NAIH (Hungary) - NAIH-4667-10/2022: Difference between revisions

From GDPRhub
(changed the summary to more clearly describe most important takeaways from the case, fixed hyperlinks in the holding, changed chronological order of facts (what happened prior to filing the complaint), also no need to write a separate sentence on who the parties in the case are, it is enough to integrate it in the facts, use the term 'controller' instead of 'data controller', edited the holding to contain more relevant information on the substantive assessment; use DPA instead of Authority)
(clarified which data was provided by the processor (Holding) and changed the short summary)
Line 75: Line 75:
}}
}}


The Hungarian DPA rejected a complaint regarding the right to access a student's grade editing history in the school's grade registration system. It held that the school correctly respondend to the request.   
The Hungarian DPA rejected a complaint filed by the parents of a student regarding the access to his grade history. The DPA considered that the fact that the potential modifications of the grades in the system could not be tracked was compliant with the GDPR.   


== English Summary ==
== English Summary ==
Line 91: Line 91:
With regard to the personal data of a minor, the parent is not considered to be the data subject pursuant to [[Article 4 GDPR|Article 4(1) GDPR]]. At the same time, the parent can submit a data subject request to the controller on behalf of the minor data subject. The parent wanted to exercise this right in order to have access to the information related to the management of the grade, regarding the overwriting and deletion of the grade, based on [[Article 15 GDPR|Article 15(1) GDPR]]. The purpose was to establish the legality of the data management on behalf of the controller.   
With regard to the personal data of a minor, the parent is not considered to be the data subject pursuant to [[Article 4 GDPR|Article 4(1) GDPR]]. At the same time, the parent can submit a data subject request to the controller on behalf of the minor data subject. The parent wanted to exercise this right in order to have access to the information related to the management of the grade, regarding the overwriting and deletion of the grade, based on [[Article 15 GDPR|Article 15(1) GDPR]]. The purpose was to establish the legality of the data management on behalf of the controller.   


The DPA held that the data processor (the KRÉTA system) provided information on certain data following a request from the controller. This practice was in compliance with [[Article 28 GDPR|Article 28(3) GDPR]] since the data controller validated the data subject's request by asking for the information in question from the data processor.   
The DPA confirmed that the processor (the KRÉTA system) provided information on of the date on which the grades were entered, following a request from the controller. However, the processor could not track whether a certain grade entry was overwritten or deleted form the system. This practice was in compliance with [[Article 28 GDPR|Article 28(3) GDPR]] since the data controller validated the data subject's request by asking for the information in question from the data processor.   


The DPA found that the allegation that the personal data in question had been manipulated was not substantiated and that the controller had not committed any infringement in the course of complying with the data subject's request to access the data in question. The DPA noted that the accessed data was not provided to the data subject, not in an attempt to conceal any manipulated merits, but rather due to the fact that the requested data was not in the controller's possession yet.  
The DPA found that the allegation that the personal data in question had been manipulated was not substantiated and that the controller had not committed any infringement in the course of complying with the data subject's request to access the data in question. The DPA noted that the accessed data was not provided to the data subject, not in an attempt to conceal any manipulated merits, but rather due to the fact that the requested data was not in the controller's possession yet.  

Revision as of 10:20, 7 December 2022

NAIH - NAIH-4667-10/2022
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 10 GDPR
Article 28 GDPR
Article 28(3)(c) GDPR
Article 58(2)(b), (d), (h) of Regulation (EU) 2016/679
Directive 95/46/EC
Article 60(1) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information
Type: Other
Outcome: n/a
Started: 22.10.2021
Decided: 22.09.2022
Published:
Fine: n/a
Parties: The National Authority for Data Protection and Freedom of Information
The Minor
Primary School and Secondary School
National Case Number/Name: NAIH-4667-10/2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Leah Fielden

The Hungarian DPA rejected a complaint filed by the parents of a student regarding the access to his grade history. The DPA considered that the fact that the potential modifications of the grades in the system could not be tracked was compliant with the GDPR.

English Summary

Facts

A minor student (the data subject) alleged that his grade had been amended before the semester grading meeting without notification. The parent of the data subject requested access to his personal data contained in the eKRÉTA (Public Education Registration and Study Fund) system. This system was used by the school (the controller) to record and capture the grade history of pupils, including the data subject.

The controller failed to provide the requested personal data. However, it did ask KRÉTA (the processor) whether additional information regarding manipulation of grades can be exracted from the system and informed the parent that no such possibility existed.

Consequently, the parent of the data subject filed a complaint with the Hungarian DPA. The parent submitted that the overwriting and deletion of the data subject's grades could not be tracked on the eKRÉTA administrative interface accessible to parents. The parent proved their right of representation before the DPA with the child's birth certificate. The DPA initiated an investigation into the matter.

Holding

The DPA reitarrated, based on the definitions of the GDPR, that a subject grade is data related to the data subject's academic evaluation and should be considered personal data. Hence, any operation performed on the data is considered data processing. In the present case, the personal data was allegedly modified or overwritten at a time other than when the semester grade notice was issued to pupils.

With regard to the personal data of a minor, the parent is not considered to be the data subject pursuant to Article 4(1) GDPR. At the same time, the parent can submit a data subject request to the controller on behalf of the minor data subject. The parent wanted to exercise this right in order to have access to the information related to the management of the grade, regarding the overwriting and deletion of the grade, based on Article 15(1) GDPR. The purpose was to establish the legality of the data management on behalf of the controller.

The DPA confirmed that the processor (the KRÉTA system) provided information on of the date on which the grades were entered, following a request from the controller. However, the processor could not track whether a certain grade entry was overwritten or deleted form the system. This practice was in compliance with Article 28(3) GDPR since the data controller validated the data subject's request by asking for the information in question from the data processor.

The DPA found that the allegation that the personal data in question had been manipulated was not substantiated and that the controller had not committed any infringement in the course of complying with the data subject's request to access the data in question. The DPA noted that the accessed data was not provided to the data subject, not in an attempt to conceal any manipulated merits, but rather due to the fact that the requested data was not in the controller's possession yet.

