NAIH (Hungary) - NAIH-1743/2021

From GDPRhub
Revision as of 11:27, 19 December 2021 by Tapir (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Hungary |DPA-BG-Color=background-color:#7f0037; |DPAlogo=LogoHU.jpg |DPA_Abbrevation=NAIH (Hungary) |DPA_With_Country=NAIH (Hungary) |Case_Num...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
NAIH (Hungary) - NAIH-1743/2021
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1) GDPR
Article 6(1) GDPR
Article 9 GDPR
Article 58 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.09.2021
Published: 09.12.2021
Fine: None
Parties: n/a
National Case Number/Name: NAIH-1743/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Tapir

Hungarian DPA reprimands controller for the unlawful recording and sharing of a private conversation containing special categories of data.

English Summary

Facts

A data subject submitted a complaint with the Hungarian DPA for the unlawful processing of their personal data and the personal data of their child, including special categories of data. The complaint was made regarding the recording and subsequent sharing of a private conversation between the defendant and the complainant, as well as an employee of a daycare attended by both of their respective children. The recording contained personal data, including sensitive information about the health of a minor. It was then shared by the controller within a Facebook group containing of all the parents whose children attend the daycare, as well as via e-mail with other parties. Upon questioning, the defendant admitted that they had no legal grounds for the collection or sharing of this data.

Holding

The Hungarian DPA noted that both recording the conversation for purely personal use or sharing information about the meeting with other interested parents could have fallen under the household exemption of the GDPR under Article 2(2)(c). However, NAIH held that sharing this information via a recording was contrary to the principles of purpose limitation and data minimisation under Articles 5(1)(b) and 5(1)(c) GDPR. Moreover, the DPA held that the defendant had no legal ground for the processing of the data, including special categories of data, under Article 6(1) and Article 9. Subsequently, NAIH decided to reprimand the controller under Article 58(2)(b) and impose a ban on any further processing under Article 58(2)(f). The DPA also ordered the controller to inform those with whom the data was shared to erase it without undue delay under Article 58(2)(g). However, NAIH did not find it necessary to impose an administrative fine under Article 83(2), taking into account that the controller is a natural person who had accepted that their conduct had been unlawful.

Comment

In the DPA's Opinion, the recording of the conversation between two parents and the daycare employee in secret is 'concerning and unacceptable from an ethical point of view'. However, they state that it would have still fallen under the household exemption, as long as the data is not shared with others (but only serves as an aid to help remembering what was said during the meeting). One could argue that this interpretation of Article 2(2)(c) allows natural persons to record all of their phone conversations for example, as long as they don't share them with anyone. One risk could be that given that the this processing would fall outside the scope of the GDPR, even the general principles (especially security) wouldn't apply.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case No: NAIH-1743- / 2021 Subject: Approval of application
                                                                           decision






                                         DECISION


Before the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority) […]
with regard to the minority of the applicant (hereinafter referred to as the Applicant): […] (address:
[…], Hereinafter referred to as "the Representative", against […] (address: […]) (hereinafter referred to as "the Applicant")
unauthorized data processing submitted to the Authority on 28 January 2021
In the data protection authority proceedings initiated following the request of the Authority, the Authority shall take the following decisions:


I. The Authority will grant the applicant 's request and

    1) condemn the Applicant, taking into account that the Applicant 's personal data and
       special personal data of natural persons for the processing of personal data
       and the free movement of such data, and
       Regulation (EU) 2016/679 repealing Directive 95/46 / EC (a

       hereinafter referred to as the GDPR) in accordance with Article 5 (1) (a), a
       The principle of purpose limitation under Article 5 (1) (b) of the GDPR and Article 5 (1)
       the principle of data retention referred to in paragraph 1 (c) and Articles 6 and 9 of the GDPR
       unlawfully handled the data when disclosed to third parties
       made it available;



    2) prohibits the Applicant from recording with third parties - either online or
       otherwise;

    3) oblige the Applicant to provide the recipients to whom the recording by e-mail
       personal and special personal data of the Applicant
       notified of the need to delete the recording. The Applicant is
       the completion of the measure must be duly substantiated to the Authority by the present decision

       within 30 days of becoming final.


II. The Authority shall issue the Applicant ex officio for the infringements set out in point I.

                                     in the warning


       gives.


