NAIH (Hungary) - NAIH-6484-2-2022

From GDPRhub
NAIH - NAIH-6484-2-2022
LogoHU.jpg
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 12(3) GDPR
Article 12(4) GDPR
Article 15(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 11.05.2021
Decided: 09.08.2022
Published: 09.08.2022
Fine: 1200 EUR
Parties: National Health Insurance Fund of Hungary
National Case Number/Name: NAIH-6484-2-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: Abel Kaszian

The Hungarian DPA held that the National Health Insurance Fund's organisational deficiencies and lack of human resources during the COVID-19 pandemic caused an Article 12 GDPR infringement as the controller failed to provide transparent information to a large number of data subjects.

English Summary

Facts

On 25 March 2021, the data subject noticed that the National Health Insurance Fund Manager (NEAK) “published” information on its website that the data subject registered for the COVID-19 vaccine. By entering their social security number and date of birth, anyone who knew these pieces of personal information, could check the validity of a person’s registration. The data subject e-mailed the controller on the same day, objecting to the processing of his personal data on the website.

On 6 April 2021, the data subject sent another e-mail to the controller, this time invoking their right of access under Article 15 GDPR. They also requested the controller to send the date and IP address from which the data subject requested the vaccination registration. As they did not receive any answer from the controller, the data subject turned to the DPA on 11 May 2021.

The controller neither responded to the DPA's request for clarification, nor did it inform the DPA of the reason for the delay and when the data subject could expect a substantive response. Therefore, the DPA carried out an on-site visit at the premises of the controller on 24 November 2021. During the visit, the DPA found that the controller logged all the data requests in accordance with the requirements of its privacy policy and had the data subject’s request as well.

The controller responded to the data subject only after the visit of the DPA, on 26 November 2021, and even then not in substance, saying: “As reasoning for the delay, we would like to mention that (...) NEAK has received nearly 70,000 requests for vaccine registration.” The controller also claimed to process and respond to thousands of inquiries per day, using the same number of human resources employees it had before the COVID-19 pandemic.

Holding

The DPA found that the controller's reply did not contain any information on the right to lodge a complaint or to seek redress. Therefore, the DPA declared an infringement of Article 12(3) GDPR and Article 12(4) GDPR. Additionally, the DPA held that the controller, whether or not it considered the request under Article 15 GDPR, should have dealt with it within the time frame under Article 12 GDPR.

As the controller mentioned that there were another unanswered requests, among the altogether 70,000 requests, the DPA requested the controller to provide evidence. However, the DPA did not receive the evidence promised to be sent until the present decision became final. Nevertheless, the DPA took into account – as a mitigating factor – that the COVID-19 pandemic required the establishment of data management processes on an unprecedented scale and at very short notice. The controller could not have previously assessed the resources needed to ensure the data subject's rights, but had to ensure them with unchanged human and budgetary resources.

The DPA concluded that registration for vaccination does not automatically mean that someone actually takes the vaccine, therefore it did not constitute processing of special categories of personal data. The DPA interpreted that the displayed information on the status of registration in itself was not necessarily disproportionate to the risks to the rights and freedoms of natural persons. The protection measures applied in the identification process may be proportionate, and for these measures, the controller was responsible.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

Case number: NAIH- 6484-2/2022. Subject: decision establishing a violation of law
History: NAIH-4820/2021.





                                        H A T A R O Z A T


Before the National Data Protection and Freedom of Information Authority (hereinafter: Authority) [...]

at the request of the applicant ([…]; hereinafter: Applicant), the personal data of the Applicant a
National Health Insurance Fund Manager (headquarters: 1139 Budapest, Váci út 73/A; hereinafter:
Requested) through the website https://vakcinareg.neak.gov.hu is illegal
in the official data protection procedure initiated in the subject of its management, the Authority makes the following decisions:

I.) In the Authority's decision


I.1.) processing of the personal data of natural persons of the Applicant's data subject request
regarding its protection and the free flow of such data, as well as 95/46/EC
2016/679 of the European Parliament and the Council on the repeal of the Directive. no
Regulation (hereinafter: general data protection regulation) in violation of Article 12 (3)-(4).

due to his non-answer, he approves, establishes the fact of the violation and therefore the Requested
condemns;

I.2.) The application, including its supplement, I.1. s. rejects the part concerning the decision.


II.1.) In its decision, the Authority ex officio states that
    a) the Respondent from paragraphs (3) and (4) of Article 12 of the General Data Protection Regulation
       breached its obligation by not giving to a large number of stakeholders
       transparent information on the formal requirements for submitting data subject requests,
       as well as that
    b) his obligation to cooperate according to Article 31 of the General Data Protection Regulation

       in view of its internal organizational shortcomings, it did not comply by the Authority
       During the inspection conducted on November 24, 2021, the information requested to be additionally attached was not
       made available to the Authority.

II.2.) The Authority I.1. and II.1. s. ex officio in his decision in view of what was written in his decision

states that the Respondent has violated Article 5 (1) of the General Data Protection Regulation
the principle of transparency according to paragraph a) and according to Article 5 (2).
principle of accountability.

II.3.) In the Authority's decision, I.1., II.1. and II.2. s. for violations established in its decision

considering the Petitioner ex officio

                               HUF 500,000, i.e. five hundred thousand forints
                                       data protection fine

obliges him to pay within 30 days from the date this decision becomes final.


II.4.) The Authority is the Infotv. Section 61 (2) on the basis of point b), the resolution orders ex officio
publication in such a way that it contains the Applicant's identification data.


…………………………………………………………………………………………………………

1055 Budapest Tel.: +36 1 391-1400 ugyfelszolgalat@naih.hu
Falk Miksa utca 9-11 Fax: +36 1 391-1410 www.naih.huIII.) The Authority states in its order that the administration deadline has been exceeded, therefore as such
stipulates that HUF 10,000, i.e. ten thousand forints, shall be paid to the Applicant - to be indicated in writing
according to your choice - pay by bank transfer or postal order.



                                              * * *

The fine is the HUF account for the collection of centralized revenues of the Authority
(10032000-01040425-00000000 Centralized account IBAN: HU83 1003 2000 0104 0425 0000
0000) must be paid in favor of When transferring the amount, NAIH-6484-2/2022. FINE. must count
refer to.


