NAIH - NAIH-2020-2546-5 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 5(1)(c) GDPR Article 6(1) GDPR Article 9(1) GDPR Article 12(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 16.12.2020 |
Published: | |
Fine: | 35000000 HUF |
Parties: | n/a |
National Case Number/Name: | NAIH-2020-2546-5 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Hungarian |
Original Source: | NAIH (in HU) |
Initial Contributor: | Hunprivacy |
The Hungarian DPA (NAIH) held that the controller processed copies of documentation containing personal data (including health data) without a legal basis and not in line with the purpose of processing. The processing was also not in line with the controller's legal obligation to process information on the provision of childbirth incentive loan. NAIH imposed a fine of approx. €97,430.
English Summary
Facts
Two parents turned to NAIH in connection with their credit institute’s processing of personal data regarding their “Childbirth incentive loan”.
The couple applied for suspension of repayment, for which they were eligible under the condition that the fetus is at least 12 weeks old. In order to certify this fact, the administrator of the credit institute copied their pregnancy booklet in its entirety.
The parents were of the opinion that this is unnecessary for the purpose of certifying the age of the fetus, as the pregnancy booklet contains a number of sensitive information.
Following this situation, NAIH conducted an ex officio investigation. In order to have all the necessary and relevant information, NAIH collected statements from the controller.
NAIH found that the controller processed the personal data in question excessively and unlawfully, and therefore had breached multiple GDPR provisions. As a consequence, NAIH imposed a data protection fine of HUF 35,000,000 on the controller.
Dispute
Is the controller’s general data processing practice in compliance with the GDPR in connection with collecting personal data from pregnancy booklets and patient records for the purpose of reviewing the eligibility of a couple for repayment suspension for a “childbirth incentive loan” construction?
Holding
The conditions of a special loan called as “childbirth incentive loan” are set out in a respective Hungarian Government Decree. According to the relevant rules, parents, or parents expecting a child are eligible for suspension of repayment, where specific criteria are met, including that the fetus is at least 12 weeks old.
In order to verify this, certain documents must be presented. The controller in this case requested, amongst others, the copy of the complete pregnancy booklet, with all the information in it, as well as the patient records.
The pregnancy booklet contains a wide range of personal data regulated specifically in a ministerial decree, e.g., detailed information about the health status of the mother, including data related to possible previous pregnancies, details about the circumstances of previous childbirth, or miscarriages.
Regarding the legal basis of the above data processing, NAIH highlighted, that the fact of being pregnant is in itself health data, and as such, can only be processed if one of the legal bases in Article 6 (1) and an additional criterion under Article 9 (2) of the GDPR apply.
Article 9 (2) of the GDPR does not contain an exception that would explicitly allow the processing of health data for the purpose of performing a contract. According to Article 9 (2) (a) of the GDPR, health data may be processed if data subjects give their explicit consent. Pursuant to Section 9 (2) of the relevant Government Decree, the spouses must expressly state in the loan agreement that they consent to the processing of data regarding the 12th week of pregnancy and the expected date of childbirth. By this, the Government Decree settles the legal basis for the processing of health data. However, NAIH raised issues as to the validity of the consent. NAIH is of the opinion that it is questionable whether the consent is freely given, since without the prior consent of the contractor, no loan agreement would be concluded.
NAIH concluded, that the controller violated the principle of data minimization by copying the entire pregnancy booklet, containing excessive health data and other highly sensitive data, as it is not strictly necessary in light of the purpose of the processing. In addition to the excessive collection of special categories of personal data, NAIH highlighted that the affected individuals were in an extremely vulnerable situation.
NAIH also held, that the data controller had, in fact, no appropriate legal basis for the processing.
NAIH held that the continuous nature of the violation of the data subjects’ rights, and the large number of affected individuals were aggravating factors in the case. On the other hand, NAIH acknowledged the fact that the controller reconsidered and changed its data processing operations, and ended its unlawful practice of keeping copies of pregnancy booklets and patient records.
Comment
NAIH has already considered the copying of personal and other documents and processing identification documents by controllers in multiple cases. According to NAIH's practice, copying of documents is generally not necessary for concluding a contract or for pre-contractual screening. Processing of identification documents and relevant identification numbers is also generally unnecessary for the given purpose of processing, unless it is prescribed by law.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Case number: NAIH / 2020/2546/15. Subject: Decision H A T Á R O Z A T Before the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority), the […] hereinafter referred to as the “Customer”) prior to the conclusion of contracts for the provision of a baby waiting loan, or, during the term of the contracts, the lending, the related discounts, the handling of documents containing personal data in connection with grants, and the lawfulness of information on data processing during the granting of a baby waiting loan, the general ex officio data protection to verify compliance with the Data Protection Regulation In administrative proceedings, the Authority shall take the following decisions: I. Finds that the Customer (1) infringed Article 5 (1) (c) of the General Data Protection Regulation (GDPR); the principle of data saving in accordance with the principle of non - compliance with personal data, including health data, in copies of final reports managed that were not necessary to achieve the purpose of the data processing; (2) handled without a legal basis prepared pregnancy books and prepared final reports personal data, including health data, recorded in copies Article 6 (1) of the GDPR and, in the case of health data, Article 9 of the GDPR. Article 1 (1); (3) did not provide clear and transparent information to those concerned about the baby waiting loan and the processing of data during the life of the concluded loan agreements Article 12 (1) of the GDPR. II. Instructs Customer to do so within 60 days of this decision becoming final (1) delete any pregnancy books and final reports still available destroy electronic copies, paper copies, and have done so credibly to the Authority. (2) reshape the baby waiting loan application as well as the contracts concluded information management practices in a manner consistent with Article 12 of the GDPR. transparency requirement under Article 1 (1). III. Due to the unlawful data processing, the Customer shall be informed of the 30th day after the final adoption of this decision within a day HUF 35,000,000, ie thirty-five million forints data protection fine obliges to pay. _______________________________________________________________________________________________________________ 1055 Budapest Tel .: +36 1 391-1400 ugyfelszolgalat@naih.hu Falk Miksa utca 9-11. Fax: +36 1 391-1410 www.naih.hu 2 * * * The fine was imposed on the Authority’s centralized revenue collection forint settlement account (10032000- 01040425-00000000 Centralized direct debit account IBAN: HU83 1003 2000 0104 0425 0000 0000) to be paid for. When transferring the amount, NAIH / 2020/2546. JUDGE. should be referred to. If the Customer fails to meet its obligation to pay the fine within the time limit, a late payment surcharge obliged to pay. The rate of late payment is the statutory interest, which is the calendar affected