There is no administrative remedy against this decision, but from the date of notification
within 30 days of the application to the Metropolitan Court in an administrative lawsuit

can be challenged. The application must be submitted to the Authority, electronically, which is the case
forward it to the court together with his documents. Those who do not benefit from full personal exemption

…………………………………………………………………………………………………………
1055 Budapest Tel .: +36 1 391-1400 ugyfelszolgalat@naih.hu
Falk Miksa utca 9-11. Fax: +36 1 391-1410 www.naih.huszám The fee for the administrative lawsuit is HUF 30,000, the lawsuit is subject to the right to record material fees. The Capital
Legal proceedings are mandatory in proceedings before the General Court.



                                        I N D O K O L Á S


I. Procedure


(1) The Representative, represented by the Applicant, received a letter from the Authority on 28 January
       submitted a request for data protection authority proceedings against the Applicant,
       in which he complained that the Requested was secretly made and then a Facebook

       published a recording of a conversation in which the Applicant 's personal and
       information classified as special data was provided.


(2) The Applicant shall, in order to investigate the matter, discover the violation,
       and the legal consequences for the Applicant
       requested the Authority to apply.


(3) The Authority issued its decision of 5 March 2021, NAIH-1743-2 / 2021. Order No. of the Applicant
       on 17 March 2021
       In its letter to the Authority and the annexes thereto

       deed.

(4) The Authority found that the detail of the screenshot was not suitable for the objected subject

       to prove the processing of data, therefore NAIH-1743-4 / 2021 dated 14 April 2021. number
       In his order, he called on the Representative to do so within 8 days of receiving the order
       send a screenshot of the recording to the Authority.



(5) Following the receipt of the above-mentioned order on 16 April 2021, the Applicant shall
       by post and attached to the letter received by the Authority on 27 April
       complied with the Authority's order.


(6) The Authority issued NAIH-1743-6 / 2021 on 13 May 2021. In its order No
       To give an application within fifteen days of receipt of the order

       information on the purpose and legal basis for sharing the recording on the Facebook group,
       as well as who in the process got to know the Applicant’s personal and special
       personal data and whether the recording was sent by e-mail,

       to whom (s), for what purpose and on what legal basis.







                                                 2 (7) On 2 June 2021, the Applicant sent NAIH-1743-6 / 2021. Order no
       NAIH-1743-9 / 2021.

       on 14 June 2021 via the e-paper service
       in his letter sent.


(8) On 25 June 2021, the Authority informed the Applicant and the Applicant that the
       in the data protection authority proceedings, the evidentiary procedure was completed and drew their attention
       the right to inspect the file and to submit further requests for evidence

       the possibility of exercising it.

(9) On 2 July 2021, the Representative indicated that he wished to exercise his right of access to the file.


       The Authority has issued NAIH-1743-14 / 2021. submitted by the Representative in his order no
       limited access to personal data that is not known to him

       and sent it to the specified postal address from the non-Applicant
       copies of documents originating from and not sent to the Applicant.

(10) No further request for access to the file or request for proof was received by the Authority.



II. Facts


(11) In a request received by the Authority on 28 January 2021, the Applicant complained that.
       discussing the problem related to the Applicant - indicated by the kindergarten teacher
       A meeting was organized with the Representative and the head of the kindergarten

       also taken the Applicant, who is the mother of one of the kindergarten groupmates. Included in the application
       According to He requested from the first 46 minutes of the meeting with his mobile phone in secret
       made a video recording that is more of an audio recording because the recording

       when it was made, the device was in his pocket, so it only recorded sound. The Applicant submitted
       that Applicant “uploaded the audio recording to the Facebook community page of a kindergarten
       to the side of the group created for the parents, that is, to the public
       made it directly accessible, ’. According to the application, the applicant is included in the recording

       information that constitutes your personal and special personal information
       notwithstanding, the Applicant has not requested the Representative - ie
       Applicant 's legal representative - consent to the recording of the sound recording, and

       neither the fact of its preparation nor its use, that is, to the public
       did not inform the Representative.


(12) According to the Applicant, the Applicant violated the information self-determination
       CXII of 2011 on the right to freedom of information and freedom of information Act (hereinafter: the Information Act)
       Section 4 (1), Section 5 (1) (b), Section (2) (a) and Section 14

       therefore processing is unlawful. The Applicant requested the Authority to investigate
       expose the case, detect the breach and prohibit the infringing controller from further infringement,
       and apply legal sanctions against him.

