No violation was committed by the hospital that did not delete a patient’s former psychiatric treatment records upon the expiry of the legally stipulated deadline for keeping such data on file. Medical records kept on file, in compliance with the deadlines established under section 30(1) of Act XLVII of 1997 on the Handling and Protection of Medical and Related Data (the “MDA”), serve the interests of the patient by allowing the retrieval of and access to these data by the physician (subject of course to confidentiality) and by the patient himself.

Just the opposite, namely the violation of data security and filing procedure was at the crux of another case, in which the investigation began last year. The patient’s records did not contain the results of control lab tests which the patient could have used to enforce a claim for damages against his employer. The petitioner has the right to legal redress against the data controller under sections 17-18 of the DP&FOIA. However, this will not affect his ability to receive compensation for occupational disease, because the legal grounds for seeking damages are distinct in the two cases.

A number of petitions concerned the confidentiality obligation of health-care workers. One particular question that emerged was whether this confidentiality constituted proper grounds for the employees to withhold medical information even from the patient’s close relatives. Section 7(2) of the MDA provides that the data controller cannot be exempted from the confidentiality obligation unless the transfer of the data has been consented to by the subject in writing or is ordered by law. Section 25(3) of Act CLIV of 1997 on Health Care (the “HCA”) adds that the medical data of the patient must be released even in the absence of his or her consent, whenever ordered by law, or so demanded by the exigency of protecting the life, bodily integrity, and health of any other person, and when the information is necessary for the patient’s caretaker to prevent a deterioration of the patient’s condition.

These conditions do not apply when the person seeking information in connection with the decease of the patient, including copies of medical records, is the patient’s legal guardian, close relative, or heir, provided that the information is requested in writing. Section 7(7) of the MDA guarantees this privilege as the sovereign right of the applicant, in equity for his or her intimate relation to the deceased data subject.

In one case, the patient asked a patient rights representative to find out the circumstances of a clerical error which had resulted in the recording and transfer of the wrong medical information about the patient. The representative, after his inquiry was refused by the head of the institute, contacted the Commissioner with the question whether he as representative had the right to know not only the reason for the error in the particular case but also how the hospital proposed to prevent such mistakes in the future. Finally, was he entitled to general information about the hospital’s routine of processing data? Since medical records contain sensitive personal information, the enhanced security of data is of utmost importance in health care. This implies a willingness on the part of the data controller to adopt an information policy certified by international standards, as well as the dedication of material and human resources necessary for the proper operation of the system. These goals not only empower the patient rights activist but positively command him to notify persons responsible for the data of any circumstance of which he has become aware through a complaint in connection with the data processing practices of the provider. This means that he has the right to access the records pertaining to the given case, in addition to general information to which any ordinary citizen would be entitled.

The Commissioner found that the patient rights representatives were bound by Point 4 of their Service Agreement with ÁNTSZ, which universally prohibited them from “disclosing any information to a third party without the Client’s permission.” This stipulation challenged the representative’s ability to act on objective grounds, on the basis of the DP&FOIA and various sectoral privacy regulations, in cases involving a conflict between the interests of the patients and their health care providers. As the representative was also bound by confidentiality with respect to the personal data accessed through his work, this was sufficient to ensure that no unauthorized person could get hold of information susceptible to abuse.

From the venture points of the “principle of purposefulness” and the conditions for data transfer, the Commissioner did not find sufficient grounds for a request by the county institutes of the ÁNTSZ for the medical data of a specific group of patients. Act XI of 1991 on the ÁNTSZ required registered providers to supply general health data for certain tasks, listed under section 3(a)-(d), to be carried out by the Service. It followed from the nature of these tasks - such as periodic epidemiological analyses performed by the county institutes of the ÁNTSZ - that there was no need to identify uniquely each morbidity?. Consequently, the providers administering care had to transfer the medical data without the personal data of the individual patients. This made sense as the case was not about a unique decision brought by ÁNTSZ as an epidemiological authority whereby the competent institute of the Service would establish direct contact with the patient. In such a scenario, it would have indeed been necessary for the acting authority to handle the data of the patient as the client of the procedure.

As it had been the case in past years, several citizens objected to the possibility of inspecting forensic reports. The Commissioner took the view that the possibility of access remained compatible with the principle of purposefulness spelled out in section 5 of the DP&FOIA, as long as it served the interests of the official procedure. In this way, there could be no appreciable justification for keeping personal data secret if they were spoken on the record in open trial - including forensic testimony elaborated verbally in court.

If the statement of medical information was relevant to judging a case, such as in a forensic report establishing the severity of bodily injury or a mental condition, public evaluation constituted an important procedural guarantee precisely for the data subject. Nevertheless, such information was regarded under the DP&FOIA as sensitive personal data which had to be documented in such a way as to prevent unauthorized access and use for purposes other than those of the official procedure itself. The regulation of these issues on the parliamentary level had been on the legislative agenda for years, but until such time as a new law was enacted, court (and public notary) procedures would have to remain subject to the currently in force Instruction of the Minister of Justice 123/1973 (IK.1974.1).