The DPA concluded that the general data processing of the controller did not directly affect the rights or legitimate interest of the data subject. In view of this, the DPA rejected the complaint.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-4667-10/2022 (Previous: NAIH-7922/2021)
The National Data Protection and Freedom of Information Authority (hereinafter: Authority) [...] represented by [...] ([...]; hereinafter: Representative) minor [...] (hereinafter: Applicant) [...] General School, High School and [...] Vocational High School ([...]; hereinafter referred to as: Applicant) makes the following decision in the data protection authority proceedings initiated against the Applicant regarding access to his personal data contained in the eKRÉTA system:
The Authority rejects the Applicant's request.
There is no place for an administrative appeal against this decision, but it can be challenged in an administrative lawsuit within 30 days from the date of notification. The statement of claim must be submitted electronically1 to the Authority, which forwards it to the court together with the case documents. For those who do not benefit from the full personal tax exemption, the fee for the administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to file a tax record. Legal representation is mandatory in proceedings before the Metropolitan Court.
JUSTIFICATION
I. Procedure of the procedure
I.1. On October 22, 2021, the Representative submitted an application to the Authority on behalf of the Applicant, in which he initiated official data protection proceedings against the Applicant. According to the request, the institution as a data controller is not aware of the CXII of 2011 on the right to self-determination of information and freedom of information. Act (hereinafter: Infotv.) to provide the right of access to personal data in accordance with Section 14 (b), the overwriting and deletion of grades cannot be tracked on the parent-accessible or administrative interface of the eKRÉTA (Public Education Registration and Study Basic System).
The Representative requested from the Authority Article 58 of Regulation (EU) 2016/679 on the protection of personal data and the free flow of such data, as well as on the repeal of Directive 95/46/EC (hereinafter: General Data Protection Regulation) ( for measures according to points b), d), h) of paragraph 2.
CXII of 2011 on the right to self-determination of information and freedom of information to the request submitted by the Representative. Act (hereinafter: Infotv.) based on Section 60 (1) NAIH-7922/2021. On October 13, 2021, a data protection official procedure was initiated on case number.
1 The NAIH_K01 form is used to initiate the administrative lawsuit: NAIH_K01 form (September 16, 2019) The form can be filled out using the general form filling program (ÁNYK program). https://www.naih.hu/kozig-hatarozat-birosagi-felulvizsgalata
................................................... ................................................... ..............
1055 Budapest Tel.: +36 1 391-1400 ugyfelszolgalat@naih.hu Falk Miksa utca 9-11. Fax: +36 1 391-1410 www.naih.hu
Subject: decision rejecting the application
     
2
I.2. The Representative responded to the Authority's order to fill in the gaps in a letter filed under NAIH-7922-4/2021, received on November 26, 2021, in which he confirmed his right to represent the applicant's minor child and clarified the request.
I.3. The Authority NAIH-7922-5/2021. number, in its order issued on December 7, 2021, it called on the Applicant to answer the questions asked in order to clarify the facts and to verify its answers.
I.4. The Respondent's response was received on December 14, 2021 and is NAIH-7922-6/2021. was registered.
I.5. On April 8, 2022, the Authority issued the Applicant NAIH-7922-6/2021. requested the Applicant to send the certificate or statement referred to in letter no. (NAIH-4667-1/2022).
I.6. The Respondent responded to the order in a letter received on April 21, 2022 (NAIH-4667- 2/2022).
I.7. In its order dated May 23, 2022, the Authority called on the Applicant to send documents and make a statement (NAIH-4667-3/2022)
I.8. The Respondent's response was received electronically on June 1, 2022 (NAIH-4667-4/2022), and was also sent by post with an arrival date of June 7, 2022
I.9. The Authority notified the clients of the completion of the proof procedure on July 22, 2022.
I.10. The Applicant exercised his right to inspect the documents on August 30, 2022, and did not comment on the documents he had seen.
II. Clarification of the facts:
II.1 In the application, the Representative submitted that the overwriting and deletion of grades cannot be tracked on the administrative interface of the eKRÉTA system accessible by parents.
According to the documents attached to the application - the letter addressed by the Representative to the Information Department of the Central Customer Service of the Education Office on July 6, 2021 - the Applicant's semester notice for the 2020/2021 academic year dated January 27, 2021, was listed as a major in history. At the end of the year, he received a good grade with an average of 4.6. After verbally contacting the head of class, they learned that the semester notice had mistakenly included a semester history ticket that was printed before the semester grading meeting, while the ticket was amended after the semester grading meeting, it was corrected on January 20, 2021. They were not notified of the amendment, and no record was made of the fact of the amendment. The tickets received by the Applicant in the second semester were not included in the eKRÉTÁ.
In order to investigate the matter, the Deputy Director of Education of the Respondent was contacted orally, and the dialogue also took place electronically. In doing so, they requested an investigation of the date on which the marks were entered, because the screenshot obtained from the KRÉTA system shows the date on which the semester evaluation was entered, not the day on which it was entered. During the consultation, they were given a screenshot that now shows not only the date of the entry (on which day it was entered), but also the date of recording (the actual entry). Then they missed that the answer did not show whether a ticket was overwritten or a ticket was deleted from the system, and they said that they do not consider eKRÉTA closed
 