                                                 3 (13) The Applicant attached to his application a piece of data carrier on which it can be found

       one that contains a visual display only in its first seconds, but is natural
       a non-personal video recording of the conversation described in the application
       audible. There are also two Word documents on the flash drive, one of which

       presumably an online conversation between the Applicant and the Applicant, while
       another is likely to be between the parents of children in the affected kindergarten group
       online conversation was recorded in typed form.


(14) In response to the Authority's request for rectification, the Representative clarified his request that
       infringes the processing of your child's personal and special personal data, and

       provided the personal data requested by the Authority and Facebook referred to in the request
       group information. The impugned recording was attached to the letter
       a detail of the screenshot to verify the publication of the […]
       Screenshot of a Facebook group.


(15) The Applicant shall send another flash drive - with the screenshots on it
       - confirmed that the recording in question was in a Facebook group used by several persons

       publication, its date and the identity of the publisher, and the fact that the
       group includes a discourse on the conversation you hear on the recording.



(16) At the request of the Authority, the Applicant submitted that the audio material was submitted on 21 January 2021
       was made for the reason that such a conversation also had professional reasons
       they utter what he can hardly recall later. The Applicant explained that he was not

       bad intentions, and in this conversation it became clear to the children
       they are in danger, and neither the kindergarten teacher nor the Representative want a substantive
       take steps. The Applicant further submitted that to his knowledge, in addition to one
       nor was a parent aware that he was “suffering from a severe nervous system problem

       a small child joins the group, ”and feared the children. He therefore claims to have published the
       audio material on January 22, 2021 at 5:12 a.m. parents of preschoolers - a total of 23 people -
       used by the messenger group. He stressed that the purpose was to inform and

       that he realized that this should not have been the case when the kindergarten teacher a
       on the day of publication, he wrote to him at 10:30 a.m. to remove the recording because he had not consented
       to it. The Applicant therefore removed the recording from the group at 10:15 a.m. THE

       According to the applicant, since many parents are working at the time of publication, and
       recording was available for a very short time, "almost no one could listen." THE
       Based on his statement, the applicant also immediately deleted the recording from the conversation. THE

       Applicant also cited the group discussions as well as his statement
       also attached screenshots to prove this.


                                                4 (17) To the Authority's question on the legal basis for sending the recording by e-mail
       in response, the Applicant admitted that he had no right to send the recording to anyone who

       he asked, and again pointed out that he had done so not with malicious intent, but for the benefit of the children.
       He further submitted that the recording was sent only to the person who requested it from one of the parents.


(18) In its clarified statement, the Applicant identified the three persons to whom the
       recording has been sent via email.



(19) On the basis of the information available, the Authority concluded that the application
       between the Representative, the Applicant and the head of the kindergarten
       talk.




(20) During the discussion, the following points concerning the Applicant were made, inter alia
       information: name ([…]), place of residence, fact that it does not belong to the given kindergarten district,

       as well as the finding in a particularly sensitive area of the private sector that
       there have been three recent deaths in his family. It can also be heard on the recording
       a lot of information that the Applicant's behavior, behavioral problems

       whether it is to mention a specific conflict or a problem
       duration of its existence.


(21) In addition, the following information on the Applicant 's state of health was recorded on the audio recording
       information can also be heard: they accompany […]; You are taking a 'active' medicine; […] Will be investigated
       (Due to […] problem); twice a week and related
       statements referring to the fact of illness (eg by the Applicant to the Representative)

       statement: "I do not see you admitting that [”]. ").

(22) The recording was published in a chat group of which the Applicant is a member
       parents of children attending kindergarten group also visited. To publish a link to the recording

       the day after the conversation on the recording, that is to say, on 22 January 2021, and a
       messenger was also deleted from the group that day.


III. Applicable law


Article 2 (1) GDPR: This Regulation shall apply to personal data in part or
fully automated processing of personal data and the processing of personal data

which are part of a registration system
which are intended to be part of a registration system.






                                                5GDPR Article 2 (2) (c): 'This Regulation shall not apply to personal data
natural persons solely for their personal or domestic activities

carried out in the framework of the

GDPR Article 4 (1): "personal data" means identified or identifiable natural data

any information about the person ("data subject"); identifiable by that natural
a person who, directly or indirectly, in particular by means of an identifier such as a name,
number, location data, online identification or physical, physiological,

genetic, intellectual, economic, cultural or social identity
identifiable by several factors;


GDPR Article 4 (2): "processing of personal data" means personal data or data files
any operation or set of operations carried out in an automated or non-automated manner,
thus collecting, recording, organizing, sorting, storing, transforming or altering, querying,

available for inspection, use, communication, transmission or other means
harmonization or interconnection, restriction, deletion or destruction.