by the delay equal to the central bank base rate valid on the first day of the first half of the year. A II. obligation under point III. non - payment of the fine and penalty for late payment in accordance with point In that case, the Authority shall order the enforcement of the decision. Until the expiry of the time limit for bringing an action against the decision, or an administrative action until the final decision of the court, the data involved in the disputed data processing shall not can be deleted or not destroyed. A II. within 8 days of the implementation of the measures provided for in point together with supporting evidence, shall notify the Authority. To the Customer as evidence, it must be accompanied by a document fully documenting the fact and IT circumstances of the cancellations a record (s) and a statement that all copies of the said data deleted. There shall be no administrative appeal against this Decision, but it shall be subject to a right of appeal within 30 days of notification An appeal addressed to the Metropolitan Court may be challenged in an administrative lawsuit within one day. THE The application shall be submitted to the Authority, electronically, which shall forward it together with the case file to the court. For those who do not receive a full personal tax exemption, there is an administrative lawsuit fee HUF 30,000, the lawsuit is subject to the right to record material taxes. In the proceedings before the Metropolitan Court, the legal representation is mandatory. I N D O K O L Á S I. Procedure (1) The Authority has received a notification in the public interest in which the notifier has submitted that took a loan with his spouse from the Client. The applicant and his spouse have requested the Client to suspension of loan repayment. The Customer's administrator copied the entire a pregnancy care book to prove that the fetus was 12 weeks old. (2) On the basis of the notification in the public interest, the circumstance giving rise to the initiation of the official inspection came to the Authority, so that the Authority, on 24 January 2020, issued NAIH / 2020/1156. case number of the Customer initiated a formal inspection to verify that the Customer whether its general data management practices in relation to baby loans are in line with a GDPR requirements. 3. The Authority shall make a declaration at the same time as it notifies the initiation of the official control called the Customer. The Client's statement was received by the Authority on 14 February 2020. 3 (4) Based on the Client's statement and additional information revealed during the official inspection it was probable that the Client had breached the provisions of the GDPR, therefore the Authority is In its case, NAIH / 2020/2546 initiated ex officio data protection proceedings on 28 February 2020. case number. The investigation period covered the period from 1 July 2019 to 28 February 2020. (5) In addition to the notification of the data protection authority procedure, the Authority shall clarify the facts In order to do so, he invited the Client to make a statement, and in his order he reserved the ones already concluded loan transactions performed by the Client on the maternity books, the adoption paper - based decisions, abortion or stillbirth documents, and electronic copies. The Authority left the seized copies of the documents in the custody of the Client. THE It was necessary to order a seizure because, on the basis of the Client's statement, its there is a risk that the copies of the records, in the context of the Client's own review of deleted before the end of the data protection authority procedure. (6) In its statement dated 15 May 2020 (NAIH / 2020/2546/2), the Client informed the Authority to comply with the attachment order, the paper - based and destruction of electronic copies of documents, deletion from systems upon receipt of the order suspended after. (7) On 22 June 2020, the Authority adopted Decision NAIH / 2020/2546/3. clarification of the facts in its order no In order to do so, he invited the Client to make a statement and send various copies of the documents. (8) In the Client's letter dated 8 July 2020, the deadline for reply is an additional 15 The Authority requested the extension of the application by NAIH / 2020/2546/5. No. in his order. The Client's statement and the requested documents are electronic, with a password A copy of the protected copies was received by the Authority on 30 July 2020. (9) In order to clarify the facts, the Authority should amend NAIH / 2020/2546/9. in his order no invited the client to make a statement on October 20, 2020. Customer Statement November 2020 He arrived at the Authority on the 25th. (10) The Authority shall, in the course of loan transactions already concluded by the Client in the care of pregnant women books, adoption decisions, proof of miscarriage or stillbirth seizure of paper and electronic copies of documents on 14 December 2020 terminated by order of. II. Clarification of the facts (11) Decree 44/2019 on the baby waiting allowance. (III.12.) Government Decree (hereinafter: Government Decree) under the baby waiting loan interest subsidized, the transaction interest on behalf of the state to the Treasury disbursed to the credit institution. (12) Beneficiaries - ie the spouses with whom the financial institution is expecting a baby loan are entitled to a suspension of repayment - other after the 12th week of pregnancy, including the post-natal period or if they adopt a child together. (13) Beneficiaries are entitled to a non-refundable fee in the event of the second or third child childbirth allowance, the amount of which is for the second child from the baby-waiting loan 30% of the outstanding debt and, in the case of a third child, the remaining 4 amount corresponding to the loan debt. Childbirth allowance to suspend repayment similarly after the 12th week of pregnancy, including the postpartum period, or can be requested in case of adoption. (14) An application for suspension of repayment and child-raising allowance should be submitted to the credit institution. to be submitted, which must be accompanied by the provisions of Section 9 (2) (b) and (c) of the Government Decree. which are as follows: • the 12th week of pregnancy and the expected date of delivery to prove the maternity care book, the data content of which is 26/2014 on maternity care. (IV. 8.) Annex 1 of the EMMI Decree (or, after 1 July 2020, in the Government Decree a document issued by the treating physician with a specific content); • in the case of a blood child, proof of birth: the child's birth birth certificate, official certificate of residence and tax ID; • in the case of an adopted child, the final authorizing the adoption decision, the official identity card of the child and the tax ID; • a statement in full private evidence from the beneficiaries stating that that they live in a household; • in the case of stillbirth or miscarriage, the document certifying the occurrence, In client practice, the final report was (fetal death as of July 1, 2020) in the case of a document pursuant to Annex 3 of the Government Decree; stillbirth on the examination of the dead and the procedure relating to the dead in the case of a document according to a government decree, or in the event of the death of a child born alive death certificate). (15) In order to suspend repayment and apply for childbirth allowance, the Client shall use the same a systematized the form. For these requests, the original of the above documents demanded a presentation, of which he made a copy, not including in a household declaration of origin, as it required it to be submitted in the original. This […] Of the Regulations (hereinafter: the Product Regulations). (16) Electronic copies of the above documents shall be sent to the Customer on or after 1 November 2019 prior to that, its predecessors recorded and stored them in their process management systems. (17) […] From 1 November 2019, paper-based documents in the customer files in the branches have been placed. (18) With regard to the handling of paper-based documents and copies of documents, since 1 November 2019, the The practice of the Customer 's bank branches is uniform, it is stated in Annex […] of the Product Regulations and regulated by its annexes […]. (19) In the course of the procedure, the Client referred to the previous decision