NAIH (Hungary) - NAIH-5361-1/2022

From GDPRhub
Revision as of 12:24, 29 June 2022 by Ea (talk | contribs)
NAIH - NAIH-5361-1/2022
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: {{{GDPR_Article_1}}} [[Category:{{{GDPR_Article_1}}}]]
Article 12(3) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 16.05.2022
Published:
Fine: n/a
Parties: Budapest Bar Association
National Case Number/Name: NAIH-5361-1/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: n/a

The Hungarian DPA held that the Budapest Bar Association violated Article 15 and Article 12 GDPR by failing to reply to an access request within the time limit, which was held to start running regardless of the Association's closed offices.

English Summary

Facts

The data subject had been a member of the Budapest Bar Association (the controller) until 2011 when their membership was terminated after their failure to pay their membership fees in time. On 1 October 2020, the data subject requested information about their account balance and the decision on the termination of their membership. After they did not receive the information asked for, they sent another request to the controller on 12 December 2020, referring to Article 15(1) GDPR, and asking for information relating to their account balance, the amount of their debt, the legal basis of the registered debt and the existence of the suspension and termination decisions. On 4 February 2021, the data subject complained to the DPA that the controller did not provide them with access to this information which constituted their personal data.

In its submission to the DPA, the controller claimed that the data subject’s communication from 1 October 2020 did not qualify as an access request within the meaning of the GDPR. Additionally, the request from 12 December 2020 was only received by the controller on 23 December 2020. Since the offices of the controller were closed between 19 December 2020 and 3 January 2021, the controller claimed that the time limit for complying with the access request only started running on 4 January 2021. The controller claimed that due to the complexity of the request, it was entitled to extending the deadline by additional two months as provided for in Article 12(3) GDPR. Hence, the controller considered itself to have properly provided access to the data subject within the time limit when it replied to the data subject’s request on 2 April 2021.

Holding

The DPA held that the controller violated Article 15(1) and (3) and Article 12(3) GDPR.

The DPA considered the communication sent by the data subject on 1 October 2020 to be too general to qualify as an access request. On the other hand, it regarded the communication sent on 12 December 2020 and received on 23 December 2020, which explicitly referred to the data subject‘s rights under the GDPR, as a proper access request from the data subject. The DPA further held that because the time limit set in Article 12 GDPR is calculated in calendar days and not in working days, the time limit for complying with the request started running on 24 December 2020 and not on 4 January 2021. Contrary to the controller’s assertions, the calculation of the time limit is not affected by the leave arrangements of the controller, as it is obliged to organise its work in such a way that it complies with the provisions of the GDPR. Consequently, the deadline for complying with the data subject's access request had already passed when the controller replied on 2 April 2021.

In addition, although the controller claimed that the complexity of the request entitled it to extending the deadline for replying by further two months, the data subject was not informed of any such extension and the reasons for it as required under Article 12(3) GDPR. The controller was also unable to supply evidence of any internal decision made to actually extend the deadline. Lastly, whilst the controller could have possibly refused to comply with the access request for being too excessive under Article 12(5) GDPR, it did not invoke this ground in its letter to the data subject sent on 2 April 2021.

Consequently, the DPA held that the controller violated Article 15(1) and (3) and Article 12(3) GDPR by not replying to the access request within the time limit and for not complying with the requirements relating to the extension of the deadline.

Comment

The complaint was only partly upheld because the DPA refused to order the controller to comply with the access request. Instead, it only issued a warning.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH-5361-1 / 2022. Subject: Partial decision granting the application
History: NAIH-2160/2021.




                                           H A T A R O Z A T


The National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority) […] (domiciled in […].)
Infringement of the right of access of the applicant (hereinafter: the Applicant) on 4 February 2020
with the Budapest Bar Association (registered office: Szalay utca 7. 1055 Budapest)

hereinafter referred to as the "Requested"), shall take the following decisions in the data protection authority proceedings against:

I. In the part of the Authority's application

                                               gives place and

I.1. Finds that the Applicant has infringed Article 15 (1) and (3) of the General Data Protection Regulation

and Article 12 (3) of the General Data Protection Regulation by
The applicant did not reply to his request dated 23 December 2021 within the deadline.

I.2. The Authority shall request the part of the application in which the Authority instructs the Requested access
request is rejected.

I.3. The Authority shall due to another breach of data protection
increased the present infringement as a precedent in determining the legal consequences

weight will be taken into account - warns.

There is no administrative remedy against the decision, but it must be lodged 30 days after notification
An action brought before the Metropolitan Court may be challenged in an administrative action within one day. THE
shall lodge the application electronically with the Authority, which shall forward it together with the case file
to the court. The request to hold a hearing must be indicated in the application. The whole personal
For those who do not receive an exemption, the fee for the administrative lawsuit is HUF 30,000, the lawsuit is material

subject to the right to record duties. Legal representation is mandatory in proceedings before the Metropolitan Court.