If the Respondent does not fulfill his obligation to pay the fine within the deadline, he is in default
must pay an allowance. The amount of the late fee is the legal interest, which is due to the delay
is the same as the central bank base rate valid on the first day of the relevant calendar semester.

In the event of non-payment of the fine and late fee, the Authority shall issue a decision
implementation.


There is no place for administrative appeal against this decision and order, but a
with a letter of claim addressed to the Metropolitan Court within 30 days of notification
can be challenged in an administrative lawsuit. The claim must be submitted to the Authority,
electronically, which forwards it to the court together with the case documents. The complete personal
for those who do not receive a tax exemption, the fee for the administrative lawsuit is HUF 30,000, the lawsuit is substantive
is subject to the right of levy memo. Legal representation is mandatory in proceedings before the Metropolitan Court.




                                       I N D O C O L A S


I. Procedure and clarification of the facts


The Applicant submitted an application to the Authority on May 11, 2021, in which he stated that in 2021
noticed on March 25 that on the website https://vakcinareg.neak.gov.hu the National
The Health Insurance Fund Manager "published" the information that the Applicant registered the
For the vaccine against COVID-19: by entering the social security number and date of birth on the page, anyone who
data, you can query the validity of the data subject's registration. The Applicant hereby
in this context, he objected to why he didn't just send it to his e-mail address, for example

the result of the query to the Requested.

On the same day, March 25, 2021, the Applicant contacted the Applicant via electronic mail, and
objected to the handling of his personal data on the https://vakcinareg.neak.gov.hu website. THE
until the date of the application dated May 7, 2021, received by the Authority on May 11, 2021, and
until the date of the response to the notice to make up the gap (NAIH-4820-2/2021), i.e. until June 21, 2021, the
According to the applicant's statement, he did not receive any response from the Application.


On April 6, 2021, the Applicant repeatedly sent an electronic letter to the Applicant such
in such a way that its predecessor, the request of March 25, 2021, was also contained in the letter in which
this time, he requested with reference to his right of access according to Article 15 of the General Data Protection Regulation,
for the Requested to send it to: "exactly when, from which IP address did I request the TAJ/birth.
by entering my vaccination registration data with the date combination - this is my application
until the day of your answer".


However, according to his statement, the Applicant did not receive any response from the Application.

In view of this, in the request received by the Authority on May 11, 2021, the Applicant


                                                2 requested the Authority to conduct an official procedure, and that "the Authority establish the
violation of the rights of the data controller and oblige him to provide the missing information, oblige him to protest
to take into account my right and to make my personal data accessible on the Internet
to terminate its clause."


In order to clarify the facts, the Authority dated July 13, 2021, No. NAIH-4820-4/2021.
with its order, contacted the Applicant with a deadline of 30 days. The order contained the Art. Section 77-
information regarding the possible legal consequences (procedural fine) pursuant to
therefore, he was aware of this in view of the fact that the order was issued on the same day, July 13, 2021
verifiably received.


The Respondent did not respond to the Authority either within the specified 30-day deadline or after that
to the fact-finding request for information, thus hindering the substantive conduct of the case, but at the same time about it
he did not inform the Authority of the reason for the delay and when a meaningful response is expected
sending. In view of this, the Authority NAIH-4820-5/2021. No., dated August 13, 2021, 2021
sent on August 17 and verifiable to the Applicant on the same day
in his delivered order, he repeatedly called the Applicant to state the facts within five working days
clarification, specifically drawing its attention to the possible legal consequences of the omission

(procedural fine). The Respondent accepted the repeated order in a verifiable manner, but for the summons
still did not comply.

In view of this, on September 6, 2021, the Authority issued NAIH-4820-6/2021. s. 250,000 in order,
i.e. he ordered the Applicant to pay a procedural fine of HUF two hundred and fifty thousand.

Since, despite the above, the Respondent did not comply with the clarification of the facts either

obligation, nor did he pay the procedural fine, the Authority November 24, 2021
I conducted an on-site inspection at the headquarters of the Applicant.

During the inspection - Inspection and testing of the applicant's electronic information system
by means of an inquiry - it was established that the Respondent a
Published at https://vakcinareg.neak.gov.hu/regisztracio/AdatkezelesiTajekoztato.pdf
in accordance with the information contained in its data management information, it was logged through the query interface

requests for data and had the access letter sent by the Applicant on April 6, 2021
data related to your request. In addition to these, among others, the following were added:
In the minutes:

    - "1. In order to clarify the facts, the acting civil servant of the Authority declares a
       He asked his head of department, who was entitled to make a statement, that he had received
       through the office gate, the Authority NAIH-4820-4/2021. contained in order no

       questions, NAIH-4820-5/2021. questions sent repeatedly in order no.
       and NAIH-4820-6/2021. the procedural fine established in order no. and the
       NAIH-4820-4/2021. questions written in order no. within five working days
       obligation to answer.

       The [...] present on behalf of the Applicant informs the acting members of the Authority that the above
       orders no. Sub-orders 5 and 8 are dedicated to the Data Protection and

       They were forwarded to the Coordination Department for further administration.

       The Authority sent sub-numbers 4 and 6 to the office gate of NEAKJOG. […] Wow
       provides information that, due to the internal organization, this type of inquiries
       The applicant is received at the OEPKER office gate, so it has not yet been identified. THE
       The staff of the authority handed over a certified copy of the four orders written above."


    - “[…]: Yes, queries are logged, it has already been done for those affected
       data provision, we will additionally send a copy of this to the Authority. For log files
       one person has access, authorization is local, and log files are available in-house.”



                                                3 - "Documents requested to be additionally attached by the representatives of the Authority:
       previously completed stakeholder access to the log file affected by the case in question
       a copy of the response to the request."


In the Authority case initiated with the application received on May 11, 2021, the Applicant is the 2021
dated November 24, NAIH-4820-11/2021. No., an original at the end of the on-site inspection
in copy, head of data protection and coordination department acting on behalf of the Applicant
this decision as written in the protocol handed over to the head of department performing his duties
documents certifying the provision of the exercise of the rights of the affected party were not complied with until it became final
did not send a copy, and NAIH-4820-6/2021. s. procedural established in the order
he did not comply with his obligation to pay a fine either.


