| NAIH - NAIH-2020-2546-5 | |
|---|---|
 | |
| Authority: | NAIH (Hungary) |
| Jurisdiction: | Hungary |
| Relevant Law: | Article 5(1)(c) GDPR Article 6(1) GDPR Article 9(1) GDPR Article 12(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 16.12.2020 |
| Published: | |
| Fine: | 35000000 HUF |
| Parties: | n/a |
| National Case Number/Name: | NAIH-2020-2546-5 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Hungarian |
| Original Source: | NAIH (in HU) |
| Initial Contributor: | Hunprivacy |
The Hungarian DPA (NAIH) held that the controller processed copies of documentation containing personal data (including health data) without a legal basis and not in line with the purpose of processing. The processing was also not in line with the controller's legal obligation to process information on the provision of childbirth incentive loan. NAIH imposed a fine of approx. €97,430.
English Summary
Facts
Two parents turned to NAIH in connection with their credit institute’s processing of personal data regarding their “Childbirth incentive loan”.
The couple applied for suspension of repayment, for which they were eligible under the condition that the fetus is at least 12 weeks old. In order to certify this fact, the administrator of the credit institute copied their pregnancy booklet in its entirety.
The parents were of the opinion that this is unnecessary for the purpose of certifying the age of the fetus, as the pregnancy booklet contains a number of sensitive information.
Following this situation, NAIH conducted an ex officio investigation. In order to have all the necessary and relevant information, NAIH collected statements from the controller.
NAIH found that the controller processed the personal data in question excessively and unlawfully, and therefore had breached multiple GDPR provisions. As a consequence, NAIH imposed a data protection fine of HUF 35,000,000 on the controller.
Dispute
Is the controller’s general data processing practice in compliance with the GDPR in connection with collecting personal data from pregnancy booklets and patient records for the purpose of reviewing the eligibility of a couple for repayment suspension for a “childbirth incentive loan” construction?
Holding
The conditions of a special loan called as “childbirth incentive loan” are set out in a respective Hungarian Government Decree. According to the relevant rules, parents, or parents expecting a child are eligible for suspension of repayment, where specific criteria are met, including that the fetus is at least 12 weeks old.
In order to verify this, certain documents must be presented. The controller in this case requested, amongst others, the copy of the complete pregnancy booklet, with all the information in it, as well as the patient records.
The pregnancy booklet contains a wide range of personal data regulated specifically in a ministerial decree, e.g., detailed information about the health status of the mother, including data related to possible previous pregnancies, details about the circumstances of previous childbirth, or miscarriages.
Regarding the legal basis of the above data processing, NAIH highlighted, that the fact of being pregnant is in itself health data, and as such, can only be processed if one of the legal bases in Article 6 (1) and an additional criterion under Article 9 (2) of the GDPR apply.
Article 9 (2) of the GDPR does not contain an exception that would explicitly allow the processing of health data for the purpose of performing a contract. According to Article 9 (2) (a) of the GDPR, health data may be processed if data subjects give their explicit consent. Pursuant to Section 9 (2) of the relevant Government Decree, the spouses must expressly state in the loan agreement that they consent to the processing of data regarding the 12th week of pregnancy and the expected date of childbirth. By this, the Government Decree settles the legal basis for the processing of health data. However, NAIH raised issues as to the validity of the consent. NAIH is of the opinion that it is questionable whether the consent is freely given, since without the prior consent of the contractor, no loan agreement would be concluded.
NAIH concluded, that the controller violated the principle of data minimization by copying the entire pregnancy booklet, containing excessive health data and other highly sensitive data, as it is not strictly necessary in light of the purpose of the processing. In addition to the excessive collection of special categories of personal data, NAIH highlighted that the affected individuals were in an extremely vulnerable situation.
NAIH also held, that the data controller had, in fact, no appropriate legal basis for the processing.
NAIH held that the continuous nature of the violation of the data subjects’ rights, and the large number of affected individuals were aggravating factors in the case. On the other hand, NAIH acknowledged the fact that the controller reconsidered and changed its data processing operations, and ended its unlawful practice of keeping copies of pregnancy booklets and patient records.
Comment
NAIH has already considered the copying of personal and other documents and processing identification documents by controllers in multiple cases. According to NAIH's practice, copying of documents is generally not necessary for concluding a contract or for pre-contractual screening. Processing of identification documents and relevant identification numbers is also generally unnecessary for the given purpose of processing, unless it is prescribed by law.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH / 2020/2546/15. Subject: Decision
H A T Á R O Z A T
Before the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority), the […]
hereinafter referred to as the “Customer”) prior to the conclusion of contracts for the provision of a baby waiting loan,
or, during the term of the contracts, the lending, the related discounts,
the handling of documents containing personal data in connection with grants, and
the lawfulness of information on data processing during the granting of a baby waiting loan, the general
ex officio data protection to verify compliance with the Data Protection Regulation
In administrative proceedings, the Authority shall take the following decisions:
I. Finds that the Customer
(1) infringed Article 5 (1) (c) of the General Data Protection Regulation (GDPR);
the principle of data saving in accordance with the principle of non - compliance with
personal data, including health data, in copies of final reports
managed that were not necessary to achieve the purpose of the data processing;
(2) handled without a legal basis prepared pregnancy books and prepared final reports
personal data, including health data, recorded in copies
Article 6 (1) of the GDPR and, in the case of health data, Article 9 of the GDPR.
Article 1 (1);
(3) did not provide clear and transparent information to those concerned about the baby waiting loan
and the processing of data during the life of the concluded loan agreements
Article 12 (1) of the GDPR.
II. Instructs Customer to do so within 60 days of this decision becoming final
(1) delete any pregnancy books and final reports still available
destroy electronic copies, paper copies, and have done so
credibly to the Authority.
(2) reshape the baby waiting loan application as well as the contracts concluded
information management practices in a manner consistent with Article 12 of the GDPR.
transparency requirement under Article 1 (1).
III. Due to the unlawful data processing, the Customer shall be informed of the 30th day after the final adoption of this decision
within a day
HUF 35,000,000, ie thirty-five million forints
data protection fine
obliges to pay.
_______________________________________________________________________________________________________________
1055 Budapest Tel .: +36 1 391-1400 ugyfelszolgalat@naih.hu
Falk Miksa utca 9-11. Fax: +36 1 391-1410 www.naih.hu 2
* * *
The fine was imposed on the Authority’s centralized revenue collection forint settlement account (10032000-
01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000)
to be paid for. When transferring the amount, NAIH / 2020/2546. JUDGE. should be referred to.