Act CXII of 2011 on the right to information self-determination and freedom of information. Act (a
hereinafter: Infotv.) Section 61 (2) (b), the Authority shall publish this decision in the
Authority website.



                                           I N D O K O L Á S


I. Procedure and clarification of the facts

The Applicant submitted a request to the Authority on 4 February 2021 for a data protection official procedure.
according to which, as a former member of the Applicant, he has been trying for several years to achieve that the Applicant
provide adequate information on your account balance and the reasons for the items in it; and
legal basis. For this reason, on 1 October 2020, the

To the applicant requesting that the suspension and exclusion decision be sent to him or the
registered account balance, and also applied for access by mail on 12 December 2020
with reference to the Applicant and Article 15 (1) of the General Data Protection Regulation, requested that
inform you of the processing of your personal data and of any other circumstances referred to in paragraph 2


Article 15 (1) of the General Data Protection Regulation. The Applicant also requested a
Applicant to inform the registrant of the account balance, debt, the registrant
and the suspension and exclusion of the 2011 membership fee for non-payment
decision, their existence.

The Applicant did not receive a response to its inquiries from the Applicant until its request to the Authority.

During the examination of the application, the Authority established that the application was submitted to Infotv. Section 60 (5)
did not comply because it did not contain a decision on the decision to remedy the alleged infringement
application, therefore the Authority dated 19.02.2021, NAIH-2160-3 / 2021. order no

called on the Applicant, which was issued by the Applicant on 05.03.2021 and addressed to the Authority on 03.03.2021.
In its reply received on the 10th day, the Authority complied with and requested an explicit decision from the Authority on the rights of the data subject.
and asked him to warn the controller of the breach,
and instruct the data controller to comply with the data subject's request, as well as sanctions, administrative fines
requested the Authority to impose. By filling in the deficiencies of the Applicant on March 10, 2021
has become complete.

NAIH-2160-5 / 2021, dated 18 March 2021, received by the Applicant on 24 March 2021. number
In his order, the Applicant requested clarification of the facts and informed the

Authority that the facts set out in the clarification order are in part disputed, as the Applicant
For some of the questions asked in your application to the applicant before
received information.

In his statement, the Applicant stated that the Applicant was obliged to pay the membership fee on time
did not comply, therefore, following three notices, the Applicant issued a decision on 04.07.2011
by administrative decision of 4 July 2011, the Presidency of the
from the membership register. This decision became final on 24.08.2011. Then the Applicant's balance
It showed a debt of HUF […].

The Applicant contacted the Applicant on 18.10.2017 and inquired that “in 2011

administrative cancellation due to non-payment of membership fees or suspension due to criminal proceedings "
is an obstacle to the recruitment of legal counsel. The Applicant will answer this question on the same day
received. Thereafter, correspondence continued between the Applicant and the Applicant, during which
the balance of the Applicant registered with the Applicant was mentioned. The membership fee debt due to which the
The Applicant has been deleted by administrative means, in the meantime it has expired, so the Applicant has informed the Applicant that
that the REFUND OF MEMBERSHIP FEE AND LATE FEES [...]
cost.

In addition to the above, the Applicant's Disciplinary Board for committing a disciplinary offense

He was fined HUF 150,000 and, in addition, as a total procedural expense
He should have paid HUF 65,300. The disciplinary decision became final on 7 June 2013. THE
Regarding the disciplinary fine, the Applicant received a letter of formal notice from the Applicant on 22.07.2015. Since the
the Applicant sent a demand for payment in a verifiable manner, therefore the limitation period
started again. The competent chamber clerk therefore also informed the Applicant that
that it is necessary to pay the fine and the costs of the proceedings in Case F […] 2012;
the amount of which is HUF 215,300.

According to the Applicant, the Presidency of the Applicant took a decision on 07/09/2020,

under which bad debts can be written off. As the Applicant is liable to disciplinary action and
its debt arising from procedural costs expired on 22/07/2020, therefore the debt was canceled.

Accordingly, on the basis of the Applicant's statement, the Applicant
he had no registered debt on.

According to the Applicant's statement, the Applicant's request for access dated 12 December 2020 a
It was received by the applicant on 23.12.2020. According to the Applicant, the service provider 's office and
Its headquarters were closed from 19 December 2020 to 1 January 2021, as every year.
no administrative work was carried out, so the deadline for administration started on 04.01.2021.


As the request for personal data in addition to personal records
therefore the complexity of the request under Article 12 (3) of the General Data Protection Regulation
Within one month of receipt of the request, the applicant shall reply to the request within 3 months


it was not possible to extend the deadline by another month. THE
Applicant does not dispute that the extension of the deadline and the reasons for it are not the Applicant
informed in accordance with that paragraph, but in its view, the
replied to the Applicant's letter on 02.04.2021 within the extended deadline.