This was the stance adopted by the Commissioner when he decided in connection with a particular case that drug users’ data could not be legally given out to the police even upon written request, unless the data sought are those of a person suspected of a specific crime and the request specifies the type of data needed for the investigation. It was inadmissible to transfer indiscriminately the full medical records of the patient.

Several citizens protested against their employers’ violations in handling various personal identification numbers; some objected to being asked to supply their personal identification code. The Commissioner for Citizens’ Rights, filling in for the Data Protection Commissioner, pointed out that employers had no right to control the personal identification code, because they were neither authorized by law nor did they fulfil a task specified by law that would require them to do so. By the same token, employers were not entitled even to the last four digits of the identification code as these, when combined with personal data (sex and date of birth) kept on file lawfully, would be sufficient to reconstruct the personal identification code in its entirety.

The Finance Director of Semmelweis University’s School of Medicine sent out a memo to unit administrators, asking them for the employees’ personal identification number. The University Finance Directorate, which had issued the instruction to collect the numbers, said the data were needed for the purpose of accounting wages and salaries. Act XX of 1996 on the Identification Codes and Methods Superseding the Personal Identification Number (the “Identification Act”) provides an itemized list, in section 32, of the entities authorized, on certain conditions, to keep personal identification codes on file. This list does not include employers. The Finance Director subsequently informed the Commissioner that the University was aware it had no right to control the data in question, and that the call for the codes had slipped into the memo by mistake. In his reply the Commissioner warned the university management to destroy the personal identification codes obtained and to improve compliance with privacy principles in the future.

The executive of a joint stock company wanted to know if it was legal to use tax identification numbers to identify employees uniquely. Acting on behalf of the Data Protection Commissioner, the Commissioner for Citizens’ Rights explained that entities, including employers, subject to mandatory supply of employee data to the tax authority under section 19 of the Identification Act were prohibited from controlling tax identification numbers except in connection with this particular task. The use of these data for any divergent purpose, including that of internal identification, would run counter to the principle of purposefulness.

In another case, similar in subject matter without concerning civil servants, a person filed a complaint against the Chief Financial Officer (“CFO”) who required employees to make a written statement of family ties and ties of friendship among each other, as well as with service providers and contractors working for the company. The cover sheet enclosed with the form featured the following notice: “Providing untruthful information may entail termination of employment.” Upon the intervention of the Commissioner, the CFO was called to task for threatening termination. The executive’s reply also revealed that the idea of requiring the statement had originated from the German owner who claimed to have “uncovered abuses that were assisted by precisely such acquaintances and family ties.” The statements were subsequently forwarded to Germany. The Commissioner concluded that the violation consisted not simply in the intimidation of the employees but also in the collection, storage and cross-border transfer of the data themselves. No employer had the right to make such a statement mandatory for employees. The company committed further violations by not informing the employees of who would process their data and for what purpose. The Commissioner urged the executive to discontinue the illegal control of the employees’ data.

One petitioner, whose application was handled by the provider’s Fáy Street branch, was shocked to find out that several copies had been made of his entire personal identification document, and that he was supposed to sign every single page. A clerk told the petitioner that one copy was to be sent to the Data Processing Bureau of the Ministry of the Interior for a check, while the other copies were for the files of the company itself. What he did not know was where and in what circumstances those files were maintained. The senior administrator of the office claimed that the copies were required by internal instruction. The petitioner encountered the same situation in every other branch he visited.

Another citizen turned to the Commissioner for help when he found out that his identity document was copied by a Pannon GSM clerk without his knowledge. The copy was presented to him for signature only when he returned to the counter from the cashier. He was also told that the copy would be forwarded to the Centre whether or not it was signed. The petitioner believed that his data were processed without his permission, and that the copy was made in a fraudulent manner. He refused to consent to the further use of the copy of his photo.

Another petitioner wished to know whether Pannon GSM was authorized to make copies of his personal identification document when he purchased the company’s tariff package called “Pannon Praktikum.” In his experience, the provider followed the same routine at every one of its branches. The salesperson told the petitioner that one customer was entitled to a discount package only three times, which explained why copies had to be made and kept on file.

Based on this and similar petitions, the Commissioner contacted the provider’s Privacy Manager, asking him to explain why the company kept ignoring both the provisions of the DP&FOIA and his own previous Recommendations. In his reply, the Manager insisted that making copies of the subscribers’ documents was justified by the rising number of abuses involving cellular phone sets originally sold at a much lower price than their actual value as a discount package benefit. Over time, the abuses of the promotional system would ultimately interfere with service quality, and the financial losses would hurt subscribers in the form of higher rates. The company introduced the photocopying of documents reluctantly as an unavoidable measure to help prevent and uncover abuses. In case of both regular and promotional subscribers’ contracts, the customer service staff always asked for the applicant’s verbal consent to the copying; the signatures served to verify that consent for future reference. In principle, then, the company policy did not make room for copying documents unbeknown to their bearer. Customers were free to choose between using the discounts offered by the provider or buying what is known as a “prepaid” subscription, available upon the presentation of certain documents.