If the Customer fails to meet its obligation to pay the fine within the time limit, a late payment surcharge
obliged to pay. The rate of late payment is the statutory interest, which is the calendar affected by the delay
equal to the central bank base rate valid on the first day of the first half of the year.
A II. obligation under point III. non - payment of the fine and penalty for late payment in accordance with point
In that case, the Authority shall order the enforcement of the decision.
Until the expiry of the time limit for bringing an action against the decision, or an administrative action
until the final decision of the court, the data involved in the disputed data processing shall not
can be deleted or not destroyed.
A II. within 8 days of the implementation of the measures provided for in point
together with supporting evidence, shall notify the Authority. To the Customer
as evidence, it must be accompanied by a document fully documenting the fact and IT circumstances of the cancellations
a record (s) and a statement that all copies of the said data
deleted.
There shall be no administrative appeal against this Decision, but it shall be subject to a right of appeal within 30 days of notification
An appeal addressed to the Metropolitan Court may be challenged in an administrative lawsuit within one day. THE
The application shall be submitted to the Authority, electronically, which shall forward it together with the case file to the
court. For those who do not receive a full personal tax exemption, there is an administrative lawsuit fee
HUF 30,000, the lawsuit is subject to the right to record material taxes. In the proceedings before the Metropolitan Court, the legal
representation is mandatory.
I N D O K O L Á S
I. Procedure
(1) The Authority has received a notification in the public interest in which the notifier has submitted that
took a loan with his spouse from the Client. The applicant and his spouse have requested the Client to
suspension of loan repayment. The Customer's administrator copied the entire
a pregnancy care book to prove that the fetus was 12 weeks old.
(2) On the basis of the notification in the public interest, the circumstance giving rise to the initiation of the official inspection came to the
Authority, so that the Authority, on 24 January 2020, issued NAIH / 2020/1156. case number of the Customer
initiated a formal inspection to verify that the Customer
whether its general data management practices in relation to baby loans are in line with a
GDPR requirements.
3. The Authority shall make a declaration at the same time as it notifies the initiation of the official control
called the Customer. The Client's statement was received by the Authority on 14 February 2020. 3
(4) Based on the Client's statement and additional information revealed during the official inspection
it was probable that the Client had breached the provisions of the GDPR, therefore the Authority is
In its case, NAIH / 2020/2546 initiated ex officio data protection proceedings on 28 February 2020.
case number. The investigation period covered the period from 1 July 2019 to 28 February 2020.
(5) In addition to the notification of the data protection authority procedure, the Authority shall clarify the facts
In order to do so, he invited the Client to make a statement, and in his order he reserved the ones already concluded
loan transactions performed by the Client on the maternity books, the adoption
paper - based decisions, abortion or stillbirth documents, and
electronic copies. The Authority left the seized copies of the documents in the custody of the Client. THE
It was necessary to order a seizure because, on the basis of the Client's statement, its
there is a risk that the copies of the records, in the context of the Client's own review of
deleted before the end of the data protection authority procedure.
(6) In its statement dated 15 May 2020 (NAIH / 2020/2546/2), the Client informed the
Authority to comply with the attachment order, the paper - based and
destruction of electronic copies of documents, deletion from systems upon receipt of the order
suspended after.
(7) On 22 June 2020, the Authority adopted Decision NAIH / 2020/2546/3. clarification of the facts in its order no
In order to do so, he invited the Client to make a statement and send various copies of the documents.
(8) In the Client's letter dated 8 July 2020, the deadline for reply is an additional 15
The Authority requested the extension of the application by NAIH / 2020/2546/5. No.
in his order. The Client's statement and the requested documents are electronic, with a password
A copy of the protected copies was received by the Authority on 30 July 2020.
(9) In order to clarify the facts, the Authority should amend NAIH / 2020/2546/9. in his order no
invited the client to make a statement on October 20, 2020. Customer Statement November 2020
He arrived at the Authority on the 25th.
(10) The Authority shall, in the course of loan transactions already concluded by the Client in the care of pregnant women
books, adoption decisions, proof of miscarriage or stillbirth
seizure of paper and electronic copies of documents on 14 December 2020
terminated by order of.
II. Clarification of the facts
(11) Decree 44/2019 on the baby waiting allowance. (III.12.) Government Decree (hereinafter: Government Decree)
under the baby waiting loan interest subsidized, the transaction interest on behalf of the state to the Treasury
disbursed to the credit institution.
(12) Beneficiaries - ie the spouses with whom the financial institution is expecting a baby loan
are entitled to a suspension of repayment - other
after the 12th week of pregnancy, including the post-natal period
or if they adopt a child together.
(13) Beneficiaries are entitled to a non-refundable fee in the event of the second or third child
childbirth allowance, the amount of which is for the second child from the baby-waiting loan
30% of the outstanding debt and, in the case of a third child, the remaining 4
amount corresponding to the loan debt. Childbirth allowance to suspend repayment
similarly after the 12th week of pregnancy, including the postpartum period, or
can be requested in case of adoption.
(14) An application for suspension of repayment and child-raising allowance should be submitted to the credit institution.
to be submitted, which must be accompanied by the provisions of Section 9 (2) (b) and (c) of the Government Decree.
which are as follows:
• the 12th week of pregnancy and the expected date of delivery
to prove the maternity care book, the data content of which is
26/2014 on maternity care. (IV. 8.) Annex 1 of the EMMI Decree
(or, after 1 July 2020, in the Government Decree
a document issued by the treating physician with a specific content);
• in the case of a blood child, proof of birth: the child's birth
birth certificate, official certificate of residence and
tax ID;
• in the case of an adopted child, the final authorizing the adoption
decision, the official identity card of the child and the
tax ID;
• a statement in full private evidence from the beneficiaries stating that
that they live in a household;
• in the case of stillbirth or miscarriage, the document certifying the occurrence,
In client practice, the final report was (fetal death as of July 1, 2020)
in the case of a document pursuant to Annex 3 of the Government Decree; stillbirth
on the examination of the dead and the procedure relating to the dead
in the case of a document according to a government decree, or in the event of the death of a child born alive
death certificate).
(15) In order to suspend repayment and apply for childbirth allowance, the Client shall use the same a
systematized the form. For these requests, the original of the above documents
demanded a presentation, of which he made a copy, not including in a household
declaration of origin, as it required it to be submitted in the original. This
[…] Of the Regulations (hereinafter: the Product Regulations).
(16) Electronic copies of the above documents shall be sent to the Customer on or after 1 November 2019
prior to that, its predecessors recorded and stored them in their process management systems.
(17) […] From 1 November 2019, paper-based documents in the customer files in the branches
have been placed.
