NAIH (Hungary) - NAIH-6484-2-2022

Relevant Law: Article 12(3) GDPR; Article 12(4) GDPR; Article 15(1) GDPR
Parties: National Health Insurance Fund of Hungary
National Case Number/Name: NAIH-6484-2-2022
European Case Law Identifier: n/a
Original Source: NAIH (in HU)
Initial Contributor: Abel Kaszian
The Hungarian DPA held that the National Health Insurance Fund's organisational deficiencies and lack of human resources during the COVID-19 pandemic caused an Article 12 GDPR infringement as the controller failed to provide transparent information to a large number of data subjects.
English Summary

Facts
On 25 March 2021, the data subject noticed that the National Health Insurance Fund Manager (NEAK) "published" on its website the information that the data subject had registered for the COVID-19 vaccine: by entering a social security number and a date of birth, anyone who knew these two pieces of personal information could check whether a person's registration was valid. The data subject e-mailed the controller on the same day, objecting to the processing of their personal data on the website.

On 6 April 2021, the data subject sent another e-mail to the controller, this time invoking their right of access under Article 15 GDPR. They also asked the controller to provide the date and the IP address from which the data subject's vaccination registration had been requested. As they received no answer from the controller, the data subject turned to the DPA on 11 May 2021.

The controller responded to the data subject only after the DPA's on-site inspection, on 26 November 2021, and even then not in substance: "As reasoning for the delay, we would like to mention that (...) NEAK has received nearly 70,000 requests for vaccine registration." The controller also claimed to have processed and answered thousands of inquiries per day using the same number of staff as before the COVID-19 pandemic.
Holding

The DPA found that the controller's reply did not contain any information on the right to lodge a complaint or to seek judicial redress. The DPA therefore found an infringement of Article 12(3) GDPR and Article 12(4) GDPR. Additionally, the DPA held that the controller, whether or not it treated the request as one under Article 15 GDPR, should have dealt with it within the time limit set by Article 12 GDPR.

As the controller mentioned that there were other unanswered requests among the roughly 70,000 requests, the DPA asked the controller to provide evidence. However, the DPA did not receive the evidence the controller had promised to send before the present decision became final. Nevertheless, the DPA took into account as a mitigating factor that the COVID-19 pandemic required data processing operations to be set up on an unprecedented scale and at very short notice. The controller could not have assessed in advance the resources needed to ensure data subjects' rights, and had to ensure them with unchanged human and budgetary resources.

The DPA concluded that registration for vaccination does not automatically mean that a person actually receives the vaccine; the registration status therefore did not constitute processing of special categories of personal data. In the DPA's view, displaying the registration status in itself was not necessarily disproportionate to the risks to the rights and freedoms of natural persons; the safeguards applied in the identification step can be proportionate, and the controller is responsible for those safeguards.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH-6484-2/2022. Subject: decision establishing a violation of law. History: NAIH-4820/2021.

DECISION

In the official data protection procedure initiated before the National Data Protection and Freedom of Information Authority (hereinafter: Authority) at the request of the applicant ([…]; hereinafter: Applicant) concerning the allegedly unlawful processing of the Applicant's personal data by the National Health Insurance Fund Manager (headquarters: 1139 Budapest, Váci út 73/A; hereinafter: Respondent) through the website https://vakcinareg.neak.gov.hu, the Authority makes the following decisions:

I.) In its decision, the Authority

I.1.) grants the application in the part concerning the failure to respond to the Applicant's data subject request, establishes that the Respondent infringed Article 12(3)-(4) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation), and therefore condemns the Respondent;

I.2.) rejects the application, including its supplement, in the part not covered by point I.1.

II.1.) In its decision, the Authority states ex officio that

a) the Respondent breached its obligation under Article 12(3) and (4) of the General Data Protection Regulation by failing to give a large number of data subjects transparent information on the formal requirements for submitting data subject requests, and

b) the Respondent, owing to its internal organisational shortcomings, did not comply with its obligation to cooperate under Article 31 of the General Data Protection Regulation, because the information it was asked to supply subsequently during the Authority's inspection of 24 November 2021 was not made available to the Authority.

II.2.) In view of what is set out in points I.1. and II.1. of its decision, the Authority states ex officio that the Respondent violated the principle of transparency under Article 5(1)(a) and the principle of accountability under Article 5(2) of the General Data Protection Regulation.

II.3.) For the violations established in points I.1., II.1. and II.2. of its decision, the Authority ex officio obliges the Respondent to pay a data protection fine of HUF 500,000, i.e. five hundred thousand forints, within 30 days from the date this decision becomes final.

II.4.) On the basis of Section 61(2)(b) of the Infotv., the Authority orders ex officio the publication of the decision including the Respondent's identification data.

III.) In its order, the Authority states that the administrative deadline was exceeded and therefore orders that HUF 10,000, i.e. ten thousand forints, be paid to the Applicant, by bank transfer or postal order according to the Applicant's choice, to be indicated in writing.

