NAIH - NAIH/2020/34/3 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 12(2) GDPR Article 15 GDPR Article 83(2)(a) GDPR Article 83(2)(c) GDPR Article 83(2)(d) GDPR Article 83(2)(k) GDPR Recital 63 Regulation 2016/679 (GDPR) |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 08.06.2020 |
Published: | |
Fine: | 200000 HUF |
Parties: | n/a |
National Case Number/Name: | NAIH/2020/34/3 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Hungarian |
Original Source: | NAIH (in HU) |
Initial Contributor: | n/a |
The Hungarian DPA (NAIH) held that a former civil servant had the right of access to their work email archive under Article 15. However, they were not entitled to access all of the information in the archive, pursuant to restrictions set out in Recital 63.
English Summary
Facts
The complainant was employed as a civil servant, but his employment was terminated in February 2019. The complainant knew of his termination four months in advance (October 2018), and so filed an employment law action in early November 2018.
In the course of the employment law proceedings, the complainant sought access to the entire 2018 archive of his email account on a CD, which included partly private letters, correspondence concerning with publishers from certain publications regarding to the complainant's research and letters regarding other applications and the complainants' doctoral training.
The respondents rejected the complainant's reasons for the requests, stating that no interest would justify the complainant's access to the mail account again as a former civil servant.
Dispute
Did the complainant have a right of access under Article 15 GDPR? By denying the complainant access, did the respondent infringe Articles 12(1) or 12(2) GDPR?
Holding
The NAIH that the complainant's right of access could only be partly upheld.
In particular, given the volume of emails requested and the complainant's failure to specify which emails they required, the NAIH held that pursuant to Recital 63 GDPR, the complainant should have specified to which emails the request related and that the respondent could legitimately refuse the complainant access to the entire archive of emails from 2018.
However, the NAIH also held that the application of Recital 63 did not deny the complainant access to all of his letters and correspondence. The NAIH noted that the respondents could have asked the complainant to clarify which emails he specifically required, or they could have sorted the letters into private and business categories. On this basis, the NAIH decided that the respondents had failed to provide the complainant with adequate and transparent information on accessing his private letters pursuant to Article 12(1). Subsequently, the NAIH held that the respondents had infringed Article 12(2) as they failed to facilitate the exercise of the complainant's data rights under Article 15.
Comment
The NAIH considered that the respondent's failure to properly inform the applicant of their access rights, and their obstruction of the complainant's Article 15 entitlements were aggravating factors in deciding the amount of the fine issued to the respondent, on the basis of GDPR Articles 83(2)(a), (k), (c) and (d). The respondent will be subject to an additional fine of 10,000 HUF if they do not fulfil the orders of the NAIH pursuant to the decision within 30 days of being notified of the decision.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case No: NAIH / 2020/34 / 3. (NAIH / 2019/7857) Subject: Decision granting the application in part At the request of the National Authority for Data Protection and Freedom of Information (hereinafter: the Authority) [...] hereinafter: the Applicant) 8 November 2019 [...] (hereinafter: the Applicant) in the data protection authority proceedings concerning access to the 2018 archived letters of his workplace e-mail account provided by his former employer, makes the following decisions: I. The Authority In its decision. 1.a The Applicant's application is partially upheld and the Applicant has unlawfully refused to grant the Applicant access to his archived private letters in 2018. I. 2. Notes of its own motion that the Applicant did not facilitate the exercise of the Applicant's right of access by failing to provide him with transparent information on the action taken on his application. I. 3. Instructs the Applicant ex officio to review, within 15 days of the finalization of this decision, with the involvement and information of the Applicant, that the Applicant's e-mail account2018. which personal data of the archives of the previous years and, if applicable, of the previous years, are considered private, and to provide the Applicant with access to these private e-mails. 4. Rejects the part of the Applicant's request that the Authority oblige the Applicant to provide the archived work-related letters of his workplace e-mail account in 2018. I. 5. obliges the Applicant to pay HUF 200,000 ex officio, ie two hundred thousand HUF data protection fines. II. The Authority IN ORDER OF ITS ORDER, it shall order the payment of HUF 10,000, ie ten thousand forints, to the Applicant by the transfer of a bank account or postal voucher of his / her choice, if he / she exceeds the administrative deadline. The Applicant must confirm to the Authority in writing, within 30 days of the notification of this Decision, that he has fulfilled the obligations set out in point I. 3, together with the supporting evidence. The data protection fine must be paid within 30 days from the date of the final decision of the Authority's centralized collection account for centralized revenues (10032000-01040425-00000000 Centralized collection account IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, NAIH / 2020/200. Quince. If the Applicant fails to meet its obligation to