Article 4 (15) of the GDPR: '' health data 'means a physical or mental substance of a natural person

personal data concerning his state of health, including for a natural person
also provide information on the health services provided
the state of health of the natural person; "


Article 5 (1) (a) GDPR: “the processing of personal data lawfully and lawfully
be carried out fairly and in a way that is transparent to the data subject ("legality,

fair procedure and transparency ");"

Article 5 (1) (b) GDPR: "the collection of personal data shall be limited to specified,

for a clear and legitimate purpose and not be treated in a way that is incompatible with those purposes
in a compatible manner; does not constitute an original purpose in accordance with Article 89 (1)
incompatible for the purpose of archiving in the public interest, scientific and historical research

further processing for personal or statistical purposes ("purpose limitation"); "

Article 5 (1) (c) GDPR: personal data shall have “the purposes for which they are processed

they must be appropriate and relevant and necessary
limited to "data saving"; "

GDPR Article 6 (1): Processing of personal data only if and to the extent that

lawful if at least one of the following is met:
(a) the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes
treatment;

(b) processing is necessary for the performance of a contract to which one of the parties is a party;
or to take action at the request of the data subject prior to the conclusion of the contract
required;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
                                              6d) the processing is in the vital interests of the data subject or of another natural person
necessary for its protection;

(e) the exercise of a public interest or the exercise of official authority vested in the controller
necessary for the performance of its task;
(f) processing for the legitimate interests of the controller or of a third party

necessary, unless the interests of the data subject take precedence over those interests
or fundamental rights and freedoms which call for the protection of personal data,
especially if the child concerned.


Point (f) of the first subparagraph shall not apply to the performance of their duties by public authorities
data management.


3. The legal basis for the processing referred to in points (c) and (e) of paragraph 1 shall be the following
state:

(a) Union law, or
(b) the law of the Member State to which the controller is subject.

The purpose of the processing shall be determined by reference to this legal basis and in accordance with paragraph 1 (e).

with regard to the processing of data referred to in point (a), it must be necessary in the public interest
or a task performed in the exercise of a public authority conferred on the controller
to implement. This legal basis may include the application of the rules contained in this Regulation

adjusting provisions, including the lawfulness of the processing by the controller
general conditions, the type of data subject to data processing, the data subjects, the
the entities with which personal data may be disclosed and the purposes of such disclosure,

restrictions on the purpose of the data processing, the duration of the data storage and the data processing
operations and other data processing procedures, such as lawful and fair data processing
measures necessary to ensure compliance, including the other as defined in Chapter

for specific data management situations. EU or national law must pursue an objective in the public interest
must be proportionate to the legitimate aim pursued.


Article 9 of the GDPR:
Management of special categories of personal data
(1) Racial or ethnic origin, political opinion, religion or belief

or personal data referring to trade union membership, as well as genetic data, natural
biometric data for personal identification, health data and
personal information concerning the sexual life or sexual orientation of natural persons
data processing is prohibited. *

2. Paragraph 1 shall not apply if:
(a) the data subject has given his or her explicit consent to one or more specific transfers of such personal data
unless Union or Member State law provides that

the prohibition referred to in paragraph 1 may not be lifted with the consent of the data subject;
(b) the processing of data by the controller or the data subject concerning employment and social
fulfillment of its obligations under legal provisions governing security and social protection

and in order to exercise his specific rights, if he is defending the fundamental rights and interests of the data subject
                                                7 under EU or national law which also provides adequate guarantees or under the law of a Member State
a collective agreement allows for this;

(c) processing for the protection of the vital interests of the data subject or of another natural person
necessary if, due to the physical or legal incapacity of the person concerned, he is unable to a
give its consent;