(18) With regard to the handling of paper-based documents and copies of documents, since 1 November 2019, the
The practice of the Customer 's bank branches is uniform, it is stated in Annex […] of the Product Regulations and
regulated by its annexes […].
(19) In the course of the procedure, the Client referred to the previous decision of the Authority - Data Protection Officers 2019.
conference, received from data protection officials, not in the context of video presentations
expressed in question 25 of the document "Answered questions" that "A
Authority shall accept copies if the employer, as data controller, is such
develop a practice of making copies only of data whose 5
otherwise entitled to handle it. In this case, copy the data on the document
data management operation, but not a new data management purpose compared to the original purpose of data collection, but
a way of collecting data for the original purpose of data processing and the related legal basis,
which otherwise helps to ensure the accuracy of the data. "
(20) The Client shall list and make available on the […] website the information related to the baby waiting loan
documents, including documents governing data management, e.g. […].
(21) The Client informed the Authority that between 1 July 2019 and 30 January 2020 in total
[…] Persons applied for a baby waiting loan from him, of which […] granted a baby waiting loan to a person,
which means a total of […] transactions. […] Transaction was suspended during the repayment of the first
after child and […] supported couple claimed childbirth allowance for the second or
after the third child.
(22) Upon receipt of the Client's order to initiate official control
reviewed its rules of procedure and the forms requested. Of this
abolished the pregnancy books, the adoption permit
copies of decisions, documents certifying miscarriage or stillbirth, and this information,
prepared separate model certificates to prove the circumstances, on which the beneficiary declares the
on the correctness of the data ordered by the Government Decree on the basis of the presented documents.
To prove this, the statement is accompanied by the amended […] Product Regulations
in […] of which the Client has expressly stated that it is to be presented
documents (maternity care book, adoption decision, stillbirth or birth certificate)
abortion certificate) is strictly forbidden. In addition to these, the Authority
made available the amended annexes - [kidolg] - and the newly developed certificates - to the
[…] - patterns as well.
(23) The Client has also reviewed the documents of the baby waiting loan from the point of view of data protection,
which were not affected by the Authority's request. On the implementation of the amendments on 15 May 2020
informed the Authority, the amended Product Regulations, in its statement dated […]
application for support and to verify the data in the […] pregnancy care book
attached to his statement of 27 July 2020.
(24) The Client has stated that in respect of the transactions already concluded in which
In the absence of legal authorization, copies were made pursuant to Section 9 (2) (b) and (b) of the Government Decree
c), decided to make copies of paper-based documents
on the annulment of the decision, on the recording of the fact of the destruction, and on the
the indication of the data required by law and the deletion of electronic copies of documents, and
has begun to do so, following an order by the Authority ordering a seizure
suspended.
(25) At the request of the Authority, the Client provided the Authority with the information from 1 July 2019 to 2019.
1 August 2020 and 1 January 2020-2020. in the periods between January 30 and pregnancy
copies of books.
(26) No copy of the adoption decision was made during the period under review, while abortion or death
A total of 2 copies were made of the birth certificate - the final report - the other two
In this case, the abortion has already been verified with a sample of the certificate prepared by the Client, which
only the natural identity data, address of the pregnant woman, 6 of the 12th week of pregnancy
miscarriage or stillbirth and to identify the specialist
contain the necessary details and signature.
(27) In order to verify the actual application of the new amended certificates, the Client shall
5 from the period from 1 February to 15 March 2020, signed by the parties concerned, a
a copy of the certificate marked with the number […] certifying the presentation of the maternity care book
made available to him.
III. Applicable legal provisions
Following the period under review, the Government Decree was amended several times. The Authority is the Government.
Regulation took into account the provisions in force during the period under review on the lawfulness of data processing
in its assessment.
Pursuant to Article 2 (1) of the GDPR, the GDPR applies to the processing of data in the present case.
The relevant provisions of the GDPR in the present case are the following:
GDPR Recital 35: Personal health data include the data subject
health data which provide information on the past,
current or future physical or mental health. These include: a
personal data relating to a natural person which are provided to the individual in accordance with Directive 2011/24 / EU
for the purposes of healthcare referred to in Directive (9) of the European Parliament and of the Council
during registration or provision of such services, the natural person
number, sign or data assigned to it for individual identification for health purposes,
any part of the body or constituent material of the body, including genetic data and biological samples
- information resulting from testing or examination, and any, such as the data subject
illness, disability, disease risk, medical history, clinical treatment or
information on its physiological or biomedical condition, whatever its source, which
it can be, for example, a doctor or other healthcare professional, a hospital, a medical device or in vitro
diagnostic test.
GDPR Article 4, point 15: "health data" means the physical or mental health of a natural person
personal data, including health care provided to the natural person
services that also carry information about the natural person’s health
status.
GDPR Article 5 (1) (c): Personal data for the purposes of data processing
they must be appropriate and relevant and limited to what is necessary
(“Data saving”).
GDPR Article 6 (1) (b) and (c) and (3): Processing of personal data only
lawful if and to the extent that at least one of the following is met:
(b) the processing is necessary for the performance of a contract to which one of the parties is a party, or
necessary to take steps at the request of the data subject before concluding the contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
3. The legal basis for the processing referred to in points (c) and (e) of paragraph 1 shall be determined by:
(a) Union law, or
(b) the law of the Member State to which the controller is subject. 7
The purpose of the processing shall be defined by reference to this legal basis or in paragraph 1 (e)
with regard to the processing of such data, it must be necessary in the public interest or in the public interest
task performed in the framework of the exercise of a public authority delegated to a data controller
to implement. This legal basis may include adjustments to the application of the rules contained in this Regulation
provisions governing the lawfulness of data processing by the controller
conditions, the type of data which are the subject of the processing, the data subjects, the legal
with which personal data may be communicated and the purposes of such communication for the purpose of data processing
restrictions on the duration of data storage and data processing operations, as well as other
data management procedures so as to ensure lawful and fair data management
measures, including those set out in Annex IX. for other specific data management situations as defined in Chapter
for. Union or Member State law must pursue a public interest objective and be proportionate
for the legitimate aim pursued.
GDPR Article 9 (1): Racial or ethnic origin, political opinion, religion or belief
personal data referring to worldviews or trade union membership, and
genetic and biometric data for the unique identification of natural persons, health
data and on the sexual life or sexual orientation of natural persons
the processing of personal data is prohibited.
GDPR Article 12 (1): The controller shall take appropriate measures to ensure that
referred to in Articles 13 and 14 concerning the processing of personal data
information and Articles 15 to 22. and 34, each information in a concise, transparent, comprehensible and
in an easily accessible form, in a clear and comprehensible manner, in particular:
for any information addressed to children. The information shall be provided in writing or otherwise -
including, where appropriate, the electronic route. Oral information at the request of the data subject
provided that the identity of the data subject has been otherwise established.