of the Authority - Data Protection Officers 2019. conference, received from data protection officials, not in the context of video presentations expressed in question 25 of the document "Answered questions" that "A Authority shall accept copies if the employer, as data controller, is such develop a practice of making copies only of data whose 5 otherwise entitled to handle it. In this case, copy the data on the document data management operation, but not a new data management purpose compared to the original purpose of data collection, but a way of collecting data for the original purpose of data processing and the related legal basis, which otherwise helps to ensure the accuracy of the data. " (20) The Client shall list and make available on the […] website the information related to the baby waiting loan documents, including documents governing data management, e.g. […]. (21) The Client informed the Authority that between 1 July 2019 and 30 January 2020 in total […] Persons applied for a baby waiting loan from him, of which […] granted a baby waiting loan to a person, which means a total of […] transactions. […] Transaction was suspended during the repayment of the first after child and […] supported couple claimed childbirth allowance for the second or after the third child. (22) Upon receipt of the Client's order to initiate official control reviewed its rules of procedure and the forms requested. Of this abolished the pregnancy books, the adoption permit copies of decisions, documents certifying miscarriage or stillbirth, and this information, prepared separate model certificates to prove the circumstances, on which the beneficiary declares the on the correctness of the data ordered by the Government Decree on the basis of the presented documents. To prove this, the statement is accompanied by the amended […] Product Regulations in […] of which the Client has expressly stated that it is to be presented documents (maternity care book, adoption decision, stillbirth or birth certificate) abortion certificate) is strictly forbidden. In addition to these, the Authority made available the amended annexes - [kidolg] - and the newly developed certificates - to the […] - patterns as well. (23) The Client has also reviewed the documents of the baby waiting loan from the point of view of data protection, which were not affected by the Authority's request. On the implementation of the amendments on 15 May 2020 informed the Authority, the amended Product Regulations, in its statement dated […] application for support and to verify the data in the […] pregnancy care book attached to his statement of 27 July 2020. (24) The Client has stated that in respect of the transactions already concluded in which In the absence of legal authorization, copies were made pursuant to Section 9 (2) (b) and (b) of the Government Decree c), decided to make copies of paper-based documents on the annulment of the decision, on the recording of the fact of the destruction, and on the the indication of the data required by law and the deletion of electronic copies of documents, and has begun to do so, following an order by the Authority ordering a seizure suspended. (25) At the request of the Authority, the Client provided the Authority with the information from 1 July 2019 to 2019. 1 August 2020 and 1 January 2020-2020. in the periods between January 30 and pregnancy copies of books. (26) No copy of the adoption decision was made during the period under review, while abortion or death A total of 2 copies were made of the birth certificate - the final report - the other two In this case, the abortion has already been verified with a sample of the certificate prepared by the Client, which only the natural identity data, address of the pregnant woman, 6 of the 12th week of pregnancy miscarriage or stillbirth and to identify the specialist contain the necessary details and signature. (27) In order to verify the actual application of the new amended certificates, the Client shall 5 from the period from 1 February to 15 March 2020, signed by the parties concerned, a a copy of the certificate marked with the number […] certifying the presentation of the maternity care book made available to him. III. Applicable legal provisions Following the period under review, the Government Decree was amended several times. The Authority is the Government. Regulation took into account the provisions in force during the period under review on the lawfulness of data processing in its assessment. Pursuant to Article 2 (1) of the GDPR, the GDPR applies to the processing of data in the present case. The relevant provisions of the GDPR in the present case are the following: GDPR Recital 35: Personal health data include the data subject health data which provide information on the past, current or future physical or mental health. These include: a personal data relating to a natural person which are provided to the individual in accordance with Directive 2011/24 / EU for the purposes of healthcare referred to in Directive (9) of the European Parliament and of the Council during registration or provision of such services, the natural person number, sign or data assigned to it for individual identification for health purposes, any part of the body or constituent material of the body, including genetic data and biological samples - information resulting from testing or examination, and any, such as the data subject illness, disability, disease risk, medical history, clinical treatment or information on its physiological or biomedical condition, whatever its source, which it can be, for example, a doctor or other healthcare professional, a hospital, a medical device or in vitro diagnostic test. GDPR Article 4, point 15: "health data" means the physical or mental health of a natural person personal data, including health care provided to the natural person services that also carry information about the natural person’s health status. GDPR Article 5 (1) (c): Personal data for the purposes of data processing they must be appropriate and relevant and limited to what is necessary (“Data saving”). GDPR Article 6 (1) (b) and (c) and (3): Processing of personal data only lawful if and to the extent that at least one of the following is met: (b) the processing is necessary for the performance of a contract to which one of the parties is a party, or necessary to take steps at the request of the data subject before concluding the contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; 3. The legal basis for the processing referred to in points (c) and (e) of paragraph 1 shall be determined by: (a) Union law, or (b) the law of the Member State to which the controller is subject. 7 The purpose of the processing shall be defined by reference to this legal basis or in paragraph 1 (e) with regard to the processing of such data, it must be necessary in the public interest or in the public interest task performed in the framework of the exercise of a public authority delegated to a data controller to implement. This legal basis may include adjustments to the application of the rules contained in this Regulation provisions governing the lawfulness of data processing by the controller conditions, the type of data which are the subject of the processing, the data subjects, the legal with which personal data may be communicated and the purposes of such communication for the purpose of data processing restrictions on the duration of data storage and data processing operations, as well as other data management procedures so as to ensure lawful and fair data management measures, including those set out in Annex IX. for other specific data management situations as defined in Chapter for. Union or Member State law must pursue a public interest objective and be proportionate for the legitimate aim pursued. GDPR Article 9 (1): Racial or ethnic origin, political opinion, religion or belief personal data referring to worldviews or trade union membership, and genetic and biometric data for the unique identification of natural persons, health data and on the sexual life or sexual orientation of natural persons the processing of personal data is prohibited. GDPR Article 12 (1): The controller shall take appropriate measures to ensure that referred to in Articles 13 and 14 concerning the processing of personal data information and Articles 15 to 22. and 34, each information in a