3
their suspicions regarding its manipulation, and requested the formation of an independent committee of experts.
The Respondent's reply letter informed them that the Respondent had made a request to eKRÉTA Informatikai Zrt. (1111 Budapest Budafoki u. 59.), which operates eKRÉTA. According to the Respondent, no additional information can be extracted from the system apart from the previously sent data. The parents did not receive an answer to their question regarding the possible cancellation of grades, according to the Respondent's answer, "no information can be obtained from the system about the modification of grades or its date." The Representative requested the sending of the error ticket submitted by the Respondent to the eKRÉTA operator. According to this, the eKRÉTA customer service gave the above answer to the question, "Is it possible to see somewhere how many times a grade is overwritten by a teacher, as currently only the time when it was last entered is visible", so that regarding the modification of grades, no information can be retrieved from the system.
In parallel with all of this, on June 30, 2021, the Representative also made a request to the customer service of eKRÉTA Informatikai Zrt., where he asked to send a chronological table (ordered according to the date of entry) regarding the Applicant's history notes
• the serial number;
• recording date;
• name of recording user;
• on which date the ticket was issued, or if a half-yearly or annual evaluation was entered (other than a
recording date);
• the number of the evaluation;
• the type of evaluation (ticket – with a single multiplier, paper – with a double multiplier;
half-year evaluation, annual evaluation);
• whether another grade, paper, semester or year was overwritten with this entry
evaluation? (Yes No);
• if an overwrite occurred, which serial number entry was overwritten;
• has the ticket, paper, semester or annual evaluation been deleted? (Yes No);
• name of the deleting user;
• data deletion date.
Furthermore, if the system logs the printing of the registered grades by the school regarding the Applicant's data, he separately requested that the date of printing and the name of the printer user be sent to him.
After the positive feedback by phone, the Representative received a written response from eKRÉTA Informatikai Zrt. on July 1, 2021 rejecting their data request. According to the answer, these can be requested from the public education institution if they make it available, and some of the requested data can be accessed by entering the e-Check module as a parent or student in the Classes menu, by clicking on the downward arrow before the name of the subject.
After the above, the Representative made the statement that the Respondent was unable to ensure the Applicant's right of access with regard to personal data.
Following the Authority's request to fill in the gaps, the Representative sent a copy of the correspondence with the Application and the maintainer. In the context of the description of the specific situation that created the alleged violation, the overwriting and deletion of the Applicant's grade marked the lack of access and traceability by the parent, according to which the Applicant did not fully provide the Representative with access to the Applicant's history subject data on the eKRÉTA interface. In filling the gaps, he stated that, following the request sent to the maintainer on August 18, 2021, November 2, 2021
 
4
I received an answer, so the deleted or overwritten grade as personal data was only accessible after a lengthy investigation.
The Representative requested that the Authority act in accordance with points b), d), h) of Article 58 (2) of the General Data Protection Regulation, i.e.
b) condemn the data controller or data processor if its data management activities violated the provisions of this regulation, because the data processor handed over to the data controller a program that does not fully ensure the applicant's representative can find out the grades as personal data, specifically who made changes to the grades , who deleted the grade when, (this is a systemic problem that affects not only the applicant, but all children and their parents who are required to use eKRÉTA);
d) instructs the data controller or the data processor to bring its data management operations into line with the provisions of this regulation in a specified manner and within a specified time, i.e. to correct the eKRÉTA program so that the representatives of the children and the children are also the identified entry into the program after that, they can fully learn about their personal data regarding grades, specifically, who, when, what grade was entered, who and when modified the grade, who and when deleted the grade;
h) withdraws the certificate, or instructs the certification body to withdraw the certificate issued in accordance with Articles 42 and 43, or instructs the certification body not to issue the certificate, if the conditions for the certification are not or are no longer met, i.e. if the data processor does not modify the eKRÉTA system in accordance with the criteria listed in point d) within the deadline set by the NAIH, then withdraw or instruct the certifying organization to withdraw the issued certificate.
II.2. In his statement given during the clarification of the facts, the Respondent presented in chronological order the measures taken during the settlement of the dispute between the Representative and the Respondent.
The first request of the Representative, submitted on behalf of the Applicant, related to the contested case, was received by electronic mail on June 21, 2021, at which time he asked the deputy director of education of the institution to make the related modifications in the KRÉTA system and the grade recorded in the Applicant's certificate for the end-of-year history subject. please review.
In his e-mail sent on June 23, 2021, the Deputy Director of the Applicant informed the Representative that he had investigated the circumstances of the evaluation, explained the reason for the amendment of the semester mark, and how the end-of-year grade was formed.
In the reply sent by e-mail on June 24, 2021 at 10:19 p.m., the Representative requested the date of entry or modification of all the marks received by the Applicant for the subject of history, including the examination of his semester evaluation and the sending of screenshots of the date of the actual entries, to be completed by the Dated June 30, 2021.
On June 24, 2021, at 11:45 p.m., the Deputy Director of the Respondent responded to the Representative's request by email and provided information that he entered the system and took the requested photo, which he attached to his letter. He also noted that the history teacher on January 20, 2021 approx. sealed the tickets of a hundred students, and in this case "clicked next".
  
5
In his reply sent on June 29, 2021 at 12:50, the Representative objected that one of the screenshots received is the same as what they see, while the other screenshot shows what they first requested, but it also does not show whether it happened overwriting, if so, when and whether a ticket was deleted from the system. In addition, they voiced the fact that they do not consider their suspicions regarding the eKRÉTA manipulation closed, requested the appointment of an objective expert committee to investigate the case, and put forward the prospect of turning to the Commissioner of Education Rights, if no progress is made in the case by the deadline he specified.
Subsequently, on June 29, 2021, at 2:45 p.m., the head of the institution informed the Representative in an electronic mail that it was not possible to set up an expert committee after the end of the school year's diligence period, and at the same time sent the eKRÉTA operator's response to the institution's request, according to the screenshot sent too much information cannot be extracted from the system. He also recorded that the information that can be extracted from the admin interface of the e-diary application is clear and documented with screenshots. These clearly show the date of the entry (the school day in connection with which the entry was made) and the recording date (the time when the entry was recorded in the e-diary). Finally, he informed the Representative that he considered the matter closed.
In his response to the Authority, the Applicant outlined the circumstances of the incorrect entry of the ticket, which were discovered during the investigation initiated by the parents. According to this, the head of the class finalized the semester notice based on an extract printed before the grading meeting in KRÉTÁ, in which the student's history grade was marked based on a wrong entry. According to the information received from the specialist teacher, the Applicant had just achieved a good result in the subject, but the teacher had entered dozens of marks in the KRÉTÁ on the day of the recording, so he made a mistake and accidentally clicked on the mark. He already noticed his mistake at the classification conference, and he corrected it in KRÉTÁ, but unfortunately the mark was included in the printed copy. The parent admitted that his child's performance in the first semester was good, but claimed that during the second semester he was in the system. Although he could not prove this, according to the head of the institution, he thereby accused the institution of falsifying the entry in the diary.
The parents wanted to prove their claim with screenshots, which were sent to them by the Respondent in the form available to them, and the administrative error was noticed and corrected in time. Therefore, the Requested took a screenshot of the data available to them in the system, of the entries visible on the admin interface, and their dates, and sent them to the parents, at the same time they also requested a technical opinion from the company operating the system. The operator's answer was then presented to the Representative, according to which, in addition to the information already provided, the institution cannot more accurately decipher the information related to the management of the diary, which the parent lacked.
The question asked in the referenced resolution is exactly: "My question is, is it visible somewhere how many times the teacher overwrites a ticket. Currently, we only see (that we know of) the last time you typed. "
Answer given by [...] (eKRÉTA) on June 29, 2021 at 1:48 p.m.:
"Dear [...]. Thank you for your inquiry. We can give you the following answer to your question: Information about the modification of grades and its date cannot be retrieved from the system. [...]"
According to his statement, the Applicant only found out after that that the Applicant was the EMMI (Ministry of Human Resources Public Education-Administrative