pay the fine within the time limit, it shall pay a late payment surcharge to the above account number. The amount of the late payment fee is the statutory interest rate, which is the central bank base rate valid on the first day of the calendar half-year affected by the delay. In case of non-payment of the obligation provided for in point I. 3 or the data protection fine and late payment fee, the Authority By a decision pursuant to point I of this decision and There is no right of administrative appeal against the order pursuant to point 1 of this Article, but it may be challenged in an administrative lawsuit addressed to the Metropolitan Court within 30 days of the communication. The emergency does not affect the time limit for bringing an action. The application must be submitted to the Authority, electronically, which will forward it to the court together with the case file. The request for a hearing must be indicated in the application. For those who do not receive a full personal tax exemption, the administrative fee is HUF 30,000, and the lawsuit is subject to the right to record the material tax. Legal representation is mandatory in the proceedings before the Metropolitan Court. REASONS. Procedure and clarification of the facts I. 1. By letter received on 7 November 2019, the Applicant applied to the Authority, in vain to request the Applicant, on 6 February 2019, to access his work e-mail account after the termination of his employment as a civil servant [...] 2018 . The Applicant requested the Authority to initiate a data protection authority procedure for the issuance of the Applicant's e-mails, including his official and semi-official archives with the management. I. 2. In its order to initiate the data protection authority procedure, the Authority notified the Applicant and, in order to clarify the facts, called for a statement and disclosure of information. The termination date was 9 February 2019. Following the termination, the Applicant filed an employment lawsuit against the Applicant on 9 November 2018 for the legal consequences of the unlawful termination of the employment relationship, in which the appellant brought action. During the labor lawsuit, on February 6, 2019, the Applicant submitted a request in which he wanted to receive the 2018 letters from the Applicant on a CD in order to obtain his e-mails about scientific publications and announcements related to research related to his employment. According to the Applicant's letter to the Applicant, he would have needed partly private letters containing the IDs, passwords, passwords to the journals, submission time, name of the journal and persons and information related to the application of university teaching aids in various companies. According to his statement to the Authority, he specifically wanted to receive letters concerning communications and scientific publications, scientific activity and contracts, as well as correspondence with publishers which the Applicant stated he had received at his Representation. According to the Applicant's statement, he also wanted to have access to the letters he received regarding the applications he received and the doctoral training. you should also arrange for it to be delivered to colleagues. According to the Applicant's statement dated 29 November 2019, the archive of the e-mail account, although it has deleted most of them, may contain a small number of private letters. The Authority's request was addressed mainly to its internal correspondence, official and semi-official letters to management. However, the Authority notes that the The applicant would not accept the reasons given by the Applicant for his access to his e-mails, as he considered that the Applicant, as a university, should who takes over the duties of his former civil servant and in what way, so there is no interest on the Applicant's page that would justify the Applicant's access to the mail account again as a former civil servant. Given that the Applicant's employment as a civil servant has been terminated, the Applicant's Declaration does not allow him to indicate the Applicant in his scientific publications, so there is no interest on the Applicant's side referred to by the However, in view of the fact that an employment lawsuit was pending and that the Applicant could not identify the personal data, such as scientific publications, which the Applicant had requested to be disclosed, the Data Controller could not comply with his request. According to the Applicant's Declaration, the use of the electronic mail system for private purposes was not regulated in any way at the time of the Applicant's civil service relationship, therefore the Applicant could use or use it for private purposes in accordance with its declaration. Thus, in the absence of appropriate internal regulations, the Applicant did not receive any specific information, however, in accordance with Article II of the [...] Organizational and Operational Regulations. Pursuant to the last sentence of Section 36 (2) of the Employment Requirements System, the Applicant should have cease. The Applicant also requested that if it is established in the data protection authority proceedings that the Applicant has committed an infringement and the Authority considers that a fine is justified, the Authority should note that the Applicant has committed an infringement for the first time since the entry into force of the General Data Protection Regulation. Your application has not yet been convicted of a breach of the General Data Protection Regulation. The Applicant regulated the issues examined in the data protection authority procedure in full, in detail, informed its employees about the established norm, the adopted data management and data protection regulations, and also informed the public employees about