A citizen, who reported the theft of his prepaid card phone and requested a block on the call number and the handset, was told by a clerk that the company needed to see the police minutes and the home address card to issue the block. Without these documents the security department was unable to register the handset as stolen, and the personal identification document was only valid together with the card certifying the bearer’s home address. The copies initially made of the customer’s documents at the time he signed the contract were kept on file, but it might take up to 30 days to retrieve them from the company’s archives. If the customer refused to authorize new copies to be made, the security department would have to get the data from the central records of the Ministry of the Interior. Until such time as the data came in, the handset could not be blocked but simply registered as lost.

The Commissioner took the view that it was unnecessary to enclose the entire police minutes. A photocopy of just the relevant part sufficed to prove that the theft had been reported; no further personal data were needed to take the appropriate steps. As the Commissioner had already explained in previous Recommendations, the provider had no authorization by law to make copies of identification documents or to use its customers’ photographs. In the absence of authorization by law, the handling of these data required the express consent of the subject. The provider’s practice could be qualified as unlawful if it did not meet the above conditions, and if this could be proved to have been the case beyond the shadow of a doubt.

Yet another petition concerned Westel 900 GSM, Hungary’s other major cellular provider. The policy of “Domino” package sales that was enclosed by the petitioner informed the customers of their right “to deny consent to having copies made” of their personal identification document, but it did not say this could result in the company’s refusal to enter into contract. The Commissioner asked the petitioner to inform the Office if this should nevertheless happen.

The petitioner thought the method was insecure because it enabled anyone in physical possession of the set, by theft or otherwise, to send out the SMS inquiry and read the reply. [...] The time lapse between the inquiry and the return message was so brief that it made unauthorized access very unlikely. The system always allowed users the choice between SMS and the Internet as the medium through which to call the codes, and to pick freely the date and time for the most secure transmission of the personal data in question. This applied equally to requests submitted through the Internet. The Commissioner argued that it was unfeasible for providers to somehow conceal codes, as it were keeping secret their existence, function, method of access, etc. The instructions supplied with the sets offered useful guidance. As a solution supplementing the current system, the Commissioner recommended the method of sending out the codes in sealed envelopes, of course at the option of the user. Having assured the petitioner that the disputed way of handling information
harboured no greater danger than telephone use in general, the Commissioner pointed out that no one else had voiced similar concerns, before or since the petitioner lodged his complaint.

Another petitioner asked the Commissioner to examine how her unlisted phone number could have been found out by her brother who has been in proceedings to date on threat and harassment charges. The telephone company responded to the complaint by promptly issuing a new number to the subscriber, and considered the case closed. The petitioner then went to the Interior Control Division of Matáv, the telephone company, but the employee there referred her to the police.

The Commissioner pointed to his lack of investigative authority as the obstacle to his clarifying the circumstances of the data transfer in question. It was the competence of the police to take any further action, and the petitioner certainly had that recourse even after she had been issued with a new number. However, before anyone exercised the option of filing charges against an unknown offender, the Commissioner thought it made sense to consider the possibility - as this often turned out to be the case - that the number could have been divulged in sheer good will by a family member or acquaintance who had not known about the troubled relationship between the petitioner and her brother.

Another citizen claimed to have found himself in an awkward situation more than once after he had lost his personal identity document, because it was listed as lost or stolen in the obsolete database of a telecommunications company.

There was no doubt that the mentioned company had the right to process the data of its subscribers’ identity document. Pursuant to section 17(4) of Act LXVI of 1992 on the Name and Address Records of Citizens, legal entities are entitled to receive information from the central records about a personal ID of a specified number, including about its issue, expiry, loss, theft, destruction, and recovery - provided that they are able to certify the grounds and purpose of processing the data requested. However, the company had no authorization by law to keep the acquired personal data on file once it had used them to determine eligibility for service. The Commissioner had already investigated the creation of such databases in connection with another petition in 1999. On 14 October of that year, he addressed a letter to the CEO of a Hungarian cellular service provider, asking for information about the list of lost or stolen identity papers on the basis of data acquired from the Central Bureau of Data Processing, Records, and Elections. Having found that the company disregarded privacy principles in its information practices in more ways than one, the Commissioner called on the executive to discontinue the violations. Databases like the one above are often not only set up without any legal grounds and for no specific purpose, but in addition they are seldom up-to-date. The lawful course of action for telecommunications providers would be to apply to the Central Bureau for data about the personal identification document in question every time a person wants to sign up for service.