* * *

The fine must be paid into the Authority's HUF account for the collection of centralised revenues (10032000-01040425-00000000; IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, "NAIH-6484-2/2022. FINE" must be given as the reference. If the Respondent does not fulfil its obligation to pay the fine within the deadline, it must pay a late-payment surcharge. The amount of the late-payment surcharge is the statutory interest, which equals the central bank base rate valid on the first day of the calendar half-year affected by the delay. In the event of non-payment of the fine and the late-payment surcharge, the Authority orders enforcement of the decision.
There is no administrative appeal against this decision and order, but they may be challenged in an administrative lawsuit by a statement of claim addressed to the Metropolitan Court within 30 days of notification. The statement of claim must be submitted electronically to the Authority, which forwards it to the court together with the case documents. For those not entitled to full personal exemption from fees, the fee for the administrative lawsuit is HUF 30,000; the lawsuit is subject to the right of deferred payment of the fee. Legal representation is mandatory in proceedings before the Metropolitan Court.

REASONING

I. Procedure and clarification of the facts

The Applicant submitted an application to the Authority on 11 May 2021, in which he stated that on 25 March 2021 he had noticed that on the website https://vakcinareg.neak.gov.hu the National Health Insurance Fund Manager "published" the information that the Applicant had registered for the vaccine against COVID-19: by entering a social security number and date of birth on the page, anyone who knew these data could query the validity of the data subject's registration. In this context the Applicant objected, asking why the Respondent did not simply send the result of the query to, for example, his e-mail address. On the same day, 25 March 2021, the Applicant contacted the Respondent by electronic mail and objected to the processing of his personal data on the https://vakcinareg.neak.gov.hu website. According to the Applicant's statement, he had not received any response from the Respondent up to the date of the application dated 7 May 2021 and received by the Authority on 11 May 2021, nor up to the date of his response to the notice to remedy deficiencies (NAIH-4820-2/2021), i.e. 21 June 2021.
On 6 April 2021, the Applicant again sent an electronic letter to the Respondent, which also contained his earlier request of 25 March 2021, and in which, this time invoking his right of access under Article 15 of the General Data Protection Regulation, he asked the Respondent to send him "exactly when and from which IP address I requested my vaccination registration data by entering the TAJ/date of birth combination - this is my application up to the day of your answer". According to his statement, the Applicant did not receive any response from the Respondent to this either.

In view of this, in the request received by the Authority on 11 May 2021, the Applicant asked the Authority to conduct an official procedure and "to establish the violation of rights by the data controller and oblige it to provide the missing information, oblige it to take my right to object into account and to terminate the accessibility of my personal data on the Internet."

In order to clarify the facts, the Authority contacted the Respondent with its order No. NAIH-4820-4/2021 dated 13 July 2021, setting a deadline of 30 days. The order contained information on the possible legal consequences (procedural fine) under Section 77 of the Ákr.; the Respondent was aware of this, since it verifiably received the order on the same day, 13 July 2021. The Respondent did not respond to the Authority's fact-finding request for information either within the 30-day deadline or afterwards, thereby hindering the substantive conduct of the case, and at the same time did not inform the Authority of the reason for the delay or of when a substantive response could be expected.

In view of this, with its order No. NAIH-4820-5/2021 dated 13 August 2021, sent on 17 August 2021 and verifiably delivered to the Respondent on the same day, the Authority repeatedly called on the Respondent to clarify the facts within five working days, specifically drawing its attention to the possible legal consequences of the omission (procedural fine). The Respondent verifiably received the repeated order but still did not comply with the summons. In view of this, on 6 September 2021 the Authority, with its order No. NAIH-4820-6/2021, ordered the Respondent to pay a procedural fine of HUF 250,000, i.e. two hundred and fifty thousand forints.

Since, despite the above, the Respondent complied neither with its obligation to clarify the facts nor with the payment of the procedural fine, the Authority conducted an on-site inspection at the Respondent's headquarters on 24 November 2021. During the inspection, by means of an examination and a test query of the Respondent's electronic information system, it was established that, in accordance with the data processing information published by the Respondent at https://vakcinareg.neak.gov.hu/regisztracio/AdatkezelesiTajekoztato.pdf, data requests made through the query interface were logged, and that the Respondent held the data relating to the access request sent by the Applicant on 6 April 2021. In addition, the minutes recorded, among other things, the following:

- "1. In order to clarify the facts, the acting civil servant of the Authority asked the head of department entitled to make a statement whether the Respondent had received, through its official gateway, the questions contained in the Authority's order No. NAIH-4820-4/2021, the questions repeated in order No. NAIH-4820-5/2021, the procedural fine established in order No. NAIH-4820-6/2021, and the obligation to answer the questions in order No. NAIH-4820-4/2021 within five working days. The [...] present on behalf of the Respondent informs the acting members of the Authority that sub-numbers 5 and 8 of the above orders were forwarded to the Data Protection and Coordination Department for further administration. The Authority sent sub-numbers 4 and 6 to the NEAKJOG official gateway. […] informs that, owing to the internal organisation, this type of inquiry is received by the Respondent at the OEPKER official gateway, so these have not yet been identified. The staff of the Authority handed over certified copies of the four orders mentioned above."