(d) the processing is carried out by a foundation for political, ideological, religious or trade union purposes,
association or any other non-profit organization with appropriate guarantees
provided that the processing is carried out exclusively by such a body

applies to current or former members or to persons who are regular members of the organization
are related to the purposes of the organization and that personal data are
shall not be made available to persons outside the organization without the consent of the persons concerned

for;
(e) the processing relates to personal data which are specifically requested by the data subject
disclosed;

f) the processing is necessary for the establishment, enforcement or protection of legal claims,
or when the courts are acting in their judicial capacity; *
(g) processing is necessary for overriding reasons of public interest under Union law or the law of a Member State which:
proportionate to the aim pursued, respects the right to the protection of personal data

appropriate to ensure the fundamental rights and interests of the data subject and
prescribes concrete measures;
(h) for the purposes of pre - processing health or occupational health purposes,

assessment of an employee's ability to work, medical diagnosis, health care
or the provision of social care or treatment, or health or social systems and
necessary for the management of the service, under Union or Member State law, or

under a contract with a healthcare professional and referred to in paragraph 3
subject to conditions and warranties;
(i) the processing is necessary in the public interest in the field of public health, such as:

protection against serious cross-border threats to health or health
the high quality and safety of care, medicines and medical devices
under EU or Member State law that is appropriate and specific

provides for measures to safeguard the rights and freedoms of the data subject, and in particular to:
professional secrecy;
(j) data processing in accordance with Article 89. for archiving in the public interest in accordance with Article

necessary for scientific and historical research or statistical purposes
under the law of a Member State, which is proportionate to the aim pursued, respects personal data
the essential content of the right to the protection of the individual and the fundamental rights and interests of the data subject
provides for appropriate and concrete measures to ensure

3. The personal data referred to in paragraph 1 may be exchanged in accordance with paragraph 2 (h).
for the purposes referred to in paragraph 1, if the processing of such data by or on behalf of a professional
under the responsibility of a professional who is competent or competent under Union or Member State law

professional secrecy laid down in the rules laid down by the competent authorities of the Member States
or by another person who is also a Member State or a Member State
rules laid down by the competent authorities of the Member States

subject to a specific obligation of confidentiality.
                                                Member States may maintain additional conditions, including restrictions, or
may be introduced for the management of genetic data, biometric data and health data

regarding.



Article 58 (2) GDPR: Acting in the corrective power of the supervisory authority:
(b) reprimands the controller or the processor if he or she is acting in a data-processing capacity
infringed the provisions of this Regulation.

(f) temporarily or permanently restrict data processing, including data processing
prohibition;
(g) order personal data in accordance with Articles 16, 17 and 18 respectively

rectification or erasure of data and restrictions on data processing, as well as Article 17 (2)
order notification to the addressees in accordance with
with whom or with whom the personal data have been communicated;


Article 77 (1) GDPR: Without prejudice to other administrative or judicial remedies,
all parties concerned shall have the right to lodge a complaint with a supervisory authority, in particular the
according to his habitual residence, place of employment or the place of the alleged infringement

in a Member State, if the data subject considers that the processing of personal data concerning him or her
infringes this Regulation.


Infotv. § 2 (2): Personal data shall be processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council
covered by the Council Regulation (hereinafter referred to as the General Data Protection Regulation)
General Data Protection Regulation in Annexes III-V. and VI / A. Chapter and Section 3, Sections 3, 4, 6, 11, 12,

13, 16, 17, 21, 23-24. Section 4 (5), Section 5 (3) to (5), (7) and (8)
§ 13 (2), § 23, § 25, § 25 / G. § (3), (4) and (6)
in paragraph 25 / H. § (2), 25 / M. § (2), 25 / N. §, 51 / A.

§ (1), Articles 52-54. § 55 (1) - (2), 56-60. §, 60 / A. §
(1) - (3) and (6), Section 61 (1) (a) and (c), Section 61 (2) and (3)
paragraph 4 (b) and paragraphs 6 to 10, paragraphs 62 to 71. § 72

in Section 75 (1) - (5), Section 75 / A. With the additions specified in § and Annex 1
should be used.

Infotv. Enforcement of the right to the protection of personal data pursuant to Section 60 (1)
the Authority shall, at the request of the data subject, initiate a data protection authority procedure.


The data protection authority procedure is governed by the CL of 2016 on General Administrative Procedure.
(hereinafter: Ákr.) shall be applied in accordance with the provisions of the Infotv
additions and derogations under the General Data Protection Regulation.

Infotv. 75 / A. §: The Authority is set out in Article 83 (2) to (6) of the General Data Protection Regulation

exercise its powers in accordance with the principle of proportionality, in particular by:
legislation on the processing of personal data or binding European Union law
for the first time in the event of a breach of the rules laid down in


                                                9 in accordance with Article 58 of the General Data Protection Regulation
by alerting the controller or processor.