Article 58 (2) (b), (d) and (i) GDPR: Acting in the corrective power of the supervisory authority:
(b) condemn the controller or the processor if his or her data processing activities have infringed this
provisions of this Regulation;
(d) instruct the controller or processor to carry out its data processing operations, where applicable
in a specified manner and within a specified period, in accordance with the provisions of this Regulation;
(i) impose an administrative fine in accordance with Article 83, depending on the circumstances of the case
in addition to or instead of the measures referred to in paragraph 1;
Article 83 (1) to (2) and (5) (a) to (b) of the GDPR: 1. Each supervisory authority shall ensure that:
infringements of this Regulation referred to in paragraphs 4, 5, 6
administrative fines should be effective, proportionate and dissuasive in each case.
2. Administrative fines shall be imposed in accordance with Article 58 (2) (a) to (2), depending on the circumstances of the case.
It shall be imposed in addition to or instead of the measures referred to in points (h) and (j). When deciding that
whether it is necessary to impose an administrative fine or the amount of the administrative fine
In each case, due account shall be taken of the following:
(a) the nature, gravity and duration of the breach, taking into account the nature of the processing in question;
the scope or purpose of the infringement and the number of persons affected by the infringement and by them
the extent of the damage suffered;
(b) the intentional or negligent nature of the infringement; 8
(c) the mitigation of damage suffered by the data subject by the controller or the processor
any measures taken to
(d) the extent of the responsibility of the controller or processor, taking into account the
Technical and organizational measures taken pursuant to Article 32;
(e) relevant infringements previously committed by the controller or the processor;
(f) the supervisory authority to remedy the breach and the possible negative effects of the breach
the extent of cooperation to alleviate
(g) the categories of personal data affected by the breach;
(h) the manner in which the supervisory authority became aware of the infringement, in particular
whether the controller or processor reported the breach and, if so, in what detail;
(i) if, previously against the controller or processor concerned, on the same subject matter,
ordered one of the measures referred to in Article 58 (2), the
compliance with measures;
(j) whether the controller or processor has considered itself approved in accordance with Article 40
codes of conduct or approved certification mechanisms in accordance with Article 42; and
(k) other aggravating or mitigating factors relevant to the circumstances of the case, such as:
financial gain obtained or avoided as a direct or indirect consequence of the infringement
loss.
5. Infringements of the following provisions in accordance with paragraph 2 shall not exceed 20 000 000
With an administrative fine of EUR 1 million or, in the case of undertakings, the previous financial year in full
amounting to a maximum of 4% of its annual worldwide turnover,
a higher amount should be charged:
(a) the principles of data processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9;
(b) the rights of data subjects under Articles 12 to 22. in accordance with Article
Infotv. Pursuant to Section 2 (2), the General Data Protection Decree is indicated therein
shall apply with the additions provided for in
Infotv. Pursuant to Section 60 (1), the enforcement of the right to the protection of personal data
In order to do so, the Authority may initiate ex officio data protection proceedings. The data protection authority
procedure CL of the General Administrative Procedure of 2016. Act (hereinafter: Act)
rules shall apply with the additions specified in the Information Act and the general data protection
with derogations under this Regulation.
Infotv. Section 61 (6): Until the expiry of the time limit for bringing an action open to challenge the decision,
or, in the case of the initiation of an administrative lawsuit, until the final decision of the court is involved in the disputed data processing
data cannot be deleted or destroyed.
Infotv. Section 71 (2): The Authority shall obtain a document or data lawfully obtained in the course of its proceedings
you may use another means of proof in another procedure.
Infotv. 75 / A. § the Authority in Article 83 (2) - (6) of the General Data Protection Regulation
shall exercise its powers in accordance with the principle of proportionality, in particular by:
legislation on the processing of personal data or in a binding act of the European Union
for the first time in the event of a breach of the rules, to remedy the breach
in accordance with Article 58 of the General Data Protection Regulation, in particular the controller or
by alerting the data controller. 9
Section 9 (2) (b) and (c) of the Government Decree (in force between 1 July 2019 and 29 February 2020)
time status): The loan agreement contains the beneficiaries
(b) a statement that the 12th week of pregnancy and the expected date of confinement
are certified by the maternity care book and contribute to the management of this data,
(c) a statement that, if not after the birth or adoption of the child
claim family support or, if they are claimed at a family
the child's birth certificate, official certificate proving the address and tax certificate,
or, in the case of an adopted child, the final decision authorizing the adoption, and
an official identity card and a tax certificate proving the residence of the adopted child, and
in a private document of full probative value
living in the household or, in the event of the death of the fetus, in accordance with Annex 3
a document with a specific content, in the case of stillbirth, on the examination of the dead and with the dead
or a child born alive
in the event of his death, a death certificate certifying that this has taken place, within a maximum of 60 days
presented to the credit institution and consent to the management of that data.
Government Decree § 14 (1) and (4): Beneficiaries to suspend repayment
eligible
(a) after a fetus of at least 12 weeks of gestation, if the gestation is due to the loan application
on or after the date of submission of the loan and at the latest from the disbursement of the loan
reaches the 12th week of pregnancy within a period of 5 years, or
(b) adopted after the entry into force of this Regulation and adopted jointly by the beneficiaries
after the child, if the decision authorizing the adoption after the submission of the loan application, but
it will become final no later than 5 years after the disbursement of the loan.
4. An application for suspension of repayment shall be submitted to the credit institution. Attach to the application
the documents specified in Section 9 (2) (b) and (c), respectively.
Section 19 (1), (2), (5), (7), (8) of the Government Decree: The supported persons in paragraph (2)
meets certain conditions
(a) in the case of their second child, 30% of the outstanding debt under this Regulation
amount,
(b) in the case of their third child, corresponding to the total outstanding debt under this Regulation
amount
are entitled to a non-refundable childbirth allowance.
(2) Childbirth allowance
(a) in the event of pregnancy occurring on or after the date on which the loan application is submitted,
may be claimed after a fetus of at least 12 weeks of gestation for beneficiaries, and
(b) adopted after the entry into force of this Regulation and adopted jointly by the beneficiaries
may be applied for after a child if the decision authorizing adoption is the submission of a loan application
becomes final after.
5. An application for child-raising allowance shall be submitted to the credit institution. Attach to the application
the documents specified in Section 9 (2) (b) and (c), respectively.
(7) The fulfillment of the eligibility conditions shall be established by the credit institution on the basis of the submitted certificates.
(8) In the case of recourse to childbirth allowance with regard to the fetus, the childbirth allowance
the expected date of confinement must be indicated when the allowance is fixed.