- "[…]: Yes, queries are logged; the data provision to the data subjects concerned has already been made, and we will additionally send a copy of this to the Authority. One person has access to the log files, authorisation is local, and the log files are available in-house."

- "Documents requested by the representatives of the Authority to be attached subsequently: a copy of the response previously given to the data subject's access request concerning the log file affected by the case in question."

In the Authority's case initiated with the application received on 11 May 2021, the Respondent, until this decision became final, did not send a copy of the documents certifying the provision of the exercise of the data subject's rights, as recorded in the minutes No. NAIH-4820-11/2021 of 24 November 2021, an original copy of which was handed over at the end of the on-site inspection to the head of the data protection and coordination department acting on behalf of the Respondent, and it did not comply with the obligation to pay the procedural fine established in order No. NAIH-4820-6/2021 either.
On 30 November 2021, the Applicant informed the Authority (NAIH-4820-12/2021) that on 26 November 2021 he had received a reply to his application from the Respondent, in which the Respondent informed him that, since the data subject had submitted his requests by e-mail, "on the basis of his data" in the e-mails it was not possible to identify him; however, this was "essential for the assessment of his objection and from the point of view of the data provision (…)". The Respondent further informed the Applicant that "e-mail is not considered a form of written contact; moreover, in the absence of identification, it is not possible to provide the requested data in this way". In the letter attached by the Applicant as evidence, the Respondent called on the Applicant to "send your application, if you have a customer portal, (...) in a private document with full probative force (…)". As the reason for the delayed response, the Respondent informed the Applicant that "since the start of the vaccination campaigns in March 2021, NEAK has received nearly 70,000 electronic inquiries regarding vaccine registration. During mass vaccination, thousands of inquiries per day were processed and answered in addition to performing our basic tasks, using unchanged human resource capacities".

Following the on-site inspection conducted at the Respondent's premises on 24 November 2021, the Respondent did not inform the Authority in any way of the measures taken in connection with the Applicant's exercise of his data subject rights.

Based on the above, the Applicant supplemented his original application, alleging a new violation. He submitted that the Respondent further restricts the exercise of his right to object by "asking me, after authentication, to send my application again via the customer portal", and by binding the exercise of the data subject's rights to the form of a private document with full probative force, despite the fact that this was not required when the personal data were collected.
According to the Applicant, this violated the general rule of Article 12(1) of the General Data Protection Regulation, because the Respondent did not comply with its obligation to provide information in an "easily accessible form". In the supplement to the application, the Applicant also complained that the Respondent "further processes my personal data contrary to points b) and c) of Article 5 of the General Data Protection Regulation, since it asks me to enter my birth name, my date and place of birth and my mother's birth name." The Applicant considers this unnecessary for identification, "after all, in connection with the data processing affected by the objection, I only gave my name, e-mail address, date of birth and social security number". At the same time, in the addendum to the application addressed to the Authority, the Applicant asked: "Does the Respondent perhaps wish to link the data processing in question (unlawfully) with data processing for other purposes, and is that why it needs these data? For this question of mine, I also ask for the answer of NEAK as data controller."

II. Applicable legal provisions

Pursuant to Article 2(1) of the General Data Protection Regulation, the General Data Protection Regulation shall be applied to the data processing related to the operation of the Respondent's website. According to Section 2(2) of Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.), the General Data Protection Regulation shall be applied with the additions contained in the provisions specified there.

On the basis of Section 60(1) of the Infotv., in order to enforce the right to the protection of personal data, the Authority initiates a data protection official procedure at the request of the data subject. The rules of Act CL of 2016 on the general public administrative order (hereinafter: Ákr.) shall be applied to the official data protection procedure with the additions specified in the Infotv. and with the deviations according to the General Data Protection Regulation.

Based on the provisions of Section 6(1)-(3) of the Ákr., all participants in the procedure are obliged to act in good faith and cooperate with the other participants; no one's conduct may be aimed at deceiving the authority or at unjustifiably delaying decision-making or implementation.

According to Article 31 of the General Data Protection Regulation, the controller and the processor shall, on request, cooperate with the supervisory authority in the performance of its tasks.

According to Section 62(1) of the Ákr., if the available data are not sufficient for decision-making, the authority conducts an evidentiary procedure. According to Section 63 of the Ákr., if the clarification of the facts makes it necessary, the authority may invite the client to make a statement; according to Section 64(1) of the Ákr., unless excluded by law, the client may replace missing evidence with his statement if it cannot otherwise be obtained. Based on Section 65(1) and (2) of the Ákr., if necessary during the clarification of the facts, and where a deed or other document cannot be obtained under Act CCXXII of 2015 on the general rules of electronic administration and trust services, the authority may call on the client to present the deed or other document. Unless otherwise provided by law or government decree, the client may also submit a copy of the document if he declares that it is identical to the original in all respects.