ARC. Decision


 (23) The processing of data by recording consisted of two different data processing operations. The first
       operation was to record the recording, while the second operation was to communicate the recording, and the latter
       it took two different forms when the Applicant first appeared in the group

       shared the recording and then e-mailed his statement - and the attached evidence -
       according to three people. Both operations, including the recording and communication of the recording
       considered as data processing within the meaning of Article 4 (2) of the GDPR.





IV.1 Data management related to the communication of the recording



(24) The Authority found that personal data within the meaning of Article 4 (1) of the GDPR
       the following information about the Applicant on the audio recording shall be considered: a

       name ([…]), place of residence, that it does not belong to the given kindergarten district; in his family a
       there have been three recent deaths; the Applicant's conduct, behavioral
       information about your problem.

(25) It was also found that the GDPR was a health claim within the meaning of Article 4 (15)

       and therefore special personal data under Article 9 (1) of the GDPR
       statements made by the Applicant that […]
       are taking “[…]” medication, […] will have a test […] problem, two weeks a week

       times of development, as well as to provide indications that he is ill.



(26) The Applicant indicated different data processing purposes for the two data processing operations
       me. According to the Applicant 's statement, the recording was made for the purpose of:

       later recall the conversation and the communication to the other parents -
       ie to inform the addressees of the communication.




(27) As regards the recording of the recording, the Authority noted that as long as
       is for purely private purposes, that is to say, as the Applicant has pointed out,
       the recording will help the Recaller to recall what was said during the interview

       the so-called "household data management" category, and the GDPR - a
       Article 2 (2) (c) shall not apply to it. However, not
       it may be disregarded that the recording was made in secret - subject to the

                                               10 the sensitivity of the topic of discussion - ethically concerned and not
       acceptable.


(28) However, at the moment, as between the Applicant and the Representative and the
       a recording of a conversation between the kindergarten teacher for other people
       made it available - thus making the Applicant’s personal and special

       personal data - the private nature of the recording, ie also by the Applicant
       emphasized, his own self-interest ceased to exist. Consequently, the position of the Authority
       according to the division of the recording goes beyond the household exception to the GDPR

       the concept of data management.



(29) With regard to the sharing of recordings as a data processing operation, the Authority should
       the purpose indicated by the applicant - ie to inform the other parents about the Applicant

       stated the following. THE
       conversation with two people involved in the main topic, the kindergarten teacher
       with the help, so between three people, it took place in a closed circle, and although it was uttered differently

       also conflicts and general problems related to children, starting from the
       There was a conflict between the Applicant's child and the Applicant. The Applicant himself is a
       in the attached messenger conversation: “Monday afternoon, a

       after another incident with my son, I had another parental complaint with the head of the kindergarten. ”
       […] “At the initiative of yesterday […], we sat down with his kindergarten teacher
       to discuss things. ” The Representative also intends to have a child and the Applicant
       in a conversation between the two of them to resolve a conflict between their children

       informing all parents about what has been said is not considered lawful under the GDPR
       purpose.



(30) In addition to the illegality of the stated objective, the Authority found that if the others
       an oral conversation about general, relevant information that concerns them exclusively
       also due to its household nature does not qualify as GDPR

       therefore cannot be objected to from a data protection point of view.

(31) However, sharing the recording in this way was an unnecessary intervention
       to the privacy of the data subject, ie the Applicant, by being personal and special

       your personal data has thus become accessible to more than one person.

(32) In addition to the above, the Authority did not consider that the online communication was made

       appropriate way to pass on the information in this case, as it carries
       the possibility and risk of the link - or, in the case of an e-mail, the file -
       the recipient may transfer the recording to other persons.





                                               11 (33) In view of the above, the Applicant violated Article 5 of the GDPR by sharing the recording.
          the principle of purpose limitation under Article 5 (1) (b) and Article 5 (1) of the GDPR.

          the principle of data protection set out in paragraph 1 (c).




 IV.2 Legal basis for data processing


(34) Based on the above, the Applicant's personal data of the Applicant is third

          activities under the GDPR
          in which case the lawfulness of the processing is subject to one of the conditions laid down in Article 6 of the GDPR
          Existence of a legal basis governed by paragraph 1.


(35) In addition, the processing of special personal data is in principle prohibited. The special
          personal data may be lawfully processed only if Article 6 (1) of the GDPR
          in addition to a specific legal basis, a circumstance within the meaning of Article 9 (2) of the GDPR
          which allows an exception to the prohibition on the processing of special data.