concise, transparent, comprehensible and in an easily accessible form, in a clear and comprehensible manner, in particular: for any information addressed to children. The information shall be provided in writing or otherwise - including, where appropriate, the electronic route. Oral information at the request of the data subject provided that the identity of the data subject has been otherwise established. Article 58 (2) (b), (d) and (i) GDPR: Acting in the corrective power of the supervisory authority: (b) condemn the controller or the processor if his or her data processing activities have infringed this provisions of this Regulation; (d) instruct the controller or processor to carry out its data processing operations, where applicable in a specified manner and within a specified period, in accordance with the provisions of this Regulation; (i) impose an administrative fine in accordance with Article 83, depending on the circumstances of the case in addition to or instead of the measures referred to in paragraph 1; Article 83 (1) to (2) and (5) (a) to (b) of the GDPR: 1. Each supervisory authority shall ensure that: infringements of this Regulation referred to in paragraphs 4, 5, 6 administrative fines should be effective, proportionate and dissuasive in each case. 2. Administrative fines shall be imposed in accordance with Article 58 (2) (a) to (2), depending on the circumstances of the case. It shall be imposed in addition to or instead of the measures referred to in points (h) and (j). When deciding that whether it is necessary to impose an administrative fine or the amount of the administrative fine In each case, due account shall be taken of the following: (a) the nature, gravity and duration of the breach, taking into account the nature of the processing in question; the scope or purpose of the infringement and the number of persons affected by the infringement and by them the extent of the damage suffered; (b) the intentional or negligent nature of the infringement; 8 (c) the mitigation of damage suffered by the data subject by the controller or the processor any measures taken to (d) the extent of the responsibility of the controller or processor, taking into account the Technical and organizational measures taken pursuant to Article 32; (e) relevant infringements previously committed by the controller or the processor; (f) the supervisory authority to remedy the breach and the possible negative effects of the breach the extent of cooperation to alleviate (g) the categories of personal data affected by the breach; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor reported the breach and, if so, in what detail; (i) if, previously against the controller or processor concerned, on the same subject matter, ordered one of the measures referred to in Article 58 (2), the compliance with measures; (j) whether the controller or processor has considered itself approved in accordance with Article 40 codes of conduct or approved certification mechanisms in accordance with Article 42; and (k) other aggravating or mitigating factors relevant to the circumstances of the case, such as: financial gain obtained or avoided as a direct or indirect consequence of the infringement loss. 5. Infringements of the following provisions in accordance with paragraph 2 shall not exceed 20 000 000 With an administrative fine of EUR 1 million or, in the case of undertakings, the previous financial year in full amounting to a maximum of 4% of its annual worldwide turnover, a higher amount should be charged: (a) the principles of data processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9; (b) the rights of data subjects under Articles 12 to 22. in accordance with Article Infotv. Pursuant to Section 2 (2), the General Data Protection Decree is indicated therein shall apply with the additions provided for in Infotv. Pursuant to Section 60 (1), the enforcement of the right to the protection of personal data In order to do so, the Authority may initiate ex officio data protection proceedings. The data protection authority procedure CL of the General Administrative Procedure of 2016. Act (hereinafter: Act) rules shall apply with the additions specified in the Information Act and the general data protection with derogations under this Regulation. Infotv. Section 61 (6): Until the expiry of the time limit for bringing an action open to challenge the decision, or, in the case of the initiation of an administrative lawsuit, until the final decision of the court is involved in the disputed data processing data cannot be deleted or destroyed. Infotv. Section 71 (2): The Authority shall obtain a document or data lawfully obtained in the course of its proceedings you may use another means of proof in another procedure. Infotv. 75 / A. § the Authority in Article 83 (2) - (6) of the General Data Protection Regulation shall exercise its powers in accordance with the principle of proportionality, in particular by: legislation on the processing of personal data or in a binding act of the European Union for the first time in the event of a breach of the rules, to remedy the breach in accordance with Article 58 of the General Data Protection Regulation, in particular the controller or by alerting the data controller. 9 Section 9 (2) (b) and (c) of the Government Decree (in force between 1 July 2019 and 29 February 2020) time status): The loan agreement contains the beneficiaries (b) a statement that the 12th week of pregnancy and the expected date of confinement are certified by the maternity care book and contribute to the management of this data, (c) a statement that, if not after the birth or adoption of the child claim family support or, if they are claimed at a family the child's birth certificate, official certificate proving the address and tax certificate, or, in the case of an adopted child, the final decision authorizing the adoption, and an official identity card and a tax certificate proving the residence of the adopted child, and in a private document of full probative value living in the household or, in the event of the death of the fetus, in accordance with Annex 3 a document with a specific content, in the case of stillbirth, on the examination of the dead and with the dead or a child born alive in the event of his death, a death certificate certifying that this has taken place, within a maximum of 60 days presented to the credit institution and consent to the management of that data. Government Decree § 14 (1) and (4): Beneficiaries to suspend repayment eligible (a) after a fetus of at least 12 weeks of gestation, if the gestation is due to the loan application on or after the date of submission of the loan and at the latest from the disbursement of the loan reaches the 12th week of pregnancy within a period of 5 years, or (b) adopted after the entry into force of this Regulation and adopted jointly by the beneficiaries after the child, if the decision authorizing the adoption after the submission of the loan application, but it will become final no later than 5 years after the disbursement of the loan. 4. An application for suspension of repayment shall be submitted to the credit institution. Attach to the application the documents specified in Section 9 (2) (b) and (c), respectively. Section 19 (1), (2), (5), (7), (8) of the Government Decree: The supported persons in paragraph (2) meets certain conditions (a) in the case of their second child, 30% of the outstanding debt under this Regulation amount, (b) in the case of their third child, corresponding to the total outstanding debt under this Regulation amount are entitled to a non-refundable childbirth allowance. (2) Childbirth allowance (a) in the event of pregnancy occurring on or after the date on which the loan application is submitted, may be claimed after a fetus of at least 12 weeks of gestation for beneficiaries, and (b) adopted after the entry into force of this Regulation and adopted jointly by the beneficiaries may be applied for after a child if the decision authorizing adoption is the submission of a loan application becomes final after. 5. An application for child-raising allowance shall be submitted to the credit institution. Attach to the application the documents specified in Section 9 (2) (b) and (c), respectively. (7) The fulfillment of the eligibility conditions shall be established by the credit institution on the basis of the submitted certificates. (8) In the case of recourse to childbirth allowance with regard to the fetus, the childbirth allowance the expected date of confinement must be indicated when the allowance is fixed. 