According to Article 58(1) of the General Data Protection Regulation, the supervisory authority, acting within its investigative powers, may, among other things, order the controller to provide any information it requires for the performance of its tasks, and the controller is obliged to give the supervisory authority access to all personal data and all information necessary for the performance of its tasks.
According to Section 105(1) and (2) of the Ákr., the client is obliged, when called on to do so by the authority, to provide the data necessary for a substantive decision; the client may refuse to provide the data if he could refuse testimony. On the basis of the relevant provision of Section 66(3) of the Ákr., testimony may be refused if the client's testimony would incriminate himself or a relative in the commission of a crime, or if the client is a media content provider within the meaning of the Act on the Freedom of the Press and the Basic Rules of Media Content (hereinafter: media content provider), or a person in an employment relationship or other legal relationship for work with it, even after the termination of that relationship, and his testimony would reveal the identity of the person providing information in connection with the activity of the media content provider.

Pursuant to Section 64(2) of the Ákr., if the client or his representative knowingly makes a false statement or withholds information significant from the point of view of the case, not including the case where he cannot be heard as a witness or may refuse testimony for the reasons defined in points b) and c) of Section 66(3) of the Ákr., or if he fails to fulfil his obligation to provide data as part of the mandatory data provision under Section 105(2) in the absence of a reason specified there, he may be subject to a procedural fine.

Based on the provisions of Section 77 of the Ákr., whoever violates his obligation through his own fault is obliged by the authority to reimburse the additional costs caused, and may be subject to a procedural fine. The minimum amount of the procedural fine is HUF 10,000 per case; the maximum amount, unless the law provides otherwise, is HUF 500,000 in the case of a natural person and HUF 1,000,000 in the case of a legal entity or other organisation.

Pursuant to Section 61 of the Infotv.: "61. § (1) In the decision made in the official data protection procedure, the Authority a) in connection with the data processing operations defined in Section 2(2) and (4) may apply the legal consequences specified in the General Data Protection Regulation, and thus in particular may, upon request or ex officio, order the deletion of unlawfully processed personal data in a specified manner, or may temporarily or permanently restrict the data processing in other ways, (…). (2) The Authority may order in its decision the publication of the decision including the identification data of the controller or the processor, if a) the decision affects a wide range of persons, b) it was brought in connection with the activities of a body performing a public task, or c) the severity of the infringement justifies publication. (3) The application of a warning in the Authority's procedure is excluded if the Authority establishes the need to impose a fine on the basis of the relevant regulations. (4) The amount of the fine may range from one hundred thousand to twenty million forints a) in the case of point bg) of subsection (1) point b), and b) in the case of a fine imposed under Article 83 of the General Data Protection Regulation, if the body obliged to pay the fine imposed in the decision made in the data protection official procedure is a budgetary body (…)"

Pursuant to Article 12 of the General Data Protection Regulation: "(1) The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means.
When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means. (2) The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject. (3) The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject. (4) If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. (5) Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge.
Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or b) refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request. (6) Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject. (7) The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.
(8) The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons."

Pursuant to Article 15 of the General Data Protection Regulation: "(1) The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. (2) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
(3) The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. (4) The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others."

Pursuant to Article 21(1) of the General Data Protection Regulation: "(1) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims."

Pursuant to Article 24(1)-(2) of the General Data Protection Regulation: "(1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. (2) Where proportionate in relation to processing activities, the measures referred to in paragraph 1
as part of the measures, the data manager also applies appropriate internal data protection rules." III. Decision III.1. Presumed violation of the exercise of the right to protest The Applicant contacted the Respondent several times via electronic mail, its query in connection with the management of personal data processed through its interface. Based on the e-mails attached as evidence during the procedure, the Applicant first received 2021. submitted an application to the Respondent on March 25. In his electronic mail, the general filed a protest in accordance with Article 21 of the Data Protection Regulation to the data controller. Based on Article 21 (1) of the General Data Protection Regulation, the Applicant had the right "a for reasons related to your own situation at any time" to object to your personal data in accordance with Article 6 (1) against processing by the Respondent based on point e) or f) of paragraph On the website https://vakcinainfo.gov.hu, data management information in effect at the time of submitting the application according to: "NEAK processes the provided personal data in accordance with Article 6 (1) point (e) of the GDPR and Article 386/2016. (XII. 2.) Subject to the public duties contained in Section 7 (1) points o) and p) of Government Decree handles", as well as "On the basis of your right to protest, you, as a data subject, are entitled to, with your own situation object to your personal data at any time for reasons related to Article 6 (1) of the GDPR against treatment based on point e). 
In such a case the controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims." It further stated: "The data entered on the query interface (TAJ number, date of birth) are compared by NEAK with the records it keeps in order to establish the authorisation of the person performing the query."

Pursuant to Article 12(3)-(4) and (6) GDPR: "(3) The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject." "(4) If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy." "(6) Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject."