On November 30, 2021, the Applicant informed the Authority (NAIH-4820-12/2021) that the
He received a reply from his application on November 26, 2021, in which the Applicant informed him that
that since the data subject submitted his requests by e-mail, "based on his data" in the e-mails
it is not possible to identify him, however, this is "the assessment of his objection and the data
from the point of view of service (…) it is essential". The Applicant further informed the
Applicant that "e-mail is not considered a form of written contact, moreover

in the absence of identification, it is not possible to return the requested data
way".

In the letter attached as evidence by the Applicant, the Respondent called the Applicant to

"your application, if you have a customer portal, (...) into a private document with full evidential force
busy (…) please send it”.


As a reason for the delayed response, the Respondent informed the Applicant that "it is
from the start of vaccination campaigns in March 2021, nearly 70,000 electronically
an inquiry was received regarding vaccine registration for NEAK. Mass vaccination
thousands of inquiries per day were processed and answered
in addition to performing our basic tasks, using unchanged human resource capacities".


Following the on-site inspection conducted by the Applicant on November 24, 2021, the
Not in any way about the measures taken in connection with the applicant's exercise of stakeholder rights
informed the Authority.

Based on the above, the Applicant supplemented his original application, assuming a new violation.
He submitted that the Respondent further restricts the exercise of his right to object by
"after authentication, the customer portal asks me to send my application again", as well as complete proof

binds the exercise of the rights of the affected party to the form of a valid private deed, despite the fact that the personal
this was not necessary when collecting data. According to the Applicant, this violated the general rule
of Article 12 (1) of the Data Protection Regulation, because the Respondent did not comply with "easily
accessible form" of his obligation to provide information.

In the supplement to the application, the Applicant also complained that the Respondent is the general
data protection regulation "5. further processing of my personal data contrary to points b) and c) of Article

determined when I was given my birth name, time and place of birth, and my mother
asks you to enter your birth name." The applicant considers this unnecessary for identification,
"after all, in relation to the data processing affected by the protest, only my name, e-mail address,
I gave my date of birth and social security number".

At the same time, in the addendum to the application addressed to the Authority, the
Applicant:

"Possibly, the Requested Party wishes to connect the subject data management with data management for other purposes
(illegally), do you need these data? For my current question, I ask NEAK as the data controller
also your answer."



                                               4 II. Applicable legal provisions

Pursuant to Article 2 (1) of the General Data Protection Regulation, the website of the Respondent

the general data protection regulation shall be applied to data management related to its operation.

CXII of 2011 on the right to information self-determination and freedom of information. law
(hereinafter: Infotv.) According to Section 2 (2) of the general data protection decree there
shall be applied with the additions contained in the specified provisions.

Infotv. Validation of the right to the protection of personal data based on § 60, paragraph (1).

in order to do so, the Authority will initiate a data protection official procedure at the request of the data subject. The
for official data protection procedure CL. of 2016 on general public administrative order. law
(hereinafter: Ákr.) rules shall be applied with the additions specified in Infotv. and
with deviations according to the general data protection regulation.

The Akr. Based on the provisions of § 6 paragraphs (1)-(3), all participants in the procedure are obliged
act in good faith and cooperate with other participants, no one's conduct

it may be aimed at deceiving the authority or the decision-making or implementation is unjustified
delay.

According to Article 31 of the General Data Protection Regulation, the duties of the data controller and the data processor
during its implementation, is obliged to communicate with the supervisory authority - based on its inquiry -
to cooperate.


According to Section 62 (1) of the Ákr, if the available information is not sufficient for decision-making
data, the authority will carry out an evidentiary procedure.

The Akr. According to § 63, if the clarification of the facts makes it necessary, the authority is the client
may invite you to make a statement; the Akr. According to paragraph (1) of § 64, if it is not excluded by law, it is
the client can replace the missing evidence with his statement if it is not possible to obtain it.


The Akr. Based on § 65, subsections (1) and (2), the authority, if necessary during the clarification of the facts,
and that of 2015 on the general rules of electronic administration and trust services
CCXXII. cannot be obtained by law, you can call the customer a deed or other document
for presentation. Unless otherwise provided by law or government regulation, the client shall provide the document
you can also submit a copy if you declare that it is the same as the original in all respects.

According to Article 58 (1) of the General Data Protection Regulation, the supervisory authority is investigating

acting within its competence - among other things - required by the data controller to perform its tasks
may request information, and the data controller is obliged to grant access to the supervisory authority
for all personal data and all information necessary to perform its tasks.

The Akr. According to paragraphs (1) and (2) of § 105, the customer is obliged to call the authority to this effect
to provide the data necessary for a substantive decision, the client may then refuse to provide the data
and if he could refuse that testimony. The Akr. Section 66 (3) in this case

on the basis of the relevant provision, the testimony may be refused if the client's testimony
would accuse himself or a relative of committing a crime or freedom of the press
and a media content service provider according to the Act on Basic Rules of Media Content (a
hereinafter: media content provider), or in an employment relationship with it or for work
a person in another legal relationship - even after the termination of the legal relationship - and a
with his testimony in connection with the activity of the media content provider
would reveal the identity of the person providing the information.


The Akr. Pursuant to § 64, paragraph (2), if the client or his representative knows otherwise
falsely states or withholds significant information from the point of view of the case - this does not include if not as a witness
can be heard or the testimony of the Ákr. Defined in points b) and c) of paragraph (3) of § 66


                                                 You can refuse for 5 reasons - or if it is part of the mandatory data provision in Section 105 (2).
in the absence of a specified reason, he does not fulfill his obligation to provide data, he may be subject to a procedural fine.

The Akr. Based on the provisions of § 77, whoever violates his obligation due to his own fault, the authority

obligates him to reimburse the additional costs caused, and may impose a procedural fine. The procedural
The minimum amount of the fine is HUF 10,000 per case, the maximum amount - if the law states otherwise
does not have - five hundred thousand HUF in the case of a natural person, legal entity or other
one million HUF in the case of an organization.