A citizen alleged that Matáv, the phone company, regularly listened in on his Internet sessions. By way of evidence, the petitioner attached his phone bill in which the company recorded the fact of Internet use and the types of data transmission between the subscriber and specified third parties. The petitioner protested the “eavesdropping” as an illegal activity.

The Commissioner attempted to reassure the petitioner on the grounds that, although Matáv, as the company supplying the connection, did distinguish in the technical sense between phone sessions and Internet use, this did not mean that it monitored the content of communications. The differentiated handling of traffic data did not prove such monitoring; it was necessary simply to itemize the different rates charged for various services. In the interest of reliable billing, the provider had to have recourse to solutions enabling the precise identification of the services used, while satisfying the requirements of data protection. In the case at hand, there was no indication that Matáv handled the user’s personal data illegally.

In misdemeanour cases brought on serious intimidation charges, the company also turned down court requests for subscriber information, and it invoked section 80(1)(a) of Act LXIX of 1999 on Misdemeanours in refusing to obey a subpoena for documents containing telecommunications data.

APEH, the tax authority, joined local governments in demanding subscriber data from the company, with reference to Act XCI of 1990 on Taxation. The typical question was whether X.Y. had a subscription and how much he paid in bills over a specified period of time. The company habitually declined such requests on the basis of section 37(3) of the Taxation Act, which provides that persons whose confidentiality obligation has not been waived cannot be forced to testify on professional secrets. The company argued that the institution of testimony was the means of confirming a particular fact or data, rather than a tool for a blanket acquisition of information. The tax authority had used a form entitled “Address disclosure request” to solicit a subscriber’s personal data, such as date of birth, address, mother’s name, occupation, tax ID number, etc. A blank copy of the form was subsequently sent to the Commissioner, whose response could be summarized as follows.

Pursuant to section 151 of the Misdemeanours Act, in force since 1 March 2000, misdemeanour proceedings on serious intimidation charges were delegated to the competence of the courts. These proceedings were normally brought against unknown offenders who threatened the petitioners over the phone. Section 119(3)(d), authorized the courts to seek data from other organizations, subject to various legal conditions stipulated elsewhere, and provided that this is necessary to clarify the circumstances of a case. However, while the law thus ensured the right to request information, it did not at the same time spell out the obligation for the other side to supply the data. The Commissioner contacted the Minister of the Interior, who conceded the need to amend the Taxation Act to the effect of requiring compliance with such requests. Work is now under way to prepare the amendment.

As part of the drafting process, the Minister of the Interior has promised to examine the possibility of inserting a provision similar to article 118(1) of the Code of Criminal Procedure. “This paragraph,” the Commissioner wrote to the company, “not only vests the courts with the right to seek data but also prescribes a deadline of 30 days for the organization contacted to comply with the request. Taking into account the provisions under paragraph (3), I have a discrepancy with the interpretation advanced by you: I do not think the company has the right to refuse to hand out the data citing section 24(1) and (3) of Act LXXII of 1992 on Telecommunications.

In another petition, the Commissioner was asked whether the Post had the right to require add-up sheets, complete with name and address, from customers wishing to make multiple payments-in by postal cheques. Although the post office branches eventually did not introduce the add-up sheet on a mandatory basis, they thought it was a good method of minimizing mistakes in cash traffic. The Post’s Business Policy did not contain a binding stipulation of the add-up sheet, and if one was used, the personal data were handled on the basis of the customer’s voluntary consent. Subsequent to the daily inventory of individual counters, the sheets were culled into the daily and monthly clearing of accounts at the branch, to be kept on file for 18 months after that. According to the Post’s General Director, the sheets would continue to help with the work of postal employees irrespective of the prevailing level of automation, and would serve the clients’ interests in case of payments made in error.

Since Act XLV of 1992 on the Post did not allow otherwise, the Commissioner pointed out that Post was liable to obtain the voluntary consent of the subjects as a condition for processing their personal data. While there was nothing wrong with the use of the sheet itself as a means of facilitating cash transactions, this function did not require the name and address of the customer. The procedure also seemed unjustified in light of the fact that most postal clerks used calculators to check the customer’s calculation, and there was no possibility to make corrections once a payment had been made. By the same token, the practice of keeping the personal data on file for such an extended period was both unnecessary and in conflict with the legal principle of purposefulness in processing data. Even though the law required customers to be told whether the supply of personal information was mandatory or optional, no such notice was posted in the branch offices - just as customers were left in the dark as for how long and to what end the Post was going to use their data. In conclusion, the Commissioner called on the Director to take the appropriate steps.

