NAIH (Hungary) - NAIH-4137- 8/2022
|NAIH - NAIH-4137- 8/2022|
|Relevant Law:||Article 5(1)(a) GDPR|
Article 5(2) GDPR
Article 12(2) GDPR
Article 13(1)(a) GDPR
Article 13(1)(b) GDPR
Article 15 GDPR
|National Case Number/Name:||NAIH-4137- 8/2022|
|European Case Law Identifier:||n/a|
|Original Source:||NAIH (in HU)|
The Hungarian DPA fined a gynecologist €1,400 for not ensuring effective exercise of data subject rights in violation of Articles 12(2) and 13(1)(a)(b) GDPR. Moreover, the processing of personal data was not transparent as required by Article 5(1)(a) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The data subject was the patient of a gynecologist (the controller), who owned a private practice, and requested access to their medical records. The requested documentation related to the data subject's maternity care and pregnancy, which ended in the death of the fetus. Within a span of two months, the data subject sent two letters requesting a copy of the records, both with no response. Consequently, they lodged a complaint with the Hungarian DPA in order to obtain access to the data.
The DPA initiated a procedure and asked the controller to clarify the facts of the case. The controller responded that it managed the practice without any administrative help and due to the Covid-19 pandemic, struggled with minor administrative shortcomings. Consequently, it did not become aware of the data subject's request on time. The controller largely relied on paper records rather than an electronic patient database and only maintained the statutory mandatory electronic records. At the request of the DPA, the controller provided a copy of the documents, signed and sealed, to the data subject. However, the file was not complete as several medical test results were missing. The data subject requested the DPA to order the controller to send a copy of the missing records.
The DPA examined whether the controller acted lawfully in considering the request for access to medical records. The DPA also examined ex officio the general data management practices of the controller.
Holding[edit | edit source]
First, the DPA recalled that the GDPR defines data relating to the health and healthcare of a data subject as personal data, including special categories of personal data under Article 9 GDPR.
Second, the DPA noted that maintaining paper records is still considered processing of personal data under the GDPR if the data are part of a filing system, in line with Article 2(1) GDPR. Article 4(6) GDPR defines a filing system as "any structured set of personal data, which are accessible according to specific cirteria". Accordingly, the DPA held that, in the present case, the patient files maintained by the controller in the context of providing private healthcare fell within the scope of the GDPR.
Third, the DPA noted the obligations of the controller under Articles 12(2) and 15 GDPR to provide the details of the right to access as well as a copy of the requested data. Respectively, the copies of medical records sent to the data subject were not complete and the controller did not respond at all to two consequtive requests. The DPA pointed out that, according to the principle of accountability in Article 5(2) GDPR, the controller is responsible for compliance with the GDPR and must be able to demonstrate it.
Fourth, the DPA noted that, contrary to the requirements of Article 13(1)(a)(b) GDPR, it was difficult to find the correct address for submissions of access requests because the controller's Privacy Notice with contact information was not provided to the data subject.
Fifth, the DPA took a closer look at the controller's documentation practices. In this context, the DPA indicated that the controller was unclear about how it stored patients' data. First, it had stated that it did not keep electornic records. Later, the controller stated that it created electronic records when required by national law. Therefore, the controller was not transparent with regards to the means of processing personal data, in breach of Article 5(1)(a) GDPR.
The Hungarian DPA had to reject the data subject's request to order the controller to submit the missing documents as they turned out to be missing from the medical documentation overall. However, on its own initiative, the DPA concluded that the controller did not ensure an effective exercise of data subject rights in violation of Articles 12(2) and 13(1)(a)(b) GDPR. The controller also did not process personal data in a transparent manner in violation of Article 5(1)(a) GDPR. The DPA imposed a €1,400 fine for these violations.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-4137-8/2022 (NAIH-4935/2021) Subject: rejecting the application, ex officio finer decision The National Data Protection and Freedom of Information Authority (hereinafter: Authority) [...] (residential address: [...]; hereinafter: Applicant) authorized representative is […] lawyer by ([…]#cegkapu) on May 13, 2021 […] with an obstetrician-gynecologist specialist business seat: […]; hereinafter: Respondent) against the Applicant healthcare in the official data protection proceedings regarding access to its documentation, makes the following decisions: I. In the Authority's decision I.1. rejects the Applicant's requests. I.2. The Authority ex officio determines that the Respondent violated the natural on the protection of persons with regard to the management of personal data and such on the free flow of data and the repeal of Directive 95/46/EC Regulation (EU) 2016/679 (hereinafter: General Data Protection Regulation) Article 5 (1) point a) of paragraph 12, paragraph 2 of Article 13 and points a)-b) of paragraph 1 of Article 13. I.3. I.2. due to the violations established in point 600,000 HUF, i.e. six hundred thousand forints data protection fine obliged to pay. II. In an order, the Authority terminates the part of the procedure that aimed to a Authority to establish the Civil Code. 2:51 a.m. § (1) point a) violation. The data protection fine shall be imposed within 30 days from the date of the finalization of this decision Authority's centralized revenue collection target settlement HUF account (10032000- 01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000) must be paid. When transferring the amount, NAIH-4137/2022. FINE. for number must be referred to. If the Respondent does not fulfill his obligation to pay the fine within the deadline, he is in default must pay an allowance. The amount of the late fee is the legal interest, which is a corresponds to the central bank base rate valid on the first day of the calendar semester affected by the delay yes. I.3. in the case of non-payment of the fine and the late fee, the Authority orders the execution of the decision. There is no place for administrative appeal against this decision and order, but it is within 30 days from the notification, with a letter of claim addressed to the Capital Court ……………………………………………………………………………………...………… Falk Miksa utca 9-11 Fax: +36 1 391-14100 firstname.lastname@example.org 2 can be challenged in an administrative lawsuit. The claim must be submitted to the Authority, electronically, which forwards it to the court together with the case documents. The complete personal for those who do not receive a tax exemption, the fee for the administrative lawsuit is HUF 30,000, the lawsuit is subject to the right of material levy record. Legal representation in proceedings before the Metropolitan Court obligatory. I N D O C O L A S I. The course of the procedure: I.1. On May 13, 2021, the Applicant submitted an application to the Authority, in which he presented that in a registered letter sent on January 15, 2021, through its representative, it requested from the Application It rained between January 1, 2020 and September 20, 2020, for maternity care issue of your complete medical documentation. Due on March 4, 2021 he repeated his request in his letter sent as a consignment, the requests were sent to the [...] clinic [...] sent to postal address. Your application, sent with a return receipt, was returned with a "not searched" mark to it. He did not receive a response from the Application, nor did he receive a copy of the Requested documents provided. In the letters sent, the Applicant requested private obstetrics and gynecology from the Applicant under care during your pregnancy care - either at the [...] clinic or elsewhere locally - generated, stored in an electronic system or outside of it documentation, including the consent form, patient information sheet, imaging recordings, expert opinion, written/electronic communication with the Applicant. The Applicant asked the Authority to establish the violation, Eütv. of § 24 violation of the Civil Code 2:51 a.m. Based on § (1) point a), oblige the Applicant to a To fulfill the applicant's request for the issuance of documents, as well as against the Application impose a fine. I.2. At the request of the Applicant, on the right to self-determination of information and that CXII of 2011 on freedom of information. Act (hereinafter: Infotv.) Section 60 (1) based on paragraph NAIH-4935/2021. case number on May 14, 2021, data protection authorities proceedings have been initiated. In order to clarify the facts, the Authority called on him to make a statement on June 7, 2021 the Applicant. I.3. The legal representative of the Respondent is a client of […] individual lawyer ([…]#cegkapu) - eg all healthcare workers - due to workload, NAIH-4935-4/2021. for number in its letter dated July 14, 2021, the response deadline is thirty days requested an extension, which was issued by the Authority on July 29, 2021 allowed. I.4. The Respondent's response to the invitation to clarify the facts was received on August 11, 2021 and NAIH-4935-6/2021. was registered. 