6
Department) - to which the Office of Education directed the Applicant based on his complaint cited above - in accordance with his reply dated August 10, 2021, he turned to the maintainer.
According to this response from EMMI, "The [...] Primary School, High School and [...] Vocational High School (hereinafter referred to as the Institution) are maintained by [...]. The maintainer is obliged to investigate the observation and complaint related to the Institution's procedure towards the student and parent, and must inform the person concerned about the result.
The Government operates the KRÉTA system through the Klebelsberg Center in relation to the state maintainers, however, the Klebelsberg Center has no information regarding the agreement between eKRÉTA Informatikai Zrt. and the ecclesiastical legal entity maintainer of the Institution, i.e. what modules and what functions are used.
In the KRÉTA system, any operation with data (entry, modification, deletion) - and its characteristics (which user, from which IP address, when the operation was performed) - is logged in a retrievable way, on which detailed information is provided by the development company and the maintainer upon request. for".
On October 6, 2021, the maintainer requested information from the Applicant about the circumstances of the case - when the good grade in the semester certificate was entered into the KRÉTA system and when it was corrected - and about the steps taken to clarify the matter.
The Respondent gave an answer to the maintainer the same day, the description of the circumstances of the case was the same as what was contained in their answer to the Authority, they also referred to the answer of the company operating the e-diary, according to which they, as an institution, cannot more precisely decipher the information related to the management of the diary requested by the parent , as sent to them. He forwarded to them the correspondence with the Representative and informed them that at the beginning of the new school year, they were informed that the Applicant's student status at their institution had been terminated, that the Applicant's parents had taken him out of the school, and that the employment of the history teacher involved in the case had also been terminated.
According to the documents sent to the Authority and attached to the Respondent's response, on October 7, 2021, the maintainer requested information from the operator of eKRÉTA about all the history tickets entered by the Applicant in the 2020/2021 school year, the date of entry of the tickets and the date of possible correction, the request was made with the above letter from EMMI supported it.
The employee of eKRÉTA Informatikai Zrt. sent the requested information as an attachment to an email on October 14, 2021 to the maintainer, according to eKRÉTA Informatikai Zrt.'s letter dated October 8, 2021, in the Applicant's KRÉTA branch in the 2020/2021 academic year, 11 grades from the history subject were recorded, on which no changes were made and they were not deleted, and presented in tabular form the grades received, the date they were entered, the name of the person recording the grade and the date on which the given grade was recorded, in italics those where the grade was recorded day differs from the day on which the ticket was recorded.
In response to this letter, the maintainer informed the operator on the same day, October 14, 2021, that the content of their letter contradicts what the parents claim, because the printed certificate shows a clear semester grade, so it is clear that a modification has been made.
The new letter sent to the maintenance department of eKRÉTA Informatikai Zrt. is dated October 19, 2021, in which it is stated that what was contained in their previous letter - that there was no change in the student's marks - was wrongly stated without examining the log data thoroughly, for which we apologize I'd ask for. In the KRÉTA system, when logging in with the user account of the history teacher, on February 03, 2021 at 13:14:16, a good grade was recorded for the student with the date of that day. At that time, the recorder could see both the student's average and the previously recorded semester mark, which was still visible at that time.
  
7
volt. 17 seconds after that, on February 03, 2021 at 13:14:33, the user changed the value of the semester ticket to a good rating.
In a letter dated November 2, 2021, the operator informed the Representative about the content of both letters from eKRÉTA Informatikai Zrt., and summarized that the requested information was only established for the operating company as a result of a deeper, more thorough, more comprehensive investigation. They maintained their position that from the time they learned about the case, they investigated everything to the best of their ability and reported back to those involved based on the information they could find out.
II.3. The Authority NAIH-4667-1/12022. on April 21, 2022, the Applicant sent the NAIH-7922-6/2021. the certificate referred to in their answer, in which the operator of eKRÉTA declares whether the institution has access rights to the logged data in question. The operator's statement is dated December 15, 2021, and in it the CEO of eKRÉTA Informatikai Zrt., who is authorized to register, states that "eKRÉTA Informatikai Zrt. has access rights to log files related to users' use of the KRÉTA system, with the fact that eKRÉTA Informatikai Zrt. upon the written request of the institution using the KRÉTA system and/or the institution's maintainer, the diary files will be released".
The Respondent stated again that their institution does not have direct access to the data, this is supported by the previously sent documents, and their institution provided the Representative with all available information about the data they had access to within the deadline.
Regarding the statement of eKRÉTA Informatikai Zrt, the Respondent noted that it is inaccurate in several details - both in form and content - and does not fully correspond to reality, as the previously attached documents prove their position that the institution has no access to the data in question to access. Only at the written request of the maintainer, after several attempts, did the operator manage to provide data, which data was immediately made available to the Representative by the maintainer after consultation with the Requester.
II.4. The Authority requested the sending of a copy of the operating or business contract entered into by the Applicant or the maintainer with eKRÉTA Zrt for the use of the KRÉTA system, or - if they have one - a copy of the data processing contract affecting the KRÉTA system, as well as a statement that who decided that the institution uses the KRÉTA system
In his answer, the Respondent provided information that the decision regarding the use of the eKRÉTA system is required by the vocational training agreement concluded in order to ensure the vocational high school training at the school, and the Ministry of Innovation and Technology obliged the maintainer to use it in the vocational training agreement. In 2020, due to a change in legislation, a new agreement was concluded with the Ministry of Human Resources, point 5 of which still includes the obligation to use eKRÉTA. The Applicant attached a copy of the vocational training agreements.
According to his further statement, they tried to find the contract concluded with eKRÉTÁ, but could not find it. Although they contacted the system operator electronically in 2019, they did not receive an answer regarding the remuneration and conclusion of the contract, and in the meantime they were provided with the use of the system free of charge. The Respondent attached a copy of this correspondence to its response.