26/2014 on pregnant care. (IV. 8.) of EMMI Decree 1 the contents of a pregnancy care book. 10 About the identification methods that replace the personal identification mark and the use of identification codes XX of 1996 (hereinafter: Szaztv.) Section 7 (2): The data controller who is appointed by law does not authorize the use of an identification code, the identification code specified in § 6 can only be used by the citizen preliminary, in accordance with Article 4 (11) of Regulation (EU) 2016/679 of the European Parliament and of the Council with your consent or with the consent given in the administrative order. The Szaztv. § 23 determines which bodies are entitled to manage the TAJ number and for what purpose. ARC. Decision: IV.1. The need to process personal data recorded in the pregnancy care book (28) Pursuant to Section 9 (2) (b) of the Government Decree - in force at the beginning of the official proceedings - the beneficiaries must declare at the time of concluding the loan agreement that: the 12th week of pregnancy and the expected date of delivery with a pregnancy care book verify and consent to the processing of this data. The 12th week of pregnancy and the proof of the expected date of confinement is required if the fetus is 12 weeks old the assisted couple wishes to claim a discount, ie to suspend the repayment, or childbirth allowance. (29) Section 14 (4) and Section 19 (5) of the Government Decree provide that the repayment application for childcare allowance or childbirth allowance a must be submitted to a credit institution providing a baby waiting loan, to which the Government Decree must be attached Documents pursuant to Section 9 (2) (b) and (c). The Government Decree does not define that submission how the term is to be understood, as a presentation at the bank branch when submitting the application or as a document a copy to the application. Subject to Section 9 (2) (b) of the Government Decree which is only expected for the 12th week of pregnancy and childbirth and that from 13 June 2020 the Government Decree § 9 (2) In accordance with paragraph 2 (b), the above data shall relate to obstetrics with the content specified in Annex 2. may also be attested by a certificate issued by a gynecologist, in the opinion of the Authority submission shall be construed in a narrower sense as a presentation. (30) What data should be recorded and what data can be recorded in pregnancy care 26/2014 on Pregnancy Care. (IV. 8.) EMMI Decree (hereinafter: EMMI Regulation). In the pregnancy care book, the pregnant woman is natural In addition to the personal identification data, the social security number is indicated sign, place of residence, place of residence, place of work, occupation, education, telephone number, a the name and address of the next of kin (page 1). They shall also indicate: data on those involved in maternity care, ie the area nurse, the GP, the obstetrician, the various details of a gynecologist or midwife, e.g. name, address, phone number, email address (Page 2). (31) At the expected time of confinement or in addition to the fact that the obstetrician-gynecologist in which week the pregnant woman appeared - from which it can be calculated that the 12th week of pregnancy when loaded - a number of additional details will be recorded in the pregnancy care book, some of which are health data. The pregnancy care book contains the pregnant woman blood group, risk classification of pregnancy, data on previous births and pregnancies (3. side). These data include that if a pregnant woman has already given birth, when was she born, in how many weeks of pregnancy, how many grams was the newborn born, what was it like 11 whether its position - cranial position, pelvic end, transverse position - was there any complication during labor, vaginal delivery - episiotomy or barrier protection, or by gripping surgery or vacuum extraction - or by cesarean section, or that the child what state of health you are in when you are admitted to another pregnancy. (32) Data on ‘failed pregnancies’ indicate in which year, the number of pregnancies how many weeks and how the pregnancy was terminated: with an artificial or spontaneous abortion, or whether it was angina or ectopic pregnancy in a pregnant woman. (33) In addition to the above, a history of diseases, diseases, surgeries - developmental disorders in the parents' family, inherited diseases, drug sensitivity or test finding (page 4). It is also recorded by the dentist study findings (page 4), records of those involved in pregnancy care (pages 8-13), in which they record when, in what week of pregnancy the size of the pregnant woman was body weight, blood pressure, heart rate, abdominal circumference and the position of the fundus, as well as symptoms observed during the studies and the therapy or measure recommended for them. (34) Also included in the Pregnancy Care Book (pages 6-7) according to the EMMI Regulation free, mandatory examinations - e.g. various blood tests, urine tests, ultrasound tests or genetic testing (page 14) if the pregnant woman is 37 years of age at conception assessment and any specialist comments, and when it was the first day of the last menstrual period, usually how long a menstrual cycle is and what the birth is expected date. (35) The Authority notes that there is no explicit section in the Pregnancy Care Book in which it could be indicated when the 12th week of pregnancy was loaded, it can only be calculated may be from when, in what week of pregnancy the proof of pregnancy occurred. This should or can be listed in two places in the pregnancy care book, first inside it on page 7, which is completed by the nurse, and on page 7, “The ultrasound of intrauterine pregnancy examination ’, completed by the obstetrician and gynecologist performing the examination. (36) As acknowledged by the customer, the Client supported it in accordance with its general practice during the period considered on a women’s pregnancy care book who, along with their spouses, applied for a baby-waiting loan suspension of childbirth or childbirth allowance made a copy for the 12th week of pregnancy, sometimes to varying degrees. (37) The Authority examined the pregnancy books provided by the Client made copies showing that […] the practice of each account was not uniform the extent to which a copy of the pregnancy care book was made. Some […] accounts copied the entire pregnancy care book, others only natural pages with personal information and the expected date of delivery. Also a copy attached is the Client, which was made exclusively from the page of the pregnancy care book on which the specialist indicates the expected date of delivery. However, in addition to these, there are also copies were made which did not contain the pages on which the expected date of confinement was given or from which the 12th week of pregnancy could have been calculated. (38) The data content of the copies of the pregnancy books of each beneficiary varies according to the depending on the personal circumstances of the spouses, the number of their children or whether at what stage of pregnancy did the Client turn to suspend the repayment, or 12 application for childbirth allowance, as the more advanced the pregnancy, the more several test results are recorded in the pregnancy care book. (39) In addition to the data specified in the EMMI Regulation, nurses and general practitioners are unique comments have also been included in pregnancy books, e.g. how many days was the the menstrual cycle of a pregnant woman at the age of 15 or the age of her first child breastfed. (40) The processing of data listed in the above paragraphs, in particular health data, is not necessary to complete the 12th week of pregnancy and the expected date of delivery a supported by the Client are certified to the Client, i.e. by the Client in the Pregnancy Books data handled in copies - excluding the expected date of delivery and the pregnancy is loaded are not appropriate for the purpose of data processing and are not relevant, they go far beyond the required range of data and the Authority therefore concludes that that the Customer has violated the principle of data protection pursuant to Article 5 (1) (c) of the GDPR. IV.2. Handling of personal information contained in copies of maternity care books legal basis (41) Certain conditions for the use of the baby waiting loan and related aid are a Government Decree, in addition to in accordance with Section 4 (4) of the Government Decree a loan agreement may be concluded only with claimants who are covered by the credit institution's general internal rules according to which it qualifies as creditworthy for the borrowing requested. (42) According to Section 9 (2) (b) of the Government Decree in force during the period under review, the repayment pause and childbirth allowance for the 12th week of pregnancy and the expected date of confinement must be evidenced by the pregnancy record book if the to apply for discounts to the Customer to submit the child takes place before birth. (43) The processing of this data by the Client is necessary in order to be able to ascertain the the eligibility of applications for benefits and the benefits can ensure the use of this data between the beneficiaries and the necessary to fulfill the contracts concluded between the beneficiaries. That doesn't change that nor that as a condition for the use of the grant the processing of these data by Government Decree makes it binding on the Client within the framework of the contractual relationship. Therefore, the data on the completion of the 12th week of pregnancy and the expected date of delivery, which the legal basis for the processing of a pregnant woman's personal data under Article 6 of the GDPR is Article 6 (1) of the GDPR paragraph (b). (44) It should also be emphasized that the fact of pregnancy is in itself the health of the pregnant person including how many weeks of pregnancy you are going and when you are expected to to give birth. According to Article 9 of the GDPR, personal data are personal data and their handling is, in principle, prohibited. Health data legally they can only be dealt with if one of the legal bases set out in Article 6 (1) of the GDPR In addition, there is a circumstance within the meaning of Article 9 (2) of the GDPR. (45) Article 9 (2) of the GDPR does not contain an exception which is expressly a contract would allow the processing of health data in order to meet Article 9 (2) of the GDPR (a), health data may be processed if one or more of the specific data subject 13 express consent. According to Section 9 (2) of the Government Decree, the spouses a they must expressly state in the loan agreement that the 12th week of pregnancy contribute to the processing of data on the loading and expected date of confinement, that is, the Government Decree apparently settles the legal basis for the processing of health data. THE In the Authority's view, the contribution is voluntary as one of the contributions whether the condition of validity is fully enforced during the data management is questionable, since a without the prior consent of the contracter at the time of conclusion of the contract no loan agreement would be concluded. (46) The Client may not review or act on the laws of the Member States which govern it on the contrary, the Authority finds that in the case of spouses who have they wish to take advantage of the benefit provided for in the Government Decree with regard to their fetuses, legally manages the 12th week of pregnancy and the expected date of delivery data. (47) The Client shall lawfully manage the data contained in the pregnancy care book in addition to the spouses ’natural identity and contact information, and the pregnant woman data on the occupation and education of the Client, which is managed by the Client and the necessary for the performance of a contract between spouses, including before the conclusion of the contract credit assessment - and, on the other hand, to fulfill its various legal obligations, e.g. money laundering and contributing to the prevention and deterrence of terrorist financing. These the Client has an appropriate purpose and legal basis for its management. (48) The Authority has a copy of the TAJ number of the pregnant woman in the copy of the pregnancy care book considers it necessary to emphasize that the TAJ number is in line with the Szaztv. according to an identification code that is handled and transmitted only by statutory rules that is, that is, the data controller who is not authorized by law to use the TAJ number only with the consent of the GDPR concerned in accordance with Article 4 (11). The Szaztv. Section 23 also determines which bodies are authorized to manage the TAJ number, for what purpose, however, no financial institutions are listed among them, nor is there any other sectoral law authorizes them, and the parties concerned have not demonstrably contributed to the TAJ for their handling by the Client, ie they are managed by the Client without a legal basis. (49) Section III.1 of the Decision. The treatment of the health data described in (45), supplemented by the fact that the processing of these data is not limited to Article 9 of the GDPR. None of the circumstances set out in Article 2 (2) apply, but also to the Client admittedly, it does not have a legal basis under Article 6 of the GDPR. In the Pregnancy Care Book pregnant women have not demonstrably contributed to the processing of the health data they are not necessary for the fulfillment of the loan agreement - not including the pregnancy 12th week and the expected date of delivery - their management by the Client not necessary to fulfill its legal obligation. In addition, the Customer is in the public interest does not perform a task, does not exercise public power, the data management of the data subjects or other natural protection of personal vital interests is not necessary, as well as the Customer these cannot present a legitimate interest in the management of those concerned rights and freedoms. (50) The findings made in the previous paragraph with regard to Article 6 (1) of the GDPR are as follows: personal data not mentioned as hitherto, which do not qualify as health data - who is the pregnant woman GP, nurse, dentist. 14 (51) In the Authority’s view, the Client should have recognized that the Government Decree It shall apply subject to the provisions of the GDPR and in conjunction with that legislation a prudent, proportionate data management practice in line with the principles of data management to design. (52) On the basis of the above, the Authority concludes that by the 12th week of pregnancy, the expected with the exception of the data referred to in point (47) of the Decision all additional data in pregnancy books, including health data the Client did not have an adequate legal basis for dealing with the breach, in breach of Article 6 (1) of the GDPR. as well as Article 9 (1) of the GDPR as regards health data. IV.3. Necessity and legal basis for the processing of the data recorded in the final reports (53) According to Section 9 (2) (c) of the Government Decree - in force during the period under review - the subsidized persons must also declare their commitment, dead, when concluding the loan agreement in the case of birth or miscarriage, a certificate certifying that this has taken place within a maximum of 60 days a presented to the credit institution and contribute to the management of that data. (54) Section 14 (4) and Section 19 (5) of the Government Decree provide that the repayment application for childcare allowance or childbirth allowance a must be submitted to a credit institution providing a baby waiting loan, to which the Government Decree must be attached Documents pursuant to Section 9 (2) (b) and (c). The Government Decree does not define that submission how the term is to be understood, as a presentation at the bank branch when submitting the application or as a document a copy to the application. Section 9 (2) (c) of the Government Decree expressly it provides for the presentation, not the copying, of the documents listed there. (55) The Client made a copy of the final report on the miscarriage of two subsidized women to the period in order to verify the above. The final report is a natural identity for women In addition to the data, it includes the tests performed, the therapy used, and the tests performed description of the intervention. The health status of women, the examinations, their results, the performed information on interventions, as well as the fact of miscarriage, Article 4 (15) of the GDPR health data which are not necessary for the fact of a miscarriage inappropriate and irrelevant to achieve the purpose of the data processing, therefore the Authority finds that by handling these, the Client has violated Article 5 (1) of the GDPR (c). (56) The Authority finds that, as explained in point (49) of this Decision, the Client does not in addition to the fact of the abortion and the date thereof, in the final report in breach of Article 6 (1) of the GDPR, and Article 9 (1). IV.4. Information on data management during the application and granting of a baby waiting loan transparency (57) The Client provides information in several different documents regarding the application for the baby waiting loan, respectively in the case of the conclusion of a loan agreement, of the data processing carried out in the course of that agreement, which documents on the Client 's website, under the […] tab, collected in a clickable form and grouped under […] addresses are easily accessible. 