1 The NAIH_K01 form is used to initiate the administrative lawsuit: NAIH_K01 form (16.09.2019) The form can be filled out using the general form filling program (ÁNYK program). 3 I.5. NAIH-4935-7/2021 order of the Authority dated in order to further clarify the facts. number was sent on September 21, 2021, the Requested on October 4, 2021 took over. I.6. The Respondent's response to this call was received on October 18, 2021, NAIH-4935-8/2021. registration number. I.7. NAIH-4935-9/2021. mailed on October 27, 2021 and by the Applicant in 2021. In its order received on November 2, the Authority requested the Applicant's statement on the above by answering questions and sending documents. I.8. The Applicant's statement received on November 5, 2021 is NAIH-4935-10/2021. number was filed. I.9. The Authority deemed it necessary to further clarify the facts, to this end NAIH- 4935-11/2021. sent an order to the Respondent on November 18, 2021, which Received on December 6, 2021. I.10. The Respondent responded to the order in a letter received on December 23, 2021, and Authority NAIH-4935-12/2021. registered. I.11. The Authority supplemented the procedure with an examination of the Respondent's general practice, this Application was issued on March 28, 2022 and received by him on April 11, 2022 informed him in his order, and at the same time called on him to make another statement. I.12. The Applicant NAIH-4137-2/2022. Your answer was registered on April 27, 2022 arrived. I.13. Acting administrator NAIH-4137-3/2022. his note no. dated May 4, 2022. I.14. On May 26, 2022, the Authority notified customers that the proof procedure completed and clients can see the documents of the procedure. The Authority at the request of the Applicant On June 9, 2022, he sent it to a party that did not originate from him and did not arise during the procedure copies of all documents sent by making the protected data unknowable. II. Clarification of the facts II.1. In his reply given through his legal representative, the Respondent submitted the following: The [...] clinic operating as the location of your order is a fictitious name for the purpose of the order he rents premises based on a verbal agreement from […] an obstetrician-gynecologist, who you cannot attach a document relating to the legal relationship. To manage your patient's data the relevant data controller is the Requested person, the submission of data subject requests provides the possibility at the registered office of the individual entrepreneur - […] - as well as the data management information sheet and the sole proprietorship register. In relation to the examined access request, he provided information that the request together with many other doctors regularly provides health care services at his address, however, he only carries out medical prescription activities there, and for the sake of administration a no one is employed on site. He did not receive the requests from the stakeholders, to respond to them he didn't know either. According to the statement, the Applicant also performs health and medical tasks in both […] In a teaching hospital, both in private practice. The highest in the last period is 4 The coronavirus epidemic also required an increased effort from the application to provide patients with professional services and in order to properly care for him, he was forced to prioritize his tasks due to the workload, thus primarily, in accordance with his medical oath, all his capacity to care for patients translated. Due to these circumstances, it could happen that with the appropriate administration on the other hand, he placed the emphasis on the care of patients, thus - despite all his efforts, by him also acknowledged - minor administrative deficiencies may have occurred in its activities. You have attached a copy of your data management policy to your reply. II.2. Questions asked in the following order sent to the Authority during the clarification of the facts during his response, the Respondent submitted that the Authority was sent to the […] clinic addressee's letter was delivered in such a way that the related notice was ordered by someone else there he received it from a colleague, who, seeing that it was an official document, took it in good faith at the post office. The Requested does not send inquiries related to data management to this address is accepted, as only one room is rented at the place of order during the order period duration, so he cannot ensure the reception of inquiries there. With the assistant is in a contractual relationship, his task is to give the appointment based on a telephone request, is not present on the order. You have no other agreement with the lessor apart from renting the premises, there is no joint administration at the given address. Patients are informed about data management in Data Management it is informed by means of the information contained in the information sheet, which can also be found on its website ([…]), and a it is also available at the place of order at the time of ordering. The data management information sheet has the He cannot prove that he was acquainted with the applicant. The Respondent at the request of the Authority - in which the Authority is the Applicant requested the part of his documentation on which the first data collection took place, or on which there is an official signature - he checked his records, however, it concerns the Applicant no documentation found. The previously cited reason for the administrative deficiency he cited workload caused by the coronavirus epidemic, according to which the patients are adequate spent its limited capacities on health care and the fight against the epidemic, and in such a medically and humanly difficult situation he considered that the administration is of secondary importance. Despite all this, administration and documentation aware of its importance and regretted the omission. II.3. The Authority invited the Applicant to make a statement, and the maternity care to attach a copy of your booklet, in which information about the data controller – date of care, name of healthcare provider providing care, doctor's seal, etc. - its visibility had to be ensured. This was sent by the Applicant, his statement is further and informed the Authority on which dates ([…].) he carried out the She requested her pregnancy care as part of a private order at the [...] clinic. performed by that on the occasion of these meetings, ultrasound examinations were also carried out, the data of which a they were recorded in a maternity care booklet, written with a pen, signed and sealed. […]- he was received by the Applicant at the […] Hospital, the results of the examination were recorded in the outpatient card for recording. On […], at the clinic on [...] street, he determined that the fetus was no longer there heartbeat. According to the Applicant's statement, the Applicant submitted the results of the examinations, ultrasound examinations, as well as the dates of the next meetings and check-ups in the pregnancy care book recorded, signed and sealed. Attached by the Applicant from the Electronic Health Services Area (EESZT) requested documentation, in which during the private ordering occasions indicated above generated data, findings are not found. She also stated that her pregnancy care during, on examinations and ultrasound examinations carried out within the framework of the Respondent's private order did not receive findings or test results either on paper or in electronic form, the 5 After the stitches were removed, the Respondent became unavailable to him, and he had no contact with him he couldn't move, he didn't answer his messages, he didn't answer his phone calls. II.4. At the Authority's further request, the Respondent submitted that the patient data of the procedure it is recorded by means of the "Condition assessment form for patients" document already sent during which is recorded on paper. (The Authority notes that this document has not been published to be sent to the Authority.) He stores the patient documentation at his headquarters, that's it place of data management, and if necessary uploads it to the EESZT system. Electronic does not keep records. At the request of the Authority, it inspected its records, however, in relation