In his reply of 11 May 2001, the Director informed the Commissioner of having acknowledged the Recommendation and acted to discontinue the contested practices. As part of these measures, he filed a proposal with the Telecommunications Inspectorate to modify the Post’s business policy, and himself ordered changes in the organization’s internal rules and instructions, which he proceeded to send out to the individual branches. In spite of these auspicious developments, the Commissioner had to warn the Director that many branch offices continued to display a virtually identical form under the title “sample of list of items.” Having found that branch offices were not uniform in their application of the official changes in their daily routine, the Commissioner urged the Director to review anomalies of data control within the organization, to take all necessary steps to comply with the Recommendation in earnest, and to keep him posted on the results of the review.

The Commissioner was asked to make a statement about the possibility of creating free-access databases on the Internet listing the data of companies and members of professional chambers. In his reply the Commissioner pointed out that “as the data of business organizations in the company register are not personal data, I am not authorized to examine the terms of their processing. I remind you, however, that the data of self-employed individuals do fall under the effect of the DP&FOIA, and as such their processing is subject to authorization by law or the consent of the individuals themselves.”

In two similar cases, the petitioners asked for guidance in connection with plans to set up a public database of outstanding creditors’ claims that would include the data of debtors. Having emphasized that providing legal advice to attorneys did not normally form part of his duties, the Commissioner nevertheless agreed to the consultation on the grounds that the issue had consequences for the privacy rights of a large group of individuals. “Since the law defines the notion of personal data in the context of individuals,” he argued, “the rules of protecting personal data must be understood to apply to the right of individuals to informational self-determination. As far as the limits of the individual rights due to legal entities and the means of their protection are concerned, I do not feel authorized to make statements.

A number of petitioners wanted to know the legal ways of sending promotional e-mails and of direct marketing on the Net. Answering the questions in his capacity of substituting for the Data Protection Commissioner, the Commissioner for Citizens’ Rights explained that the lack of provisions designed to regulate unsolicited messages (spams) made it inevitable to apply the rules of the DP&FOIA, which stipulated authorization by law or the subject consent as the condition for processing personal data. This consent could be considered granted if it was given in awareness of the identity of the data controller and of the circumstances of the processing, including its purpose, method, and duration. To put it simply, all this information had to be posted on the web page in question. Furthermore, the subjects had the right to know if a data processor was hired to process their data. Once collected, the data could only be used for the purpose for which the subjects originally released them, and may not be transferred to a third party without their consent. Pursuant to the DP&FOIA, subjects were entitled to have their data deleted or corrected, and they had to be informed of this right.

A petitioner took issue with the policy of the Ministry of Education to post photos of every staff member on its intranet phone book. Since the list of data authorized for use in the Annex to Act XXIII of 1992 on the Legal Status of Civil Servants did not mention photos, and because the employees had not consented to the use of their images, the Commissioner called on the leaders of the Ministry to discontinue the violation. The Administrative State Secretary responded by removing the photos from the intranet the day after receiving the Commissioner’s letter.

It was probably the wrong setting, possibly defect, of a provider’s mail programme that caused an on-line business weekly to send a message to a petitioner which contained hundreds of e-mail addresses belonging to various users. In his reply the Commissioner determined that the occurrence amounted to an infringement on data security, and informed the operator of its liability to eliminate the chance of recurrence by changing the settings of the system.

A petitioner wanted to know if one’s e-mail address constituted personal data, and filed a petition against a direct marketing company that had taken her e-mail address from her web page and listed it in its database. Acting on behalf of the Data Protection Commissioner, the Commissioner for Citizens’ Rights invoked the DP&FOIA to explain that “the e-mail address should be regarded as personal data only when it makes it possible to restore the connection between it and the person to whom it belongs. In this way, the e-mail address containing the owner’s name is certainly personal information. The e-mail address is also personal in nature if it is at once the address of the operator of a web page, because it renders the data of that person available to anyone on-line based on the domain name. [...] Unsolicited business messages, also known as spams, are unlawful in the absence of the addressee’s consent since they involve the use of data for a purpose unintended by the subject. If you find that a direct marketing company is using your e-mail address to this end, you have the right under the DP&FOIA to have your data deleted, and to take the company to court if it denies the request.”

A petitioner sought the Commissioner’s opinion on whether employers were authorized to inspect their employees’ electronic correspondence at the workplace. Building on the applicable provisions of the DP&FOIA, the Commissioner suggested that - “a distinction must be made between e-mail addresses given to employees for their personal use which may contain a fragment or the entirety of their names, and e-mail addresses for managing the company’s affairs that are not tied to individual employees. The employer is entitled to inspect messages at this latter type of address, even if the employee with access to the mailbox - and aware of this consequence - has used it for private correspondence. By contrast, communication through an assigned mailbox, in principle accessible to the employee and the system administrator only, is subject to the same privacy considerations as conventional personal correspondence or telephone calls. In the absence of the subjects’ consent or authorization by law, then, the employer is prohibited from examining, withholding or destroying any mail received by employees at the workplace, and also from eavesdropping on their phone calls. By the same token, he cannot legally inspect, forward or delete messages sent to or from any personal e-mail address until he has secured the employee’s consent.”