The Applicant has attached the application of the Applicant dated 12 December 2020, the ELN. […],
a 2016. ELN. […] And its data management prospectus, and on 02.04.2021 a
He sent a reply letter to the applicant.

The Applicant further informed the Authority that its data processing is in principle in accordance with Section 6 (1) (c) of the GDPR.

and (e). According to the Applicant's statement, the relevant legislation - the lawyers
1998 XI. Act LXXVIII of 2017 on the activity of a lawyer. Act (a
hereinafter: Üttv.) - specify the scope of data to be registered, which data to store
also subject to statutory regulation.

The Applicant also referred to the Üttv. § 11, according to which it is not possible to attach a
It made individual decisions in relation to the applicant with regard to the obligation of confidentiality.

The Authority has issued NAIH-2160-7 / 2021. by order no., called on the Applicant to prove that
The deadline for replying to the applicant 's request was extended by two months
certify that the Authority has already collected the information needed to respond to the request

started before learning of the start of the procedure. In addition, the Authority requested that:
state exactly what you consider to be legal professional privilege in the present case and justify why
the lawyer's duty of confidentiality.

By letter received on 25 May 2021, the Applicant informed the Authority that the April 2021
It maintains the contents of its letter of 8 June with unchanged content, so that, in their interpretation, it is general
Article 12 (3) of the Data Protection Regulation allows for an additional 60 days after 30 days
extension of the deadline, so he calculated the two-month extended deadline, which he said
It began on January 4, 2021 and expired on April 4, not exceeded.


In this statement, the Applicant further stated that the Articles of Association set out in detail the
Duties falling within the competence of the requested officers. Given that the first round of the
request concerned financial data, so on 4 January 2021, the beginning of the administrative period,
for the first time it became necessary to clarify the financial issues, so within 2021.
On 29 January, the Data Protection Officer also received the material. It was received from each department
The next task was to coordinate and compare the responses, to evaluate the data received and
following its decision, for the evaluation of which an external colleague was also involved on 5 February 2021. The deadline
no internal record of the extension was made. And he obviously slowed down the process

104/2021 on the temporary tightening of protection measures, which will enter into force on 8 March 2021.
(III.5.), According to which the personal appearance pursuant to Section 6 (1)
the room or location for the purpose of the service was required to be kept closed.

Regarding the collection of data concerning the financial records, the June 2013
The debt arising from the disciplinary decision that became final on the 7th day of the Applicant was closed in 2013
year. The records related to this financial year have already been filed, so its paper
had to be retrieved from the archives. Data collection at the beginning of the administrative break at the beginning of the year
began in the week beginning January 4, 2021.


Gathering Information Required to Respond to an Applicant's Request for Access a
According to the applicant, even before the Authority became aware of the proceedings
started with the document entitled “Memorandum” dated 7 January 2021
certify. From this, it can be stated that debts related to the person of the Applicant have already been
they are also mentioned in this note, the financial justification for their deletion, and
and confirmation was needed.

The Applicant did not dispute that he had not informed the Applicant about the fact of the extension of the deadline. THE
According to the Applicant's statement, the response was that the Applicant's uncertainty had developed

the situation should be clarified, notwithstanding the fact that it considers the Information to be provided to the Applicant in part
already done., 4


The Applicant attached his full correspondence with the Applicant and on January 7, 2021
[…] Document entitled "Note".

In his statement, the Applicant explained that the scope of data to be treated as legal professional secrecy
due to the diversity of its activities. This is also the reason for this
Üttv, which establishes the obligation of confidentiality for a lawyer. nor does it contain guidelines. THE
Act on the obligation of confidentiality only provides that the lawyer is bound by confidentiality

shall be liable for all information and facts which come to his knowledge in the exercise of his profession
learned. An exhaustive list of the elements of legal professional privilege is impossible in practice, as it is
it can include the client's personal data and business secrets, and often the bank's or tax secrets
family, medical and personal matters, where applicable
facts concerning the family relations and state of health of the opposing party.

In his statement, the Applicant stated that the agreement between the Applicant, the Applicant and the Authority
the obligation of confidentiality is a special obligation of confidentiality, since according to the law a
The applicant shall be bound by the obligation of professional secrecy, in order to comply with the

fulfills its obligation to cooperate and provide information. Thus, Üttv. Section 11 (2)
the individual decision of the Applicant in the disciplinary case,
which, without the Applicant's excuse as a secret holder, the Applicant does not know to the Authority
to bring.

The Authority dated 16 August 2021, NAIH-2160-9 / 2021. case number in a clarification order
invited the Applicant to declare that in the letter sent by the Applicant on 2 April 2021
whether you have answered the questions in your request for access dated 12 December 2020 or if so
answer it, please indicate exactly why it is not suitable for you and which of your access requests

affects point.