the data management in the use of their e-mail account. The Application was the subject of an employment lawsuit between the Applicant, due to which the Applicant's interest justified that the Applicant, as a former civil servant, should not have access to his correspondence, as this would have provided an opportunity to even remove evidence that could be used in the lawsuit. Irrespective of the lawsuit, the protection of the data controller's financial and economic interests and business secrets justified the non-disclosure of any data due to the termination of the Applicant's civil servant status. According to the Applicant's statement, the Applicant justified the reopening of his / her e-mail account in his / her application to the Applicant on the grounds that there was a university interest in publishing the publications (scientific publications) he / she wanted to obtain. However, in view of the fact that the legal relationship of the Applicant as a civil servant has been terminated, he / she may not indicate the Applicant in his / her future publications and scientific publications, so the Applicant's interest referred to by the Applicant does not exist. In addition, in the Applicant's view, the Applicant could reasonably be expected to have its communications available on other media. The other reason cited by him, according to which various software related to his legal relationship and job is sent to this e-mail address, is not an appropriate reason, as they are the property of the Applicant, to which the Applicant as a former civil servant has no connection. The Applicant could get acquainted with the letters received at this e-mail address, related to the legal relationship of the Applicant as a former civil servant, and took care of the related work. The Applicant also requested the Authority to take into account that no pecuniary or non-pecuniary damage had occurred on the Applicant's side and that the Applicant's employment relationship had been terminated with an exemption which he became aware of four months before the actual termination, thus: you had the option to redirect, save, delete, or perform any other operation on your private mail. According to the Applicant's Declaration, he is also fully open to the transmission of the Applicant's private letters, provided that he indicates the e-mails from which he has requested and to which he is sent, indicating that he is requesting access to or publication of correspondence for the entire term or for a specified period. , and indicating the medium on which you request the data to be sent and whether the data is to be transmitted to yourself or another data controller. However, the Applicant stated all this to the Authority, in an e-mail sent to the Applicant on 25 February 2019, denying the Applicant access to his archived e-mails in 2018 only on the grounds that, unless his / her data protection officer was interest does not justify it, we cannot allow it. He is no longer entitled to act or work on behalf of [...], so his correspondence in the course of his university work belongs to [...]. Such an edition could not work independently of the GDPR, and it has been less so since then. ” II. Applicable legal provisions on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC Pursuant to Article 2 (1) of Regulation (EU) 2016/679 (hereinafter referred to as the General Data Protection Regulation), the General Data Protection Regulation applies to the processing of data in the present case. Act CXII of 2011 on the right to information self-determination and freedom of information. Act (hereinafter: the Information Act) 2. § (2) of the Information Act, the general data protection decree shall be applied with the additions contained in the provisions indicated therein. Pursuant to Section 60 (1), in order to enforce the right to the protection of personal data, the Authority may, upon request, initiate data protection authority proceedings and may ex officio initiate data protection authority proceedings. The data protection authority procedure is governed by Act CL of 2016 on General Administrative Procedure. (hereinafter: Ákr.) shall apply with the additions specified in the Information Act and with the exceptions provided for in the General Data Protection Decree. take measures to ensure that the data subject is provided with all the information referred to in Articles 13 and 14 and Articles 15 to 22 concerning the processing of personal data. and any information referred to in Articles 1 and 34 shall be provided in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible manner, in particular in relation to any information addressed to children. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. Oral information may be provided at the request of the data subject, provided that the identity of the data subject has been otherwise established. exercise of their rights under this Article. In the cases referred to in Article 11 (2), the controller shall It may not refuse to comply with a request for the exercise of its rights under Article 1 unless it proves that the person concerned cannot be identified. 3. The controller shall, without undue delay, but in any case within one month of receipt of the request, inform the data subject in accordance with Articles 15 to 22. on the action taken in response to a request under Article. If necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension of the time limit, indicating the reasons for the delay, within one month of receiving the request. If the data subject has submitted the request by electronic means, the information shall, as far as possible, be provided by electronic means, unless the data subject requests otherwise. 