Another petitioner raised the question whether it was lawful to disclose e-mail traffic data and the content of the messages themselves to the police, with reference to article 118 of Act I of 1973 on the Code of Criminal Procedure. Comparing this provision with the special rules stipulated under section 69(1)(d) of Act XXXIV on the Police, the Commissioner decided that the police were not normally authorized to access and use e-mail contents or traffic data, except in possession of a court warrant facilitating the investigation of a serious crime. Regarding the police request which the petitioner attached to his petition, the Commissioner found that article 118 of the Code on Criminal Procedure did not constitute sufficient grounds for the disclosure of the e-mail data sought (senders, addressees, date and time of transmission, and the content of the messages).

A citizen asked if he had the right to initiate the deletion of his contributions to an open-access on-line forum. The Commissioner replied that, in the spirit of the DP&FOIA, the fact and substance of someone’s contribution to a forum had to be regarded as personal data. Section 11(1)(b) permitted subjects to ask their personal data to be deleted, except when the control of the data was ordered by law; section 14(2)(b) made it mandatory to perform the deletion upon the subject’s request.

Considering that, in the given case, the data were not controlled by order of law but based on the subject’s consent, the Commissioner made it clear that the petitioner was entitled to ask for the deletion, and that the data controller had no choice but to satisfy the request.

Another petitioner remonstrated about the disclosure of her e-mail address in the on-line discussion forum run by RTL Klub, a commercial television station, as a result of which she received several e-mail comments on her contribution to the forum. The investigation revealed that applicants wishing to join one of the station’s forums were required to supply their name, nickname and e-mail address in order to be registered. Users could register on a separate page maintained for this purpose, which displayed the following notice: “The information you provide here will be available to all forum visitors.” Under the circumstances, the Commissioner concluded that registration itself implied acceptance of the above term, and therefore amounted to a tacit form of the consent that is stipulated by the DP&FOIA. Consequently, the forum had committed no violation in the way it processed the petitioner’s data.

A petitioner objected to questions about family status and monthly net income featured on the credit application form used by Postabank és Takarékpénztár (Postal Bank and Savings). As the Commissioner explained, it followed from the principle of purposefulness in processing data that banks were not authorized to demand information from their clients in excess of what was strictly necessary to achieve the purpose of the processing. By placing a loan, banks assumed a certain credit risk, which they sought to minimize by becoming familiar with the client’s financial situation and income. The questions remonstrated by the petitioner targeted basic banking data which the bank was fully authorized to process in agreement with the principle of purposefulness.

In another case, the citizen lodged a complaint against OTP Bank for requiring the tax ID number from applicants for its “C” line of credit. The Commissioner informed the bank that, pursuant to section 16 of Act XCI of 1990 on Taxation, the individual did not have to release his tax number to the bank unless the transaction involved a payout or withdrawal subject to taxation by law. Given that the bank’s “C” line of credit was a consumer loan with no tax implications, the processing of the applicant’s tax number violated the principle of purposefulness. The bank argued that the failure to provide the tax number did not entail discrimination against the applicant, for whom this financial service remained available on the same terms as for any other client. The Commissioner pointed out that it was certainly in the client’s interest to conclude the credit agreement with the bank, but also to limit the exercise of his right to informational self-determination - namely by giving his voluntary consent to the processing of his personal data - to the extent required for this specific purpose. No client could be expected to supply data in excess of what was adequate to enter into the contract. Verifying the client’s identity would be no more legitimate as a purpose for requiring the number, since the bank could not have used it to check on the identity of the applicant in the databases of agencies authorized to keep the tax numbers of citizens on file. The Commissioner turned to the Chairman of the National Financial Supervisory Authority to help bring the case to a close. The Chairman thought that the request for the tax number was no reason for concern, as long as that the “answer optional” notice was printed directly next to the relevant box on the application form.

It was also a citizen’s complaint that led the Commissioner to examine what type of personal data banks were entitled to collect for opening accounts. The management of the bank in question explained that occupation, employment and family data enabled the institution to deliver better focused information to its clients, and they were also indispensable for surveys and statistics helping with the work of product development. The bank emphasized that the supply of the data was entirely optional. The Commissioner reminded the bank to call the attention of clients to this fact, both on the form itself and in the instructions on how to complete it. The bank promised to supplement the form with the notice that the supply of personal data about occupation, employment, and family status was not a condition for opening an account.

A citizen claimed to have found himself in an awkward situation more than once after he had lost his personal identity document, because it was listed as lost or stolen in the obsolete databases of banks. The Commissioner pointed out that financial institutions had no authorization by law to keep the personal data acquired from the central records on file once they had used them to determine eligibility for a contract. Such databases were often not only set up without any legal grounds and for no specific purpose, but they were seldom up-to-date in addition. The lawful course of action for financial service providers would be to apply to the Central Bureau for data about the personal identification document in question every time a person wants to enter into contract with them.