The Applicant did not receive the order at his / her place of residence, the order was returned with the indication “did not seek”
to the Authority. In view of this, the Authority, dated 21 September 2021, NAIH-2160-10 / 2021. case number
repeatedly contacted the Applicant in the order. The Applicant did not take over the order at his place of residence, a
order was returned to the Authority as "not sought". On October 25, 2021, the Authority
dated, NAIH-2160-11 / 2021. The Court again contacted the Applicant in the order no
The applicant did not accept the order, the order was returned to the Authority with the indication “not sought”.

Given that NAIH-7362-1 / 2021. official of the case pending before the Authority
is aware that the address of the Applicant is at […], therefore the Authority will

dated November 24, NAIH-2160-12 / 2021. contacted the Applicant at his address in case no.
The Applicant received the order on 2 December 2021, but no reply has been received to date.


II. Applicable legal provisions

Pursuant to Article 2 (1) of the General Data Protection Regulation, the processing of data in the present case is

general data protection regulation applies.

The relevant provisions of the General Data Protection Regulation in the present case are the following:

Article 4 (1) of the General Data Protection Regulation: "personal data" means identified or identifiable
any information relating to a natural person ("data subject"); identifiable by that natural
a person who, directly or indirectly, in particular by means of an identifier such as a name, number,
location data, online identification or physical, physiological, genetic, mental,

on the basis of one or more factors relating to their economic, cultural or social identity
identifiable.

Under Article 12 (3) of the General Data Protection Regulation, the controller is unduly delayed
but in any case within one month of receipt of the request
concerned in accordance with Articles 15 to 22. on the action taken in response to a request under Article. If necessary, take into account
given the complexity of the application and the number of applications, this deadline is an additional two months

extendable. The extension of the deadline by the data controller shall be the reasons for the delay
within one month of receipt of the request. If so, 5


the application has been submitted by electronic means, the information shall be provided, if possible by electronic means
unless otherwise requested by the data subject.

Pursuant to Article 12 (4) of the General Data Protection Regulation, if the controller does not do so
measures at the request of the data subject, without delay but at the latest upon receipt of the request
inform the person concerned of the reasons for not taking action within one month of
that the person concerned may lodge a complaint with a supervisory authority and have recourse to the courts

with the right.

Information pursuant to Articles 13 and 14 pursuant to Article 12 (5) of the General Data Protection Regulation
and 15-22. The information and action provided for in Articles 1 and 34 shall be provided free of charge. If concerned
request is manifestly unfounded or, in particular due to its repetitive nature, excessive, the controller,
the provision of the requested information or information or the taking of the requested action
administrative costs:
(a) charge a reasonable fee, or

(b) refuse to act on the application.
The burden of proving that the request is manifestly unfounded or excessive is on the controller.

Pursuant to Article 15 (1) of the General Data Protection Regulation, the data subject is entitled to:
receive feedback from the data controller that your personal data is being processed
whether and if such data processing is in progress, you have the right to access your personal data and
access to the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been disclosed
or will be communicated, including in particular to third country recipients or international
organizations;
(d) where applicable, the intended period for which the personal data will be stored or, if that is not possible, this
criteria for determining duration;
(e) the data subject's right to request personal data concerning him or her from the controller

rectification, erasure or restriction on the processing of such personal data and may object to the processing of such personal data
against;
(f) the right to lodge a complaint with a supervisory authority;
(g) if the data were not collected from the data subject, all available information on their source;
(h) the fact of automated decision-making referred to in Article 22 (1) and (4), including profiling
and, at least in these cases, the logic used
information on the significance of such data processing and what is expected of the data subject

consequences.

Pursuant to Article 15 (3) of the General Data Protection Regulation, the controller is the subject of the processing
provide the data subject with a copy of the personal data Additional requested by the data subject
for copies, the controller may charge a reasonable fee based on administrative costs.
If the data subject submitted the application electronically, the information was widely used
shall be provided in electronic format, unless otherwise requested by the data subject.


Pursuant to Article 15 (4) of the General Data Protection Regulation, the copy referred to in paragraph 3
the right to claim must not adversely affect the rights and freedoms of others.

Pursuant to Article 58 (2) (b), (c), (g) and (i) of the General Data Protection Regulation, the supervisory authority
acting in its corrective capacity:
(b) reprimand the controller or the processor if his or her data processing activities have infringed this
provisions of this Regulation;

(c) instruct the controller or processor to comply with the conditions laid down in this Regulation
request for the exercise of his rights;
(g) order the rectification of personal data in accordance with Articles 16, 17 and 18 respectively;
or deletion of data processing and Article 17 (2) and Article 19
order the notification of the recipients with whom or with whom the personal data are held
data were provided;
(i) impose an administrative fine in accordance with Article 83, depending on the circumstances of the case;
in addition to or instead of the measures referred to in paragraph 6



Article 83 (1) to (2) and (5) (a) to (b) of the General Data Protection Regulation:
1. Each supervisory authority shall ensure that the measures referred to in paragraphs 4, 5 and 6
administrative fines imposed pursuant to this Article for infringements of this Article shall be effective in each case,
be proportionate and dissuasive.