15 (58) The Authority shall assess the adequacy of the information provided by the Client on the processing of personal data a examined on the basis of the following documents: […] prospectus; […] Prospectus (a hereinafter referred to as the Data Management Information); […] (Hereinafter: Application Form); […] (hereinafter: Business Rules). (59) According to the Code of Conduct […], the purpose, legal basis and processing of personal data detailed rules, the data management rights of the Clients on the website and at the bank branches detailed in the data management information provided. The Terms and Conditions expressly a no further information on data management in connection with a baby waiting loan contain. (60) The prospectus […] is of a general nature and covers data processing of a general nature carried out by […], thus also for the data management performed by the Client in connection with the baby waiting loan - in which intends to provide data subjects with information on the aspects of the processing of their personal data. (61) Section […] of the prospectus sets out the possible processing of data by group members. objectives in a general way, such as “interest in a service, requesting a service procedure "or" conclusion of a contract, performance of a contract ". Data management is possible its legal bases are listed in point […]. The scope of managed data under the title is managed data categories are described, for example […]. (62) In Section […], the Data Protection Prospectus describes in a similar way to Prospectus […] the the possible purposes of data management, which are detailed in […]. (63) In […], the Customer defines the processed data for data management purposes, their "Types", the legal basis for the processing and the retention period uniformly for all […] in connection with the service. This means that the prospectus is not broken down into individual financials products separately, e.g. mortgage loan, personal loan, baby waiting loan, family home creation discount, etc. As a result, any personal data or personal information data category is listed among the managed data for which you have some type of credit or necessary for the performance of the contract by the Client during the provision of a cash loan. (64) In the Authority's view, the definition of the purpose of data processing alone is' with the Bank data processing required for the performance of a contract ”is too broad, not specific, precise and final, it is difficult to determine what the aspects of the contract are and related data management is included because e.g. […] the provision and provision of the service for the customer as a separate data management purpose, although the general meaning of the words, and Chapter according to the concept of contract, performance of the contract is nothing more than under contract provision of a service to be performed. (65) In the Authority's view, in order for the data management to be transparent to the Client set more specific data management goals, such as the 12th week of pregnancy and the purpose of the processing of personal data concerning the expected date of delivery is that the Client sets be able to verify the legitimacy of the claim or subsequently verify that the grant is supported persons wish to take advantage of the benefits provided for in the Government Decree with regard to their fetus. THE Authority does not dispute whether the suspension of repayment or childbirth allowance is provided within the contractual relationship during the performance of the contract, but the in the absence of a sufficiently specific definition of data management purposes for data subjects it is clear why they need to make some of their data available to the Client. 16 (66) In the Authority’s view, the data and categories of data processed in the Data Management Information Sheet […] its listing in this way does not meet the requirement of transparency either, since it is there approximately all personal information that the Customer has any credit is listed or in connection with a loan agreement. As a result, it is difficult for those involved to be convinced that the fulfillment of their credit or loan agreement with the Client, certain aspects thereof exactly what information they will need to provide. In the present case, for example, a Beneficiaries do not have to provide a details of their property insurance or details of their property sold to the Client within five years, as these data are irrelevant to the credit they use, while, for example, fetal data is one they are not relevant in a personal loan agreement. In this regard, the Authority also notes that it is not entirely clear exactly what data the Client understands fetal data, as the fetus is not yet legal, the 12th week of pregnancy and the data on the expected date of delivery are the health data of the mother. (67) In addition, the Data Protection Information Statement states that the purpose of data processing is to: fulfillment of the reporting obligation to the Hungarian State Treasury (hereinafter: MÁK). It does not appear from the Data Protection Information that such a reporting obligation is When it exists for a customer, it affects what kind of contract stakeholders. (68) Section 26 of the Government Decree also prescribes the obligation to provide information to the MÁK for control purposes, and specifies which of the persons supported or the child born must transfer your personal data to the Customer. Defined in the Privacy Policy the scope of data does not correspond to the scope of data specified in the Government Decree, e.g. the Data Management is not indicated in the prospectus of the identity card of the supported persons, travel document or card format driving license number as data to be transmitted [Gov. Section 26 (1) (bd) of the Decree]. (69) The Application Form must indicate the identity of the applicants for the baby loan, the credit assessment necessary personal data, data of the requested loan, statements according to the Government Decree, which are necessary to establish the eligibility conditions, and […]. (70) Under the heading “[…]”, the Client essentially agrees with the contract, its conclusion and conditions. provides information on a total of […] points. The Government has been inserted in point […]. statements concerning data processing pursuant to Section 9 (2) of the Decree. According to point […] and [consent to the processing of their personal data]. In the Authority 's view, privacy statements should have been separated by the Customer from other contractual provisions in the interests of transparency. Furthermore, the wording of point […] is incorrect may give the impression to those concerned that their personal data provided on the Application Form their legal basis for their management. (71) In the light of the above, the […] prospectus, the Privacy Notice and the Application Form The information provided by the customer on the handling of personal data is not transparent, not sufficiently specific and not suitable for the persons concerned to know and see through the personal process of handling their data and be aware of exactly which Customer is for what purpose and on what legal basis they process their personal data. The Authority finds that Customer does not provide clear and transparent information to those concerned about the baby waiting loan and the processing of data during the life of the concluded loan agreements Article 12 (1) of the GDPR 17 IV.5. Legal consequences (72) The Authority finds that the Client has infringed Article 5 (1) (c) GDPR, Article 6 Article 9 (1), Article 9 (1) and Article 12 (1). (73) Pursuant to Article 58 (2) (d) of the GDPR, the Authority instructs the Client to electronic of the pregnancy books and final reports available to him delete copies, destroy paper-based copies, and credit for doing so duly substantiated to the Authority. (74) Pursuant to Article 58 (2) (d) of the GDPR, the Authority instructs the Client to restructure the application for a baby waiting loan and data management during the concluded contracts information practice in such a way as to comply with Article 12 (1) of the GDPR transparency requirements. (75) The Authority has examined whether it is justified to impose a data protection fine on the Client. E In particular, the Authority considered all the circumstances of the case under Article 83 (2) of the GDPR. In view of the circumstances of the case, the Authority found that it had been identified in the present proceedings in case of infringement - Infotv. 