Although the content of the e-mail of 25 March 2021 submitted by the Applicant to the Authority shows that the Applicant did not expressly refer to "grounds relating to his particular situation" within the meaning of Article 21(1) GDPR, but stated that "the fact that I registered for vaccination has been made public", in the Authority's view, even if the Respondent had not classified the Applicant's request as a valid objection under Article 21 GDPR, it would still have been obliged to respond within the time limit of Article 12(3) and with the content required by Article 12(4). During the procedure the Respondent clearly acknowledged, both to the Authority and to the Applicant, that it had failed to respond. The Respondent replied to the Applicant's request to exercise the right to object, received on 25 March 2021, only on 26 November 2021, and even then not on the merits: "As a justification for our delay, we would like to note that (...) NEAK received nearly 70,000 enquiries concerning vaccine registration." According to the Respondent, thousands of requests were processed and answered per day "using unchanged human resources capacity".

According to the minutes of the inspection carried out by the Authority at the Respondent's headquarters on 24 November 2021, the following questions were put and statements made:

"3.1. "Declare whether a request to exercise data subject rights under the General Data Protection Regulation was received by the National Health Insurance Fund Manager [...] from an e-mail address, or in any other way, on 25 March 2021 and 6 April 2021, or at any other time." An objection was received on 25 March 2021. On 6 April, the Applicant's log file access request concerning him was received by NEAK.

3.2. "If so, declare whether you have responded to these data subject requests. Please answer separately for each data subject request received." NEAK has not yet responded to these; the response is in progress.

3.3. "Declare, for each request, whether you assessed it on the merits, and whether it was assessed within the time limit prescribed in the General Data Protection Regulation." According to the Respondent's statement, the general information is awaiting signature. The logging results cannot be sent in response to an e-mail enquiry that does not allow easy identification of the data subject, given that they refer to special categories of personal data. The general procedure is to request the data subject to supplement the request, either in the form of a private document with full probative value or, in urgent cases, by confirming knowledge of the four natural personal identification data (name, birth name, place and date of birth, mother's birth name). In all cases, the response is sent to the electronic contact address provided at vaccine registration, for data security reasons, even where the data subject submits the request from another e-mail address or a relative exercises the data subject's rights, since there is no way to prove the relative's right of representation within the time limit. This does not apply to data subject requests that are not related to vaccine information.

3.4.
The Authority's staff member asked for a statement: "If you have not responded to the data subject's request or requests in the subject matter to date, please state the reason why not." The Respondent submitted: Since 11 March 2021, more than seventy thousand requests to exercise data subject rights under the General Data Protection Regulation have been received, which it is unable to fulfil with the available human resources; a total of four people are available, and on a case-by-case basis legal advisers of the Legal Department and of the regional bodies are also involved. In relation to the query system, enquiries were received from a total of two data subjects, one of them the Applicant in the present case. The third issue related to the query system is that the processing system was hit by a load attack (an attack that overloads the system) on 25 March 2021. The Respondent filed a criminal complaint with the investigating authority on account of the attack, and criminal proceedings were initiated at the National Bureau of Investigation. The Applicant's request was presumably lost among the large number of requests. Currently, 100-150 requests are received per day, which is a manageable amount."

Based on the above, the Authority established that the statements of the Applicant and the Respondent agree that, until the submission of his application to the Authority, the Applicant received no information whatsoever from the controller: neither on the merits, nor on an extension of the time limit, nor on the need for additional information to identify the Applicant. Moreover, the Respondent's reply of 26 November 2021 did not contain information on the possibility of lodging a complaint or on legal remedies. On the basis of all this, the Authority established, as set out in the relevant part of the operative provisions, an infringement of Article 12(3)-(4) GDPR in this regard.
The Authority subsequently rejected the Applicant's application in this respect, as set out in the relevant part of the operative provisions, because the Applicant submitted his requests to exercise data subject rights to the Respondent by simple e-mail, in a non-identifiable manner, and, although belatedly, on the basis of the controller's information he now knows how to submit his data subject requests and exercise his data subject rights in accordance with the Respondent's procedure, so that no actual infringement of his rights occurred in this respect.

III.2. Alleged infringement of the right of access

Since the Applicant received no reply from the Respondent to his objection of 25 March 2021, on 6 April 2021 he submitted a request to the Respondent by e-mail with reference to Article 15 GDPR, asking: "please send me exactly when and from which IP address I queried my vaccination registration data by entering the TAJ number / date of birth combination". Because the Applicant received neither a substantive response within the one-month time limit under Article 12(3) GDPR nor information on an extension of the time limit, he applied to the Authority for a data protection official procedure concerning the Respondent's conduct. In clarifying the facts, the Authority established, as described in point III.1, that the Applicant received no response from the Respondent to the data subject request sent on 6 April 2021, just as to that of 25 March 2021.

Based on the above, the Authority established that the Respondent, regardless of whether or not it considered the request received to be an access request under Article 15 GDPR, would have been obliged to assess it on the merits within the time limit under Article 12(3) and with the content required by Article 12(4). The Respondent does not dispute its failure to do so; the Authority therefore decided as set out in the relevant part of the operative provisions.