8
In order to comply with the Authority's order, on May 26, 2022, they contacted eKRÉTA Zrt, which operates the system, in order to receive a copy of the contract, but on May 30, 2022, they were informed that they did not have an individual contract, that the National It is provided to them in the framework of a public procurement contract concluded with the Office of Vocational and Adult Education (NSZFH). They requested this contract by mail, to which they received the reply on May 31, 2022 that they were unable to send it due to their confidentiality obligation, so they should contact the other contracting party. According to the Applicant's information, on the website of the NSZFH, under the public interest data menu item, under the "Contracts concluded through public procurement" section, the visitor is greeted with "Uploading...Soon" content.
III. Legal provisions applicable in the case:
For data processing under the scope of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, as well as on the repeal of Directive 95/46/EC (hereinafter: general data protection regulation), the information CXII of 2011 on the right to self-determination and freedom of information. Act (hereinafter: Infotv.) Section 2 (2), the general data protection regulation must be applied with additions in the provisions indicated there.
The General Data Protection Regulation
According to point 1 of Article 4, "personal data": identified or identifiable natural
any information relating to a person ("data subject"); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable;
According to point 2 of Article 4, "data management": any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication by means of transmission, distribution or other means of making available, coordination or connection, restriction, deletion or destruction;
Pursuant to Article 4, point 7, "data controller": the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by EU or member state law, the data controller or the special aspects regarding the designation of the data controller may also be determined by EU or member state law;
Pursuant to Article 4, point 8, "data processor": the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller;
According to recital (63) of the General Data Protection Regulation: The data subject has the right to access the data collected about him and to exercise this right simply and at reasonable intervals in order to establish and check the legality of the data management. [...]
Pursuant to Article 12 of the General Data Protection Regulation:
(2) The data controller facilitates the relevant 15-22. the exercise of his rights according to art. The 11.
in the cases referred to in paragraph (2) of Article 15-22, the data controller you may not refuse to fulfill your request to exercise your rights according to Article, unless you prove that you are unable to identify the person concerned.
 
9
(3) The data controller shall inform the data subject without undue delay, but in any case within one month of the receipt of the request, in accordance with Articles 15-22. on measures taken following a request pursuant to Art. If necessary, taking into account the complexity of the application and the number of applications, this deadline can be extended by another two months. The data controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month of receiving the request. If the data subject submitted the request electronically, the information must be provided electronically, if possible, unless the data subject requests otherwise.
(4) If the data controller does not take measures following the data subject's request, it shall inform the data subject without delay, but at the latest within one month of the receipt of the request, of the reasons for the failure to take action, and of the fact that the data subject may file a complaint with a supervisory authority and take legal action with his right of redress.
According to Article 15 of the General Data Protection Regulation:
(1) The data subject is entitled to receive feedback from the data controller regarding
whether your personal data is being processed and, if such data processing is underway, you are entitled to access your personal data and the following information:
a) the purposes of data management;
b) categories of personal data concerned;
c) recipients or categories of recipients with whom or with which the personal
data has been or will be disclosed, including in particular third-country recipients and international organizations;
d) where appropriate, the planned period of storage of personal data, or if this is not possible, the criteria for determining this period;
e) the right of the data subject to request from the data controller the correction, deletion or restriction of processing of personal data concerning him and to object to the processing of such personal data;
f) the right to submit a complaint addressed to a supervisory authority;
g) if the data were not collected from the data subject, all available information about their source;
h) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including profiling, as well as, at least in these cases, comprehensible information about the logic used and the significance of such data management for the data subject what are the expected consequences.
(2) If personal data is transferred to a third country or to an international organization, the data subject is entitled to receive information about the appropriate guarantees in accordance with Article 46 regarding the transfer.
(3) The data controller shall make a copy of the personal data subject to data management available to the data subject. For additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. If the data subject submitted the request electronically, the information must be provided in a widely used electronic format, unless the data subject requests otherwise.
(4) The right to request a copy referred to in paragraph (3) may not adversely affect the rights and freedoms of others.
Pursuant to Article 28 of the General Data Protection Regulation: The data processor
(3) The data processing carried out by the data processor shall be governed by a contract or other legal act established on the basis of EU law or Member State law - defining the subject, duration, nature and purpose of data processing, the type of personal data, the categories of data subjects, and the obligations and rights of the data controller must regulate, which binds the data processor vis-à-vis the data controller. In particular, the contract or other legal act stipulates that the data processor:
e) taking into account the nature of the data management, with appropriate technical and organizational measures, helps the data controller as much as possible to fulfill