2. Administrative fines shall be imposed in accordance with Article 58 (2) (a) to (h), depending on the circumstances of the case.

and (j) shall be imposed in addition to or instead of the measures referred to in When deciding that
whether it is necessary to impose an administrative fine or the amount of the administrative fine
In each case, due account shall be taken of the following:
(a) the nature, gravity and duration of the breach, taking into account the nature of the processing in question;
the scope or purpose of the infringement and the number of persons affected by the infringement and the
extent of damage;
(b) the intentional or negligent nature of the infringement;
(c) to mitigate any damage suffered by the controller or the data subject

any action taken;
(d) the extent of the responsibility of the controller or processor, taking into account the
the technical and organizational measures taken pursuant to Article.
(e) relevant infringements previously committed by the controller or processor;
(f) with the supervisory authority to remedy the breach and mitigate any adverse effects of the breach
the degree of cooperation in order to
(g) the categories of personal data concerned by the breach;

(h) the manner in which the supervisory authority became aware of the infringement, in particular
whether the controller or processor has reported the breach and, if so, in what detail;
(i) if, prior to the controller or processor concerned,
one of the measures referred to in Article 58 (2) has been imposed
compliance with measures;
(j) whether the controller or processor has kept itself approved in accordance with Article 40
codes of conduct or approved certification mechanisms in accordance with Article 42; and
(k) other aggravating or mitigating factors relevant to the circumstances of the case, such as:

financial gain or avoidance as a direct or indirect consequence of the infringement
loss.

5. Infringements of the following provisions in accordance with paragraph 2 shall not exceed EUR 20 000 000
or, in the case of undertakings, the full financial year of the previous financial year
up to 4% of its worldwide turnover, provided that
a higher amount should be charged:

(a) the principles of data processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9;
(b) the rights of data subjects under Articles 12 to 22. in accordance with Article

Infotv. Pursuant to Section 2 (2), the general data protection decree is indicated therein
shall apply with the additions provided for in

Infotv. Enforcement of the right to the protection of personal data pursuant to Section 60 (1)
In order to do so, the Authority may initiate ex officio data protection proceedings. For the data protection authority procedure

CL of 2016 on General Administrative Procedure. (hereinafter: Ákr.)
apply with the additions specified in the Information Act and in accordance with the general data protection regulation
with differences.

Infotv. 75 / A. §, the Authority shall comply with Article 83 (2) to (6) of the General Data Protection Regulation
shall exercise its powers in accordance with the principle of proportionality, in particular by:
legislation on the processing of personal data or a binding act of the European Union

for the first time in the event of a breach of the rules laid down in
in accordance with Article 58 of the General Data Protection Regulation, in particular the controller or
by alerting the data controller.

Section 5 of Act CL of 2016 on General Administrative Procedure (hereinafter: the Act) [Az
customer principles]
   The client may make a statement or comment at any time during the procedure


The Ákr. § 62 [Clarification of the facts]
1. Where the available data are insufficient to reach a decision, the Authority shall conduct an evidentiary procedure
he continues.
2. Any evidence which may clarify the facts may be used in official proceedings
suitable. It may not be used as evidence obtained by the authority in breach of the law
evidence.
(3) Facts officially known to the authority and in the public domain need not be proved.

4. The authority shall be free to choose the means of proof and the evidence available
freely believes.

Ákr. Pursuant to Section 35 (3), until the decision made on the matter at the request of the client becomes final
may have.

The Ákr. Pursuant to Section 50 (5) (b), the client does not count towards the administrative deadline
duration of the omission or delay.


The Üttv. Pursuant to Section 9 (1), all facts, information and data
of which the practitioner of the profession of lawyer has become aware in the exercise of that activity. THE 2)
Unless otherwise provided by this Act, a practitioner of the profession of lawyer shall:
to maintain legal professional secrecy. This obligation of confidentiality extends to a document containing legal professional privilege or otherwise
media.


The Üttv. Pursuant to Section 13 (3), a document prepared for the purpose of defense is official, judicial and other
may not be used as evidence in public proceedings and - the cases specified in this Chapter
may not be inspected, seized or copied by public authorities, except
its presentation, transfer and granting of access to it may be refused. The data subject is concerned
may waive it unless the document relates to protection in criminal matters.