75 / A. § - warning is disproportionate and dissuasive sanction and therefore a fine should be imposed. (76) In particular, the Authority took into account that the nature of the infringements committed by the in accordance with Article 83 (5) (a) and (b) of the GDPR constitute an infringement falling within the category of fines. (77) In setting the fine, the Authority took into account the following as aggravating circumstances: • Infringements committed by Customer are considered serious infringements as follows [Article 83 (2) (a) GDPR]: o Infringements found - breach of the principle of data protection, legal basis without prejudice to the transparency of data processing and the transparency of information, were continuous in nature, given that during the period considered persisted .; o The infringement affects a large number of persons concerned [Article 83 (2) (a) GDPR]: ▪ personal data in connection with the baby waiting loan Infringement by inadequate information on the management of Clients are all baby waiters who have a loan agreement or are waiting for a baby affects your customer in need of a loan. The Client did it during an official inspection According to the statement, during the period under review, […] persons requested a baby waiting room a loan, of which the Client has entered into a contract with […] persons; ▪ the health data in the pregnancy care book is illegal treatment involved a total of […] women during the study period. o The subject of the present case is a financial arrangement in which the Client contractual partners in families or in any special life situation women who are in their most personal life situation during childbearing they come into contact with the Client to ensure the existential future of their family in order to. The Authority considers the attached documents from the circumstances of the present case on the basis of which he concluded that he was particularly violating his privacy by having children personal and health data relating to such numbers are of a general nature his treatment. • Customer has a significant amount of personal information that is a special category prepared health data on pregnancy books without a legal basis copies and the two final reports [Article 83 (2) (g) GDPR]; (78) The Authority considered the following as mitigating circumstances: • In connection with the personal data handled by the Client in the copies of the pregnancy books admitted to them - not including the 12th week of pregnancy and childbirth expected unlawfully handled and ordered the erasure of the copies, or destruction. [Article 83 (2) (c) GDPR]; • Customer has reviewed its applicable data management practices and terminated the copying pregnancy books and final reports for the future. Sample certificates the introduction and application of which are suitable so that they cannot be avoided in the future line can again be used to process data in the context of a baby waiting loan grants which are not necessary to achieve the purpose of the processing and which has no legal basis for dealing with it. [Article 83 (2) (f) GDPR]; • The Government Decree did not fully regulate the issues of data management, it did not decide clearly state how the data will be handled (eg submission under the word presentation or copying), thus creating an uncertain legal situation in matters of data management created at baby-waiting loan financial institutions, including the Client. The Authority considers it necessary to note that in such a case the data controller is concerned with the data processing decisions need to be made even more carefully when applying data protection legislation and in particular to enforce data protection principles. [Article 83 (2) GDPR paragraph (b) and (k)]. (79) In imposing the fine, the Authority also took into account that the Client had not committed previously relevant data breach. GDPR Article 83 (2) (e)] (80) In imposing the fine, the Authority did not consider Article 83 (2) (d), (h), (i), (j), as they cannot be interpreted in the light of the specific case. (81) The total amount of the Client's balance sheet in 2019 was HUF […] million, HUF […] million. (82) The amount of the fine was determined by the Authority in accordance with its statutory discretion. V. Other issues: (83) The powers of the Authority are limited by Infotv. Section 38 (2) and (2a), its jurisdiction is covers the whole country. (84) The decision is based on Article 80.-81. § and Infotv. It is based on Section 61 (1). The decision is based on Ákr. 82. § (1), it becomes final with its communication. 19 (85) Art. § 112 and § 116 (1) and § 114 (1), respectively there is a right of appeal against an administrative action. (86) The rules of administrative litigation are laid down in Act I of 2017 on the Procedure of Administrative Litigation (a hereinafter: Kp.). A Kp. Pursuant to Section 12 (1) by a decision of the Authority The administrative lawsuit against the court falls within the jurisdiction of the court. Section 13 (3) a) The General Court has exclusive jurisdiction under subparagraph (aa) of A Kp. Section 27 (1) Legal representation shall be mandatory in proceedings falling within the jurisdiction of the General Court under paragraph 1 (b). A Kp. Pursuant to Section 39 (6), the filing of an application is an administrative act has no suspensive effect. (87) A Kp. Section 29 (1) and with this regard Pp. Applicable pursuant to Section 604, electronic CCXXII of 2015 on the general rules of administration and trust services. Act (a hereinafter: E-Administration Act) pursuant to Section 9 (1) (b) of the Customer's legal representative obliged to communicate electronically. (88) The time and place of the submission of the application are set out in Kp. Section 39 (1). THE Information on the possibility to request a hearing can be found in Kp. Section 77 (1) - (2) based on. The amount of the fee for an administrative lawsuit is set out in Act XCIII of 1990 on Fees. law (hereinafter: Itv.) 45 / A. § (1). From the advance payment of the fee is Itv. Section 59 (1) and Section 62 (1) (h) shall release the party initiating the proceedings. (89) If the obligor fails to provide adequate evidence of compliance with the required obligation, the Authority will considers that it has failed to fulfill its obligations within the prescribed period. The Acre. According to § 132, if a the obligor has not complied with the obligation contained in the final decision of the authority, it shall be enforceable. The decision of the Authority Pursuant to Section 82 (1), it becomes final upon notification. The Acre. Section 133 of the Act - unless otherwise provided by law or government decree - ordered by the decision-making authority. The Acre. Pursuant to Section 134 of the Act - if law, a government decree or, in the case of a municipal authority, a local government decree otherwise does not have - is carried out by the state tax authority. Infotv. Pursuant to Section 60 (7) a Authority to carry out a specific act contained in a decision, specified the decision as to the obligation to conduct, tolerate or cease shall be carried out by the Authority. Budapest, December 16, 2020 Dr. Attila Péterfalvi President c. professor