NAIH - NAIH-2020-2546-5
|NAIH - NAIH-2020-2546-5|
|Relevant Law:||Article 5(1)(c) GDPR|
Article 6(1) GDPR
Article 9(1) GDPR
Article 12(1) GDPR
|National Case Number/Name:||NAIH-2020-2546-5|
|European Case Law Identifier:||n/a|
|Original Source:||NAIH (in HU)|
The Hungarian DPA (NAIH) held that the controller processed copies of documentation containing personal data (including health data) without a legal basis and not in line with the purpose of processing. The processing was also not in line with the controller's legal obligation to process information on the provision of childbirth incentive loan. NAIH imposed a fine of approx. €97,430.
English Summary[edit | edit source]
Facts[edit | edit source]
Two parents turned to NAIH in connection with their credit institute’s processing of personal data regarding their “Childbirth incentive loan”.
The couple applied for suspension of repayment, for which they were eligible under the condition that the fetus is at least 12 weeks old. In order to certify this fact, the administrator of the credit institute copied their pregnancy booklet in its entirety.
The parents were of the opinion that this is unnecessary for the purpose of certifying the age of the fetus, as the pregnancy booklet contains a number of sensitive information.
Following this situation, NAIH conducted an ex officio investigation. In order to have all the necessary and relevant information, NAIH collected statements from the controller.
NAIH found that the controller processed the personal data in question excessively and unlawfully, and therefore had breached multiple GDPR provisions. As a consequence, NAIH imposed a data protection fine of HUF 35,000,000 on the controller.
Dispute[edit | edit source]
Is the controller’s general data processing practice in compliance with the GDPR in connection with collecting personal data from pregnancy booklets and patient records for the purpose of reviewing the eligibility of a couple for repayment suspension for a “childbirth incentive loan” construction?
Holding[edit | edit source]
The conditions of a special loan called as “childbirth incentive loan” are set out in a respective Hungarian Government Decree. According to the relevant rules, parents, or parents expecting a child are eligible for suspension of repayment, where specific criteria are met, including that the fetus is at least 12 weeks old.
In order to verify this, certain documents must be presented. The controller in this case requested, amongst others, the copy of the complete pregnancy booklet, with all the information in it, as well as the patient records.
The pregnancy booklet contains a wide range of personal data regulated specifically in a ministerial decree, e.g., detailed information about the health status of the mother, including data related to possible previous pregnancies, details about the circumstances of previous childbirth, or miscarriages.
Regarding the legal basis of the above data processing, NAIH highlighted, that the fact of being pregnant is in itself health data, and as such, can only be processed if one of the legal bases in Article 6 (1) and an additional criterion under Article 9 (2) of the GDPR apply.
Article 9 (2) of the GDPR does not contain an exception that would explicitly allow the processing of health data for the purpose of performing a contract. According to Article 9 (2) (a) of the GDPR, health data may be processed if data subjects give their explicit consent. Pursuant to Section 9 (2) of the relevant Government Decree, the spouses must expressly state in the loan agreement that they consent to the processing of data regarding the 12th week of pregnancy and the expected date of childbirth. By this, the Government Decree settles the legal basis for the processing of health data. However, NAIH raised issues as to the validity of the consent. NAIH is of the opinion that it is questionable whether the consent is freely given, since without the prior consent of the contractor, no loan agreement would be concluded.
NAIH concluded, that the controller violated the principle of data minimization by copying the entire pregnancy booklet, containing excessive health data and other highly sensitive data, as it is not strictly necessary in light of the purpose of the processing. In addition to the excessive collection of special categories of personal data, NAIH highlighted that the affected individuals were in an extremely vulnerable situation.
NAIH also held, that the data controller had, in fact, no appropriate legal basis for the processing.
NAIH held that the continuous nature of the violation of the data subjects’ rights, and the large number of affected individuals were aggravating factors in the case. On the other hand, NAIH acknowledged the fact that the controller reconsidered and changed its data processing operations, and ended its unlawful practice of keeping copies of pregnancy booklets and patient records.
Comment[edit | edit source]
NAIH has already considered the copying of personal and other documents and processing identification documents by controllers in multiple cases. According to NAIH's practice, copying of documents is generally not necessary for concluding a contract or for pre-contractual screening. Processing of identification documents and relevant identification numbers is also generally unnecessary for the given purpose of processing, unless it is prescribed by law.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.