https://gdprhub.eu/index.php?title=NAIH_(Hungary)_-_NAIH-4137-_8/2022&feed=atom&action=historyNAIH (Hungary) - NAIH-4137- 8/2022 - Revision history2024-03-28T22:16:05ZRevision history for this page on the wikiMediaWiki 1.39.6https://gdprhub.eu/index.php?title=NAIH_(Hungary)_-_NAIH-4137-_8/2022&diff=28776&oldid=prevKk: /* Holding */2022-10-19T13:16:38Z<p><span dir="auto"><span class="autocomment">Holding</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 13:16, 19 October 2022</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l69">Line 69:</td>
<td colspan="2" class="diff-lineno">Line 69:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Hungarian DPA fined a gynecologist €1,400 for not ensuring effective exercise of data subject rights in violation of [[Article 12 GDPR|Articles 12(2)]] and [[Article 13 GDPR|13(1)(a)(b) GDPR]]. Moreover, the <del style="font-weight: bold; text-decoration: none;">documentation practices were </del>not transparent as required by [[Article 5 GDPR|Article 5(1)(a) GDPR]].</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Hungarian DPA fined a gynecologist €1,400 for not ensuring effective exercise of data subject rights in violation of [[Article 12 GDPR|Articles 12(2)]] and [[Article 13 GDPR|13(1)(a)(b) GDPR]]. Moreover, the <ins style="font-weight: bold; text-decoration: none;">processing of personal data was </ins>not transparent as required by [[Article 5 GDPR|Article 5(1)(a) GDPR]].</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l89">Line 89:</td>
<td colspan="2" class="diff-lineno">Line 89:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Fourth, the DPA noted that, contrary to the requirements of [[Article 13 GDPR|Article 13(1)(a)(b) GDPR]], it was difficult to find the correct address for submissions of access requests because the controller's Privacy Notice with contact information was not provided to the data subject. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Fourth, the DPA noted that, contrary to the requirements of [[Article 13 GDPR|Article 13(1)(a)(b) GDPR]], it was difficult to find the correct address for submissions of access requests because the controller's Privacy Notice with contact information was not provided to the data subject. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Fifth, the DPA took a closer look at the controller's documentation practices. In this context, the DPA indicated that the controller <del style="font-weight: bold; text-decoration: none;">provided wrong information </del>about how it stored patients' data. First, it had stated that it did not keep electornic records. Later, the controller stated that it created electronic records when required by national law. Therefore, the controller was not transparent with regards to the means of processing personal data, in breach of [[Article 5 GDPR|Article 5(1)(a) GDPR]]. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Fifth, the DPA took a closer look at the controller's documentation practices. In this context, the DPA indicated that the controller <ins style="font-weight: bold; text-decoration: none;">was unclear </ins>about how it stored patients' data. First, it had stated that it did not keep electornic records. Later, the controller stated that it created electronic records when required by national law. Therefore, the controller was not transparent with regards to the means of processing personal data, in breach of [[Article 5 GDPR|Article 5(1)(a) GDPR]]. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The Hungarian DPA had to reject the data subject's request to order the controller to submit the missing documents as they turned out to be missing from the medical documentation overall. However, on its own initiative, the DPA concluded that the controller did not ensure an effective exercise of data subject rights in violation of [[Article 12 GDPR|Articles 12(2)]] and [[Article 13 GDPR|13(1)(a)(b) GDPR]]. The controller also did not process personal data in a transparent manner in violation of [[Article 5 GDPR|Article 5(1)(a) GDPR]]. The DPA imposed a €1,400 fine for these violations.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The Hungarian DPA had to reject the data subject's request to order the controller to submit the missing documents as they turned out to be missing from the medical documentation overall. However, on its own initiative, the DPA concluded that the controller did not ensure an effective exercise of data subject rights in violation of [[Article 12 GDPR|Articles 12(2)]] and [[Article 13 GDPR|13(1)(a)(b) GDPR]]. The controller also did not process personal data in a transparent manner in violation of [[Article 5 GDPR|Article 5(1)(a) GDPR]]. The DPA imposed a €1,400 fine for these violations.</div></td></tr>