10
obligation of the concerned III. with regard to responding to requests related to the exercise of your rights contained in chapter;
20/2012 on the operation of educational institutions and the use of names of public educational institutions. (VIII. 31.) The relevant provisions of the EMMI Decree:
§ 94. The form used by the school
11. the class diary,
§ 101. (4) The class diary
a) progress and failure, and b) evaluator
contains a diary section.
(6) The assessment diary section
a) the student's name, place and time of birth, address, education identification number,
your social security number, mother's birth name and contact information, father's or legal representative's name and contact information,
b) the student's journal number, master sheet number,
c) the subjects studied and their assessment broken down by month, as well as the semester and end-of-year text assessment and grades,
d) contains data related to the performance of community service.
CXC of 2011 on national public education. Act (hereinafter: Nkt.): § 41. (4) The public education institution keeps the following data of the child or student:
e) data related to the student relationship:
eb) evaluation and qualification of the student's behavior, diligence and knowledge, exam data,
§ 57 (6) school forms - with the exception of the end-of-year certificate and the certificate issued for completion of the state exam - can be prepared and stored electronically using the system approved by the minister responsible for education, while maintaining privacy, data protection and security requirements. The form on which the certificate is issued must also be produced in printed form in this case and must be kept.
The relevant provisions of Act V of 2013 on the Civil Code (Ptk.):
2:43 a.m. § [Named personality rights]
It means a violation of personal rights in particular
e) violation of the right to privacy and protection of personal data;
2:54 a.m. § [Enforcement of personal rights]
(1) Personal rights can be asserted personally.
4:161. § [Legal representation of the child]
(1) It is the right and obligation of parents exercising parental supervision that their child
represent him in his personal and property matters.
Infotv. According to § 60, paragraph (1), in order to assert the right to the protection of personal data, the Authority initiates a data protection official procedure at the request of the data subject.
Infotv. Section 60
In the absence of a different provision of the general data protection regulation, the official data protection procedure initiated on the request shall be governed by CL. 2016 on the general public administrative order.
 (2) for the initiation of official data protection proceedings
 request in the case specified in Article 77 (1) of the General Data Protection Regulation
 can be submitted.

11
Act (hereinafter: Act) shall be applied with the exceptions specified in Infotv.
The Akr. According to Section 35 (1), a request is a declaration by the client, with which he requests the conduct of an official procedure or a decision of the authority in order to assert his right or legitimate interest.
The Akr. According to § 35, paragraph (3), the client may dispose of his request until the decision on the matter becomes final.
The Akr. According to Section 62 (4), the authority freely chooses the method of proof and evaluates the available evidence according to its free conviction.
ARC. The Authority's decision, the evidence taken into account and its evaluation
III.1. In accordance with the contents of the application, the Authority examined whether the Respondent fulfilled the Applicant's request for access to the Applicant's 2020/2021 application in the KRÉTA system. regarding the data regarding the overwriting and modification of the semester history mark of the academic year.
IV.1. Establishing the procedural rights of the Representative
The Authority first examined the Representative's procedural rights in the requested case.
Based on the definitions of the General Data Protection Regulation, the child's subject grade as data related to the child's academic evaluation is considered the child's personal data, and any operation performed on the data is considered data processing. So, the child's information is the grade he was given in the given subject in the semester notice, and this information does not change in the basic case. In the present case, the data has changed, it was modified or overwritten at a time other than when the semi-annual notice was issued. According to the Authority's point of view, the data management operation that caused the discrepancy between the two data is also considered information concerning the child.
Infotv. Based on Section 60 (2) and Article 77 (1) of the General Data Protection Regulation, data subjects may request the initiation of official data protection proceedings due to the violation of their rights contained in the General Data Protection Regulation.
With regard to the personal data of the minor child, the parent is not considered to be the data subject pursuant to Article 4, point 1 of the General Data Protection Regulation. At the same time, the parent can submit a data subject request to the data controller on behalf of the minor data subject. A request for the conduct of a data protection official procedure can also be submitted to the Authority by the data subject, the person concerned by the data management – in the case of a child, his or her representative.
The Civil Code § 2:43 point e) refers to the protection of personal data as a personal right. The Civil Code 2:54 a.m. According to § (1), personality rights can be asserted personally, which can therefore be exercised by the person concerned, and the Civil Code. 2:14 a.m. §, the minor's legal representative can act on behalf of the minor, so he also exercises the right of access to the child's data - detailed in Article 15 of the General Data Protection Regulation. In the case of the minor's legal representative's parents, the Civil Code 4:161. pursuant to §, the parent exercising parental supervision. In the case of the concept of parent, the GDPR uses the practitioner of parental supervision.
In the institutional system of data protection, the function of the right of access is to check the legality of data management, as stipulated in the General Data Protection Regulation (63)
  
12
its preamble explains, so that the data subject must make sure that his/her data is being processed, and during this process check the conditions of data processing. Regarding the purpose of the right of access, Kúria issued on June 10, 2020, Kf.VI.39.065/2020/5. s. decision also confirmed this argument: Pursuant to paragraph (63) of the preamble of the GDPR, the data subject has the right to access the data collected about him and to exercise this right simply and at reasonable intervals in order to establish and check the legality of the data management. Based on the above provisions, the essence of the right of access is therefore that the data subject receives information about the processing of his personal data in order to establish and control the legality of the data processing. The data subject is not obliged to justify his request for access to his personal data in detail, regarding the basis, but it must be clear from the request that the purpose of the data subject is to exercise his right to access, that is, to obtain information in order to establish and check the legality of data processing.
As a legal representative, the Representative wanted to exercise the rights of the affected person on behalf of the minor's child, thus, acting on behalf of the minor, he wanted to have access as a affected person to the information related to the management of the grade, regarding the overwriting and deletion of the grade based on the provisions of Article 15 (1) of the GDPR. The purpose of this was to establish the legality of the data management, by means of information on the fact of the modification (overwriting, deletion) of the data relating to the subject evaluation of the child and its time. He proved his right of representation before the Authority with the child's birth certificate.
The Authority established the Representative's right of representation regarding the enforcement of the Applicant's rights as a stakeholder, as well as the initiation of the related data protection official procedure.
IV.2. Determining the identity of the data controller
Based on the information presented above, the Applicant's subject grade as data related to the evaluation of the child is personal data, and any operation performed on personal data is considered data management. Thus, recording, modifying, overwriting, or deleting the given grade is considered data management.
And the data controller according to Article 4, point 7 of the General Data Protection Regulation, who has substantive decision-making authority as defined therein - the purpose and means of data management can also be determined by national law - and is also responsible for fulfilling the legal obligations related to data management. Thus, among other things, the data controller must satisfy the data subject's demand for the exercise of rights [general data protection decree 12-23. article].
The public education institution collects the data on the student's assessment in accordance with the domestic law, Nkt. It is managed on the basis of Section 41 (4) point e) subpoint eb), the institution is considered a data controller with regard to the data relating to the student's evaluation.
In this case, the electronic registration of the data relating to the assessment is carried out via the KRÉTA system. 20/2012. (VIII. 31.) EMMI decree designates it as a mandatory form for public education institutions, and prescribes the use of the class diary. The law does not contain any regulations regarding the design, form, or content of the form, so there is no public education legal obstacle to the introduction of an electronic class diary. Nkt. The system corresponding to paragraph (6) of § 57 is the Public Education Registration and Study Basic System - CRETE.
The public education institution managing the data evaluates the child's subject performance in the form of a grade and records the given grade in the electronic diary. This investigation
   
