Ide kerülhet az előadás címe Dr. Attila Péterfalvi President, Hon. Univ. Prof Fate of our personal data after decease Ide kerülhet az előadás címe Ide kerülhet az előadás címe
INTRODUCTION The Hungarian National Authority for Data Protection and Freedom of Information received a complaint in August 2015 from an anonymous person. The complainant informed the Authority about a sad incident that happened between a Hungarian woman and a foreign man. The woman and the foreign man got to know each other on Facebook. They have never met in real life. The man wanted to convince the lady to get divorced from her present husband and marry him instead. When the husband learned about the secret online relationship of his wife, he murdered her, their children than committed suicide.
After this horrible tragedy, the foreign national man contacted some Hungarian tabloid newspapers and revealed his relationship with the murdered woman. Moreover, he posted to his Facebook profile some conversations with the woman, and also intimate photos of the woman. These were public posts, anyone could look up them.
Question of the anonymous complainant: What is the Authority’s standpoint about the publication of personal data of the deceased? The legal problems arising from the case can affect the interests of many people in the future. Our online presence becomes more and more significant present days: social media, forums, chat, blogs, online games etc. The Authority decided on 11. November 2015 to publish a recommendation on the topic: Faith of personal data after death (NAIH/2015/4998/V).
On the general protection of personal data Personal data concept of the Hungarian Privacy Act (3. § 1.): any data relating to the data subject (name, identification number, other factors, conclusion drawn from the data). Personal data can be processed when data subject has given prior consent, or it is decreed by the law (5. § (1)). According to the general interpretation of the Privacy Act, the right to protection of personal data (right to information self-determination) only granted to the living.
Faith of personal data after decease There are other statutory norms governing the protection of the personal data of the deceased. However, it is rather unclear in many situations what happens to the already processed personal data when the data subject dies. This problem is especially unclear in online environments, when data processing is based on the consent of the data subject, which was given before he/she passed away.
Some effects of the deceased’s personal data to the descendents The obligation to protect the data after the person's death does not cease completely. Processing the deceased's data or its disclosure can affect the descendants' privacy as well. The Privacy Act does not currently authorize the relatives to control personal data associated with the deceased person (such as deletion of the processed data, rectification etc.) But: There are related provisions in the Hungarian Civil Code in the so called ‚right of reverence’ (2:50. §).
Provisions of the Hungarian Civil Code: ‚the right of reverence’ If any infringement of the memory of the deceased occurs, the relatives or successor may seek remedy in front of the court. (Civil Code 2:50. § (1)) The infringement of the memory of the deceased needs to be examined in the light of personal rights while he/she was still alive. The above mentioned possibility only complies with the situation, when the memory of the deceased was violated through data processing.
Hungarian DPA’s opinion on extending data protection rights to the descendents The social purpose of the protection of personal data would not be compatible with such a provision, that would extend the deceased’s data protection rights on the relatives and successors (e.g.: right to information). However, deletion of these data has currently no statutory legal basis too. The only possibility for relatives if the data controller (e.g.: an online service provider) provides an opportunity for the deletion under the terms of use:
We drew attention in our recommendation that the established contract (terms of use) between the data subject and the data controller is typically terminated after the person's death. With the termination of the contract, the purpose of the processing of personal data is also eliminated. Therefore in principle, the data related to the deceased person should be deleted as well. But: In most situations data controllers are not aware of the data subject’s death.
Hungarian DPA’s recommendation The Hungarian DPA considers that it may be necessary in the future to create a new plea based on the law that regulates data procession based on consent related to the deceased person. This plea would allow the deletion and termination of such data by relatives and successors. This may be necessary because the service provider typically cannot verify that by the death of the concerned person, the purpose of the processed data has already ceased. This right, however, should not include the right to access to the deceased person's user profile and stored privacy (such as private correspondence).
How to practice the new right This right should be exercised only by the relatives and successors of the deceased by proving their family membership, the death of the data subject and by properly identifying the data provided by the deceased person. The requests to delete personal data should only affect the data which the deceased has provided in relation to the service of the data controller. Data created by third party in connection with the deceased cannot be affected: for example (non memory-infringing) photos published by a third person.
Consequences of the Hungarian DPA’s recommendation The DPA called the Hungarian Minister of Justice to examine the possibility of creating a legal basis and procedure, which grant the deceased's relatives and successors these special rights. The Ministry of Justice examined the possibility and elaborated a possible legal background. According to the concept, there are two possibilities regarding the personal data of the deceased: If the deceased made a testimony in his/her life in a form of an authentic instrument or private document with full probative value. In this case the relatives and successors can practice data protection rights.
2. If no „last will on personal data” is available, than rectification or deletion can be requested by the relatives from the data controller under two circumstances: If data processing was illegal even in the data subject’s life or, When the purpose of the data processing has ceased with the death of the data subject. Possible only with the necessary documents provided: death certificate, ID of the relative.
Deadline for exercising the right The deadline for exercising the above mentioned rights would be 5 years after the death of the data subject! Applies for both circumstances: 1. if the data subject has a ‚last will on personal data’ 2. and also if he/she did not have one.
Recommendation about a procedure in case of parallel claims The Hungarian DPA also recommended the Ministry of Justice to elaborate a procedure in cases when there are more claims on behalf of the relatives. If there are more than one requests on behalf of the relatives: The data controller must inform the later requester about the measures taken. When the later requester disagrees, than may seek remedy by the court. If the data controller receives more requests at the same time and no measures have been taken yet regarding the data, than the data controller must suspend the procedure and should inform the requesters that they can turn to the court. However, the Ministry prefers a „first come first served” solution.
Thank you for your attention! Dr. Attila Péterfalvi H-1125 Budapest, Szilágyi Erzsébet fasor 22/c. H-1530 Budapest, Pf. 5. Tel.: +36 391-1400 Fax: +36 391-1410 attila.peterfalvi@naih.hu ugyfelszolgalat@naih.hu www.naih.hu