Infotv. Pursuant to Section 71 (1), during the proceedings of the Authority - it is necessary for the conduct of the proceedings
to the extent and for the duration - to handle all personal data and secrets protected by law and

information covered by the obligation of professional secrecy which is relevant to the proceedings; and
which need to be addressed in order to carry out the procedure effectively.
2a. In the case of a defense document, the provisions of paragraphs 1 and 2 shall be
shall apply with the exceptions specified in the Act on the Activity of

III. Decision:


In his application, the Applicant requested an explicit decision of the Authority regarding the violation of the rights of the data subject,
and asked him to warn the data controller of the breach, condemn him and dismiss him
data controller to comply with the data subject's request, as well as to impose a sanction or administrative fine
asked the Authority.

III.1. Application of the Applicant concerned


In its letter of 1 October 2020, the Applicant did not clearly indicate the subject of his application, thus
nor does it intend to exercise the data subject's right. The Applicant on 1 October 2020 during the proceedings
indicated the subject of his letter as a general request for information concerning his debt.


However, the subject of his letter of 12 December 2020 has already been "the exercise of the right of access,
exercise of the right to data portability - GDPR ”. The Applicant's application was attached to the domestic
a return receipt, on the basis of which it can be established that the application of the data subject is to be delivered on 23 December 2020
received by the Applicant. The Applicant clearly stated in his application that his application was primary
that it wished to exercise its right of access under the GDPR. During the proceedings, this concerned
the handling of the application by the Applicant was examined by the Authority.


Regarding the examined data management, it is related to the account balance, debt and chamber membership
The information on the Applicant contained in the chamber registers and documents shall be in accordance with Article 4 (1) of the GDPR.
of the personal data of the Applicant, the data controller of the Requested, the registration of the data and, 8


under Article 4 (2) of the GDPR
apply.

III.2. Violation of the rights of the Applicant concerned


Under Article 15 (1) of the General Data Protection Regulation, the data subject has the right to be personal
access to your data.

Pursuant to Article 12 (3) to (4) of the General Data Protection Regulation, at the request of the data subject, the
shall reply on the merits within one month. This deadline is limited to special circumstances
it may be extended for a further two months, but before the expiry of the original one month

send the data controller information on what he has done so far and for what reason the deadline is necessary
extension.

Before the expiration of the original one month, the Applicant has not fulfilled the right of access of the Applicant
nor did it indicate to the Applicant the need for an extension of the deadline. This is the procedure
during which the Applicant also acknowledged.


According to the Applicant's statement, since the Office and headquarters of the Applicant Service Provider are 19 December 2020 and
2021.01. It was kept closed between 03. During this period, my administration work was open, open for administration
The standing deadline started on 04.01.2021.


The time limit specified in Section 12 of the General Data Protection Decree is a calendar day and not a working day
therefore the deadline for the submission of the application is 24 December 2020.
and not January 4, 2021.

In this context, the Authority notes that the chamber regulations cited below are also calendar days
the time limit for replying to the requests of the persons concerned shall be calculated:


    - According to Article 131 of the Articles of Association published on the Applicant's website, “The Chamber is managed by it
        data are covered by the applicable data protection legislation in force at any time
        according to. In this context, the necessary records, reports and data services
        perform. "
    - The Hungarian Bar Association has adopted the “XVI. Information, right of protest,

        deletion of data, restrictions on data processing ”states in point 3 that the Bar Association
        shall be required as soon as possible after the application has been lodged, but not more than fifteen (15)
        provide the information in writing, in a comprehensible form, free of charge within one day. Privacy
        regulations do not provide for the interruption or suspension of the deadline.

The calculation of the time limit has no effect on the Applicant's leave scheme because of the performance of duties

continuity must also be ensured by the Applicant. Nor is it possible to derogate from that obligation
Neither the Hungarian Bar Association nor the Applicant's internal rules contain any reference. THE
Nor do the austerity measures referred to by the applicant, which entered into force on 8 March 2021, qualify
because the exercise of the rights of the data subject is not a service requiring a personal appearance.

The Applicant is also obliged to organize the work in accordance with the provisions of the GDPR

comply with access requests on time.

The application may be refused access on the grounds set out in Article GDPR12 (5).
fulfillment. The Authority found that the Applicant had subsequently provided the Applicant with
The applicant did not refer to the excessive nature of the request in its letter sent to the GDPR
The application for access, which was lodged for the first time since

that he has previously provided information on the requested data and a copy of the decisions.

In view of the above, the Applicant violated Article 15 (1) and (3) of the GDPR and Article 12
Within one month of receipt of the request and
did not provide an extension at the request of the Applicant for access, so within the time limit set by the GDPR a
did not grant the right of access., 9


The Applicant did not grant the Applicant the right of access beyond the deadline as long as the
The Authority was not aware of the present proceedings, ie it acted as a result of the Authority proceedings because a
The Applicant sent a reply to the Applicant after receiving the order of the Authority on 24 March 2021. THE
However, this reply to the request is the period to be examined (from the submission of the request for access to
Pending the initiation of proceedings before the Authority) and is not relevant to the finding of an infringement, but
should be assessed in terms of sanctions.