to the Applicant no documentation is included. The Applicant's test results in the maternity care recorded in a book, as he did in other cases. The cause of the documentation deficiencies was the previously explained epidemic situation cited difficulties and asked the Authority to understand that the case take this into account when considering your circumstances. At the request of the Authority, he attached […] a certificate signed by the chief physician of the department, in which the chief physician certifies that the Applicant intensively participates in the increased patient care in the ward, as well as before not a few, the number of patients on duty has also increased significantly. II.5. In the Authority's next order, the Respondent answered the question that - subject to to his statement of December 21, 2021, according to which he does not keep electronic records - in the absence of electronic records, how does it comply with the requirements for recording in the EESZT submitted in response to his obligation, according to which, clarifying his previous statement, the EESZT in addition to the mandatory electronic data upload, other electronic records doesn't drive. Therefore, according to his point of view, there is no contradiction in the Data Management Information 6.1.4. between his point and his actual practice according to his statement dated December 21, 2021 regarding the electronic registration of data. By the wording "if necessary" written in your previous answer, you mean that the data it is uploaded to the EESZT if required by law. The Authority to his question about the detailed information regarding the Electronic Health Services Area 39/2016 on rules. (XII. 21.) to the regulation according to § 19 (2) of the EMMI Decree how and in which cases it complies, he did not give an answer. He sent the "Condition assessment sheet for patients". document sample, he declared that the information before the already sent Data Management information from January 2020 applied - a copy of which was also attached - which information was made available on its website, moreover, he was also available at the place of the order at the time of the order, and stated that He treated 68 patients in 2020 and 196 patients in 2021 in private practice, of which its income was HUF 1,220,000 in 2020 and HUF 3,962,000 in 2021, the he also attached an extract from the relevant tax return. III. Legal provisions applicable in the case: On the protection of natural persons with regard to the management of personal data and on the free flow of such data, as well as outside the scope of Directive 95/46/EC Regulation (EU) 2016/679 (hereinafter: General Data Protection Regulation) for data management under the scope of Infotv. According to Section 2 (2), general data protection regulation shall be applied with additions in the provisions indicated there. 6 of the General Data Protection Regulation According to point 1 of Article 4, "personal data": identified or identifiable natural any information relating to a person ("data subject"); the natural person can be identified, who directly or indirectly, in particular an identifier such as name, number, location data, online identifier or physical, physiological, one concerning your genetic, intellectual, economic, cultural or social identity can be identified based on several factors; According to point 15 of Article 4, "health data" means the physical state of a natural person personal data regarding your mental health, including the natural person also data relating to the health services provided to him, which information carries about the state of health of the natural person; According to Article 4, point 2, "data management": you are on personal data any operation performed on data files in an automated or non-automated manner or set of operations, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or otherwise by making available, coordinating or connecting, restriction, deletion or destruction; According to point 7 of Article 4, "data controller": the natural or legal person, public authority body, agency or any other body that aims to manage personal data and determines its assets independently or together with others; if the purposes of data management and its means are determined by EU or member state law, the data controller or the data controller EU or Member State law also lays down special considerations for its designation can define; According to Article 5 of the General Data Protection Regulation: (1) Personal data: a) handling legally and fairly, as well as in a transparent manner for the data subject must be carried out ("legality, due process and transparency"); b) it should be collected only for specific, clear and legal purposes, and not those be treated in a manner inconsistent with these purposes; of Article 89 (1). accordingly, the public interest is not considered incompatible with the original purpose for archiving purposes, for scientific and historical research purposes or for statistical purposes further data processing ("target binding"); c) they must be appropriate and relevant in terms of the purposes of data management, and they must be limited to what is necessary ("data sparing"); d) they must be accurate and, if necessary, up-to-date; all reasonable measures must be done in order to ensure that it is inaccurate in terms of the purposes of data management have personal data promptly deleted or corrected ("accuracy"); e) must be stored in a form that allows the identification of the data subjects only a enables the processing of personal data for the time necessary to achieve its goals; the Personal data may only be stored for a longer period of time if insofar as the processing of personal data is in accordance with Article 89 (1). for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes will take place for the purpose of protecting the rights and freedoms of those affected in this regulation for the implementation of appropriate technical and organizational measures subject to ("limited shelf life"); f) must be handled in a way that is technically or organizationally appropriate adequate security of personal data should be ensured by applying measures, that is unauthorized or illegal processing, accidental loss or destruction of data or protection against its damage ("integrity and confidentiality"). (2) the data controller is responsible for compliance with paragraph (1), and must also be able to demonstrate this compliance ("accountability"). Pursuant to Article 12 of the General Data Protection Regulation 7 (1) The data controller takes appropriate measures to ensure that the data subject for the processing of personal data referred to in Articles 13 and 14 all information and 15-22. and each information according to Article 34 is concise, in a transparent, comprehensible and easily accessible form, in a clear and understandable way provide it in writing, especially in the case of any information addressed to children. The information in writing or in another way - including, where applicable, the electronic way - must be given. Verbal information can also be given at the request of the data subject, provided that it is done in another way the identity of the person concerned was verified. (2) The data controller facilitates the relevant 15-22. the exercise of his rights according to art. The 11. in the cases referred to in paragraph (2) of Article 15-22, the data controller your rights under Art may not refuse to fulfill your request for exercise, unless you prove that that the person concerned cannot be identified. (3) The data controller without undue delay, but in any case the request within one month of its receipt, informs the person concerned of the 15-22 according to article on measures taken following a request. If necessary, taking into account the request complexity and the number of applications, this deadline is extended by two more months can be extended. Regarding the extension of the deadline, the data controller explains the reasons for the delay indicating within one month from the receipt of the request concerned. If the person concerned submitted the request electronically, the information is possible must be provided electronically, unless the data subject requests otherwise. (4) If the data controller does not take measures following the data subject's request, it is a delay without, but at the latest within one month from the receipt of the request data subject about the reasons for the failure to take action, as well as whether the data subject complained can submit it to a supervisory authority and exercise its right to judicial redress. Based on Article 13 of the General Data Protection Regulation: Information to be made available if personal data is collected from the data subject (1) If personal data concerning the data subject is collected from the data subject, the data controller a at the time of obtaining personal data, provides the data subject with a all of the following information: a) the identity of the data