26/2014 on pregnant care. (IV. 8.) of EMMI Decree 1
the contents of a pregnancy care book. 10
About the identification methods that replace the personal identification mark and the use of identification codes
XX of 1996 (hereinafter: Szaztv.) Section 7 (2): The data controller who is appointed by law
does not authorize the use of an identification code, the identification code specified in § 6 can only be used by the citizen
preliminary, in accordance with Article 4 (11) of Regulation (EU) 2016/679 of the European Parliament and of the Council
with your consent or with the consent given in the administrative order.
The Szaztv. § 23 determines which bodies are entitled to manage the TAJ number and for what purpose.
ARC. Decision:
IV.1. The need to process personal data recorded in the pregnancy care book
(28) Pursuant to Section 9 (2) (b) of the Government Decree - in force at the beginning of the official proceedings -
the beneficiaries must declare at the time of concluding the loan agreement that:
the 12th week of pregnancy and the expected date of delivery with a pregnancy care book
verify and consent to the processing of this data. The 12th week of pregnancy and the
proof of the expected date of confinement is required if the fetus is 12 weeks old
the assisted couple wishes to claim a discount, ie to suspend the repayment, or
childbirth allowance.
(29) Section 14 (4) and Section 19 (5) of the Government Decree provide that the repayment
application for childcare allowance or childbirth allowance a
must be submitted to a credit institution providing a baby waiting loan, to which the Government Decree must be attached
Documents pursuant to Section 9 (2) (b) and (c). The Government Decree does not define that submission
how the term is to be understood, as a presentation at the bank branch when submitting the application or as a document
a copy to the application. Subject to Section 9 (2) (b) of the Government Decree
which is only expected for the 12th week of pregnancy and childbirth
and that from 13 June 2020 the Government Decree § 9 (2)
In accordance with paragraph 2 (b), the above data shall relate to obstetrics with the content specified in Annex 2.
may also be attested by a certificate issued by a gynecologist, in the opinion of the Authority
submission shall be construed in a narrower sense as a presentation.
(30) What data should be recorded and what data can be recorded in pregnancy care
26/2014 on Pregnancy Care. (IV. 8.) EMMI Decree (hereinafter: EMMI
Regulation). In the pregnancy care book, the pregnant woman is natural
In addition to the personal identification data, the social security number is indicated
sign, place of residence, place of residence, place of work, occupation, education, telephone number, a
the name and address of the next of kin (page 1). They shall also indicate:
data on those involved in maternity care, ie the area nurse, the GP, the obstetrician, the
various details of a gynecologist or midwife, e.g. name, address, phone number, email address
(Page 2).
(31) At the expected time of confinement or in addition to the fact that the obstetrician-gynecologist
in which week the pregnant woman appeared - from which it can be calculated that the 12th week of pregnancy
when loaded - a number of additional details will be recorded in the pregnancy care book,
some of which are health data. The pregnancy care book contains the pregnant woman
blood group, risk classification of pregnancy, data on previous births and pregnancies (3.
side). These data include that if a pregnant woman has already given birth,
when was she born, in how many weeks of pregnancy, how many grams was the newborn born, what was it like 11
whether its position - cranial position, pelvic end, transverse position - was there any
complication during labor, vaginal delivery - episiotomy or barrier protection, or
by gripping surgery or vacuum extraction - or by cesarean section, or that the child
what state of health you are in when you are admitted to another pregnancy.
(32) Data on ‘failed pregnancies’ indicate in which year, the number of pregnancies
how many weeks and how the pregnancy was terminated: with an artificial or spontaneous abortion, or whether it was
angina or ectopic pregnancy in a pregnant woman.
(33) In addition to the above, a history of diseases, diseases,
surgeries - developmental disorders in the parents' family, inherited diseases,
drug sensitivity or test finding (page 4). It is also recorded by the dentist
study findings (page 4), records of those involved in pregnancy care (pages 8-13),
in which they record when, in what week of pregnancy the size of the pregnant woman was
body weight, blood pressure, heart rate, abdominal circumference and the position of the fundus, as well as
symptoms observed during the studies and the therapy or measure recommended for them.
(34) Also included in the Pregnancy Care Book (pages 6-7) according to the EMMI Regulation
free, mandatory examinations - e.g. various blood tests, urine tests, ultrasound
tests or genetic testing (page 14) if the pregnant woman is 37 years of age at conception
assessment and any specialist comments, and when it was
the first day of the last menstrual period, usually how long a menstrual cycle is and what the birth is
expected date.
(35) The Authority notes that there is no explicit section in the Pregnancy Care Book in which
it could be indicated when the 12th week of pregnancy was loaded, it can only be calculated
may be from when, in what week of pregnancy the proof of pregnancy occurred.
This should or can be listed in two places in the pregnancy care book, first inside it
on page 7, which is completed by the nurse, and on page 7, “The ultrasound of intrauterine pregnancy
examination ’, completed by the obstetrician and gynecologist performing the examination.
(36) As acknowledged by the customer, the Client supported it in accordance with its general practice during the period considered
on a women’s pregnancy care book who, along with their spouses, applied for a baby-waiting loan
suspension of childbirth or childbirth allowance
made a copy for the 12th week of pregnancy, sometimes to varying degrees.
(37) The Authority examined the pregnancy books provided by the Client
made copies showing that […] the practice of each account was not uniform
the extent to which a copy of the pregnancy care book was made. Some […]
accounts copied the entire pregnancy care book, others only natural
pages with personal information and the expected date of delivery. Also a copy
attached is the Client, which was made exclusively from the page of the pregnancy care book on which the
specialist indicates the expected date of delivery. However, in addition to these, there are also copies
were made which did not contain the pages on which the expected date of confinement was given
or from which the 12th week of pregnancy could have been calculated.
(38) The data content of the copies of the pregnancy books of each beneficiary varies according to the
depending on the personal circumstances of the spouses, the number of their children or whether
at what stage of pregnancy did the Client turn to suspend the repayment, or 12
application for childbirth allowance, as the more advanced the pregnancy, the more
several test results are recorded in the pregnancy care book.
(39) In addition to the data specified in the EMMI Regulation, nurses and general practitioners are unique
comments have also been included in pregnancy books, e.g. how many days was the
the menstrual cycle of a pregnant woman at the age of 15 or the age of her first child
breastfed.
(40) The processing of data listed in the above paragraphs, in particular health data, is not
necessary to complete the 12th week of pregnancy and the expected date of delivery a
supported by the Client are certified to the Client, i.e. by the Client in the Pregnancy Books
data handled in copies - excluding the expected date of delivery and the pregnancy is loaded
are not appropriate for the purpose of data processing and are not
relevant, they go far beyond the required range of data and the Authority therefore concludes that
that the Customer has violated the principle of data protection pursuant to Article 5 (1) (c) of the GDPR.