Infotv. Pursuant to § 61:


"61. § (1) In the decision made in the official data protection procedure, the Authority
 a) in connection with the data management operations defined in paragraphs (2) and (4) of § 2, the
can apply the legal consequences specified in the general data protection decree, thus
in particular, upon request or ex officio, he can order the personal data illegally processed by him
to be deleted in a specified manner, or temporarily or permanently in other ways
may limit data management, (…).
(2) The Authority may order in its decision - the identifier of the data manager or the data processor

disclosure by publishing your data, if
a) the decision affects a wide range of persons,
b) it was brought in connection with the activities of a body performing a public task, or
c) the severity of the infringement justifies disclosure.
(3) The application of a warning in the Authority's procedure is excluded if the Authority decides to do so
determines the need to impose a fine based on relevant regulations.
(4) The amount of the fine can range from one hundred thousand to twenty million forints

a) subsection (1) point b) bg) and
b) if for the payment of a fine imposed in the decision made in the data protection official procedure
obliged budgetary body, Article 83 of the General Data Protection Regulation
in the case of a fine imposed according to
(…)"

Pursuant to Article 12 of the General Data Protection Regulation:


"(1) The data controller shall take appropriate measures to ensure that the data subject a
all the information referred to in Articles 13 and 14 regarding the management of personal data and
15-22 and each information according to Article 34 is concise, transparent, comprehensible and easy
provide it in an accessible form, clearly and comprehensibly worded, especially a
for any information addressed to children. The information in writing or otherwise –
including, where applicable, the electronic route - must be specified. Oral at the request of the person concerned

information can also be provided, provided that the identity of the person concerned has been verified in another way.
(2) The data controller facilitates the relevant 15-22. the exercise of his rights according to art. Article 11 (2)
in the cases mentioned in paragraph 15-22 of the relevant to exercise his rights according to art
may not refuse to fulfill your request, unless you prove that the person concerned
cannot be identified.
(3) The data controller without undue delay, but in any case from the receipt of the request
informs the data subject within one month of the 15-22 brought as a result of a request pursuant to art

measures. If necessary, taking into account the complexity of the application and the requests
number, this deadline can be extended by another two months. About the extension of the deadline
the data controller, indicating the reasons for the delay, from the date of receipt of the request
informs the person concerned within a month. If the person concerned submitted the application electronically, a
if possible, information must be provided electronically, unless the data subject requests otherwise
asks for
(4) If the data controller does not take measures following the data subject's request, without delay, but

informs the person concerned no later than one month from the date of receipt of the request
about the reasons for the failure to take action, as well as about the fact that the person concerned can submit a complaint to a
with a supervisory authority, and can exercise his right to judicial redress.
(5) The information according to Articles 13 and 14 and Articles 15–22 and information according to Article 34 and


                                                 6 measures must be provided free of charge. If the data subject's request is clearly unfounded
- especially due to its repetitive nature - excessive, the data controller, taking into account the requested information or
for administrative costs associated with providing information or taking the requested measure:


a) may charge a fee of a reasonable amount, or
b) may refuse to take action based on the request.

It is the responsibility of the data controller to prove that the request is clearly unfounded or excessive.

(6) Without prejudice to Article 11, if the data controller has well-founded doubts in accordance with Articles 15-21. article
in relation to the identity of the natural person who submitted the application, further, the person concerned

you can request the provision of information necessary to confirm your identity.
(7) Information to be provided to the data subject pursuant to Articles 13 and 14 with standardized icons
can also be supplemented in order to make the planned data management clearly visible to the data subject,
receive general information in an easy-to-understand and easy-to-read form. It's electronically
displayed icons must be machine readable.
(8) The Commission shall be empowered to delegate in accordance with Article 92
adopt legal acts on the information to be displayed by the icons and the standardized icons

for the purpose of determining the procedures for ensuring

Pursuant to Article 15 of the General Data Protection Regulation:

"(1) The data subject is entitled to receive feedback from the data controller regarding whether
whether your personal data is being processed, and if such data processing is underway,
you have the right to access your personal data and the following information:

a) the purposes of data management;
b) categories of personal data concerned;
c) recipients or categories of recipients with whom or with which the personal data
communicated or will be communicated, including in particular to recipients in third countries, or
international organizations;
d) where appropriate, the planned period of storage of personal data, or if this is not the case
possible aspects of determining this period;

e) the data subject's right to request personal data relating to him from the data controller
rectification, deletion or restriction of processing and may object to such personal data
against treatment;
f) the right to submit a complaint addressed to a supervisory authority;
g) if the data were not collected from the data subject, all available information about their source;
h) the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22, including
also profiling, and at least in these cases to the applied logic and that

comprehensible information regarding the significance of such data management and the data subject
looking at the expected consequences.
(2) If personal data is transferred to a third country or international organization
is transmitted, the data subject is entitled to receive information about the transmission
about the corresponding guarantees according to Article 46.
(3) The data controller shall provide the data subject with a copy of the personal data that is the subject of data management
makes available. For additional copies requested by the data subject, the data controller is administrative

may charge a reasonable fee based on costs. If the person concerned electronically
submitted the application, the information must be in a widely used electronic format
to make available, unless the data subject requests otherwise.
(4) The right to request a copy referred to in paragraph (3) shall not be adversely affected
the rights and freedoms of others."

Pursuant to Article 21 (1) of the General Data Protection Regulation:


"(1) The data subject has the right to object at any time for reasons related to his own situation
against the processing of your personal data based on points e) or f) of Article 6 (1), including
also profiling based on the aforementioned provisions. In this case, the data controller is the personal one


                                                 7 data may not be processed further, unless the data controller proves that the data processing is as such
justified by compelling legitimate reasons that take precedence over the interests of the data subject,
against your rights and freedoms, or to submit legal claims,
are related to its enforcement or protection."


Pursuant to Article 24 (1)-(2) of the General Data Protection Regulation:

"(1) The data controller is responsible for the nature, scope, circumstances and purposes of data processing, as well as the natural
a risk of variable probability and severity to the rights and freedoms of persons
taking into account appropriate technical and organizational measures to ensure it
and for the purpose of proving that personal data is handled in accordance with this regulation.

These measures are reviewed by the data controller and updated if necessary.

(2) If it is proportionate in relation to the data management activity, referred to in paragraph (1).
as part of the measures, the data manager also applies appropriate internal data protection rules."