controller and - if any - the data controller's representative and your contact information; b) contact details of the data protection officer, if any; Based on Article 15 of the General Data Protection Regulation: (3) The data controller shall provide the data subject with a copy of the personal data that is the subject of data management makes available. For additional copies requested by the data subject, the data controller is responsible may charge a reasonable fee based on administrative costs. If it is affected submitted the application electronically, the information was widely used must be made available in electronic format, unless the data subject requests otherwise. (4) The right to request a copy referred to in paragraph (3) shall not be affected adversely affect the rights and freedoms of others According to Article 39 of the General Data Protection Regulation: Duties of the data protection officer (1) The data protection officer performs at least the following tasks: a) the data manager or the data processor provides information and professional advice, and for employees performing data management, this regulation, as well as other EU or in relation to their obligations according to the data protection provisions of the Member States; b) checks the compliance with this regulation and other EU or Member State data protection regulations provisions, as well as personal data of the data controller or data processor compliance with its internal rules regarding its protection, including responsibilities designation, raising the awareness of personnel involved in data management operations and training, as well as related audits;* 8 c) upon request, provides professional advice regarding the data protection impact assessment, as well as monitors the completion of the impact assessment in accordance with Article 35;* d) cooperates with the supervisory authority; and e) in matters related to data management - including the preliminary notice referred to in Article 36 consultation - serves as a point of contact for the supervisory authority, as well as given consults with him on any other issue. (2) The duties of the data protection officer are the risk associated with data management operations taking into account the nature, scope, circumstances and purpose of data processing also takes into account CLIV of 1997 on health. the relevant provisions of the Act (Eütv.): § 3 f) healthcare provider: regardless of the form of ownership and provider, all for the provision of health services and issued by the state health administration body individual healthcare entrepreneur, legal person or legal entity entitled on the basis of an operating license entity without personality; The Eütv. Paragraph (2) of § 26 states that the patient - if his state of health enables - obligates the abilities of the healthcare workers involved in its care and to your knowledge cooperate as follows: a) informing them of everything necessary to establish the diagnosis is appropriate to create a treatment plan and carry out interventions, so especially everything about your previous illness, medical treatment, medicine or medicinal product about its use and health-damaging risk factors. The Eütv. § 24 (1) The patient has rights in the health documentation prepared for him to learn about the contents - taking into account the provisions of § 135. (2) The patient's the rights of natural persons related to their personal data on the protection of personal data in terms of processing and that such data is free flow, as well as repealing Regulation 95/46/EC (general data protection Regulation) of April 27, 2016 (EU) 2016/679 of the European Parliament and of the Council, and on the management and protection of health and related personal data the provisions of the Act on (3) The patient is entitled a) upon discharge from the inpatient hospital according to point a) of Section 137 to receive a final report, b) according to the provisions of point b) of § 137, outpatient specialist care activities receive an outpatient care card upon completion. § 136. (1) Data related to the examination and medical treatment of the patient is included in medical documentation. Medical records must be kept in such a way that so that it reflects the care process in accordance with reality. (2) It must be indicated in the health documentation a) on the treatment of the patient's health and related personal data and personal identification data specified in the Act on Protection, b) in the case of a patient capable of acting, the person to be notified, and - if the patient requests - a the name, address and contact information of the supporter according to the Act on Supported Decision-Making, also a minor, or partially or completely restricting the capacity to act in the case of a patient under guardianship, the name, address and contact information of the legal representative, c) medical history, medical history, d) the result of the first examination, e) examination results establishing the diagnosis and treatment plan, a the date of carrying out the tests, f) the name of the disease justifying the treatment, which serves as the basis for its development disease, concomitant diseases and complications, 9 g) other diseases that do not directly justify care, or risk factors name, h) the time of the performed interventions and their results, i) medicinal and other therapy and its results, j) data on the patient's drug hypersensitivity, k) the name of the healthcare worker making the registration and the date of the registration, l) information provided to the patient or other person entitled to information recording its content, m) the consent [15. § (3)], or the fact of refusal (§ 20-23), as well as their date, n) all other data and facts that may influence the patient's recovery. (3) The following must be kept as part of the health documentation: a) the findings of each examination, b) documents generated during medical treatment and consultation, c) nursing documentation, d) recordings of imaging diagnostic procedures, as well as e) tissue samples taken from the patient's body. § 137 The healthcare provider a) at the end of a connected care process consisting of several sub-activities or inpatient after hospital care, a final report summarizing the care data, b) at the end of the outpatient specialist care activity, with the care of the patient and ambulatory care sheet containing summary data related to medical treatment prepares and - with the exception of the case specified in Section 14 (1) - hands it over to the patient. The Eütv. According to paragraph (2) of § 126, the doctor - provided that his professional competence and he is entitled to this based on his preparation - he examines the patient who comes to him. Paragraph (3). pursuant to which the examination of the patient covers everything brought to the attention of the attending physician complaint, medical history and individual circumstances affecting the patient's recovery to explore. Deviating from the provisions of paragraphs (2)-(3) is only for the patient's life may be necessary in the case of interventions that cannot be postponed (§ 126 of the Eütv. (4)). The Eütv. Pursuant to § 77, paragraph (3), all patients - to use care regardless of its legal title - with the care expected from those involved in its care, as well as a must comply with professional and ethical rules and guidelines. On the management and protection of health and related personal data XLVII of 1997 according to law (Eüak.): 35/B. § (1) To connect to the EESZT through its authorized IT system obliged a) for the provision of health services by the state health administration body based on an issued operating license, a health service provider who is financing obliged to submit a report or provide electronic data, b) the pharmacy, c) the state ambulance service, d) state administrative bodies and other organizations defined by the minister in a decree, e) the distributor of medical aids with a price subsidy contract. (2) Data controllers belonging to the health care network and not covered by paragraph (1). they can join the EESZT under the conditions specified in the minister's decree. About the detailed rules related to the Electronic Health Services Area 39/2016. (XII. 21.) Pursuant to EMMI Regulation 10 § 2 (1) The Eüak. 35/B. According to point d) of paragraph (1) of the EESZT, information technology state administrative bodies obliged to join the system: a) the National Health Insurance Fund Manager, b) the Ministry of Human Resources, c) the National Center for Public Health, d) the National Pharmaceutical and Food Health Institute. (1a) The Eüak. 35/B. Others required to join pursuant to point d) of paragraph (1) of § organization is Eüak. 35/B. Medical or not falling within the scope of § (1) point a). healthcare provider with an operating license for dental work. § 22. (1) Obligations related to joining f) the health care provider according to § 2, paragraph (1a) is obliged until January 1, 2020 complete. Section 19 (1) Health