III.3. Supplementing the request, the obligation to identify the data subject and the information given about it

On 30 November 2021, the Applicant sent a further submission citing new evidence to the Authority (NAIH-4820-12/2021). The Applicant attached the Respondent's letter dated 26 November 2021 (reference number F022/25-3/2021, file number F022/37-2/2021), in which the Respondent informed the Applicant that "it is not possible to assess your objection on the merits and to provide the requested data on the basis of the e-mails submitted, because it is not possible to identify you on the basis of the data available in the e-mail, which is essential for the assessment of your objection and for the provision of the data, given that this affects the rights of the data subjects." The Applicant objected that the Respondent had not assessed his data subject requests on the merits even within eight months. He considered it unjustified that the Respondent made a substantive response to the requests entirely conditional on their submission in the form of a private document with full probative value or with Client Gate (Ügyfélkapu) identification, even though the only legal requirement for submitting the request is the identification of the client, not the form of a private document with full probative value.
According to the Applicant, this infringes Article 12(1) GDPR, in that the controller must comply with its obligation to provide information "in an easily accessible form". The Applicant further explained: "Contrary to Article 5(b) and (c) GDPR, it determined additional processing of my personal data when it asks me to enter my birth name, my date and place of birth and my mother's birth name. These data are not necessary for my identification, since in the processing affected by the objection I provided only my name, e-mail address, date of birth and TAJ number. I provided and attached these data in my application to the Respondent. (…) I respectfully ask the Authority to conduct its procedure in respect of the above infringement against the Respondent as well."

In view of the new application (supplement to the application) submitted on 30 November 2021, the Authority established that, despite the incomplete reference, it alleges an infringement of Article 5(1)(b) and (c) and Article 12(1) GDPR. Pursuant to Article 12(6) GDPR, "where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject". In the Authority's view, it is the Respondent controller's duty towards data subjects, and thus also towards the Applicant in the present case, to establish the identity of the data subject (identification) before granting data subject rights, for which a simple e-mail is not suitable; a lack of identification may lead to a personal data breach. Identification of the data subject was not carried out on the COVID-19 vaccination registration interface operated by another controller either, and in the Respondent's case no further action was taken in relation to the Applicant.

According to the minutes of inspection NAIH-4820-11/2021, the Respondent's position on the identifiability of data subjects is clear: "The logging results cannot be sent in response to a simple e-mail enquiry because of the lack of identification of the data subject, given that they refer to special categories of personal data. The general procedure is to ask the data subject to supplement the request, either in the form of a private document with full probative value or, in urgent cases, by confirming knowledge of the four natural personal identification data."

At the same time, as part of clarifying the facts, the Authority examined ex officio the information provided upon registration on the website vakcinainfo.gov.hu, the privacy notice on the Respondent's website, and the privacy notice available on the query interface relevant to the present case (https://vakcinareg.neak.gov.hu/regisztracio/AdatkezelesiTajekoztato.pdf). None of these notices, however, states how data subjects must identify themselves before the Respondent controller when exercising their data subject rights, or that requests from unidentified data subjects will not be answered at all. According to the notice on the query interface, however: "In the event of an infringement of his or her rights related to the processing of his or her personal data, and in order to enforce those rights, the data subject may contact the National Health Insurance Fund Manager (1139 Budapest, Váci út 73/A, e-mail address: firstname.lastname@example.org; name of data protection officer: dr. Szomolanyi Borbála, e-mail address: email@example.com)."
In the Authority's view, if the Respondent, in accordance with the rules it specified, assesses data subject requests on the merits only after establishing the identity of the data subject beyond doubt, it should have informed data subjects of this prerequisite in the above notice(s). Since the Respondent did not make available its requirements concerning the identification of the data subject, i.e. the preconditions for exercising data subject rights, it infringed the requirement of transparency under Article 5(1)(a) GDPR. Since the Applicant was not identified in the absence of the necessary data, it cannot even be raised in the present case that the Authority should evaluate the invitation sent to the Applicant on 26 November 2021, aimed at supplying these missing data, as actual substantive information under Article 12(1) or as an infringement of the easily accessible form, since the relevant provisions set different requirements for the identification of the data subject and for the merits of the data subject request. The identification obligation described above does not exempt the controller from the time limit under Article 12(3) or from the obligation as to content under Article 12(4); however, the Authority has already evaluated these infringements, as explained in points III.1 and III.2, and made findings accordingly in the operative provisions.