(36) The Applicant did not have the consent of the Applicant for the data processing. THE

          Authority invited the Applicant to indicate his data processing
          however, the Applicant did not comply with this during the proceedings. To the Authority
          he stated, “I did not have the right to send the recording to anyone who asked for it now

          I know.". With the consent of the Applicant or the legal representative
          did not in fact have any provisions or prove the existence of any other plea in law.


(37) In view of the specific circumstances of the case, the Authority concluded that both
          The processing of both the applicant's personal data and his special personal data is a legal basis
          therefore, the Applicant violated Articles 6 (1) and 9 of the GDPR.

(38) In view of the above, the Authority granted the applicant's request pursuant to Article 58 (2) of the GDPR.
          Pursuant to paragraph 1 (f), the Applicant is prohibited from recording the sound by third parties
          to the Commission.





   IV.3. Principle of fair data management


   (39) The fairness of data processing is the principle governing data processing, the data subject
          respect for his or her privacy and human dignity. THE
          in accordance with the principle of fair data processing, the data subject may not become vulnerable to

          against the data controller or another person.

   (40) About the conversation about the Applicant with his legal representative without the Representative's knowledge
          was taken when the Applicant secretly, without informing those present, into his pocket

          used the recording device in secret. He did this to record a conversation
                                                   12 during which the Representative, i.e. the mother of the minor Applicant, did nothing about the recording
       suspecting her child has a number of sensitive privacy and health issues

       shared status information with the other two participants in the conversation.
       Given that the Representative did not know how to make the recording, and given
       he could not even count on him in the circumstances, so he could not protest against him.


(41) The purpose of the meeting was to be the child of the Applicant and the Applicant
       to talk about the situation caused by conflicts and other problems between the two countries, and
       try to find a solution together. The Applicant was therefore aware of this

       put the conversation from the very beginning to be the focus of the Applicant
       will have problems with their behavior and their background.

(42) In addition, the Applicant emphasized on several occasions during the discussion that
       with his questions or comments he tried to confirm that the Applicant was ill.

       An example of this phenomenon is the dialogue on the recording when the Requested
       To his representative that "I do not see you admitting that
       […]. ” the Representative begins his response with “I acknowledge,”. Also during the conversation

       the Applicant is repeatedly compared to other preschoolers as healthy
       with children. The Applicant also mentions his own child in such a context, indirectly
       referring to the Applicant's patient status: "I have the right to protect my healthy child."


(43) The Applicant was therefore aware not only of the conversation but also of the
       knowing the sensitivity of what was said in the conversation - as an active participant in it
       and Shaper - shared the recording with third parties.

(44) Sensitive, special data about the Applicant and the

       allusions to his behavior were made. The data transmission was suitable for a
       Applicant's judgment in the microenvironment, the parents of the kindergarten peers
       adversely affected.


(45) In view of the above, the Authority finds that the Applicant has infringed Article 5 of the GDPR
       The principle of fair treatment under paragraph 1 (a) because in a situation
       decided to be uncomfortable for the Applicant, to the detriment of his fellow preschoolers
       indicating, emphasizing his illness, and distinguishing him from others

       transmission of a recording of a conversation when it would not have existed at all
       need to process personal and special personal data.




IV.4. Other findings of the Authority

(46) According to the Applicant, the Applicant violated the information self-determination
       CXII of 2011 on the right to freedom of information and freedom of information Act (hereinafter: the Information Act)

       Section 4 (1), Section 5 (1) (b), Section (2) (a) and Section 14
       therefore processing is unlawful.


                                               13 (47) The Authority firstly points out that the General Data Protection Regulation is applicable
       Infotv. protection of personal data
       the scope of the relevant provisions of The “new Infotv.”, I.e. Infotv

       Act CXII of 2011 on the right to information self-determination and freedom of information.
       amending the law in connection with the data protection reform of the European Union, and
       Act XXXVIII of 2018 amending other related laws. by law (a
       hereinafter referred to as the Modified Act) - § 2 (2) effective from 26 July 2018
       states that personal data fall within the scope of the General Data Protection Regulation
       the general data protection regulation of the Infotv. in which provisions
       shall apply with specific additions. These do not include the Applicant

       provisions referred to in its request.