registered through the EESZT and specified in Annex 4 within the framework of the obligation to provide information regarding documents, the joined data controller a) transmits in accordance with the technical requirements published by the operator a documents, or b) in case of compliance with the technical requirements published by the operator a of documents from the health IT system of the connected data controller provided by forwarding a link that enables direct access. (2) Data provision specified in this § relating to the transmission of documents obligation a) in the case of a document handed over to a patient, handing over the document to the patient, b) in the case of a document not handed over to the patient, the approval of the document, c) in the case of a document already transferred to the register of the EESZT change immediately after, but no later than in Annex 4 in relation to individual documents must be completed within a specified period of time. (3) From the register of health documents, the operator is Eüak. Section 4 (1) is only entitled to access the data for the purpose specified in paragraph a)-d). provides sector users with access to the relevant healthcare to document. Annex 4 to 39/2016 (XII. 21.) to EMMI decree Record of health documents A B C 1 Document type Deadline Document forwarding 3 The Eütv. 1 hour according to point b) of § 137 is mandatory outpatient card 11 26/2014 on maternity care. (IV. 8.) EMMI regulation: § 1 (1) The purpose of prenatal care is to preserve the health of the pregnant woman and the fetus promoting healthy development and healthy birth, a risks and the prevention of complications, as well as in a timely manner recognition, as well as for childbirth, the child's early attachment, breastfeeding and preparation for infant care. (2) Antenatal care begins when the obstetrician-gynecologist is on the uterus determines intrauterine pregnancy, carries out the risk classification and informs the pregnant woman accordingly gives proof. Section 4 (1) An obstetrician-gynecologist or midwife who, in Section 1 (2) takes care of the pregnant woman after the prescribed classification and is considered a responsible person. (2) The responsible person in the care book of the expectant mother according to Annex 1 (a hereinafter: pregnancy care book) in Annex 1, point 1.1.2. referred to in subsection indicates data and signs it. § 10. Apart from the provisions of paragraphs (2)-(4) of § 4, the responsible person: a) informs the pregnant woman against the other fees specified in the professional guidelines about the possibility of available tests, b) records in the pregnancy care book that the information according to point a) has been provided, and the pregnant woman confirms with her signature that she has received the information, c) performs the necessary examinations and their results in the pregnancy care book document it. Act V of 2013 on the Civil Code (Ptk.) 2:51 a.m. § [Sanctions independent of prosecution] (1) A person whose personal rights are violated, based on the fact of the violation - during the statute of limitations within - you can demand based on the circumstances of the case a) the court finding that the violation has occurred; Infotv. According to § 60, paragraph (1), the right to the protection of personal data in order to enforce it, the Authority, at the request of the person concerned, data protection initiates official proceedings. Infotv. Pursuant to § 60, paragraph (2), for the initiation of official data protection proceedings request in the case specified in Article 77 (1) of the General Data Protection Regulation can be submitted. In the absence of a different provision of the General Data Protection Regulation, the application was initiated for official data protection procedure CL. of 2016 on general public administrative order. the provisions of the Act (hereinafter referred to as the Act) specified in Infotv shall be applied with differences. The Akr. According to § 17, the authority's powers and jurisdiction are all the proceedings examines ex officio in the If you notice a lack of one, and without a doubt the authority with jurisdiction over the case can be determined, the case will be transferred to it in its absence, the application is rejected or the procedure is terminated. The Akr. According to paragraph (1) of § 35, the request is a declaration by the client with which the official request the conduct of a procedure or a decision of the authority for his right or legitimate interest in order to enforce it. The Akr. According to § 35, paragraph (3), a decision made on the subject at the client's request until it becomes final. 12 The Akr. According to paragraph (4) of § 62, the authority freely chooses the method of proof, and evaluates the available evidence according to his free conviction. ARC. Evidence taken into account during the Authority's decision and their evaluation: IV.1. In accordance with the contents of the application, the Authority examined whether the Applicant whether the Applicant's healthcare provided in the framework of a private order was legal access request for the release of medical documentation created during during its assessment, and whether the Applicant must oblige the Applicant to comply with the Applicant's access request to fulfill. The requested documentation concerns the Applicant's pregnancy care, which pregnancy ended in the death of the fetus. The Authority also ex officio investigated the You requested your general data management practices. IV.2. The fact of data management, the person of the data manager Based on the definition of the general data protection regulation, for the health of the data subject and the data relating to your health care are personal data, including personal data as data constituting a special category of data, any processing performed on personal data operation is considered data management. A data controller according to Article 4, point 7 of the General Data Protection Regulation, who is there has substantive decision-making authority as defined - the purpose of data management and its means may also be defined by member state law - and at the same time it bears responsibility for the fulfillment of legal obligations related to data management. So, among other things, it is the data controller must satisfy the data subject's demand for the exercise of rights [general data protection decree 12-23 article]. According to the Respondent's statement, the patient data is included in the "Condition Assessment Sheet for Patients" recorded by means of a document, which is registered on a paper basis. The patient documentation is a it is stored at its headquarters, this is the place of data management, and if necessary, it is uploaded by the EESZT into your system. No electronic records - or required by law except for uploading data, no - leads. According to Article 2 (1) of the General Data Protection Regulation, the regulation must be applied a for processing personal data in a partially or fully automated manner, as well as for the non-automated handling of data that is part of a registry are part of a system or are intended to be part of a registration system. The concept of data management is defined in point 2 of Article 4. The General Data Protection Regulation According to preamble paragraph (15), the protection of natural persons is personal data in addition to processing by means of automated means, it also applies to manual processing if a personal data is stored or intended to be stored in a registration system. Documents that and groups of documents and their cover pages that are not organized are specified aspects, they do not fall under the scope of the regulation. Among these provisions are the following they follow. The general data protection regulation includes manual data processing restrictive provision. Manual, i.e. non-automated (in other words: paper-based) in the case of data management, the scope of the regulation only covers data that are part of a registration system or are managed for registration purposes. What constitutes a registration system is determined by Article 4, Point 6 of the GDPR, according to which registration system personal data in any way – centralized, decentralized or according to functional or geographical aspects – its staff, which is 13 accessible based on specific criteria. The concept of registration is therefore broad can be interpreted, it can be any list or list in which the data is of any kind they can be searched and grouped according to criteria. In view of what has been described, private health care is provided by the Applicant regarding the data of its patients during the general data protection regulation on a paper-based, manually kept record applicable. The maintenance of this record is Article 4, Point 2 of the General Data Protection Regulation according to data management, with regard to this activity, the Respondent is the general according to Article 4, point 7 of the Data Protection Regulation, it is considered