IV.2. Handling of personal information contained in copies of maternity care books
legal basis
(41) Certain conditions for the use of the baby waiting loan and related aid are a
Government Decree, in addition to in accordance with Section 4 (4) of the Government Decree
a loan agreement may be concluded only with claimants who are covered by the credit institution's general internal rules
according to which it qualifies as creditworthy for the borrowing requested.
(42) According to Section 9 (2) (b) of the Government Decree in force during the period under review, the repayment
pause and childbirth allowance for the 12th week of pregnancy
and the expected date of confinement must be evidenced by the pregnancy record book if the
to apply for discounts to the Customer to submit the child
takes place before birth.
(43) The processing of this data by the Client is necessary in order to be able to ascertain the
the eligibility of applications for benefits and the benefits
can ensure the use of this data between the beneficiaries and the
necessary to fulfill the contracts concluded between the beneficiaries. That doesn't change that
nor that as a condition for the use of the grant the processing of these data by Government Decree
makes it binding on the Client within the framework of the contractual relationship. Therefore, the
data on the completion of the 12th week of pregnancy and the expected date of delivery, which
the legal basis for the processing of a pregnant woman's personal data under Article 6 of the GDPR is Article 6 (1) of the GDPR
paragraph (b).
(44) It should also be emphasized that the fact of pregnancy is in itself the health of the pregnant person
including how many weeks of pregnancy you are going and when you are expected to
to give birth. According to Article 9 of the GDPR, personal data are personal data
and their handling is, in principle, prohibited. Health data legally
they can only be dealt with if one of the legal bases set out in Article 6 (1) of the GDPR
In addition, there is a circumstance within the meaning of Article 9 (2) of the GDPR.
(45) Article 9 (2) of the GDPR does not contain an exception which is expressly a contract
would allow the processing of health data in order to meet Article 9 (2) of the GDPR
(a), health data may be processed if one or more of the specific data subject 13
express consent. According to Section 9 (2) of the Government Decree, the spouses a
they must expressly state in the loan agreement that the 12th week of pregnancy
contribute to the processing of data on the loading and expected date of confinement,
that is, the Government Decree apparently settles the legal basis for the processing of health data. THE
In the Authority's view, the contribution is voluntary as one of the contributions
whether the condition of validity is fully enforced during the data management is questionable, since a
without the prior consent of the contracter at the time of conclusion of the contract
no loan agreement would be concluded.
(46) The Client may not review or act on the laws of the Member States which govern it
on the contrary, the Authority finds that in the case of spouses who have
they wish to take advantage of the benefit provided for in the Government Decree with regard to their fetuses,
legally manages the 12th week of pregnancy and the expected date of delivery
data.
(47) The Client shall lawfully manage the data contained in the pregnancy care book in addition to the
spouses ’natural identity and contact information, and the pregnant woman
data on the occupation and education of the Client, which is managed by the Client and the
necessary for the performance of a contract between spouses, including before the conclusion of the contract
credit assessment - and, on the other hand, to fulfill its various legal obligations, e.g. money laundering and
contributing to the prevention and deterrence of terrorist financing. These
the Client has an appropriate purpose and legal basis for its management.
(48) The Authority has a copy of the TAJ number of the pregnant woman in the copy of the pregnancy care book
considers it necessary to emphasize that the TAJ number is in line with the Szaztv. according to
an identification code that is handled and transmitted only by statutory rules
that is, that is, the data controller who is not authorized by law to use the TAJ number
only with the consent of the GDPR concerned in accordance with Article 4 (11). The Szaztv. Section 23
also determines which bodies are authorized to manage the TAJ number, for what purpose,
however, no financial institutions are listed among them, nor is there any other sectoral law
authorizes them, and the parties concerned have not demonstrably contributed to the TAJ
for their handling by the Client, ie they are managed by the Client without a legal basis.
(49) Section III.1 of the Decision. The treatment of the health data described in
(45), supplemented by the fact that the processing of these data is not limited to Article 9 of the GDPR.
None of the circumstances set out in Article 2 (2) apply, but also to the Client
admittedly, it does not have a legal basis under Article 6 of the GDPR. In the Pregnancy Care Book
pregnant women have not demonstrably contributed to the processing of the health data
they are not necessary for the fulfillment of the loan agreement - not including the pregnancy
12th week and the expected date of delivery - their management by the Client
not necessary to fulfill its legal obligation. In addition, the Customer is in the public interest
does not perform a task, does not exercise public power, the data management of the data subjects or other natural
protection of personal vital interests is not necessary, as well as the Customer these
cannot present a legitimate interest in the management of those concerned
rights and freedoms.
(50) The findings made in the previous paragraph with regard to Article 6 (1) of the GDPR are as follows:
personal data not mentioned as hitherto, which do not qualify as health data - who is the pregnant woman
GP, nurse, dentist. 14
(51) In the Authority’s view, the Client should have recognized that the Government Decree
It shall apply subject to the provisions of the GDPR and in conjunction with that legislation
a prudent, proportionate data management practice in line with the principles of data management
to design.
(52) On the basis of the above, the Authority concludes that by the 12th week of pregnancy, the expected
with the exception of the data referred to in point (47) of the Decision
all additional data in pregnancy books, including health data
the Client did not have an adequate legal basis for dealing with the breach, in breach of Article 6 (1) of the GDPR.
as well as Article 9 (1) of the GDPR as regards health data.
IV.3. Necessity and legal basis for the processing of the data recorded in the final reports
(53) According to Section 9 (2) (c) of the Government Decree - in force during the period under review - the subsidized
persons must also declare their commitment, dead, when concluding the loan agreement
in the case of birth or miscarriage, a certificate certifying that this has taken place within a maximum of 60 days a
presented to the credit institution and contribute to the management of that data.
(54) Section 14 (4) and Section 19 (5) of the Government Decree provide that the repayment
application for childcare allowance or childbirth allowance a
must be submitted to a credit institution providing a baby waiting loan, to which the Government Decree must be attached
Documents pursuant to Section 9 (2) (b) and (c). The Government Decree does not define that submission
how the term is to be understood, as a presentation at the bank branch when submitting the application or as a document
a copy to the application. Section 9 (2) (c) of the Government Decree expressly
it provides for the presentation, not the copying, of the documents listed there.