One citizen objected to his insurance company’s use of an ordinary domestic postal cheque, an instrument accessible to third parties, for paying a benefit. On the cheque the company indicated not only the beneficiary’s name and the amount payable, but also identified the title of the benefit and the property that had suffered the damage. The Commissioner took the view that Hungarian Post had to be regarded as a data processor in the relation between the insurance company and the client. Clients signing off on a policy had to be told who would control and process their data (name and seat of operation). Considering that the principle of purposefulness applied not only to data controllers but equally to data processors, the Commissioner did not think it was justified for the company to indicate the tangential information on the cheque. If the company found it necessary to supply that information - i.e. the title of the benefit and the damaged asset - it could have done so by file numbers previously established in the documents of the case. In the Commissioner’s position, the reassuring solution would be for the company to allow clients to choose the form of payment. This would enable clients to pick the method they thought best served the security of their data.

Another citizen voiced objection over the fact that her insurance company used an unsealed envelope for sending her information about the premiums due the following year on her life insurance policy. When contacted by the Commissioner, the company insisted that they sealed every single envelope properly, but the letters might sometimes break open as they pass through so many hands. The Commissioner asked the company to pay more attention to data security.

Having had his briefcase stolen in London, the petitioner asked the British police for a detailed report, which the officers declined citing privacy considerations. In the absence of such a report, the insurance company refused to pay out a benefit. Pursuant to Hungary’s Civil Code, policyholders are liable to report damage or loss to the insurance company within the stipulated deadline, together with all the necessary information, in such a manner as will allow the company to ascertain the truth of the report. In terms of property insurance, the accepted practice is to stipulate how the reporting should be done as one of the general contract terms. The contract of the insurance company in this case required policyholders to present a police report containing an itemized list of the stolen articles, complete with an estimated total amount of the loss. In addition to information about the policyholder, the report also contained the personal data of other individuals, which the insurance company would have been unauthorized to know except upon the consent of the individuals in question. Seeking a solution both respecting privacy principles and mindful of the policyholder’s reporting obligation as prescribed in the Civil Code in general and stipulated by the policy contract in particular, the Commissioner proposed the preparation of an abstract from the report which would avoid mention of other persons’ data but would contain all the information relevant to the insurance claim.

The General Director of the 20th Century Institute touched upon the same problem when he asked under what conditions it was legal for the soon-to-open “Museum of Dictatorship” to publicly display the data of the victims and perpetrators of the totalitarian era to be illustrated by the exhibit.

In his answer, the Commissioner explained the difference between the two groups of people in terms of their individual rights. Assuming in both cases that there was no doubt about the identity of the persons, it was lawful to disclose the name, position and other data of those who served in the agencies of the regime, without obtaining permission from them or their relatives. The lack of limitation in their case was justified since information in connection with the official function of a person acting on behalf of the State always constituted data of public interest. There were of course no strings attached to displaying information that had already been published through legal channels, for instance in the newspapers and various publications of the period.

In contrast, all the personal data of the victims of the forces of repression enjoyed protection by the Constitution, the DP&FOIA, and other laws. As a guiding principle, the public disclosure of the victims’ data was subject to their consent given personally or, if they were no longer alive, by their living relatives on behalf of the deceased. Considering however the large number of the victims, the acquisition of everyone’s positive consent could be replaced by generally giving them or their relatives the opportunity to dissent. The Commissioner stressed that it was unlawful to publish the name or other data of the victim who had elected to exercise this right. Moreover, such publicly available information had to be deleted upon the victim’s request, even if it had been originally published in other forums lawfully.

Besides these two major groups, special attention was due to the personal data of historic figures, many of whom were alternately instruments and victims of successive authoritarian regimes. They and their relatives were entitled to protest the disclosure only if, and to the extent that, it involved a wider range of their personal data than what prominent public figures normally and by law had to surrender to the public anyway.

The lack of sectoral regulations makes it inevitable to apply the general rules of inspection. One of these rules requires the data controller to render documents anonymous before giving them out for research, even if it entails a charge for the researcher. If the nature of the research makes this impossible, the researcher must treat documents containing personal data in compliance with Act CXIX of 1995 on Handling Names and Addresses in Research and Direct Marketing, and must also take into account Instruction of the Minister of Justice No. 123/1973 (IK 1974.1) on the Rules of Judicial Procedure. (Incidentally, this latter regulation raises some serious constitutional doubts, not to mention that it merely touches on the issue of inspecting court documents.)