III. Decision


III.1. Presumed violation of the exercise of the right to protest

The Applicant contacted the Respondent several times via electronic mail, its query
in connection with the management of personal data processed through its interface.

Based on the e-mails attached as evidence during the procedure, the Applicant first received 2021.

submitted an application to the Respondent on March 25. In his electronic mail, the general
filed a protest in accordance with Article 21 of the Data Protection Regulation to the data controller.

Based on Article 21 (1) of the General Data Protection Regulation, the Applicant had the right "a
for reasons related to your own situation at any time" to object to your personal data in accordance with Article 6 (1)
against processing by the Respondent based on point e) or f) of paragraph


On the website https://vakcinainfo.gov.hu, data management information in effect at the time of submitting the application
according to:

"NEAK processes the provided personal data in accordance with Article 6 (1) point (e) of the GDPR and Article 386/2016.
(XII. 2.) Subject to the public duties contained in Section 7 (1) points o) and p) of Government Decree
handles",


as well as

"On the basis of your right to protest, you, as a data subject, are entitled to, with your own situation
object to your personal data at any time for reasons related to Article 6 (1) of the GDPR
against treatment based on point e). In this case, the data controller does not use the personal data
may continue to process it, unless the data controller proves that the data processing is so compelling
justified by legitimate reasons that take precedence over the interests, rights and

against your freedoms, or for the submission or enforcement of legal claims
are related to the protection of

furthermore

"The data provided during the application of the query interface (TAJ, date of birth) is provided by NEAK
it is compared with the records kept to establish the authority of the person executing the query

for the sake of.”

Pursuant to Article 12 (3)-(4) and (6) of the General Data Protection Regulation:



                                                8"(3) The data controller without undue delay, but in any case the request
within one month of its receipt, informs the person concerned of the 15-22. according to article
on measures taken following a request. If necessary, taking into account the request
complexity and the number of applications, this deadline can be extended by another two months. THE

the request for extension of the deadline by the data controller indicating the reasons for the delay
informs the person concerned within one month of receipt. If it is affected
submitted the application electronically, the information must be provided electronically if possible
to provide, unless the data subject requests otherwise."

"(4) If the data controller does not take measures following the data subject's request, it is a delay
without, but at the latest within one month from the receipt of the request

data subject about the reasons for the failure to take action, as well as whether the data subject complained
can submit it to a supervisory authority and exercise its right to judicial redress."

"(6) Without prejudice to Article 11, if the data controller has well-founded doubts in accordance with Articles 15-21. article
in relation to the identity of the natural person who submitted the application, further, the person concerned
you can request the provision of information necessary to confirm your identity."


Although from the content of the electronic letter of March 25, 2021 submitted by the Applicant to the Authority
it can be established that the Applicant is Article 21 (1) of the General Data Protection Regulation
he did not specifically refer to "reasons related to his own situation" according to
he stated that "the fact that I was registered for vaccination was made public".
in the opinion of the Authority, despite this, if the Respondent does not accept the Applicant's request
would have identified a legitimate objection under Article 21 of the General Data Protection Regulation
as a request, even in that case he would have been obliged according to Article 12 (3).

to respond within the deadline and with the content according to paragraph (4). Failure to respond is
during the procedure, the Respondent clearly acknowledged both the Authority and the Applicant.

In response to the Applicant's request to exercise the right to object received on March 25, 2021, only
He replied on November 26, 2021, and not even then in substance: "In order to justify our delay
I would like to say that (…) nearly 70,000 inquiries were received regarding vaccine registration
for NEAK.” According to the respondent, the processing of thousands of requests per day and

was answered, "using unchanged human resources capacities".

During the inspection conducted by the Authority at the Applicant's headquarters on November 24, 2021, its
according to the minutes, the following questions and statements were made:

       "3.1. "Declare whether you have arrived at the National Health Insurance Fund Management [...]
       from an e-mail address, or in any other way according to the general data protection regulation

       application for exercise of data subject rights on March 25, 2021 and April 6, 2021,
       or at any other time?”

       A protest was received on March 25, 2021. On April 6, the Applicant received the one concerning him
       log file access request to NEAK.

       3.2. "If so, please state whether you have responded to these stakeholder requests?

       Please respond to your statement separately, for each stakeholder request received!"

       NEAK has not responded to these yet, it is in progress.

       3.3. "Declare for each application whether you have evaluated them on their merits, as well as whether
       whether they were assessed within the deadline prescribed in the general data protection regulation?"


       The general information is awaiting signature, according to the Applicant's statement. The logging
       the data subject to an e-mail inquiry that does not allow easy identification of the results
       in the absence of identification, he cannot send it, given that they are
       refer to special personal data. The general procedure is to fill in gaps


                                                9 are requested from the person concerned, a private document with full probative value or, in urgent cases, four
       they fulfill it by confirming knowledge of natural personal identification data.

       In all cases, the response to the person concerned is given when the vaccine is registered

       may be sent to electronic contact for data security reasons even if it is
       the data subject submits it from another e-mail address or the data subject rights are exercised by a relative,
       bearing in mind that there is no proof of the relative's right of representation
       mode within the deadline. This does not apply to data subjects not received in connection with vaccine information
       for legal exercises.

       3.4. An employee of the Authority asked him to make a statement: "If not until today

       responded to the request or requests of the person concerned in the subject matter, please state as such
       about the reason why he didn't do it!"

       The Applicant submits:

       Since March 11, 2021, more than seventy thousand, according to the General Data Protection Regulation
       a request for the exercise of the rights of the affected party has been received, which it is unable to fulfill

       sufficient human resources are available, a total of four people are available on a case-by-case basis
       legal advisors of the Legal Department and regional bodies are also involved.

       In relation to the inquiry system, a total of inquiries were received from two stakeholders, viz
       one of the applicants involved in the case in question.

       The third issue related to the query system is that it was hit by a load attack

       data management system on March 25, 2021. Requested in this case, the chargeable
       filed a complaint with the investigative authority due to the attack, criminal proceedings were initiated in the case
       At the National Bureau of Investigation.

       The request of the applicant was presumably lost among the large number of requests.

       Currently, 100-150 requests are received per day, which is a manageable amount."