(55) The Client made a copy of the final report on the miscarriage of two subsidized women to the
period in order to verify the above. The final report is a natural identity for women
In addition to the data, it includes the tests performed, the therapy used, and the tests performed
description of the intervention. The health status of women, the examinations, their results, the performed
information on interventions, as well as the fact of miscarriage, Article 4 (15) of the GDPR
health data which are not necessary for the fact of a miscarriage
inappropriate and irrelevant to achieve the purpose of the data processing, therefore the
Authority finds that by handling these, the Client has violated Article 5 (1) of the GDPR
(c).
(56) The Authority finds that, as explained in point (49) of this Decision, the Client does not
in addition to the fact of the abortion and the date thereof, in the final report
in breach of Article 6 (1) of the GDPR,
and Article 9 (1).
IV.4. Information on data management during the application and granting of a baby waiting loan
transparency
(57) The Client provides information in several different documents regarding the application for the baby waiting loan, respectively
in the case of the conclusion of a loan agreement, of the data processing carried out in the course of that agreement, which
documents on the Client 's website, under the […] tab, collected in a clickable form and
grouped under […] addresses are easily accessible. 15
(58) The Authority shall assess the adequacy of the information provided by the Client on the processing of personal data a
examined on the basis of the following documents: […] prospectus; […] Prospectus (a
hereinafter referred to as the Data Management Information); […] (Hereinafter: Application Form); […] (hereinafter:
Business Rules).
(59) According to the Code of Conduct […], the purpose, legal basis and processing of personal data
detailed rules, the data management rights of the Clients on the website and at the bank branches
detailed in the data management information provided. The Terms and Conditions expressly a
no further information on data management in connection with a baby waiting loan
contain.
(60) The prospectus […] is of a general nature and covers data processing of a general nature carried out by […],
thus also for the data management performed by the Client in connection with the baby waiting loan - in which
intends to provide data subjects with information on the aspects of the processing of their personal data.
(61) Section […] of the prospectus sets out the possible processing of data by group members.
objectives in a general way, such as “interest in a service, requesting a service
procedure "or" conclusion of a contract, performance of a contract ". Data management is possible
its legal bases are listed in point […]. The scope of managed data under the title is managed data
categories are described, for example […].
(62) In Section […], the Data Protection Prospectus describes in a similar way to Prospectus […] the
the possible purposes of data management, which are detailed in […].
(63) In […], the Customer defines the processed data for data management purposes, their
"Types", the legal basis for the processing and the retention period uniformly for all […]
in connection with the service. This means that the prospectus is not broken down into individual financials
products separately, e.g. mortgage loan, personal loan, baby waiting loan, family
home creation discount, etc. As a result, any personal data or personal information
data category is listed among the managed data for which you have some type of credit or
necessary for the performance of the contract by the Client during the provision of a cash loan.
(64) In the Authority's view, the definition of the purpose of data processing alone is' with the Bank
data processing required for the performance of a contract ”is too broad, not specific, precise and
final, it is difficult to determine what the aspects of the contract are and
related data management is included because e.g. […] the provision and provision of the service
for the customer as a separate data management purpose, although the general meaning of the words, and
Chapter according to the concept of contract, performance of the contract is nothing more than under contract
provision of a service to be performed.
(65) In the Authority's view, in order for the data management to be transparent to the Client
set more specific data management goals, such as the 12th week of pregnancy and
the purpose of the processing of personal data concerning the expected date of delivery is that the Client sets
be able to verify the legitimacy of the claim or subsequently verify that the grant is supported
persons wish to take advantage of the benefits provided for in the Government Decree with regard to their fetus. THE
Authority does not dispute whether the suspension of repayment or childbirth allowance
is provided within the contractual relationship during the performance of the contract, but the
in the absence of a sufficiently specific definition of data management purposes for data subjects
it is clear why they need to make some of their data available to the Client. 16
(66) In the Authority’s view, the data and categories of data processed in the Data Management Information Sheet […]
its listing in this way does not meet the requirement of transparency either, since it is there
approximately all personal information that the Customer has any credit is listed
or in connection with a loan agreement. As a result, it is difficult for those involved to be convinced
that the fulfillment of their credit or loan agreement with the Client, certain aspects thereof
exactly what information they will need to provide. In the present case, for example, a
Beneficiaries do not have to provide a
details of their property insurance or details of their property sold to the Client within five years, as
these data are irrelevant to the credit they use, while, for example, fetal data is one
they are not relevant in a personal loan agreement. In this regard, the Authority also
notes that it is not entirely clear exactly what data the Client understands
fetal data, as the fetus is not yet legal, the 12th week of pregnancy and the
data on the expected date of delivery are the health data of the mother.
(67) In addition, the Data Protection Information Statement states that the purpose of data processing is to:
fulfillment of the reporting obligation to the Hungarian State Treasury (hereinafter: MÁK).
It does not appear from the Data Protection Information that such a reporting obligation is
When it exists for a customer, it affects what kind of contract stakeholders.
(68) Section 26 of the Government Decree also prescribes the obligation to provide information to the MÁK for control purposes, and
specifies which of the persons supported or the child born
must transfer your personal data to the Customer. Defined in the Privacy Policy
the scope of data does not correspond to the scope of data specified in the Government Decree, e.g. the Data Management
is not indicated in the prospectus of the identity card of the supported persons, travel
document or card format driving license number as data to be transmitted [Gov.
Section 26 (1) (bd) of the Decree].
(69) The Application Form must indicate the identity of the applicants for the baby loan, the credit assessment
necessary personal data, data of the requested loan, statements according to the Government Decree,
which are necessary to establish the eligibility conditions, and […].
(70) Under the heading “[…]”, the Client essentially agrees with the contract, its conclusion and conditions.
provides information on a total of […] points. The Government has been inserted in point […].
statements concerning data processing pursuant to Section 9 (2) of the Decree. According to point […]
and [consent to the processing of their personal data]. In the Authority 's view,
privacy statements should have been separated by the Customer from other contractual
provisions in the interests of transparency. Furthermore, the wording of point […] is incorrect
may give the impression to those concerned that their personal data provided on the Application Form
their legal basis for their management.
(71) In the light of the above, the […] prospectus, the Privacy Notice and the Application Form
The information provided by the customer on the handling of personal data is not transparent, not sufficiently
specific and not suitable for the persons concerned to know and see through the personal
process of handling their data and be aware of exactly which Customer is
for what purpose and on what legal basis they process their personal data. The Authority finds that
Customer does not provide clear and transparent information to those concerned about the baby waiting loan
and the processing of data during the life of the concluded loan agreements
Article 12 (1) of the GDPR 17
IV.5. Legal consequences
(72) The Authority finds that the Client has infringed Article 5 (1) (c) GDPR, Article 6
Article 9 (1), Article 9 (1) and Article 12 (1).