Acting on behalf of the Data Protection Commissioner, the Commissioner for Citizens’ Rights told a petitioner it was not necessary to provide access to every one of the subjects’ personal (sensitive) data in order to allow scholars in Pittsburgh to keep track of the research project. Considering that on-line data transmission was far from being safe, the Commissioner recommended replacing the transfer of personal data with codes, composed of numbers, letters, and the combination of these, which would enable the foreign partner to follow the progress of the project without actually coming into possession of the subjects’ personal information.

Regardless of the purpose of the processing, section 9 of the DP&FOIA provides that the transfer of data abroad, even in possession of the subject’s consent, cannot be legal unless the foreign-based data controller can ensure the same level of protection as Hungary with respect to every single data processed. This means that the target country must have a privacy law comparable to that of Hungary, or else it must undertake a contractual obligation to provide equal protection.

The company identified section 19(1)(eb) of Act LXXXIV of 1999 on Public Traffic Records (the “Traffic Records Act”) which authorizes local notaries to obtain data from the records for its tasks in connection with public road management. However, the notary in the case at hand obtained the data from the register of vehicles for a different purpose, namely that of initiating proceedings against drivers in default of parking fees and penalties. The regulation of traffic on public roads, including the parking system, is the responsibility of local governments, whose tasks and powers are exercised by the board of representatives. Not only are the cities prohibited from reassigning their legally-mandated function to their notaries, but there is no law or regulation that would give notaries discretion in city parking matters. In this way, the cited provision of the Traffic Records Act did not justify the notary’s acquisition of data for purposes of parking enforcement. Under section 21 of the same Act, the city (board of representatives) or the parking company in its employ may request the data of the vehicle’s owner (operator), but on the application it must indicate all three major vehicle identification numbers: those of the licence plate, the chassis, and the engine. Since, however, neither the city nor its contractor possessed these numbers, they were unable to meet the requirements of filing the request. This is what led to the unlawful abuse of the notary’s powers to obtain the data. The Commissioner called on the notary of the City of Ferencváros, a district in Budapest, to discontinue the violation. Refusing to act on this first warning, the notary argued that the law delegated so few tasks in public road management to the notaries that their right under the Traffic Records Act to obtain data from the records would not make any practical sense if its exercise were limited to these duties. He also pointed out that, pursuant to Act I of 1998 on Public Traffic, parking fees and penalties had to be collected on the model of taxes, an area where notaries did have jurisdiction. Finally he suggested that the data processing in question could not have been unlawful, if only because it served the interests of drivers who failed to pay for their parking in the first place.

In his reply the Commissioner maintained that the acquisition of data was unlawful if it served the purpose of parking enforcement, because the law did not assign such a duty to the notary. The small number of road management tasks did not authorize the notary to overstep his powers and usurp a local government function. The Commissioner declined the notary’s argument that in the application of the law no distinction should be made between the city and the notary in terms of the right to access data, because the legislators behind the Traffic Records Act had clearly not intended to make such a distinction. The Commissioner countered that the law was positive in authorizing the notary, and equally specific in stipulating that this authorization applied only to data required for the notary’s own proper duties as described therein. It was wrong, the Commissioner claimed, to impose a patently stretched and strained interpretation on this provision simply because that provision did not seem to make sense in a particular context. While the notary pointed out correctly that the Public Traffic Act required parking fees and penalties to be collected on the model of taxes, this provision stood at odds with a parking measure of the Budapest Municipal Government which prescribed civil litigation for enforcing such city rights. The Commissioner found that the collection of parking fees and penalties was in reality organized on the basis of this city measure. He took the opinion that in such cases cities and their parking ventures should be able to get to know the name and address of the driver based on a single vehicle data instead of three (for instance the licence plate number) to facilitate parking fee enforcement. He would be in support of an amendment to this effect, as a way of eliminating the current situation in which the rights of those ultimately paying their parking tickets were pitched against the right to the protection of personal data. This latter was a fundamental right but not an absolute one: It was subject to restriction in the interest of enforcing other rights in conflict with it, but in the Republic of Hungary this took nothing less than legislation passed by Parliament. The prevailing law did not authorize the disputed method of acquiring data; and a rightful need in itself was not sufficient to justify the use of unlawful means. As a result of the Commissioner’s investigation, the City discontinued the violation and notified us of its plans to modify the measure at variance with the legal provision.

Some other complaints concerned the second method of parking fee collection, involving the acquisition of data in multiple steps. This solution required three companies. The first one would be in charge of managing parking fee finance on behalf of the city, and thus the one authorized to collect fees and penalties. This company would send the licence plate number of violators to a second company, which would use it to obtain the other two vehicle data (chassis and engine number) from the central records, and forward all the information to a third company. This third company, now in possession of all three vehicle identification numbers, would request the vehicle operator’s data from the same centre, which would not have released such personal data if the previous interim step had been skipped. In short, the companies met the conditions by having the supplier of the data put them in a position from which they could apply for those data in compliance with formal requirements. At this point of determining the facts we had to suspend the investigation after an action had been commenced in the case.