5. The information referred to in Articles 13 and 14 and the information referred to in Articles 15 to 22 shall be provided to the data subject within one month of The information and action provided for in Articles 31 and 34 shall be provided free of charge. If the data subject's request is manifestly unfounded or, due to its particularly repetitive nature, excessive, the controller may, taking into account the administrative costs of providing the requested information or action: (a) charge a reasonable fee, or (b) refuse to act on the request. 6. Without prejudice to Article 11, where the controller has reasonable doubts as to the application of Articles 15 to 21, the burden of proving that the request is manifestly unfounded or excessive shall In relation to the identity of the natural person submitting the application in accordance with Article 1, he may request the provision of additional information necessary to confirm the identity of the data subject. " According to Article 15 of the General Data Protection Regulation: have access to the following information: (a) the purposes of the processing, (b) the categories of personal data concerned;(c) the recipients or categories of recipients to whom or to whom the personal data have been or will be communicated, including, in particular, recipients in third countries or international organizations; (e) the right of the data subject to request the controller to rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data, (f) the right to lodge a complaint with a supervisory authority; (h) the fact of the automated decision-making referred to in Article 22 (1) and (4), including profiling, and at least in these cases the logic used and its comprehensible nature; information that 2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the transfer in accordance with Article 46. 3. The controller shall make a copy of the personal data which are the subject of the processing available to the data subject. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject has submitted the request by electronic means, the information shall be provided in a widely used electronic format, unless the data subject requests otherwise. " According to Article 23 (1) of the General Data Protection Regulation: “Union or Member State law applicable to a controller or processor may, by means of legislative measures, restrict Articles 12 and 34 and Articles 12 to 22. the scope of the rights and obligations set out in Article 5, provided that the restriction respects the essential content of fundamental rights and freedoms and is a necessary and proportionate measure to protect in a democratic society: (a) national security; (c) public security, (d) the prevention, investigation, detection or prosecution of criminal offenses and the execution of criminal sanctions, including protection against and prevention of threats to public security, (e) other important general interest objectives of the Union or of a Member State, in particular important economic or financial interests of the Union or of a Member State, including monetary, budgetary and fiscal matters, public health and social security, (f) protection of the independence of the judiciary and judicial proceedings; (h) in the cases referred to in points (a) to (e) and (g), control, investigation or regulatory activities relating to the performance of public authority tasks, in the cases referred to in points (a) to (e) and (g); the protection of the data subject or the protection of the rights and freedoms of others; (j) the enforcement of civil claims. " According to Article 58 (2) of the General Data Protection Regulation: (b) condemn the controller or the processor if his or her processing activities have infringed the provisions of this Regulation; (e) instruct the controller to inform the data subject of the data protection incident, (f) temporarily or permanently restrict the processing, including the prohibition of the processing; ., 17 and 18 respectively, order the rectification or erasure of personal data or the restriction of data processing, and order the notification of the recipients with whom or in accordance with Articles 17 (2) and 19. with whom the personal data have been communicated, h) vi withdraw the certificate or instruct the certification body to withdraw the certificate issued in accordance with Articles 42 and 43, or instruct the certification body not to issue the certificate if the conditions for certification are not or are no longer fulfilled; impose an appropriate administrative fine in addition to or instead of the measures referred to in this paragraph, as the case may be; and (j) order the suspension of the flow of data to a third country recipient or to an international organization. " Under Article 83 (2), (5) and (7) of the General Data Protection Regulation: '... 2. Administrative fines shall be imposed in accordance with Article 58 (2) (a) to (h), ) and (j). In deciding whether to impose an administrative fine or in setting the amount of an administrative fine, due regard shall be had in each case to: (a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question; and the number of data subjects affected by the breach and the extent of the damage they have suffered, (b) the intentional or negligent nature of the breach, (c) any action taken by the controller or processor to mitigate the damage suffered by the data subject; the extent of the controller's liability, taking into account the technical and organizational measures taken by him under Articles 25 and 32. (e) the relevant infringements previously committed by the controller or the processor, (f) the supervisory authority to remedy the infringement and any adverse effects of the infringement; to alleviate fo (g) the categories of personal data involved in the breach; (h) the manner in which the supervisory authority became aware of the breach, in particular whether the