a data controller. Among the other institutions and persons involved in the procedure, the "[…] clinic" is not legal person, and therefore cannot be classified as a data controller, rents the premises of the clinic to the Applicant tax […] does not participate in data management, so it is not considered a data controller either. Furthermore, the The activity performed by the respondent during publicly funded care was not the application subject, so it arose in the course of the Applicant's activities at the [...] Teaching Hospital documents are not subject to the procedure, so the institution is not considered in the procedure either data controller. IV.3. Handling the access request Pursuant to the provisions of Article 12 (2) of the General Data Protection Regulation, data manager facilitates the concerned 15-22. the exercise of his rights according to art. Article 15 provides for the details of the right of access, including the data in Article 15 (3). establishes the right to a copy. As stated above, the provision of healthcare services includes patients in general, and also in the present case […] an individual entrepreneur is considered a data controller, as a health care provider who is the personal and health data of the patients concerned during the care provided by him on a paper basis, and with regard to the mandatory data upload is electronically documented, the fact of the quality of the data controller is also the statement of the Requested records. According to the introduction of the Data Management information of the Respondent dated 2020, “[…] individual entrepreneur (headquarters: [...]; tax number: [...]; medical registration number: [...]; individual business registration number: [...]) (hereinafter: Doctor) for its data management activities related main regulations", while the Data Management Information dated 2021 a according to the introduction, "[…] individual entrepreneur (headquarters: [...]; tax number: [...]; medical registration number: […]; individual entrepreneur registration number: [...]) (hereinafter: Doctor) details the main regulations related to its data management activities. In point 9 of both information sheets, there is a provision on how to ensure the rights of stakeholders, a 9.1. discusses the exercise of the right to access. The regulations do not at this point provides for the method and address of submission of requests, which is the general data protection does not meet the requirements of Article 12 (1) of the Decree. According to point 10 of both information sheets, data protection officer [...], address: [...]; e-mail: […]; and can be found as an explanation that “with data protection issues or questions the above you can contact a data protection officer". However, according to the Authority's point of view, it is not it follows that the data subject's requests must also be sent to the data controller in this way, or that according to Article 39 of the General Data Protection Regulation, it is not responsible for data protection either providing officials with measures taken following stakeholder requests. In addition to public health care, the Applicant is covered by the […] clinic […] visited him several times in the framework of pregnancy care, private healthcare 14 service at this location. You sent your affected access requests to this address twice, indicating the Applicant who regularly provides services there as recipient. According to the Respondent's statement, he did not fulfill the access request because a did not become aware of the request. He did not become aware of the request because a addressed to the place of your private order, registered, then mailed with return receipt he did not receive shipments. According to Article 5 (2) of the General Data Protection Regulation, the data controller is responsible for (1) for compliance with paragraph and must also be able to demonstrate this compliance ("accountability"). In the present examined case, the Respondent could not prove, according to the contents of his statement, that the Applicant was familiar with the data management information, so the Applicant was not in possession of the information on the address of the business headquarters of the service provider providing it, where you could have otherwise sought the data protection officer. On the Applicant's website a In the "Contact" menu item, at the time of initiation of the official procedure, the "Place of order: […] surgery - […]." designation was listed as the only title, so the Applicant from this source nor was he able to learn about the place where the claims were submitted. The Applicant does not include a copy of the pregnancy care book attached by the Applicant business headquarters, such as receiving data protection problems, questions, or requests the indication of the reporting address. That the Applicant was aware of the stakeholder requests the address and method of submission, the Applicant could not verify, to the place of the order and he did not ensure the reception of the submitted request. According to the Authority's point of view, the data subject does not have to be aware that it is the legal form in which the healthcare provider operates, its corporate headquarters does it match the place of the order. If the person concerned, about the address for submission of applications does not receive explicit and verifiable information, it is reasonable and unobjectionable if the request it will be delivered to the address where you regularly visited the doctor for medical care. The data controller's duty to facilitate the exercise of rights includes that the data controller must cooperate with the data subject, in addition to the general data protection regulation according to the data controller does not have the possibility to limit the rights of the data subject the way of presentation. If a data management information sheet has been presented to the data subject in a verifiable manner contains the address of submission of data subject requests, in which case the data controller you can claim that you helped assert the rights of the affected parties. if not is included, or the data subject was not familiar with it, organizational measures must be taken to help the data subject in order to receive his request properly. According to the above findings of the Authority, the rights of the stakeholders were not ensured the possibility of effective exercise in relation to the Applicant, thereby the Applicant violated Article 12 (2) and Article 13 (1) of the General Data Protection Regulation paragraph a-b). Based on the inspection carried out on May 4, 2022, the Authority found that the Applicant on its website after the initiation of the procedure, as the address for correspondence/claims a business address. IV.4. Management of health documentation, management of the Applicant's data 15 The General Data Protection Regulation defines the concept of data controller and data management when defining it, it clearly states that the person who is personal is considered a data controller manages data. The fulfillment of stakeholder requests regarding the subject of data management is general Article 12 of the Data Protection Regulation is the body or person performing data management activities makes it an obligation. The 2020 Data Management Information of the Requested 6.1.4. point contains the following: "6.1.4. Management of relevant data generated during the provision of medical services: Relevant data generated during the provision of the medical service Data manager closed IT are recorded in its algorithm-protected system, for which only in point 8.1 specific persons have access rights. If the given data is recorded on a paper basis, in that case The data controller is located in a properly lockable building from a security point of view premises, is systematically guarded, and only by the persons specified in point 8.1 have access rights. The data manager reserves the right to make the data recording paper-based also make a digital copy of the document. In such cases, the data is closed by the Data Controller, are recorded in its system protected by an IT algorithm, for which only the 8.1 persons specified in point have access rights. The data required by law are also included in the Data Controller's Patient "Pregnancy Care Book". records" The 2021 Data Management Information of the Requested 6.1.4. clause provides as follows: "6.1.4. Management of relevant data generated during the provision of medical services: Relevant data generated during the provision of the medical service Data manager closed IT are recorded in its algorithm-protected system, for which only in point 8.1 specific persons have access rights. If the given data is recorded on a paper basis, in that case The data controller is located in a properly lockable building from a security point of view premises, is systematically guarded, and only by the persons specified in point 8.1 have access rights. The data manager reserves the right to make the data recording