III.3. Obliging the applicant to comply with the request for access

The part of the Authority's request for an obligation to comply with a request for access
because on 2 April 2021 the Applicant sent a final disciplinary decision and
the cancellation decision to the Applicant or during the proceedings before the Authority takes a decision

has already taken steps to provide the information to the Applicant. The Applicant informed the
Applicant's debt registered with the Applicant, the storage of the Applicant's personal data
and if the Applicant considers that the Applicant has violated it
in the processing of the Applicant's personal data, the general data protection regulation, then at the Authority
or the contact details of the Data Protection Officer of the Applicant.


The Applicant did not object to the reply sent by the Applicant on 2 April 2021, and has since contacted the Authority.
does not co-operate, therefore, in the absence of evidence to the contrary, the Authority will
assessed that the obligation to comply with his request for access had become obsolete.

III.4. Clarification of facts and legal professional privilege


The Authority shall provide the applicant with declarations regarding its procedural and access rights
makes the following remarks in this context:

The Authority has issued NAIH-2160-5 / 2021. In its order No
Applicant as to whether he had responded to the Applicant's request from the data subject and, if so, asked the

A copy of the reply sent to the applicant.

The Applicant sent a copy of the Authority's reply of 2 April 2021, without annexes, to the Authority.
and Üttv. Refused to the Applicant on the grounds of his obligation of confidentiality provided for in § 11
as annexes to the response to the data subject's request to the Authority
sending


However, in the Authority's view, the individual decisions concerning the Applicant do not qualify
a lawyer's secret. Because during the disciplinary proceedings against the Applicant, the Applicant did not
performed the activity of a lawyer, but also performed the duties of a public body, therefore the obligation of confidentiality is regulated by the Üttv.
It cannot be based on the provisions of § 9.


Furthermore, in the Authority's view, the Applicant's claim that it was not possible to attach the
It made individual decisions in relation to the applicant, citing its obligation of confidentiality
is unfounded because Infotv. Pursuant to Section 71 (1), the Authority shall, in the course of its proceedings,
to the extent and for the time necessary to carry out all personal data, and
information which is covered by the obligation of professional secrecy and is covered by the obligation of professional secrecy
related to the procedure or the handling of which is necessary for the efficient conduct of the procedure
required. Infotv. However, pursuant to Section 71 (2a), the Üttv. Section 13 (3)

for the access of certain documents prepared for the purpose of defense, as defined in the Üttv
conditions shall apply.

This is supported by the Üttv. certain laws and other judicial matters related to the entry into force of
Act CXXXVI of 2017 on the amendment of laws to § 80 of the Infotv. To Section 71 (2a)
- a legislative justification for the Authority's right of access as set out below

defined:

“Act CXII of 2011 on the right to information self-determination and freedom of information. Act (a
hereinafter: the Information Act) § 71 (1) and (2) of the National Data Protection and Freedom of Information, 10


It shall grant the Authority the powers necessary for the conduct of its proceedings
to the extent and for the duration of the processing and use of all personal data and by law
data covered by the obligation of professional secrecy and professional secrecy
which are necessary for the efficient conduct of the proceedings.

This right shall also apply to legal professional privilege
the authority primarily responsible for the protection of fundamental rights. In this respect, Infotv.

the exception is Üttv. Section 13 (1) for the protection of legal professional privilege
requirements. This special regulation is also maintained by this law. The Üttv. Section 13 (3)
certain documents drawn up for the purpose of defense in the context of an official procedure
in the context of its knowledge and usability
However, the application of the conditions laid down in the Act on the Enhanced Protection of these Documents a
The procedure of the National Data Protection and Freedom of Information Authority is also justified, the law of this
accordingly aims to create a clear legal environment. "
In view of the above, the Applicant's request for confidentiality in the proceedings initiated at the request of the Applicant

could not have denied the individual decision taken in relation to the Applicant
in particular because they do not constitute a document for the purpose of defense.

The Authority, as it does not share the arguments of the Requested lawyer regarding the obligation of professional secrecy, and
interpretation of the law that the decision of the Applicant in a disciplinary case should be a lawyer's secret
nor did it consider it necessary for the applicant to be exempted from the
ask to keep it a secret.

The Authority shall take the necessary steps to obtain a document which has not been sent and to penalize failure to comply with the request.

disregarded because, although it was closely related and justified to the case, the facts ultimately
it could have been adequately clarified without its precise knowledge.

III.5. The issue of data protection fines

If the Authority finds an infringement in the data protection authority proceedings, the general
may apply the legal consequences set out in the Data Protection Regulation and the Infotv. These include
also includes data protection fines, which are provided for by the Authority in the General Data Protection Regulation
decides on its own initiative or ex officio with other legal consequences, no
upon request. The imposition of a data protection fine directly affects the applicant's right or legitimate interest

does not give rise to any right or obligation on the part of the Authority, and therefore
with regard to the application of these consequences in the public interest
Applicant does not qualify as a customer under Ákr. § 10 (1), or - as the Act no. Section 35 (1)
does not comply with paragraph 1, there is no need to submit an application in this respect, the application
part of it cannot be considered as an application.