Based on the above, the Authority established that both the Applicant and the Respondent
his statement is the same in that until his application is submitted, the Applicant has nothing
he did not receive any information from the data controller, neither on the merits nor on the extension of the deadline
and the need for additional information needed to identify the Applicant
regarding. In addition, the Respondent's answer of November 26, 2021 did not include either
information on filing a complaint and legal remedies. Based on all this, the Authority

as written in the relevant part, established in this regard by the general data protection
the violation of Article 12 (3)-(4) of the Decree.

The Authority subsequently rejected the Applicant's request, according to the relevant part, because a
Requests addressed to the respondent to exercise data subject rights in a non-identifiable manner,
submitted it by simple electronic mail (e-mail), but it was sent late
according to the data controller's information, you already know in accordance with the procedure of the Requested Party

to submit his data subject requests and to exercise his data subject rights, thus an actual violation of his rights e
he didn't understand it.


III.2. Presumed violation of the exercise of the right of access

The Applicant, since he did not receive a response to his protest request dated March 25, 2021 from the Application,

with reference to Article 15 of the General Data Protection Regulation on April 6, 2021
submitted a request to the Respondent via electronic mail, requesting:

"please send me exactly when and from which IP address I requested the TAJ/birth. date


                                               By entering with combination 10, my vaccination registration data".

Because the cited stakeholder request is Article 12 (3) of the General Data Protection Regulation
neither a substantial response within the one-month deadline, nor an extension of the deadline

did not receive relevant information regarding the conduct of the Applicant's data protection official procedure
submitted an application to the Authority.

During the clarification of the facts, the Authority referred to III.1. as described in point, established that
the Applicant also did not receive a response from the Application to the stakeholders sent on April 6, 2021
upon request, as well as by March 25, 2021.


Based on the above, the Authority established that the Respondent, regardless of whether a
received a request for access according to Article 15 of the General Data Protection Regulation
whether he considered it or not, he would have been obliged to do so within the time limit according to Article 12 (3), (4)
to be judged on the merits with the content according to paragraph. This is not disputed by the Respondent
due to his absence, the Authority decided according to the relevant part.



III.3. The supplement to the application, the obligation to identify the person concerned and the information about it
information

On November 30, 2021, the Applicant sent another submission citing new evidence to the
For the Authority (NAIH-4820-12/2021.). The Applicant attached the Respondent November 26, 2021-
dated F022/25-3/2021. reference number, F022/37-2/2021. letter with file number, in which a
The Respondent informed the Applicant that "for the merits of his protest and the requested

it is not possible to provide data on the basis of the submitted electronic mails
that your identification is not based on the data available in the e-mail
possible, which from the point of view of the assessment of your objection and the provision of data -
given that it affects the rights of the stakeholders, it is essential."

The Applicant objected that the Applicant did not evaluate his data subject requests even within eight months
in merit. He considered it unjustified that the Respondent did not respond to the merits of the requests in full

subject to submission in the form of a private document with evidentiary value, with customer gatekeeper identification,
even though the only legal requirement for the submission of the application is the identification of the customer, a
a private deed form with full evidential force is not.

According to the applicant, this violates Article 12 (1) of the General Data Protection Regulation in that a
regarding that the data controller must comply "in an easily accessible form".
obligation to provide information.


The applicant further explained: "Contrary to points b) and c) of Article 5 of the GDPR, additional
determined the management of my personal data when my birth name and date of birth
and asks me to enter my place and my mother's birth name. These data
they are not necessary for my identification, as they are already related to the data processing affected by the protest
I only provided my name, e-mail address, date of birth and social security number. On this
I provided and attached my data in my application to the Applicant.

(…)
I respectfully ask the Authority to proceed with its procedure for the above infringement also with a Request
opposite."

In view of the new application (supplement to the application) submitted on November 30, 2021, the Authority
established that, despite the incomplete reference, Article 5 of the General Data Protection Regulation
(1) of Article points b) and c) and Article 12 (1) presupposes a violation.


Pursuant to Article 12 (6) of the General Data Protection Regulation, "if the data controller
you have reasonable doubts about 15-21. a natural person submitting an application pursuant to Art
regarding his identity, it is necessary to further confirm the identity of the person concerned


                                               11 may request the provision of information".

According to the Authority's point of view, the duty of the requested state data controller is to the affected parties, such as a
It is the responsibility of the person concerned to establish the identity of the Applicant involved in the subject matter (identification).

prior to securing rights, for which simple e-mail is not suitable, lack of identification
may lead to a data protection incident. Against Cov-19 operated by another data controller
the identification of the person concerned was not realized on the vaccination registration interface either, and
In the case of the Respondent, no further action was taken in relation to the Applicant.

NAIH-4820-11/2021. Pursuant to the Protocol of inspection no. the Respondent is clear
position on the identifiability of those involved: "Simple identification of the logging results

does not allow e-mail inquiries due to the lack of identification of the data subject
to send, given that they refer to special personal data. It's common
the procedure is to ask the person concerned to fill in the gaps, you are a private document with full probative value
in urgent cases, it is performed by confirming the knowledge of four natural personal identification data
that."

At the same time, as part of clarifying the facts, the Authority ex officio examined the

Information provided upon registration on the website vaccinainfo.gov.hu, on the Applicant's website
information on data management, as well as on the query interface related to the matter in question
(https://vakcinareg.neak.gov.hu/regisztracio/AdatkezelesiTajekoztato.pdf) available
informative content.

However, none of the information sheets contain how the data subjects can be identified
themselves before the requested data controller during the exercise of their data subject rights, as well as

that requests from unidentified data subjects will not be answered at all.

However, according to the information on the query interface:

"The data subject in the event of a violation of his rights related to the processing of his personal data, as well as his rights
in order to validate it, to the National Health Insurance Fund Manager (1139 Budapest, Váci út
73/A, e-mail address: adatvedelem@neak.gov.hu; name of data protection officer: dr. Szomolanyi

Borbála, e-mail address: adatvedelem@neak.gov.hu) can be contacted."