Taking into account the requirement of good faith, the Authority does not consider that the processing of the data necessary to establish the identity of a data subject submitting a request to exercise data subject rights, or the electronic administration channel that ensures this, infringes the principles of purpose limitation or data minimisation, especially as the Applicant himself identifies himself before the Authority as a client through Client Gate (Ügyfélkapu) e-Paper (e-Papír) contact, while he regards identification through the same Central Identification Agent ("Client Gate") in relation to another public body as contrary to "Article 5(b) and (c) GDPR". At the same time, the Authority notes that the categories of personal data processed by a controller do not determine the range of natural personal identifiers necessary to identify the natural person concerned. Thus, contrary to the Applicant's assumption, the fact that the Respondent processes certain categories of the Applicant's personal data in the present case does not in itself render unlawful, for example as contrary to Article 5(1)(b) and (c), the processing of other categories of data for the purpose of client identification. In view of the above, the Authority rejected the application in this regard, as set out in the relevant part of the operative provisions. Furthermore, as set out in the relevant part, the Authority established ex officio an infringement of the principle of transparency under Article 5(1)(a) GDPR.

III.4. The Respondent's failure to comply with its obligation to cooperate during the procedure

In its order NAIH-4820-6/2021 the Authority
had already assessed the Respondent's earlier default and imposed a procedural fine, but even though it repeatedly requested the information in the same order, the Respondent still did not send any information to the Authority. Taking this into account, in its order numbered 8 the Authority ordered an on-site inspection for 24 November 2021 in order to clarify the facts. During the on-site inspection at the Respondent's headquarters, according to its minutes, the Respondent's representative submitted that the Authority's orders had not been complied with for internal organisational reasons: "1. In order to clarify the facts, the acting civil servant of the Authority asked the head of department authorised to make a statement whether the questions contained in the Authority's order NAIH-4820-4/2021, the questions sent again in order NAIH-4820-5/2021, and the procedural fine established in order NAIH-4820-6/2021 together with the obligation to answer the questions in order NAIH-4820-4/2021 within five working days had been received via the Office Gate (Hivatali Kapu). On behalf of the Respondent, the person present (…) informed the acting members of the Authority that orders Nos. 5 and 8 of the above file had been forwarded to the Data Protection and Coordination Department for further administration. The Authority sent orders Nos. 4 and 6 to the NEAKJOG Office Gate. (…) He further informed them that, due to the internal organisation, this type of enquiry is received by the Respondent at the OEPKER Office Gate, so they had not yet been identified. The Authority's staff handed over certified copies of the four orders mentioned above."

According to the minutes, in order to substantiate the Respondent's statement made during the on-site inspection that approximately seventy thousand requests had actually been received and that access requests concerning the log files of the query interface had been fulfilled on the basis of any of those requests, the Authority asked the Respondent to send supporting evidence after the inspection: "Documents requested by the Authority's representatives to be submitted subsequently: a copy of the response to an earlier, fulfilled data subject access request concerning the log file affected by the present case." (NAIH-4820-11/2021, page 6 of the minutes) Despite this, the Authority had not received the promised evidence by the time this decision became final. In view of the above, the Authority decided as set out in the relevant part of the operative provisions and established ex officio that the Respondent breached its obligation to cooperate under Article 31 GDPR in relation to the period following the procedural fine imposed for its default.

III.5. Querying the status of online registration on the website vakcinainfo.gov.hu

In his application, the Applicant objected that, by entering his TAJ number and date of birth, the status of his online registration on vakcinainfo.gov.hu is displayed directly on the query interface, and that the Respondent thereby made his personal data public. Since the Authority is not obliged to act on mere assumptions, in point 5 of order NAIH-4820-2/2021 it called on the Applicant to state whether he could prove that the fact of his registration had actually become known to an unauthorised natural or legal person. In his reply filed under NAIH-4820-3/2021, the Applicant stated that he had himself sought an answer to this question, but the Respondent did not respond to his data subject request.
The Authority states that the fact of registration for vaccination against the coronavirus, made online on vakcinainfo.gov.hu or by returning the form sent by the Hungarian State Treasury, does not mean that the data subject has actually received the vaccine, and therefore does not constitute processing of special categories of personal data. On this basis, the Authority's position is that, although the query interface does indeed display information on the status of the registration directly, this in itself is not necessarily disproportionate to the risks of varying likelihood and severity for the rights and freedoms of natural persons, and the protective measures applied during identification may be proportionate to the data concerned. Weighing this is the task of the Respondent controller. On the basis of the above, the Authority rejected the application concerning the query interface, as set out in the relevant part of the operative provisions, noting that, if the Applicant properly identifies himself, the Respondent is obliged to comply with the Applicant's access request, which will reveal whether an actual infringement has occurred. If such a real infringement becomes apparent from the response given to the access request, the Applicant, on the basis of that evidence, will probably be able to request the Authority's procedure, as a data subject affected by the processing, against the controller that committed the infringement. The Authority, however, does not act on a data subject's request that is based on mere assumption and not substantiated by evidence, and therefore decided as set out in the operative provisions.

III.6. Legal consequences

The Respondent did not inform the Applicant in due time that, in the absence of personal identification, it could not assess his requests to exercise data subject rights. Following the belated information, however, the Applicant can exercise his data subject rights, through the channels made available, in a manner that includes establishing his identity. If the Applicant decides not to substantiate his identity credibly before the Respondent, this cannot be assessed to the Respondent's detriment.