paper-based also make a digital copy of the document. In such cases, the data is closed by the Data Controller, are recorded in its system protected by an IT algorithm, for which only the 8.1 persons specified in point have access rights. In addition to the above, the Data Controller - fulfilling its legal obligations - is the law also records specific data in the EESZT. [...] The data required by law is the Data Manager The patient "also records" in the Antenatal Care Book However, according to the Respondent's statement in its records regarding the Applicant no documentation is included. The "Condition Assessment Sheet" cannot be found on the Applicant either, and the he also failed to enter his examination results in his records. The Applicant she recorded her test results only in the Applicant's pregnancy care booklet. Nor is the Applicant in relation to the care of the Applicant during pregnancy care did not create electronic or paper-based documentation, data on the Applicant's care was not forwarded to the EESZT, while according to the pregnancy care book, a He provided healthcare services to the applicant at the times indicated there. The data generated during the tests and the results of the tests shall be provided by the Applicant a recorded in the pregnancy care book, which is a document in the pregnant woman's own treatment there is, in addition, according to the Applicant's statement at the end of the investigation, the Respondent's finding is not given and did not transmit the data to the EESZT system. 16 of the EESZT by the Applicant among the documents downloaded from the system during the Respondent's private order, the specified documentation created at test times was not included. Consistent with this, the Respondent's statement states that the Applicant is a no data or documents can be found in its records. The data subject's rights and their exercise can only be interpreted if there is data management which however, it was not in the specific case. As a result, the Respondent did not violate the The applicant hereby waives its right to issue a copy pursuant to Article 15 (3) of the GDPR in relation to recorded patient data, since the "Condition assessment sheet" kept by the Applicant For patients" there was no data in the paper-based register that could be copied and there is no other data that could be ordered to be released. For this reason, the Eütv cannot be established. Violation of the provisions of § 24 - which section is it the rules of the general data protection regulation are ordered to be applied by the health department regarding access to documentation and providing copies. As a result, the Authority rejected the Applicant's request that the Authority oblige a Request for a copy of the documentation containing your health information rejects it, since - in the absence of documentation - the Respondent does not has documents containing such data. The Authority may examine compliance with the general data protection regulation, Civil Code. 2:51 a.m. § It does not have the authority to determine what is contained in point a) of paragraph (1), therefore a in the relevant part of the application, the procedure is referred to in Art. on the basis of § 17, terminates it in an order. IV.5. Findings regarding the documentation practices of the Applicant Due to the present case, the data management information provided by the Respondent does not cover the reality practice, because it states in its information that it keeps paper-based records, creates an electronic record based on its own decision, it is its legal obligation complies with the electronic data transmission circuit, in addition to all this, the entry in the maternity care book as well. In the data management information, the Respondent states that the data is a registers it in the pregnancy care book, which also means that you are aware of that you have to record the data in another form, and also your patients about this practice informs. On the contrary, it refers to the processing of data concerning the Applicant during the discovery of the facts information did not arise, the existence of data management concerning the Applicant could not be verified. Furthermore, the Respondent made a contradictory statement in the present proceedings when earlier stated that he does not keep electronic records, later the mandatory data upload acknowledged the fact of electronic data management in demanding cases. However, he did not comment in detail about the cases in which electronic data transmission is sufficient obligation, what is considered a necessary case. The Respondent therefore approached the Authority also amended its declaration, which basically affects its data management it referred to circumstances, thereby making its real practice difficult for the Authority exploration. As for the Authority, the Respondent is not transparent for the affected parties either practice. Based on all these circumstances, the Authority concludes that a Requested 17 prescribed in Article 5 (1) point a) of the General Data Protection Regulation did not ensure the enforcement of the basic requirement of transparency, and the Respondent is could not fully prove the legality of its data processing. The Applicant stated that it was professional due to the emergency situation caused by the coronavirus because of his additional tasks, he considered administration a task of secondary importance, for this reason administrative failures may have occurred in its operation. So does the Respondent himself states that "in certain cases" there were omissions, which the Authority in its interpretation, it does not only mean the involvement of one person. The Authority's position regarding administrative tasks is that the coronavirus certain additional tasks due to an emergency may result in certain data management postponement of the documentation obligation, however, this cannot mean the professional according to the regulations, the documentation required in the Eütv to be kept about the patient/patients complete neglect of the obligation, therefore, the complete management of health documentation leaving. The Respondent's practice in fulfilling its documentation obligation a It had an impact on the processing of the applicant's data and his rights, as the data subject is exercising his rights is closely related and made it impossible, so the Authority for this reason the facts examined the issue during clarification. To the bodies and persons involved in pregnancy care, in the pregnancy care book 26/2014. (IV. 8.) EMMI decree prescribes for the purpose of that for the bodies providing care for pregnant women (specialists, family doctors, nurses, midwives) the care process information is summarized in a document. However, according to the Authority's point of view, the fulfillment of this requirement does not mean that the Eütv. § 137 b) of the issue of findings according to point 39/2016. (XII. 21.) EMMI Decree § 19, paragraph (2). according to, after the mandatory connection of the private service provider after January 1, 2020, the The obligation to provide data to the EESZT system as a data controller requirement a omission. According to the Authority's point of view, the management of health documentation required by law a during a coronavirus emergency, it cannot be considered an obligation that can be pushed into the background. Any the patient's treatment history is essential for the doctor treating the affected person, medical history study in the Eütv. Expected care according to § 77, paragraph (3) and a for the sake of a professionally founded procedure, which cannot be ensured in the event that the person concerned does not receive the required documentation about his treatment, so it may be a it cannot be forwarded to another doctor later on. The Eütv. Paragraph (2) of § 26 also mentions the patient's medical history as an obligation and information about medical history, which the patient cannot fully comply with, if he does not have the appropriate documentation for his care. In the case of maternity care, data on the life and health of the mother and fetus are the subject of medical documentation. In this case, during the private order the processes leading to the tragedy by failing to fully record the generated data documentation was lacking, for which the Applicant was not aware of the data subject's rights practice and did not get hold of your important health data. The fact that the Respondent, as a health care provider, is required to apply to him professionally did you act in accordance with the rules when, in connection with pregnancy care, a no documentation other than entries in the pregnancy care booklet led, did not give a finding to the provided Applicant at the end of the supply events, or a findings were not forwarded to the EESZT system, it is not the authority of the Authority to judge. 