According to the Authority's point of view, if the Applicant, according to the specified rules, only
after establishing beyond doubt the identity of the person concerned, it will judge on its merits
stakeholder requests, this prerequisite should have been informed in the information sheet(s) above
necessary for those involved. Since the Respondent is obliged to identify the data subject
he did not make the relevant expectations, i.e. the prerequisites for the exercise of the rights of the stakeholders

made available, violated Article 5 (1) of the General Data Protection Regulation. according to point a).
the requirement of transparency.

Since the Applicant was not identified in the absence of the necessary data, a
in the subject matter, it cannot even be raised that the 2021, aimed at filling in these missing data.
the invitation sent to the Applicant on November 26, the Authority pursuant to Article 12 (1)
as actual, meaningful information, or as a violation of the easily accessible format

evaluate, namely for the identification of the data subject, as well as for the merits of the data subject application
relevant provisions contain different requirements.

The obligation of identification according to the above does not give exemption according to Article 12 (3).
deadline and from the obligation regarding the content according to paragraph (4), however, these
violations of law, the Authority shall refer to III.1. and III.2. as explained in points already evaluated and a
made findings in accordance with the provision.


The Authority, taking into account the requirement of good faith, does not consider that it is well-founded
the identity of the data subject submitting a request for the exercise of data subject rights
the management of the data necessary for its determination, as well as the electronic administration route that ensures this


                                                12 would violate the principle of purpose-bound data management or data saving, especially if
that as long as the Applicant identifies with the Authority as a customer gatekeeper, via e-Paper, the
connection, until then through the same Central Identification Agent ("Customer Gatekeeper")
identification in connection with another public body "in Article 5 b) and c) of the GDPR"

considers it a conflict.

At the same time, the Authority notes that personal data managed by a data controller is one
categories do not define what is necessary to identify the natural person concerned
range of natural personal identifiers.

Thus, contrary to the Applicant's assumption, the fact that in the case in question the Respondent manages the

It does not make certain categories of the applicant's personal data illegal in itself, such as, for example,
personal data contrary to points b) and c) of Article 5 (1)
the management of other categories of data for the purpose of customer identification.

In view of the above, the Authority rejected the request in this regard, according to the relevant part.

Furthermore, according to the relevant part, the Authority established ex officio the general data protection

violation of the principle of transparency according to Article 5 (1) point a) of the Regulation.


III.4. Lack of the Respondent's obligation to cooperate during the procedure

The Authority NAIH-4820-6/2021. s. already assessed the Respondent's previous default in its decision
and imposed a procedural fine, but nevertheless requested it repeatedly in the same order

the Respondent did not send information to the Authority after that either, the Authority took this into account
In its order number 8, it ordered an on-site visit in 2021 in order to clarify the facts.
for the 24th of November.

During the on-site inspection conducted at the Applicant's headquarters - based on its minutes - a
The respondent's representative submitted that the Authority did not comply due to internal organizational reasons
orders:

       "1. In order to clarify the facts, the acting civil servant of the Authority declares a
       He asked his head of department, who was entitled to make a statement, that he had received
       through the office gate, the Authority NAIH-4820-4/2021. contained in order no
       questions, NAIH-4820-5/2021. questions sent repeatedly in order no.
       and NAIH-4820-6/2021. the procedural fine established in order no. and the
       NAIH-4820-4/2021. questions written in order no. within five working days
       obligation to answer.

       On behalf of the Applicant, the present (…) informs the acting members of the Authority that the above
       orders no. Sub-orders 5 and 8 are dedicated to the Data Protection and
       They were forwarded to the Coordination Department for further administration.
       The Authority sent sub-numbers 4 and 6 to the office gate of NEAKJOG. (…) Wow
       provides information that, due to the internal organization, this type of inquiries
       The applicant is received at the OEPKER office gate, so it has not yet been identified. The Authority
       his colleagues handed over a certified copy of the four orders written above."


According to the testimony of the minutes, the Authority in support of the fact that during the on-site inspection
as stated, the approximately seventy thousand referred to by the Respondent actually occurred
fulfillment of an access request based on any of the requests are the log files of the querying interface
regarding, requested that the Respondent send the supporting document after the inspection
evidence:


"Documents requested to be additionally attached by the representatives of the Authority:
to the previous, completed stakeholder access request for the log file affected by the case in question
a copy of the answer." (NAIH-4820-11/2021., page 6 of the minutes)



                                               13 Despite this, the Authority did not send the promised evidence until this decision became final
got it.

In view of the above, the Authority decided according to the relevant part and established it ex officio

According to Article 31 of the General Data Protection Regulation, the Respondent is obliged to cooperate
in relation to the period following the failure to pay a procedural fine.


III.5. Querying the status of online registration on the website vaccinainfo.gov.hu

In his application, the Applicant objected that by specifying the TAJ and his date of birth a

The status of your online registration on vaccinainfo.gov.hu is directly the query
appears on the interface, in this way the Respondent has made his personal data public.

Since the Authority is not obliged to act based on mere assumptions, NAIH-4820-2/2021. s.
in point 5 of the order, called on the Applicant to state whether he can prove that,
that it actually became known to an unauthorized natural or legal person
the fact of its registration.


NAIH-4820-3/2021. in his answer filed under the account, the Applicant stated that he also
sought an answer to the question, but the Respondent did not respond to the stakeholder's request.

The Authority states that the vaccination against the coronavirus occurred on the site vaccinainfo.gov.hu
online or by returning the form sent by the Hungarian State Treasury

the fact of registration does not mean that the vaccine is actually taken by a person concerned and therefore does not
constitutes the processing of special personal data.

Based on the above, the Authority's position is that although the query interface is indeed direct
displays information about the status of the registration, this in itself is not necessarily the case
disproportionate to the rights and freedoms of natural persons, variable probability and
with serious risks, the protective measures applied during identification are known

they can be proportional to data circles. Consideration of this is the task of the requested data controller.

Based on the above, the Authority rejected the request in the query interface
regarding that the Respondent, if the Applicant properly identifies himself
before that, he is obliged to comply with the Requester's access request, which will reveal that
whether an actual infringement has occurred. If such a real violation of the access request
on the basis of the given answer, the Applicant will likely, on the basis of this evidence, as a violator

affected by data management, can request the Authority's procedure with the data manager who committed the violation
opposite.