Therefore, the Authority granted the Applicant's application, established the infringements under points III.1 to III.4 and, pursuant to Article 58(2)(b) GDPR, condemned the Respondent for having infringed Article 12(3)-(4) GDPR by not providing the Applicant, until 26 November 2021, with information on the personal identification required for exercising data subject rights, thereby also infringing the principle of transparency under Article 5(1)(a), the requirement of cooperation under Article 31 GDPR during the procedure, and the principle of "accountability" under Article 5(2). In addition, subject to what is stated in point III.5, the Authority rejected the Applicant's application to establish an infringement regarding the alleged disclosure of his personal data in the subject matter of the decision, an infringement of the principles of purpose limitation and data minimisation, and regarding the processing of the personal data of other natural persons.

The Authority examined ex officio whether, on account of the infringements established, a data protection fine should be imposed on the Respondent. In this context, on the basis of Article 83(2) GDPR and Section 75/A of the Infotv., the Authority considered ex officio all the circumstances of the case and established that, in the case of the infringements discovered in this procedure, a warning would be neither a proportionate nor a dissuasive sanction; therefore, acting in its discretion, it decided that a fine must be imposed pursuant to Section 61(4)(b) of the Infotv. When imposing the fine, the Authority considered the following factors as aggravating:

1.
The infringements committed by the Respondent fall within the higher fine category under Article 83(5)(a) GDPR, since they concern a basic principle. 2. The infringement is serious because the Respondent, by its processing, hindered the Applicant's exercise of his data subject rights, in that it responded to the data subject's request significantly late, only after the Authority's on-site inspection [Article 83(2)(a) GDPR]. 3. The Respondent did not cooperate with the Authority during the investigation of the case. Even after several orders calling on the Respondent to provide data, and after the procedural fine imposed by order, it did not respond to the Authority's orders aimed at clarifying the facts and did not send the requested additional information to the Authority. The Authority was therefore unable to fully clarify whether the Respondent responds properly to data subject requests [Article 83(2)(f) GDPR].

When imposing the fine, the Authority considered the following factors as mitigating: 1. The COVID-19 pandemic required unprecedented processing operations to be set up within an extremely short time; the controller could not have assessed in advance the resources needed to ensure the related data subject rights, and had to provide them with an unchanged number of human and budgetary resources [Article 83(2)(a) GDPR]. 2. The Authority had not previously found the Respondent to have infringed the provisions of the General Data Protection Regulation [Article 83(2)(e) GDPR]. 3. There was no evidence that the Applicant actually suffered damage (loss) as a consequence of the Respondent's default [Article 83(2)(k) GDPR].

By imposing the fine, the Authority's special preventive aim is to encourage the Respondent to review its processing practices in connection with ensuring data subject rights. The amount of the fine was determined by the Authority acting within its statutory discretion. On the basis of the above, the Authority decided in accordance with the operative provisions. Therefore, the Authority, after considering the relevant circumstances of the case, ordered the imposition of a data protection fine of five hundred thousand forints, i.e. HUF 500,000. The Authority also ordered the publication of the final decision, with the identifying data of the Respondent, on the Authority's website.

IV. Exceeding the administrative time limit

During the procedure, the Authority exceeded the administrative time limit of one hundred and fifty days under Section 60/A(1) of the Infotv.; therefore, pursuant to Section 51(1)(b) of the Ákr., it shall pay ten thousand forints to the Applicant.

V. Other matters

The Authority's competence is defined by Section 38(2) and (2a) of the Infotv., and its jurisdiction covers the entire territory of the country. Pursuant to Sections 112, 116(1) and 114(1) of the Ákr., a legal remedy against the decision is available by way of an administrative lawsuit.

* * *

The rules of the administrative lawsuit are set out in Act I of 2017 on the Code of Administrative Court Procedure (hereinafter: Kp.). Pursuant to Section 12(1) of the Kp., an administrative lawsuit against the Authority's decision falls within the competence of the regional court, and pursuant to Section 13(3)(a)(aa) of the Kp., the Metropolitan Court has exclusive jurisdiction. Under Section 27(1)(b) of the Kp., legal representation is mandatory in a lawsuit falling within the competence of the regional court. Under Section 39(6) of the Kp., the filing of the statement of claim has no suspensive effect on the entry into force of the administrative act. Pursuant to Section 29(1) of the Kp. and, in view of this, Section 604 of the Pp., under Section 9(1)(b) of Act CCXXII of 2015 on the General Rules of Electronic Administration and Trust Services (hereinafter: E-administration Act), the client's legal representative is obliged to maintain electronic contact. The time and place of filing the statement of claim are set out in Section 39(1) of the Kp. Information on the possibility of requesting a hearing is based on Section 77(1)-(2) of the Kp. The amount of the fee for the administrative lawsuit is determined by Section 45/A(1) of Act XCIII of 1990 on Fees (hereinafter: Itv.). The party initiating the procedure is exempt from advance payment of the fee under Section 59(1) and Section 62(1)(h) of the Itv.

Budapest, dated according to the electronic signature

Dr. Attila Péterfalvi
President
honorary professor