controller or processor reported the breach and, if so, in what detail; (j) whether the controller or processor has complied with the codes of conduct approved in accordance with Article 40 or the data referred to in Article 42; approved certification mechanisms; and (k) other aggravating or mitigating factors relevant to the circumstances of the case, such as the financial gain or loss avoided as a direct or indirect consequence of the infringement. With an administrative fine of EUR 1 000 000 or, in the case of undertakings, the previous financial year as a whole up to 4% of its annual worldwide turnover, the higher of the two amounts being charged: (a) the principles of data management, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9; (b) the rights of data subjects under Articles 12 to 22. (c) the transfer of personal data to a recipient in a third country or to an international organization in accordance with Articles 44 to 49; (d) in accordance with Article IX; (e) failure to comply with an instruction of a supervisory authority pursuant to Article 58 (2) or a request to temporarily or permanently restrict or suspend the processing of data, or in breach of Article 58 (1); 7. Without prejudice to the remedial powers of the supervisory authorities under Article 58 (2), each Member State may lay down rules on the whether an administrative fine can be imposed and, if so, to what extent. Infotv. 75 / A. § “the Authority shall exercise the powers provided for in Article 83 (2) to (6) of the General Data Protection Regulation, taking into account the principle of proportionality, in particular by providing for the first set of rules on the processing of personal data in legislation or a binding act of the European Union. In accordance with Article 58 of the General Data Protection Regulation, measures shall be taken to remedy the breach primarily by warning the controller or processor. ”Infotv. According to Section 61 (4) (b): "The amount of the fine may range from one hundred thousand to twenty million forints if the budgetary body is obliged to pay the fine imposed in the decision made in the data protection authority proceedings, in the case of a fine imposed pursuant to Article 83 of the General Data Protection Regulation." III. Decision III. 1. General remarks According to the definitions of the General Data Protection Regulation, the data content of the workplace e-mail account provided to the employee is considered personal data, and any operations performed on the personal data are considered data processing. A separate issue is that personal data and data processing are related only to the work, its purposes, or for private purposes, which may be relevant in assessing the identity of the data controller or the lawfulness of the data processing. In the present case, based on the statements and the attached documents, it can be stated that the use of the electronic mail system by the Applicant was not regulated, so the so-called “corporate e-mail account” used by the Applicant In the event that the employee uses the e-mail account, regardless of whether the employer otherwise prohibits or authorizes private use, he / she also performs data management activities with regard to the personal data stored in it. If the data processing is related to the performance of work, it is done for that purpose, the employee essentially acts on behalf of the employer as a data controller, and this activity as a data processing activity can also be attributed to the employer. The fact that this data management a in the case of persons other than the employee, an independent issue and liability for possible illegality depends on the in the case of third parties, the employer is primarily responsible under the relevant civil law rules. With regard to the employee's own personal data, as long as the data processing takes place in connection with the performance of the work, the legal basis for the data processing in the case of an employment relationship is first and foremost the employment contract, and the data processing must be assessed accordingly. However, as in the present case, where the body performing a public interest task is a data controller, the legal basis for the processing is the legal basis under Article 6 (1) (e) of the General Data Protection Regulation, according to which the processing of personal data is lawful. if the data processing is necessary for the performance of a task in the public interest or in the exercise of a public authority conferred on the data controller. However, if handles its own personal data and, in most cases, other third parties, the situation is no longer so clear. In this case, the purpose of the data processing is not determined by the employer, but by the employee, who thus becomes the data controller himself with regard to the personal data of third parties in relation to data processing in no way related to his work. He decides on the transfer of personal data to the e-mail account, and as long as he has the account in his possession, he can decide on its deletion and other use. However, with regard to this personal data, the operation of the system remains the task and competence of the employer, and the employer does not lose the right to dispose of the e-mail account containing personal data, who therefore remains the data controller for private data. The employer's quality as a data controller cannot be questioned in this case either, because private use is not prohibited and, as a result, personal data in connection with other data processing for employee purposes may be added to the e-mail account used by the employer for data processing purposes. , which, on the one hand, are actually obtained through persons acting in relation to their own data processing. On the other hand, due to the circumstances