13
in this case, the Respondent meets the conditions set out in the data controller's conceptual definition, because he recorded the Applicant's grade in the electronic diary and then modified it at a different time, accordingly, he is also responsible for fulfilling the data subject's access request.
According to the General Data Protection Regulation, a data processor is someone who processes personal data on behalf of the data controller, but who does not have substantive decision-making rights regarding data management.
The operator of the KRÉTA system is eKRÉTA Informatikai Zrt. (1111 Budapest Budafoki u. 59.) with regard to the data managed in the system, according to the Authority's determination, it is considered a data processor, since its task, as stated in the referenced information and on the https://ekretazrt.hu/ website, is to Parameterization, development and product support of the KÉRETA system.
According to the publicly available data protection information of the KRÉTA system - https://tudasbazis.ekreta.hu/pages/viewpage.action?pageId=4064926 - the public education institution is the data controller.
"The Data Controller is the 2011 CXC on national public education. Act (hereinafter: Nkt.), and Act XXXIII of 1992 on the legal status of public employees. under the law, in all cases the institution." [...] "eKRÉTA Informatikai Zrt. does not perform data management activities, its task is to develop and support the operation of the KRÉTA system."
In the present case, the Authority did not examine the possible existence of joint data controller status – in view of the role of the maintainer and the ministry responsible for public education – since the Respondent as a public education institution is definitely considered a data controller. The Authority draws the legislator's attention to the problems identified in the data management issues of the KRÉTA system - detailed below - by means of a recommendation.
IV.3. Handling the access request
The Applicant requested access to the data recorded in the electronic log before the Respondent.
The Applicant submitted his request, which is considered an access request, on June 24, 2021, to which the data controller had a one-month response period based on Article 12 (3) of the General Data Protection Regulation, and the reason for the non-fulfilment of the request according to paragraph (4) had to provide information.
The Applicant responded to the request on the same day, June 24, 2021, which contained a copy of the data that the Applicant had at that time, i.e. on which date the given grade was recorded and on which day it was recorded. He did not provide information about who changed the grade and when, because according to his statement, he did not have this information at the time of completing the request.
All the documents from different sources attached to the application and obtained in the evidentiary procedure unanimously attest that the additional information requested by the Applicant - who modified the disputed ticket and on what date - was not handled by the Respondent at the time the access request was submitted to him, and he did not have access to it had, so he could not fulfill the request for access to this data under his own authority.
   
14
The Requested asked the customer service of the data processor eKRÉTA Informatikai Zrt. in order to provide the requested information and fulfill the access request - "is it possible to see somewhere how many times a ticket is overwritten by the teacher. At the moment, we only see (we know about this) the last time you entered it" - and then on June 29, 2021, you received a reply from the data processor that this data cannot be extracted from the system - "It is not possible to extract information about the modification of grades and its date information from the system."
Based on all of this, it was established that at the time of the submission of the access request - June 24, 2021 - the Respondent did not manage the information to which the access request was directed.
According to Article 15 (1) of the General Data Protection Regulation, the data controller must provide access to the data that is under its management at the time of the request, which data management is "in progress".
According to the information provided by the customer service of eKRÉTA Informatikai Zrt., which operates the system, on June 29, 2021, the requested data, the information regarding the overwriting or cancellation of the ticket, was not even managed by the data processor.
It is clear from the correspondence between the operator of the Requested Party and eKRÉTA Informatikai Zrt. between October 6, 2021 and October 19, 2021 that the data processor provided the requested information on October 19, 2021, so it was established that the data processor provided the requested information on June 29, 2021 i, the information provided to the Respondent did not correspond to reality. In the same way, the information given by eKRÉTA Informatikai Zrt to the Representative on July 1, 2021, according to which the requested log data can be made available to the public education institution managing the data, did not correspond to reality, since the information sent to the administrator on October 19, 2021 according to the letter, only the data processor could provide these data.
Since the Requested data controller did not handle the data affected by the access request at the time of submitting the access request, it took measures towards the data processor within the set deadline in order to fulfill it, and then, based on the information received, it was aware that it was not possible to provide the requested data, thus the Requested did not violate the provisions of the General Data Protection Regulation regarding the fulfillment of the access request, so this part of the Requester's request was rejected.
With regard to the data available to him, the Respondent completed the access request within the deadline stipulated in the general data protection regulation - in fact, on the day of the submission of the request. With regard to the additional data, he requested the cooperation of the data processor, and due to its negative response, he did not see the further fulfillment of the request as feasible, and he informed the Representative of this. In this regard, according to the Authority's point of view, the Applicant is not charged with negligence either - if, to his knowledge and according to the information received, the requested information cannot be retrieved from the system, no further action on his part was justified.
During the subsequent procedure, the maintainer received the requested data after receiving a response from the data processor for the first time with content that did not contain the information in question in accordance with reality, so the fulfillment of the access request with regard to the requested information was not part of the procedure of the maintainer and data processor either it can be said to be a mature practice, which also reduces the responsibility of the Respondent.
IV.4. Cooperation of the data processor
According to the revealed facts and the testimony of the attached documents, the information provided by the company operating the system and the public administrative body providing supervision was also not the same
 