However, the Authority did not substantiate the violation with evidence, based on its mere assumption
does not act on a stakeholder request, so it decided as written in the operative part.



III.6. Legal consequences

The Respondent did not inform the Applicant in a timely manner that it was personal identification
in its absence, it cannot evaluate the data subject's requests to exercise their rights. THE
however, following delayed information, the Applicant provided the available,
you can exercise your data subject rights in a way that includes establishing your identity.
If the Applicant decides not to disclose his identity to the Respondent

credibly substantiated, the fact of this cannot be assessed at the expense of the Respondent.

Therefore, the Authority granted the Applicant's request and found that III.1.-III.4. according to point
violations and Article 58 (2) of the General Data Protection Regulation. b) convicts him
the Applicant because he violated Article 12 (3)-(4) of the General Data Protection Regulation


                                               14 by not providing the Applicant with information on the rights of the data subject for personal identification
until November 26, 2021. As a result, point a) of Article 5 (1) is violated
the principle of transparency, as well as Article 31 of the General Data Protection Regulation during the procedure
the expectation of cooperation according to Article 5 (2).

principle of "accountability".

In addition to this, the Authority - the III.5. subject to what is written in point - the Applicant refuses to do so
your request to establish a violation of the alleged disclosure of your personal data
in the subject matter of the decision, a violation of the principle of purpose-bound data management and data saving,
as well as regarding the management of personal data of other natural persons.


The Authority examined ex officio whether due to the established violations, the
Imposition of a data protection fine against a request. In this context, the Authority is the general
Article 83 (2) of the Data Protection Regulation and Infotv. 75/A. considered ex officio on the basis of §
all the circumstances of the case and established that in the case of the violation discovered during this procedure
the warning is neither a proportionate nor a dissuasive sanction, therefore Infotv. Section 61 (4)
it is necessary to impose a fine according to point b) of paragraph
decided by acting in a discretion based on


When imposing the fine, the Authority considered the following factors as aggravating factors:

1. The violations committed by the Respondent are Article 83 (5) of the General Data Protection Regulation
according to point a) of the paragraph, the violation belonging to the higher fine category
are considered to be related to a basic principle.


2. The violation is serious because the Respondent, with its data management, violates the Applicant's data subject rights
hindered its exercise, by the fact that only the Authority, significantly late to the stakeholder's request
responded after his on-site inspection. [general data protection regulation Article 83 (2) a)
point]

3. The Respondent did not cooperate with the Authority during the investigation of the case. THE
multiple orders calling for the provision of data verified by the Requested party and by means of the order

even after the imposed procedural fine, he did not respond to the Authority's orders clarifying the facts, a
did not send the requested additional information to the Authority. The Authority did not know that
to fully clarify whether the Requested party answers the requests of the stakeholders properly
[general data protection regulation Article 83 (2) point f)].

When imposing the fine, the Authority considered the following factors as mitigating factors:


1. The COVID-19 pandemic is unprecedented in data management processes
required its establishment within an extremely short period of time, with related stakeholder rights
in order to ensure that the data controller was previously unable to assess the necessary resources,
it had to be provided with an unchanged number of human and budgetary resources. [general
Article 83 (2) point a) of the Data Protection Regulation]

2. The Authority had previously provided the Applicant with the provisions of the general data protection regulation

he has not yet been convicted for his violation. [Article 83 (2) of the General Data Protection Regulation
point (e)]

3. There was no evidence indicating that the Applicant actually suffered damage (loss)
would have arisen as a consequence of the Respondent's default. [general data protection regulation
Article 83(2)(k)]


By imposing a fine, the special preventive goal of the Authority is to encourage the Applicant
to review its data management practices in connection with the provision of data subject rights.

The amount of the fine was determined by the Authority acting within its statutory discretion.


                                                 15 Based on the above, the Authority decided in accordance with the provisions of the statutory part.

Therefore, the Authority, after considering the relevant circumstances of the case, five hundred thousand forints, i.e

He ordered the imposition of a HUF 500,000 data protection fine.

The Authority also ordered the final decision on the website of the Requested ID
publication with its data.


ARC. Exceeding the administrative deadline


During the procedure, the Authority exceeded Infotv. 60/A. One hundred and fifty days according to paragraph (1) of §
administrative deadline, therefore the Ákr. Section 51 (1) Based on point b), ten thousand forints will be paid by a
To the applicant.


A. Other questions


The competence of the Authority is set by Infotv. Paragraphs (2) and (2a) of § 38 define it, and its competence is
covers the entire territory of the country.

The Akr. on the basis of § 112 and § 116 (1) and § 114 (1) with the order
on the other hand, there is room for legal redress through a public administrative lawsuit.


                                                * * *

The rules of the administrative trial are set out in Act I of 2017 on the Administrative Procedure
hereinafter: Kp.) is defined. The Kp. Based on § 12, paragraph (1), by decision of the Authority
the administrative lawsuit against falls within the jurisdiction of the court, the lawsuit is referred to in the Kp. § 13, subsection (3) a)
Based on point aa), the Metropolitan Court is exclusively competent. The Kp. Section 27, paragraph (1).
Based on point b), legal representation is mandatory in a lawsuit within the jurisdiction of the court. The Kp. Section 39

(6) of the submission of the claim for the administrative act to take effect
does not have a deferral effect.

The Kp. Paragraph (1) of § 29 and, in view of this, Pp. According to § 604, the electronic one is applicable
CCXXII of 2015 on the general rules of administration and trust services. law (a
hereinafter: E-administration act) according to § 9, paragraph (1), point b) of the customer's legal representative
obliged to maintain electronic contact.


The time and place of submitting the statement of claim is set by Kp. It is defined by § 39, paragraph (1). THE
information on the possibility of a request to hold a hearing in Kp. Paragraphs (1)-(2) of § 77
is based on. The amount of the fee for the administrative lawsuit is determined by Act XCIII of 1990 on fees. law
(hereinafter: Itv.) 45/A. Section (1) defines. It is from the advance payment of the fee
Itv. Paragraph (1) of § 59 and point h) of § 62 (1) exempt the party initiating the procedure.


Budapest, dated: according to electronic signature




                                                            Dr. Attila Péterfalvi
                                                                   president

                                                             c. professor





                                                 16