of the data management, it is actually possible to process personal data in the e-mail account that does not actually show any connection with the data management for the purpose it controls - which can almost never be ruled out in a workplace e-mail account or mobile phone. and, in the case of other computer equipment provided as a work tool, although in most cases it may be expected to be expected by the employer, all data management activities carried out in the context of fulfilling its own data management requirements necessarily cover (primarily store) these data, and have access to such personal data in the performance of its tasks necessary to ensure the lawfulness of its own data processing. It should also be noted that, as far as the employee is concerned, the processing of such data stored in the e-mail account solely for his or her private interest, ie for private purposes, as well as for personal or domestic purposes, falls outside the scope of the General Data Protection Regulation. this may not be the case for the employer. In such cases, therefore, a very specific joint data management situation arises, in which case the employer is in any case considered a data controller and the employee is not, in the legal sense at least, necessarily. In addition to the above, it is also important that, due to the legal relationship between the employer and the employee, the employer has the primary responsibility for the lawfulness of the data processing, as the the means (internal regulatory and technical operational measures) to ensure legality are available in the first instance. Thus, it is his responsibility to recognize this situation and to deal with it with appropriate employer measures, such as agreeing on the details of data processing in the case of joint data processing, and regulating the responsibilities related to data processing (essentially in accordance with Article 26 of the General Data Protection Regulation). In the light of the above, the processing of the personal data of an employee who, in addition to using the e-mail account for work purposes, uses the e-mail account provided by his employer for private purposes should also be assessed. compliance with data protection requirements in this respect should be assessed in accordance with the above. III. 2. The applicant's right of access Under the right of access under Article 15 (1) of the General Data Protection Regulation, the data subject has the right to receive feedback from the controller as to whether the processing of his or her personal data is in progress and, if such processing is in progress, to gain access to your personal data and data management information. The obligations of the data controller regarding the way in which the data management information is provided are detailed in Article 12 of the General Data Protection Regulation. On this basis, information on personal data should be provided in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible manner. The information must be provided in writing or otherwise. Pursuant to Article 12 (3) of the General Data Protection Regulation, the controller must provide information on the action taken on the request for access to personal data without undue delay and in any case within one month of receipt of the request. If necessary, this period may be extended by a further two months, which shall inform the controller of the fact of the extension and the reasons for the delay within one month of receipt of the request. Pursuant to Article 12 (4) of the General Data Protection Regulation, if the controller does not act on the request, he must inform the data subject without delay, but no later than one month after receipt of the request, of the reasons for the failure to act. Pursuant to Article 12 (5) of the General Data Protection Regulation, requests relating to the rights of data subjects, such as the action taken on a request for access to personal data and information thereon, must in principle be provided free of charge. to assure. If the data subject's request is manifestly unfounded or, due to its particularly repetitive nature, excessive, the controller may charge a reasonable fee or refuse to act on the request, taking into account the administrative costs of providing the requested information or action or taking the requested action. However, the burden of proving that the request is manifestly unfounded or excessive is on the controller. It should be emphasized that the data subject can only access his or her personal data in the context of his or her right of access. The Authority shall act in accordance with Annex III to this Decision. Stated in paragraph 1 that the data content of the work e-mail account provided to the employee, although classified as personal data, is a separate issue, whether the personal data or data processing is related only to work, its purposes or for private purposes, as related letters, such as letters containing business secrets, are protected and therefore, in the event of termination of the employment relationship of the data subject, his / her full e-mail cannot be disclosed. It follows from recital 63 of the GSP This right shall not prejudice the rights and freedoms of others, including trade secrets or intellectual property, and in particular copyright, which protects software. If the controller handles a large amount of information about the data subject, he or she may ask the data subject to specify, before disclosing the information, which information or data processing activities his or her request relates to. In the present case, the Applicant wished to have access to his personal data, to the entire 2018 archive of his e-mail account via a CD, when his legal relationship with the Applicant had already ceased. From this archive he wished to access