</table>Kkhttps://gdprhub.eu/index.php?title=NAIH_(Hungary)_-_NAIH-4137-_8/2022&diff=28738&oldid=prevKk at 08:11, 19 October 20222022-10-19T08:11:23Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:11, 19 October 2022</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l89">Line 89:</td>
<td colspan="2" class="diff-lineno">Line 89:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Fourth, the DPA noted that, contrary to the requirements of [[Article 13 GDPR|Article 13(1)(a)(b) GDPR]], it was difficult to find the correct address for submissions of access requests because the controller's Privacy Notice with contact information was not provided to the data subject. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Fourth, the DPA noted that, contrary to the requirements of [[Article 13 GDPR|Article 13(1)(a)(b) GDPR]], it was difficult to find the correct address for submissions of access requests because the controller's Privacy Notice with contact information was not provided to the data subject. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Fifth, the DPA took a closer look at the controller's documentation practices. In this context, the DPA indicated that the controller provided wrong information about how it stored patients' data. First, it had stated that it <del style="font-weight: bold; text-decoration: none;">does </del>not keep electornic records. Later, the controller stated that it created electronic records when required by national law. Therefore, the controller was not transparent with regards to the means of processing personal data, in breach of [[Article 5 GDPR|Article 5(1)(a) GDPR]]. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Fifth, the DPA took a closer look at the controller's documentation practices. In this context, the DPA indicated that the controller provided wrong information about how it stored patients' data. First, it had stated that it <ins style="font-weight: bold; text-decoration: none;">did </ins>not keep electornic records. Later, the controller stated that it created electronic records when required by national law. Therefore, the controller was not transparent with regards to the means of processing personal data, in breach of [[Article 5 GDPR|Article 5(1)(a) GDPR]]. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The Hungarian DPA had to reject the data subject's request to order the controller to submit the missing documents as they turned out to be missing from the medical documentation overall. However, on its own initiative, the DPA concluded that the controller did not ensure an effective exercise of data subject rights in violation of [[Article 12 GDPR|Articles 12(2)]] and [[Article 13 GDPR|13(1)(a)(b) GDPR]]. The controller also did not process personal data in a transparent manner in violation of [[Article 5 GDPR|Article 5(1)(a) GDPR]]. The DPA imposed a €1,400 fine for these violations.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The Hungarian DPA had to reject the data subject's request to order the controller to submit the missing documents as they turned out to be missing from the medical documentation overall. However, on its own initiative, the DPA concluded that the controller did not ensure an effective exercise of data subject rights in violation of [[Article 12 GDPR|Articles 12(2)]] and [[Article 13 GDPR|13(1)(a)(b) GDPR]]. The controller also did not process personal data in a transparent manner in violation of [[Article 5 GDPR|Article 5(1)(a) GDPR]]. The DPA imposed a €1,400 fine for these violations.</div></td></tr>
</table>Kkhttps://gdprhub.eu/index.php?title=NAIH_(Hungary)_-_NAIH-4137-_8/2022&diff=28707&oldid=prevKk at 09:06, 18 October 20222022-10-18T09:06:40Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 09:06, 18 October 2022</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l69">Line 69:</td>
<td colspan="2" class="diff-lineno">Line 69:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Hungarian DPA fined a gynecologist €1,400 for not ensuring effective exercise of data subject rights in violation of <del style="font-weight: bold; text-decoration: none;">Articles </del> Articles <del style="font-weight: bold; text-decoration: none;">5(1)(a), </del>12(2) and 13(1)(a)(b) GDPR.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Hungarian DPA fined a gynecologist €1,400 for not ensuring effective exercise of data subject rights in violation of <ins style="font-weight: bold; text-decoration: none;">[[Article 12 GDPR|</ins>Articles 12(2)<ins style="font-weight: bold; text-decoration: none;">]] </ins>and <ins style="font-weight: bold; text-decoration: none;">[[Article 13 GDPR|</ins>13(1)(a)(b) GDPR<ins style="font-weight: bold; text-decoration: none;">]]. Moreover, the documentation practices were not transparent as required by [[Article 5 GDPR|Article 5(1)(a) GDPR]]</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The data subject was the patient of a gynecologist (the controller), who owned a private practice, and requested access to their <del style="font-weight: bold; text-decoration: none;">complete </del>medical records. Within a span of <del style="font-weight: bold; text-decoration: none;">over </del>two months, the data subject sent two letters requesting a copy of the records, both with no response. Consequently, they lodged a complaint with the Hungarian DPA in order to obtain access to the data. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The data subject was the patient of a gynecologist (the controller), who owned a private practice, and requested access to their medical records<ins style="font-weight: bold; text-decoration: none;">. The requested documentation related to the data subject's maternity care and pregnancy, which ended in the death of the fetus</ins>. Within a span of two months, the data subject sent two letters requesting a copy of the records, both with no response. Consequently, they lodged a complaint with the Hungarian DPA in order to obtain access to the data. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The DPA initiated a procedure and asked the controller to clarify the facts of the case. The controller responded that it managed the practice without any administrative help and due to the Covid-19 pandemic, struggled with minor administrative shortcomings. Consequently, it did not become aware of the data subject's request on time. The controller largely relied on paper records rather than an electronic patient database and only maintained the statutory mandatory electronic records. At the request of the DPA, the controller provided a copy of the documents, signed and sealed, to the data subject. However, the file was not complete as several medical test results were missing.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA initiated a procedure and asked the controller to clarify the facts of the case. The controller responded that it managed the practice without any administrative help and due to the Covid-19 pandemic, struggled with minor administrative shortcomings. Consequently, it did not become aware of the data subject's request on time. The controller largely relied on paper records rather than an electronic patient database and only maintained the statutory mandatory electronic records. At the request of the DPA, the controller provided a copy of the documents, signed and sealed, to the data subject. However, the file was not complete as several medical test results were missing<ins style="font-weight: bold; text-decoration: none;">. The data subject requested the DPA to order the controller to send a copy of the missing records</ins>. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The DPA examined whether the controller acted lawfully in considering the request for access to medical records<del style="font-weight: bold; text-decoration: none;">. The requested</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA examined whether the controller acted lawfully in considering the request for access to medical records. The DPA also examined ex officio the general data management practices of the controller.</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">documentation related to the data subject's maternity care and pregnancy, which ended in the death of the fetus</del>. The DPA also examined ex officio the general data management practices of the controller.</div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l86">Line 86:</td>
<td colspan="2" class="diff-lineno">Line 85:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Second, the DPA noted that maintaining paper records is still considered processing of personal data under the GDPR if the data are part of a filing system, in line with [[Article 2 GDPR#1|Article 2(1) GDPR]]. [[Article 4 GDPR#6|Article 4(6) GDPR]] defines a filing system as "any structured set of personal data, which are accessible according to specific cirteria". Accordingly, the DPA held that, in the present case, the patient files maintained by the controller in the context of providing private healthcare fell within the scope of the GDPR. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Second, the DPA noted that maintaining paper records is still considered processing of personal data under the GDPR if the data are part of a filing system, in line with [[Article 2 GDPR#1|Article 2(1) GDPR]]. [[Article 4 GDPR#6|Article 4(6) GDPR]] defines a filing system as "any structured set of personal data, which are accessible according to specific cirteria". Accordingly, the DPA held that, in the present case, the patient files maintained by the controller in the context of providing private healthcare fell within the scope of the GDPR. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Third, the DPA noted the obligations of the controller under Articles 12(2) and 15 GDPR to provide the details of the right to access as well as a copy of the requested data. Respectively, the copies of medical records sent to the data subject were not complete and the controller did not respond at all to two consequtive requests. The DPA pointed out that, according to the principle of accountability in [[Article 5 GDPR#2|Article 5(2) GDPR]], the controller is responsible for compliance with the GDPR and must be able to demonstrate it. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Third, the DPA noted the obligations of the controller under <ins style="font-weight: bold; text-decoration: none;">[[Article 12 GDPR|</ins>Articles 12(2)<ins style="font-weight: bold; text-decoration: none;">]] </ins>and <ins style="font-weight: bold; text-decoration: none;">[[Article 15 GDPR|</ins>15 GDPR<ins style="font-weight: bold; text-decoration: none;">]] </ins>to provide the details of the right to access as well as a copy of the requested data. Respectively, the copies of medical records sent to the data subject were not complete and the controller did not respond at all to two consequtive requests. The DPA pointed out that, according to the principle of accountability in [[Article 5 GDPR#2|Article 5(2) GDPR]], the controller is responsible for compliance with the GDPR and must be able to demonstrate it. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Fourth, the DPA noted that, contrary to the requirements of Article 13(1)(a)(b) GDPR, it was difficult to find the correct address for submissions of access requests because the controller's Privacy Notice with contact information was not provided to the data subject. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Fourth, the DPA noted that, contrary to the requirements of <ins style="font-weight: bold; text-decoration: none;">[[Article 13 GDPR|</ins>Article 13(1)(a)(b) GDPR<ins style="font-weight: bold; text-decoration: none;">]]</ins>, it was difficult to find the correct address for submissions of access requests because the controller's Privacy Notice with contact information was not provided to the data subject. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Hungarian DPA had to reject the data subject's request to order the controller to submit the missing documents as they turned out to be missing from the medical documentation overall. However, on its own initiative, the DPA concluded that the controller did not ensure an effective exercise of data subject rights in violation of Articles <del style="font-weight: bold; text-decoration: none;">5(1)(a), </del>12(2) and 13(1)(a)(b) GDPR. The DPA imposed a €1,400 fine for these violations.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Fifth, the DPA took a closer look at the controller's documentation practices. In this context, the DPA indicated that the controller provided wrong information about how it stored patients' data. First, it had stated that it does not keep electornic records. Later, the controller stated that it created electronic records when required by national law. Therefore, the controller was not transparent with regards to the means of processing personal data, in breach of [[Article 5 GDPR|Article 5(1)(a) GDPR]]. </ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Hungarian DPA had to reject the data subject's request to order the controller to submit the missing documents as they turned out to be missing from the medical documentation overall. However, on its own initiative, the DPA concluded that the controller did not ensure an effective exercise of data subject rights in violation of <ins style="font-weight: bold; text-decoration: none;">[[Article 12 GDPR|</ins>Articles 12(2)<ins style="font-weight: bold; text-decoration: none;">]] </ins>and <ins style="font-weight: bold; text-decoration: none;">[[Article 13 GDPR|</ins>13(1)(a)(b) GDPR<ins style="font-weight: bold; text-decoration: none;">]]. The controller also did not process personal data in a transparent manner in violation of [[Article 5 GDPR|Article 5(1)(a) GDPR]]</ins>. The DPA imposed a €1,400 fine for these violations.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td></tr>
</table>Kkhttps://gdprhub.eu/index.php?title=NAIH_(Hungary)_-_NAIH-4137-_8/2022&diff=28705&oldid=prevKk: Created page with "{{DPAdecisionBOX |Jurisdiction=Hungary |DPA-BG-Color=background-color:#7f0037; |DPAlogo=LogoHU.jpg |DPA_Abbrevation=NAIH |DPA_With_Country=NAIH (Hungary) |Case_Number_Name=N..."2022-10-18T08:48:28Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=Hungary |DPA-BG-Color=background-color:#7f0037; |DPAlogo=LogoHU.jpg |DPA_Abbrevation=NAIH |DPA_With_Country=NAIH (Hungary) |Case_Number_Name=N..."</p>
<a href="https://gdprhub.eu/index.php?title=NAIH_(Hungary)_-_NAIH-4137-_8/2022&diff=28705">Show changes</a>Kk