15
in terms of how access to the requested data can be ensured. According to EMMI's information dated August 10, 2021, eKRÉTA Informatikai Zrt., which operates the KRÉTA system, provides information on the requested data at the request of the operator, while based on the operator's statement dated December 15, 2021, the public education institution or its operator can also request the data service concerning the data of the log files, to which the operator eKRÉTA Informatikai Zrt. has access.
The latter qualifies as a practice in accordance with the General Data Protection Regulation, since the duty of the data controller - and not its maintainer - is to validate the data subject's requests, the fulfillment of which is assisted by the data processor in accordance with Article 28 (3) point (e).
In the event of the use of a data processor, in accordance with the provisions of the agreement pursuant to Article 28 of the General Data Protection Regulation, the method of ensuring the exercise of the rights of the data subject must also be covered.
According to the facts revealed in the present case, the Respondent was obliged to use the eKRÉTA system due to the form of training he provided, but he did not have a contract for the use of the system either - he was not individually obliged to conclude such a contract, because the Zrt to use the system had the NSZFHI was entitled as part of the public procurement contract concluded with - nor with a data processing contract.
It is clear from the request and the correspondence that substantiates it that the Applicant primarily criticized the Respondent's procedure, that the Respondent "manipulated" the grade data in the KRÉTA system, and that his procedure was aimed at revealing and verifying this before the Respondent.
This suggestion was not substantiated, the Authority found that the Requested did not commit a violation during the fulfillment of the request, did not manage the data affected by the access, was unable to provide information about it, and took the necessary measures to fulfill the request. The Requested Party did not provide the data affected by the access, not because it wanted to cover up any "manipulation" or potentially debatable action it had carried out, but because the requested data was not actually in its management, and the information did not reach it even after the measures taken to obtain it into his possession.
For this reason - since the subject of the procedure was the data management of the Requested Party, but not the discovery of the system-level problems of the KRÉTA system - the Authority did not involve the data processor in this procedure, and does not make any findings requiring action regarding its practices. At the same time, due to the known practice of eKRÉTA Zrt., according to which the Zrt. provided access to the data stored in its system only after lengthy and contradictory statements to the maintainer, and not to the data management institution, the Authority to the state body responsible for public education, the Ministry of the Interior uses the aforementioned recommendation and draws the legislator's attention to the identified deficiencies. It must be clarified that during the exercise of data subject rights - regardless of the form of data controller - the task of the data management institution is to ensure the exercise of the data subject's rights, not the data controller, the data processor must provide assistance for this, and this can be done by a contract according to Article 28 of the General Data Protection Regulation, or by other legal must be regulated by an act.
IV.5. Assessment of the Applicant's additional requests
Additional requests formulated by the Applicant, according to which the Authority should act in accordance with points b), d), h), paragraph 2 of Article 58 of the General Data Protection Regulation - and those detailed by the Applicant - are not considered to be a stakeholder request, so the relevant
 
16
an application procedure cannot be continued either. The data manager's general data management practice does not directly affect the rights or legitimate interests of the Applicant, such a decision by the Authority does not create any rights or obligations for him, and as a result, the Applicant is not considered a customer in this procedure, which falls within the scope of enforcement of the public interest. Based on paragraph (1) of § 10, and - since the Ákr. It does not comply with paragraph (1) of § 35, there is no place to submit an application in this regard.
In view of the above, the Authority rejected the application in the part of the application aimed at this general practice.
V. Rules of procedure
The competence of the Authority is set by Infotv. Section 38, paragraphs (2) and (2a), its jurisdiction covers the entire territory of the country.
The decision is in Art. 80-81. § and Infotv. It is based on paragraph (1) of § 61. The decision is in Art. Based on § 82, paragraph (1), it becomes final upon its publication. The Akr. On the basis of § 112, § 116, paragraph (1), and § 114, paragraph (1), the decision can be appealed through a public administrative lawsuit.
Given that the Authority exceeded Infotv. Administrative deadline according to § 60/A paragraph (1), Ákr. Based on point b) of § 51, the Applicant is entitled to HUF 10,000, i.e. ten thousand forints - at his choice - by bank transfer or postal order.
***
The rules of the administrative proceedings are determined by Act I of 2017 on the Administrative Procedures (hereinafter: Act). The Kp. On the basis of § 12, paragraph (1), the administrative lawsuit against the Authority's decision falls under the jurisdiction of the court, the lawsuit is referred to in the Kp. On the basis of § 13, paragraph (3) point a) point aa), the Metropolitan Court is exclusively competent. The Kp. On the basis of § 27, paragraph (1) point b), legal representation is mandatory in a lawsuit within the jurisdiction of the court. The Kp. According to Section 39 (6), the submission of a claim does not have the effect of postponing the entry into force of the administrative act.
The Kp. Paragraph (1) of § 29 and, in view of this, Pp. CCXXII of 2015 on the general rules of electronic administration and trust services, applicable according to § 604. According to Section 9 (1) point b) of the Act, the customer's legal representative is obliged to maintain electronic contact.
The time and place of submitting the statement of claim is set by Kp. It is defined by § 39, paragraph (1). Information about the possibility of a request to hold a hearing can be found in Kp. It is based on paragraphs (1)-(2) of § 77. The amount of the fee for the administrative lawsuit is determined by Act XCIII of 1990 on fees. Act (hereinafter: Itv.) 45/A. Section (1) defines. Regarding the advance payment of the fee, the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt the party initiating the procedure.
Dated: Budapest, September 22, 2022.
President Dr. Attila Péterfalvi
c. professor