his work-related letters, according to his declarations. Within this, he would have needed letters, partly private, containing the IDs, passwords, passwords for journals, time of submission, name of the journal, and persons and information related to the application of university teaching aids at various companies. In addition, he specifically requested to receive letters concerning certain publications and scientific publications, scientific activity and contracts, as well as correspondence with publishers which he had received at the Applicant's Office, as well as letters concerning his applications and doctoral training. However, it did not specify exactly which of its e-mails it needed. In the Authority's view, in this case the Applicant could legitimately refuse the Applicant access to the entire archive of e-mails in 2018, since, subject to recital (63) of the General Data Protection Regulation, Following the termination of the applicant's legal relationship, no legitimate aim or interest can be identified on the basis of which it would allow access to work-related data, information and, where appropriate, the employer's business secrets. In the Authority's view, this includes publications and scientific publications requested by the Applicant. activity and contracts related to work. Such correspondence is also correspondence with publishers, which, according to the Applicant's statement, he received at the Applicant's Representation. However, this does not mean that the Applicant could not have had access to his private letters. The fact that he wanted access to his entire 2018 letters also includes access to his private letters. However, the Applicant did not take any measures to give the Applicant access to these letters. It can be stated from the correspondence between the Applicant that in its e-mail sent on 25 February 2019, the Applicant denied the Applicant access to its archived e-mails in 2018, stating that “unless justified by a special university interest, we cannot allow such . He is no longer entitled to act or work on behalf of [...], so his correspondence in the course of his university work belongs to [...]. Such a release could not work independently of the GDPR, and it has been so much ever since.” As stated in recital (63) of the General Data Protection Regulation, a work e-mail account contains such a large number of incoming and outgoing mail that the controller, in this case the Applicant, could not be expected to sort and send it to him. As explained above, the Applicant will not have access to the complete archive in view of the termination of his legal relationship. However, it was in those circumstances that the Applicant should have However, given that the Debtor did not allow the Applicant to access his private e-mails in 2018, the Authority finds that the Applicant has breached Article 15 of the General Data Protection Regulation. III. 3. Measures and transparency requirements related to the right of access of the Applicant. The Authority is no longer entitled to act or perform work on behalf of [...] after the termination of its legal relationship, so its correspondence in the course of university work belongs to [...]. In paragraph 2, it found that the Applicant had unlawfully failed to comply with the Applicant's right of access on the grounds, in breach of Article 15 of the General Data Protection Regulation. However, the Authority considered that this information provided at the Applicant's request did not meet my transparency requirements. In the Authority's view, the transparency requirements and the Latvian measure would have been complied with if it had informed the Applicant of the Applicant Mindar, which it also stated to the Authority during the clarification of the facts. That is, in view of the fact that the Applicant's employment as a civil servant has been terminated, he may not designate the Applicant in his future publications and scientific publications, so there is no interest of the Applicant to issue - even in copy - the Applicant's email fiókja2018. However, it shall be fully open to the transmission of the Applicant's private letters, provided that it indicates the specific e-mails it requires and the medium on which it requests the data to be sent. This can be done either by the Applicant proposing to select which e-mails he needs on the basis of a table of contents or, for example, as explained by the Authority in several decisions: by jointly sorting the Applicant's and the Applicant's private and business letters. This could make it possible for the Applicant to really only access his / her private letters that do not harm his / her interests. Therefore, in view of the fact that the Applicant did not provide adequate and transparent information on how to access the Applicant's private letters, where applicable, pursuant to Article 12 (1) of the General Data Protection Regulation, and why he refused on 6 February 2019. the Authority finds that the Applicant has infringed the Article 12 (2) of the General Data Protection Regulation, as it did not facilitate the exercise of the Applicant's right of access. II. 4. Legal consequences The Authority, in granting the Applicant's request, found that the Applicant had unlawfully refused the Applicant access to the archived private letters of 2018, in violation of Article 15 of the General Data Protection Regulation. by failing to provide him with transparent information on the action taken on his request, in breach of Article 12 (1) to (2) of the General Data Protection Regulation. instructs the Applicant ex officio to review which personal data from the Applicant's e-mail account archive is considered private for 15 days from the date of finalization of this decision and to provide the Applicant with access to these private e-mails. The Authority rejected the part of the Applicant's request that the Authority oblige the Applicant to issue the archived work-related letters of his / her workplace e-mail account in 2018. The Authority also examined of its own motion whether it was justified to impose a data protection fine on the Applicant. In this context, the Authority complies with Article 83 (2) of the General Data Protection Regulation and Infotv. 