III.6. Legal consequences


The Authority grants the Applicant's request in part and pursuant to Article 58 (2) (b) GDPR
condemns the Applicant as data controller for violating Article 12 of the GDPR.
and Article 15 (1) and (3) of the GDPR.

The Authority examined of its own motion whether a data protection fine against the Applicant was justified.
imposition. In this context, the Authority complies with Article 83 (2) of the General Data Protection Regulation and Infotv.
75 / A. § considered all the circumstances of the case. In doing so, the Authority will be a significant factor

took into account that the Applicant is a public body performing professional and advocacy tasks,
whose members and officials are also lawyers, and is therefore increasingly expected to know correctly
interpret the provisions of the GDPR and treat the data subject appropriately from a data protection point of view
applications.

However, the Authority took into account that the Authority significantly exceeded the 150-day
administrative deadline and that the procedure has been lengthy.


On this basis, the Authority waived the fine.

On the basis of the above, the Authority has decided in accordance with the operative part


III.7. Calculation of administrative deadline, exceeding the administrative deadline

The authority The procedural obligation prescribed in Section 15 (1) and the administrative deadline
it shall begin when the application becomes admissible on the merits.

The Applicant submitted his application to the Authority on 4 February 2021, but did not include the
A strong request for a decision to remedy the infringement identified in

called for rectification on 19 February. The Applicant shall issue a notice to the Authority on 5 March 2021
by letter dated 10 March 2021, received by the Authority on
has become complete.

The Authority then referred NAIH-2160-9 / 2021 to clarify the facts. and NAIH-2160-10 / 2021.
sent an order to the Applicant's place of residence on 16 August and 21 September, which were
Applicant did not take over and did not seek an indication They returned to the Authority on 9 and 20 September 2021
October 11, 2021. The Authority issued its order NAIH-2160-11 / 2021. and NAIH-2160-12 / 2021.
therefore sent it to another address to his official knowledge on October 25, 2021 and then October 20, 2021.

on November 24th. Order NAIH-2160-11 / 2021 was returned on 15 November 2021
to the Authority, while the Applicant is the Authority NAIH-2160-12 / 2021. No. 2021.
received it on 2 December but did not reply.
By failing to do so, the Applicant caused a protracted clarification of the facts, which Section 50 (5)

shall be deemed to be a period not included in the administrative period pursuant to paragraph 1 (b).
ARC. Other issues:


The powers of the Authority shall be exercised in accordance with Infotv. Section 38 (2) and (2a) determine the jurisdiction of the country
covers the whole territory.

The decision is based on Ákr. 80.-81. § and Infotv. It is based on Section 61 (1). The decision is based on Ákr. Section 82 (1)
shall become final upon its communication pursuant to paragraph

In the course of the procedure, the Authority exceeded the Infotv. One hundred and fifty days of administration pursuant to Section 60 / A (1)

deadline, therefore the Ákr. According to § 51 b), ten thousand forints - according to the choice to be indicated in writing -
belongs to the Applicant.

The Ákr. § 112 and § 116 (1) and § 114 (1)
there is a right of appeal through an administrative lawsuit.

The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a
hereinafter: Kp.). A Kp. Pursuant to Section 12 (1), it is against the decision of the Authority

administrative lawsuit falls within the jurisdiction of the court, the lawsuit is subject to the Kp. 13. Paragraph 3 (a) (aa)
the Metropolitan Court has exclusive jurisdiction. A Kp. Pursuant to Section 27 (1) (b) a
legal representation is mandatory in litigation falling within the jurisdiction of the tribunal. A Kp. Pursuant to Section 39 (6) a
the filing of an application does not have suspensory effect on the entry into force of the administrative act.

A Kp. Section 29 (1) and with this regard Pp. Applicable in accordance with § 604, electronic
CCXXII of 2015 on the general rules of public administration and trust services. Act (a

hereinafter: E-Administration Act) Section 9 (1) (b) of the Client’s legal representative
obliged to keep in touch.

The time and place of the submission of the application is Section 39 (1). The trial
Information on the possibility of requesting the maintenance of the It is based on § 77 (1) - (2). THE
the amount of the fee for an administrative lawsuit in accordance with Act XCIII of 1990 on Fees. Act (hereinafter: Itv.)
45 / A. § (1). From the advance payment of the fee, the Itv. Section 59 (1) and
Section 62 (1) (h) exempts the party initiating the proceedings.


Dated: in Budapest, according to the electronic signature.

                                                                    Dr. Attila Péterfalvi
                                                                           President
                                                                     c. professor