(73) Pursuant to Article 58 (2) (d) of the GDPR, the Authority instructs the Client to
electronic of the pregnancy books and final reports available to him
delete copies, destroy paper-based copies, and credit for doing so
duly substantiated to the Authority.
(74) Pursuant to Article 58 (2) (d) of the GDPR, the Authority instructs the Client to restructure the
application for a baby waiting loan and data management during the concluded contracts
information practice in such a way as to comply with Article 12 (1) of the GDPR
transparency requirements.
(75) The Authority has examined whether it is justified to impose a data protection fine on the Client. E
In particular, the Authority considered all the circumstances of the case under Article 83 (2) of the GDPR.
In view of the circumstances of the case, the Authority found that it had been identified in the present proceedings
in case of infringement - Infotv. 75 / A. § - warning is disproportionate and dissuasive
sanction and therefore a fine should be imposed.
(76) In particular, the Authority took into account that the nature of the infringements committed by the
in accordance with Article 83 (5) (a) and (b) of the GDPR
constitute an infringement falling within the category of fines.
(77) In setting the fine, the Authority took into account the following as aggravating circumstances:
• Infringements committed by Customer are considered serious infringements as follows
[Article 83 (2) (a) GDPR]:
o Infringements found - breach of the principle of data protection, legal basis
without prejudice to the transparency of data processing and the transparency of information,
were continuous in nature, given that during the period considered
persisted .;
o The infringement affects a large number of persons concerned [Article 83 (2) (a) GDPR]:
▪ personal data in connection with the baby waiting loan
Infringement by inadequate information on the management of
Clients are all baby waiters who have a loan agreement or are waiting for a baby
affects your customer in need of a loan. The Client did it during an official inspection
According to the statement, during the period under review, […] persons requested a baby waiting room
a loan, of which the Client has entered into a contract with […] persons;
▪ the health data in the pregnancy care book is illegal
treatment involved a total of […] women during the study period.
o The subject of the present case is a financial arrangement in which the Client
contractual partners in families or in any special life situation
women who are in their most personal life situation during childbearing
they come into contact with the Client to ensure the existential future of their family
in order to. The Authority considers the attached documents from the circumstances of the present case
on the basis of which he concluded that he was particularly violating his privacy by having children
personal and health data relating to such numbers are of a general nature
his treatment.
• Customer has a significant amount of personal information that is a special category
prepared health data on pregnancy books without a legal basis
copies and the two final reports [Article 83 (2) (g) GDPR];
(78) The Authority considered the following as mitigating circumstances:
• In connection with the personal data handled by the Client in the copies of the pregnancy books
admitted to them - not including the 12th week of pregnancy and childbirth expected
unlawfully handled and ordered the erasure of the copies,
or destruction. [Article 83 (2) (c) GDPR];
• Customer has reviewed its applicable data management practices and terminated the
copying pregnancy books and final reports for the future. Sample certificates
the introduction and application of which are suitable so that they cannot be avoided in the future
line can again be used to process data in the context of a baby waiting loan
grants which are not necessary to achieve the purpose of the processing and which
has no legal basis for dealing with it. [Article 83 (2) (f) GDPR];
• The Government Decree did not fully regulate the issues of data management, it did not decide
clearly state how the data will be handled (eg submission under the word presentation or
copying), thus creating an uncertain legal situation in matters of data management
created at baby-waiting loan financial institutions, including the Client. The Authority
considers it necessary to note that in such a case the data controller is concerned with the data processing
decisions need to be made even more carefully when applying data protection legislation
and in particular to enforce data protection principles. [Article 83 (2) GDPR
paragraph (b) and (k)].
(79) In imposing the fine, the Authority also took into account that the Client had not committed
previously relevant data breach. GDPR Article 83 (2) (e)]
(80) In imposing the fine, the Authority did not consider Article 83 (2) (d), (h),
(i), (j), as they cannot be interpreted in the light of the specific case.
(81) The total amount of the Client's balance sheet in 2019 was HUF […] million, HUF […] million.
(82) The amount of the fine was determined by the Authority in accordance with its statutory discretion.
V. Other issues:
(83) The powers of the Authority are limited by Infotv. Section 38 (2) and (2a), its jurisdiction is
covers the whole country.
(84) The decision is based on Article 80.-81. § and Infotv. It is based on Section 61 (1). The decision is based on Ákr. 82.
§ (1), it becomes final with its communication. 19
(85) Art. § 112 and § 116 (1) and § 114 (1), respectively
there is a right of appeal against an administrative action.
(86) The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a
hereinafter: Kp.). A Kp. Pursuant to Section 12 (1) by a decision of the Authority
The administrative lawsuit against the court falls within the jurisdiction of the court. Section 13 (3) a)
The General Court has exclusive jurisdiction under subparagraph (aa) of A Kp. Section 27 (1)
Legal representation shall be mandatory in proceedings falling within the jurisdiction of the General Court under paragraph 1 (b).
A Kp. Pursuant to Section 39 (6), the filing of an application is an administrative act
has no suspensive effect.
(87) A Kp. Section 29 (1) and with this regard Pp. Applicable pursuant to Section 604, electronic
CCXXII of 2015 on the general rules of administration and trust services. Act (a
hereinafter: E-Administration Act) pursuant to Section 9 (1) (b) of the Customer's legal representative
obliged to communicate electronically.
(88) The time and place of the submission of the application are set out in Kp. Section 39 (1). THE
Information on the possibility to request a hearing can be found in Kp. Section 77 (1) - (2)
based on. The amount of the fee for an administrative lawsuit is set out in Act XCIII of 1990 on Fees. law
(hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee is
Itv. Section 59 (1) and Section 62 (1) (h) shall release the party initiating the proceedings.
(89) If the obligor fails to provide adequate evidence of compliance with the required obligation, the Authority will
considers that it has failed to fulfill its obligations within the prescribed period. The Acre. According to § 132, if a
the obligor has not complied with the obligation contained in the final decision of the authority, it shall be enforceable.
The decision of the Authority Pursuant to Section 82 (1), it becomes final upon notification. The Acre.
Section 133 of the Act - unless otherwise provided by law or government decree
- ordered by the decision-making authority. The Acre. Pursuant to Section 134 of the Act - if law,
a government decree or, in the case of a municipal authority, a local government decree otherwise
does not have - is carried out by the state tax authority. Infotv. Pursuant to Section 60 (7) a
Authority to carry out a specific act contained in a decision, specified
the decision as to the obligation to conduct, tolerate or cease
shall be carried out by the Authority.
Budapest, December 16, 2020
Dr. Attila Péterfalvi
President
c. professor