75 / A. The Authority considered all the circumstances of the case and found that the warning was not a disproportionate sanction for the infringements detected in the present proceedings, therefore a fine should be imposed. In determining the amount of the fine, the Authority took into account, first of all, the breach of the general data protection principle. In determining the amount of the fine, the Authority took into account as an aggravating circumstance that by failing to properly inform the Applicant of the Applicant's request for access rights, the exercise. [Article 83 (2) (a) and (k) of the General Data Protection Regulation]. The Authority took into account as an aggravating circumstance that the Applicant expressly excluded the Applicant from exercising his / her right as a data subject by not allowing the Applicant access to his / her private e-mails in 2018 [Article 83 (2) (c) and (d) of the General Data Protection Regulation. ) point]. The Authority took into account as an attenuating circumstance that the Applicant had not yet been convicted of a breach of the General Data Protection Regulation (Article 83 (2) (e) of the General Data Protection Regulation). circumstances within the meaning of Article 2 (2) (b), (f), (g), (h), (i), (j), as they cannot be interpreted in the light of the specific case. In view of the above aggravating and mitigating circumstances, the Authority set the amount of the fine at a level close to the minimum. The Authority strongly took into account the mitigating circumstances, as in its opinion it is also possible to enforce the objectives of general and special prevention due to the data protection violation in the Applicant's case. The Applicant2018. According to the profit and loss account according to its annual report, its revenue was in the order of HUF 6,500 million, so the imposed data protection fine does not exceed the maximum of the fine that can be imposed. 5. Exceeding the administrative deadline During the procedure, the authority exceeded the Infotv. 60 / A (1) of the Act, therefore the Ákr. Pursuant to Section 51 b), it pays ten thousand forints to the Applicant ARC. Other issues: The competence of the Authority is limited by the Infotv. § 38. (2) and (2a), its competence extends to the entire territory of the country. 80-81. § and Infotv. It is based on Section 61 (1). The decision is made by Ákr. Pursuant to Section 82 (1), it becomes final with its communication. The Acre. Pursuant to Section 112 and Section 116 (1) and Section 114 (1), there is a right of appeal against the decision through an administrative lawsuit. *** The Acre. Pursuant to Section 135 (1) a), the Applicant is obliged to pay a late payment allowance corresponding to the statutory interest if he fails to meet his payment obligation within the time limit. 6:48. § (1), in case of a debt, the debtor is obliged to pay default interest equal to the central bank base rate valid on the first day of the calendar half-year affected by the delay. Kp.). A Kp. Pursuant to Section 12 (1), an administrative lawsuit against a decision of the Authority falls within the jurisdiction of a court; Pursuant to Section 13 (3) (a) (aa), the Metropolitan Court has exclusive jurisdiction. A Kp. Pursuant to Section 27 (1) (b), legal representation is mandatory in litigation falling within the jurisdiction of the tribunal. A Kp. Pursuant to Section 39 (6), the submission of an application does not have a suspensive effect on the entry into force of the administrative act. Section 29 (1) and with this regard Act CXXX of 2016 on the Code of Civil Procedure. törvény604. § CCXXII of 2015 on the general rules of electronic administration and trust services. Pursuant to Section 9 (1) (b) of the Act, the client's legal representative is obliged to keep in touch. Section 39 (1). Information on the possibility to request a hearing can be found in Kp. It is based on Section 77 (1) - (2). The amount of the fee for an administrative lawsuit is set out in Act XCIII of 1990 on Fees. Act (hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee, the Itv. Section 59 (1) and Section 62 (1) (h) release the party initiating the proceedings. 74/2020 on certain procedural measures in force during an emergency. (III. 31.) of the Government of the Republic of Hungary, the emergency situation does not affect the deadlines, thus the running of the time limit for initiating an action. If the Applicant does not prove the fulfillment of the prescribed obligation, the Authority . The Acre. Pursuant to Section 132, if the Applicant has not complied with the obligation contained in the final decision of the authority, it may be enforced. The decision of the Authority Pursuant to Section 82 (1), it becomes final upon notification. The Acre. Pursuant to Section 133, enforcement is ordered by the decision-making authority, unless otherwise provided by law or government decree. The Acre. Pursuant to Section 134, enforcement is carried out by the state tax authority, unless otherwise provided by law, a government decree or a decree of a local government in a municipal authority matter. Infotv. Pursuant to Section 61 (7) of the Authority, the Authority shall enforce the decision with regard to the obligation to perform a specific act, to behave, to tolerate or to stop specified in the decision of the Authority. Budapest, 8 June 2020 Dr. Attila Péterfalvi. professor