The National Authority for Data Protection and Freedom of Information – Violation Found (Hungary, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
In Hungary, a parent complained that their child's school changed the child's grades without notice and failed to provide access to the data. The Hungarian DPA found that the school did not properly handle the data access request. This case underscores the importance of transparency and access rights in educational data management.
What happened
A school allegedly altered a student's grades without notification and did not provide access to the data when requested.
Who was affected
The student whose grades were changed and whose data access request was denied.
What the authority found
The Hungarian DPA found that the school failed to properly handle the parent's request for access to the student's personal data.
Why this matters
This case emphasizes the need for educational institutions to ensure transparency and proper data management practices. Schools must be prepared to provide access to personal data and maintain clear records of any changes made.
GDPR Articles Cited
National Law Articles
Entities Involved
A minor student (the data subject) alleged that his grade had been amended before the semester grading meeting without notification. The parent of the data subject requested access to his personal data contained in the eKRÉTA (Public Education Registration and Study Fund) system. This system was used by the school (the controller) to record and capture the grade history of pupils, including the data subject. The controller failed to provide the requested personal data. However, it did ask KRÉTA (the processor) whether additional information regarding manipulation of grades can be exracted from the system and informed the parent that no such possibility existed. Consequently, the parent of the data subject filed a complaint with the Hungarian DPA. The parent submitted that the overwriting and deletion of the data subject's grades could not be tracked on the eKRÉTA administrative interface accessible to parents. The parent proved their right of representation before the DPA with the child's birth certificate. The DPA initiated an investigation into the matter. The DPA reitarrated, based on the definitions of the GDPR, that a subject grade is data related to the data subject's academic evaluation and should be considered personal data. Hence, any operation performed on the data is considered data processing. In the present case, the personal data was allegedly modified or overwritten at a time other than when the semester grade notice was issued to pupils. With regard to the personal data of a minor, the parent is not considered to be the data subject pursuant to Article 4(1) GDPR. At the same time, the parent can submit a data subject request to the controller on behalf of the minor data subject. The parent wanted to exercise this right in order to have access to the information related to the management of the grade, regarding the overwriting and deletion of the grade, based on Article 15(1) GDPR. The purpose was to establish the legality of the data mana
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for The National Authority for Data Protection and Freedom of Information in HU
This is the only recorded action for this entity in this jurisdiction.
Details
Decision Date
22 September 2022
Authority
Nemzeti Adatvédelmi és Információszabadság Hatóság
GDPRhub ID
gdprhub-5480About this data
Cite as: Cookie Fines. The National Authority for Data Protection and Freedom of Information - Hungary (2022). Retrieved from cookiefines.eu
Last updated: