the fact of the
      abortion and the date thereof, in breach of Article 6 (1) and Article 9 (1) of the GDPR.

IV.4. Transparency of the information on data processing during the application for and granting of a baby waiting loan

(57) The Client provides information in several different documents on the data processing carried
      out in connection with the application for the baby waiting loan and the conclusion of the
      loan agreement; these documents are easily accessible on the Client's website, under the […]
      tab, collected in a clickable form and grouped under […] addresses.





(58) The Authority examined the adequacy of the information provided by the Client on the
      processing of personal data on the basis of the following documents: […] prospectus; […]
      Prospectus (hereinafter: Data Management Information); […] (hereinafter: Application Form);
      […] (hereinafter: Business Rules).


(59) According to the Code of Conduct […], the purpose and legal basis of the processing of
      personal data, its detailed rules and the clients' data processing rights are detailed in the
      data management information provided on the website and at the bank branches. The Terms and
      Conditions do not expressly contain further information on data processing in connection with
      a baby waiting loan.


(60) The prospectus […] is of a general nature and covers the data processing of a general nature
      carried out by […] - thus also the data processing performed by the Client in connection with
      the baby waiting loan - in which it intends to provide data subjects with information on the
      aspects of the processing of their personal data.

(61) Section […] of the prospectus sets out the possible purposes of data processing by group
      members in a general way, such as "interest in a service, procedure for requesting a service"
      or "conclusion of a contract, performance of a contract". The possible legal bases for data
      processing are listed in point […]. Under the title "scope of managed data", categories of
      managed data are described, for example […].

(62) In Section […], the Data Protection Prospectus describes, in a similar way to Prospectus […],
      the possible purposes of data management, which are detailed in […].

(63) In […], the Client defines, by data processing purpose, the processed data, their "types",
      the legal basis for the processing and the retention period uniformly in connection with all
      […] services. This means that the prospectus is not broken down by individual financial
      products, e.g. mortgage loan, personal loan, baby waiting loan, family home creation
      discount, etc. As a result, every personal data item or category of personal data whose
      processing by the Client is necessary for the performance of the contract during the
      provision of some type of credit or cash loan is listed among the managed data.

(64) In the Authority's view, the definition of the purpose of data processing as "data processing
      required for the performance of a contract with the Bank" is in itself too broad, not
      specific, precise and final; it is difficult to determine what aspects of the contract and
      what related data processing it includes, because e.g. […] treats the provision of the
      service to the customer as a separate data processing purpose, although according to the
      general meaning of the words and the concept of a contract, performance of the contract is
      nothing more than provision of the service to be performed under the contract.


(65) In the Authority's view, in order for the data processing to be transparent, the Client
      should set more specific data processing purposes, such as: the purpose of processing the
      personal data concerning the 12th week of pregnancy and the expected date of delivery is
      that the Client be able to establish, or subsequently verify, the legitimacy of the claim
      where the supported persons wish to take advantage of the benefits provided for in the
      Government Decree with regard to their fetus. The Authority does not dispute that the
      suspension of repayment or the childbirth allowance is provided within the contractual
      relationship during the performance of the contract, but in the absence of a sufficiently
      specific definition of data processing purposes it is not clear to data subjects why they
      need to make some of their data available to the Client.





(66) In the Authority's view, listing the data and categories of data processed in the Data Management
      Information Sheet […] in this way does not meet the requirement of transparency either, since it
      lists approximately all personal information that the Customer processes in connection with any
      credit or loan agreement. As a result, it is difficult for those involved to ascertain exactly what
      information they will need to provide for the fulfillment of their credit or loan agreement with the
      Client, or certain aspects thereof. In the present case, for example, the Beneficiaries do not have
      to provide the Client with details of their property insurance or details of their property sold
      within five years, as these data are irrelevant to the credit they use, while, for example, fetal
      data are not relevant in a personal loan agreement. In this regard, the Authority also notes that it
      is not entirely clear exactly what data the Client understands by fetal data, as the fetus is not
      yet legal; the data on the 12th week of pregnancy and the expected date of delivery are the health
      data of the mother.

(67) In addition, the Data Protection Information Statement states as a purpose of data processing the
      fulfillment of the reporting obligation to the Hungarian State Treasury (hereinafter: MÁK).
      It does not appear from the Data Protection Information when such a reporting obligation exists
      for the Customer, or the data subjects of what kind of contract it affects.


(68) Section 26 of the Government Decree also prescribes the obligation to provide information to the
      MÁK for control purposes, and specifies which personal data of the supported persons or the child
      born the Customer must transfer. The scope of data defined in the Privacy Policy does not correspond
      to the scope of data specified in the Government Decree, e.g. the Data Management prospectus does
      not indicate the number of the supported persons' identity card, travel document or card format
      driving license as data to be transmitted [Section 26 (1) (bd) of the Government Decree].


(69) The Application Form must indicate the identity of the applicants for the baby loan, the personal
      data necessary for the credit assessment, the data of the requested loan, the statements according
      to the Government Decree which are necessary to establish the eligibility conditions, and […].

(70) Under the heading “[…]”, the Client essentially provides information in connection with the
      contract, its conclusion and conditions in a total of […] points. The statements concerning data
      processing pursuant to Section 9 (2) of the Government Decree have been inserted in point […].
      According to point […] and [consent to the processing of their personal data]. In the Authority's
      view, the Customer should have separated the privacy statements from other contractual provisions
      in the interests of transparency. Furthermore, the wording of point […] may give those concerned
      the incorrect impression that their personal data provided on the Application Form their legal
      basis for their management.

(71) In the light of the above, the information provided by the Customer in the […] prospectus, the
      Privacy Notice and the Application Form on the handling of personal data is not transparent, not
      sufficiently specific and not suitable for the persons concerned to know and see through the
      process of handling their personal data and be aware of exactly which of their personal data the
      Customer processes, for what purpose and on what legal basis. The Authority finds that the Customer
      does not provide clear and transparent information to those concerned about the baby waiting loan
      and the processing of data during the life of the concluded loan agreements
      Article 12 (1) of the GDPR

IV.5. Legal consequences

(72) The Authority finds that the Client has infringed Article 5 (1) (c) GDPR, Article 6
      Article 9 (1), Article 9 (1) and Article 12 (1).

(73) Pursuant to Article 58 (2) (d) of the GDPR, the Authority instructs the Client to delete the
      electronic copies of the pregnancy books and final reports available to it, destroy the paper-based
      copies, and duly substantiate to the Authority that it has done so.

(74) Pursuant to Article 58 (2) (d) of the GDPR, the Authority instructs the Client to restructure its
      information practice on data management relating to the application for a baby waiting loan and
      during the concluded contracts in such a way as to comply with the transparency requirements of
      Article 12 (1) of the GDPR.


(75) The Authority has examined whether it is justified to impose a data protection fine on the Client.
      In particular, the Authority considered all the circumstances of the case under Article 83 (2) of
      the GDPR. In view of the circumstances of the case, the Authority found that, for the infringements
      identified in the present proceedings, a warning - Infotv. 75 / A. § - is neither a proportionate
      nor a dissuasive sanction and therefore a fine should be imposed.


(76) In particular, the Authority took into account that the infringements committed by the Client, by
      their nature, constitute infringements falling within the category of fines in accordance with
      Article 83 (5) (a) and (b) of the GDPR.

(77) In setting the fine, the Authority took into account the following as aggravating circumstances:


       • Infringements committed by Customer are considered serious infringements as follows
          [Article 83 (2) (a) GDPR]:

                 o The infringements found - breach of the principle of data protection, processing
                     without a legal basis, and prejudice to the transparency of data processing and of
                     information - were continuous in nature, given that they persisted during the
                     period considered;

                 o The infringement affects a large number of persons concerned [Article 83 (2) (a) GDPR]:
                         ▪ the infringement committed by inadequate information on the management of
                            personal data in connection with the baby waiting loan affects all of the
                            Client's customers who have a baby waiting loan agreement or who request a
                            baby waiting loan. According to the statement made by the Client during the
                            official inspection, during the period under review, […] persons requested
                            a baby waiting loan, of which the Client has entered into a contract with
                            […] persons;
                         ▪ the unlawful processing of the health data in the pregnancy care book
                            involved a total of […] women during the study period.

                 o The subject of the present case is a financial arrangement in which the Client's
                     contractual partners are families, and women in a special life situation, who
                     come into contact with the Client during childbearing, in their most personal
                     life situation, in order to ensure the existential future of their family. From
                     the circumstances of the present case and on the basis of the attached documents,
                     the Authority concluded that processing personal and health data relating to
                     having children in such numbers, as a general practice, particularly violates
                     privacy.

       • The copies that the Customer made without a legal basis of the pregnancy books and the two
          final reports contain a significant amount of personal data that are special category
          health data [Article 83 (2) (g) GDPR];

(78) The Authority considered the following as mitigating circumstances:


       • The Client admitted that it had unlawfully handled the personal data in the copies of the
          pregnancy books - not including the 12th week of pregnancy and the expected date of
          childbirth - and ordered the erasure or destruction of the copies [Article 83 (2) (c) GDPR];

       • Customer has reviewed its applicable data management practices and terminated the copying
          of pregnancy books and final reports for the future. The introduction and application of
          sample certificates are suitable to ensure that, in the future, data which are not necessary
          to achieve the purpose of the processing and for which there is no legal basis cannot again
          be processed in the context of granting a baby waiting loan [Article 83 (2) (f) GDPR];

       • The Government Decree did not fully regulate the issues of data management; it did not
          clearly state how the data are to be handled (e.g. whether the word "presentation" means
          submission or copying), thus creating an uncertain legal situation in matters of data
          management at financial institutions providing baby waiting loans, including the Client.
          The Authority considers it necessary to note that in such a case the data controller needs
          to make its data processing decisions even more carefully, applying data protection
          legislation and in particular enforcing data protection principles [Article 83 (2) (b) and
          (k) GDPR].

(79) In imposing the fine, the Authority also took into account that the Client had not previously
      committed a relevant data breach [Article 83 (2) (e) GDPR].

(80) In imposing the fine, the Authority did not consider Article 83 (2) (d), (h),
      (i), (j), as they cannot be interpreted in the light of the specific case.


(81) The total amount of the Client's balance sheet in 2019 was HUF […] million, HUF […] million.


(82) The amount of the fine was determined by the Authority in accordance with its statutory discretion.

V. Other issues:


(83) The powers of the Authority are limited by Infotv. Section 38 (2) and (2a); its jurisdiction
      covers the whole country.


(84) The decision is based on Article 80.-81. § and Section 61 (1) of the Infotv. Pursuant to
      Ákr. 82. § (1), the decision becomes final with its communication.

(85) Art. § 112 and § 116 (1) and § 114 (1), respectively
      there is a right of appeal against an administrative action.


(86) The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of
      Administrative Litigation (hereinafter: Kp.). Pursuant to Section 12 (1) of the Kp., the
      administrative lawsuit against the decision of the Authority falls within the jurisdiction of the
      court. The General Court has exclusive jurisdiction under Section 13 (3) a) subparagraph (aa) of
      the Kp. Under Section 27 (1) (b) of the Kp., legal representation shall be mandatory in proceedings
      falling within the jurisdiction of the General Court. Pursuant to Section 39 (6) of the Kp., the
      filing of an application has no suspensive effect on the administrative act.


(87) Pursuant to Section 29 (1) of the Kp. and, with regard to this, Section 9 (1) (b) of Act CCXXII
      of 2015 on the general rules of electronic administration and trust services (hereinafter:
      E-Administration Act), applicable pursuant to Section 604 of the Pp., the Customer's legal
      representative is obliged to communicate electronically.


(88) The time and place of the submission of the application are set out in Kp. Section 39 (1). The
      information on the possibility to request a hearing is based on Kp. Section 77 (1) - (2).
      The amount of the fee for an administrative lawsuit is set out in Act XCIII of 1990 on Fees
      (hereinafter: Itv.) 45 / A. § (1). Itv. Section 59 (1) and Section 62 (1) (h) release the party
      initiating the proceedings from the advance payment of the fee.


(89) If the obligor fails to provide adequate evidence of compliance with the required obligation, the
      Authority considers that it has failed to fulfill its obligations within the prescribed period.
      According to Section 132 of the Ákr., if the obligor has not complied with the obligation
      contained in the final decision of the authority, it shall be enforceable. Pursuant to Section 82
      (1) of the Ákr., the decision of the Authority becomes final upon notification. Pursuant to
      Section 133 of the Ákr., enforcement is - unless otherwise provided by law or government decree -
      ordered by the decision-making authority. Pursuant to Section 134 of the Ákr., enforcement is -
      unless a law, a government decree or, in the case of a municipal authority, a local government
      decree provides otherwise - carried out by the state tax authority. Pursuant to Section 60 (7) of
      the Infotv., the enforcement of the decision as to the obligation to carry out a specific act, or
      to conduct, tolerate or cease specified conduct, contained in a decision of the Authority shall be
      carried out by the Authority.

    Budapest, December 16, 2020



                                                                     Dr. Attila Péterfalvi

                                                                             President
                                                                      c. professor