(48) In view of the above, subject to the provisions of Article 2 of the GDPR, the present case
      The GDPR shall apply to the processing of data pursuant to


IV.5. Legal consequences


(49) The Authority granted the applicant's request pursuant to Article 58 (2) (b) of the GDPR.
       condemns the Applicant for violating Article 5 (1) (a) of the GDPR;
       (b) and (c), Article 6 and Article 9.


(50) The Authority granted the Applicant’s request, the termination of the infringement and the
       in order to restore data protection in Article 58 (2) (f) GDPR
       prohibits recording, whether online or otherwise
       - and instructs the Applicant to refrain from such conduct in the future.

(51) In addition, in accordance with Article 58 (2) (g) of the GDPR, the Authority instructs the

       The applicant shall be notified of the need to delete the recording to the addressees
       to whom the recording has been forwarded by e-mail.


(52) The Authority examined of its own motion whether it was justified to impose a data protection
       imposition of a fine. In this context, the Authority will amend Article 83 (2) of the GDPR and Infotv. 75 / A.
       § considered all the circumstances of the case. In view of the circumstances of the case,

       The Authority found that in the case of the infringement found in the present proceedings,
       warning is a proportionate and dissuasive sanction, so the imposition of a fine is not
       required.


(53) In its decision, the Authority took into account that the Requested Individual and the case
       in all its circumstances, it is presumed that it is possible to impose a fine without the imposition of a fine

       fully comply with the decision of the Authority and ensure the personal identity of the Applicant
       protection of your data. The Authority will specifically monitor compliance with this Decision,
       and in the event of non-compliance, impose a procedural fine or another data protection authority
       may initiate proceedings. Legal consequences in the event of a further data breach

       the present infringement will be taken into account as an antecedent with greater weight.


                                               14V. Other issues


(54) The powers of the Authority are limited to Infotv. Section 38 (2) and (2a) defines its jurisdiction
       it covers the entire territory of the country.


(55) The decision is based on Article 80.-81. § and Infotv. It is based on Section 61 (1). The decision is
       Ákr. Pursuant to Section 82 (1), it becomes final upon its communication.


(56) Art. Pursuant to Section 112 and Section 116 (1) and Section 114 (1) a
       administrative action against the decision and the winding-up order
       redress.


(57) The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a
       hereinafter: Kp.). A Kp. Pursuant to Section 12 (1), the Authority
       The administrative lawsuit against the decision of the Criminal Court falls within the jurisdiction of the court. 13.

       § (3) (a) (aa), the Metropolitan Court has exclusive jurisdiction.
       A Kp. Pursuant to Section 27 (1) (b), in proceedings falling within the jurisdiction of the General Court, the
       representation is mandatory. A Kp. Pursuant to Section 39 (6), the filing of the application a

       has no suspensory effect on the entry into force of an administrative act.

(58) A Kp. Section 29 (1) and with this regard Pp. Applicable pursuant to Section 604, the

       of 2015 on the general rules of electronic administration and trust services
       CCXXII. Pursuant to Section 9 (1) (b) of the Act (hereinafter: E-Administration Act)
       the client's legal representative is obliged to communicate electronically.


(59) The time and place of the application were set out in Kp. Section 39 (1). THE
       Information on the possibility of requesting a hearing is provided in the CM. Section 77 (1) - (2)

       based on paragraph The rate of the fee for an administrative lawsuit is set out in the 1990 Fees Act
       XCIII. Act (hereinafter: Itv.) 45 / A. § (1). The fee is preliminary
       from the payment of the Itv. Section 59 (1) and Section 62 (1) (h) exempt
       initiating proceedings.


(60) If the Debtor does not duly prove the fulfillment of the prescribed obligation, a
       The Authority considers that it has not complied with the obligation within the time limit. The Ákr. Section 132

       if the debtor has not made the obligation contained in the final decision of the authority
       meet, it is doable. The decision of the Authority Pursuant to Section 82 (1) a
       becomes final upon communication. The Ákr. Section 133 enforcement - if you are a law

       Government decree does not provide otherwise - it is ordered by the decision-making authority. The Ákr.
       Under Article 134 of the Enforcement - if by law, government decree or municipal
       local government decree does not provide otherwise in an official matter - the state

       tax authority. Infotv. Pursuant to Section 60 (7) in the decision of the Authority
       to perform a specific act, conduct or tolerate a specific act


                                                15 the obligation to suspend the enforcement of the decision by the Authority
       implements.



Budapest, September 23, 2021






                                                                    Dr. Attila Péterfalvi
                                                                          President

                                                                    c. professor










































                                                16