18 The examination of this question - the management of the Requested health documentation monitoring the fulfillment of its obligations and related legal requirements - a It is initiated ex officio by the authority at NEAK. IV.6. The Authority rejected the Applicant's request for a data protection fine application, since the application of this legal consequence affects the right or legitimate interest of the Applicant does not directly affect him, such a decision of the Authority does not create a right or obligation for him arises, as a result of which this legal consequence falls within the scope of enforcing the public interest the Applicant is not qualified for the imposition of a fine for the client, the Akr. Based on § 10, paragraph (1). Since the Ákr. § 35, paragraph (1) no corresponds, there is no place to submit an application in this regard, this part of the application cannot be interpreted as a request. Application for the imposition of a data protection fine by the Authority in connection with - preambular paragraphs (148) and (150) of the General Data Protection Regulation, 58. and Article 83 (2) - further points out that the Supervisory Authority - the depending on the circumstances of a given case - he is entitled to decide ex officio in his discretion in order to protect personal data against the data manager/data processor effective, proportionate and dissuasive measures to be applied, or instead of them in addition to sanctions, such as the need to impose an administrative fine, and its imposition in case of its extent. V. Legal consequences: V.1. The Authority rejected the Applicant's requests, established a violation ex officio, and a On the basis of Article 58 (2) point b) of the GDPR, the Applicant is condemned for having violated it Article 5 (1) point a), Article 12 (2) of the General Data Protection Regulation, and points a)-b) of Article 13 (1). V.2. The Authority rejects the Petitioner's request for the imposition of a fine examined ex officio whether a data protection fine against the Application was justified due to the established violations. In this context, the Authority is in accordance with Article 83 (2) of the General Data Protection Regulation and Infotv. 75/A. considered all the circumstances of the case based on §. Given the circumstances of the case a The authority established that in the case of the violation discovered during the present procedure, a a warning is not a proportionate and dissuasive sanction, therefore the imposition of a fine required. Above all, the Authority took into account that the violation committed by the Respondent was according to Article 83 (5) point b) of the General Data Protection Regulation, the higher amount is considered a violation of the fine category, since it is the basic provision and involved a violation of the rights of stakeholders. According to the Authority's point of view, it is otherwise regularly there at the place of order service provider through organizational measures (postal redirection, shipment giving an order for on-site collection, delivery notification of registered shipment forwarding to, etc.) ensure the receipt of stakeholder letters received, they did not depend on the from the difficulties caused by the coronavirus emergency, as the measure is not intended to be regular activity and did not cause an increase in the daily tasks of the data controller. From this as follows, when the Authority determines the amount of the fine presented by the Respondent, he did not consider the circumstances of increased workload for this violation into account. During the imposition of fines, the Authority considers the following circumstances as circumstances that increase the fine rated by: 19 • the violation is considered serious because the Respondent is exercising the rights of the affected party made it difficult, hindered or did not provide. Protection of personal data a to be interpreted in the context of the private sector. It has a special weight on them the protection and lawful handling of data, which is particularly the case in the private sector fall into his sensitive area. The pregnancy, the loss of the fetus and this its circumstances are so deeply and sensitively tied to the private sphere that the law nor does it ignore [GDPR Article 83 (2) point a]]; • the lack of data also limits the possibility of further legal enforcement of the data subject limit [GDPR Article 83(2)(a)]; • the infringement was proved in the case of one person in this procedure, but at the same time Findings regarding data management information are general for the Respondent their practice is affected [GDPR Article 83 (2) point a)] • the fact that the Respondent asserts the rights of the affected party indicates serious negligence did not ensure it with appropriate practical measures [Article 83 (2) GDPR point b)]; • the established data protection law violation refers to special categories of personal data had an impact on the exercise of rights [GDPR Article 83 (2) point (g)]; During the imposition of fines, the Authority considers the following circumstances as mitigating circumstances rated by: • on the website of the Applicant, the address for correspondence/claims is already listed the address of your business headquarters • the Respondent violated it for the first time in a data protection official procedure established that he did not comply with the provisions of the GDPR, he had not previously committed a relevant violation of law el [GDPR Article 83 (2) point (e)]. • the period of the COVID-19 emergency [GDPR Article 83 (2) point (k)]. • the Authority exceeded the procedural deadline prescribed for it - The Authority also took into account • that the Obligee was cooperative in responding to orders within the deadline with his given but at the same time contradictory statements, he made it difficult to reveal the facts [GDPR Article 83(2)(f)] • income data provided by the Respondent. The amount of the fine was determined by the Authority acting within its statutory discretion yes. The fine is 0.007% of the maximum fine that can be imposed. Based on the above, the Authority decided in accordance with the provisions of the statutory part. V.3. During the procedure, the Authority exceeded Infotv. One hundred and fifty according to paragraph (1) of § 60/A day administrative deadline, therefore the Ákr. Based on point b) of § 51, HUF 10,000, i.e. ten thousand HUF is due to the Applicant - at his choice - by transfer to a bank account or by post with voucher. VI. Other questions The competence of the Authority is set by Infotv. Paragraphs (2) and (2a) of § 38 define it, and its competence is covers the entire territory of the country. The decision is in Art. 80-81. § and Infotv. It is based on paragraph (1) of § 61. The decision is in Art. Based on § 82, paragraph (1), it becomes final upon its publication. The Akr. § 112, § 116 (1) 20 paragraph, and on the basis of § 114, paragraph (1), a public administrative lawsuit against the decision there is room for legal redress. * * * The rules of the administrative trial are set out in Act I of 2017 on the Administrative Procedure hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. Section 13 (3) Based on subparagraph a) point aa), the Metropolitan Court is exclusively competent. The Kp. Pursuant to § 27, paragraph (1) point b) in a lawsuit within the jurisdiction of the court, the legal representation is mandatory. The Kp. According to paragraph (6) of § 39, the submission of the statement of claim a does not have the effect of postponing the entry into force of an administrative act. The Kp. Paragraph (1) of § 29 and, in view of this, Pp. According to § 604, it is applicable of 2015 on the general rules of electronic administration and trust services CCXXII. According to Section 9 (1) point b) of the Act, the client's legal representative is electronic obliged to maintain contact. The time and place of submitting the statement of claim is set by Kp. It is defined by § 39, paragraph (1). THE information on the possibility of a request to hold a hearing in Kp. Section 77 (1)-(2) based on paragraph The amount of the administrative lawsuit fee is determined by the 1990 Law on Fees XCIII. Act (hereinafter: Itv.) 45/A. Section (1) defines. The fee is in advance from the payment of the Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt it party initiating the procedure. If the obliged customer does not adequately certify the fulfillment of the prescribed obligations, a The authority considers that the obligations have not been fulfilled within the deadline. The Akr. § 132 according to, if the obligee has not complied with the obligation contained in the final decision of the authority, is enforceable. The Akr. Pursuant to § 133, enforcement - if you are a law government decree does not provide otherwise - it is ordered by the decision-making authority. The Akr. 134. pursuant to § the execution - if it is a law, government decree or municipal authority the decree of the local government does not provide otherwise - the state tax authority undertakes. Dated: Budapest, according to the electronic signature Dr. Attila Péterfalvi president c. professor