a)  Hungary / b)  Constitutional Court / c) / d)  13-04-1991 / e)  15/1991 / f) / g)  Magyar Közlöny (Official Gazette), 39/1991 / h) .
Keywords of the systematic thesaurus:
Fundamental Rights - Civil and political rights - Right to private life - Protection of personal data.
Keywords of the alphabetical index:
Data-gathering / Data-processing / Personal identification number (PIN), use.
In the absence of a definite purpose and for arbitrary future use, the collection and processing of personal data is unconstitutional. The right to the protection of personal data, known as the right to informational self-determination, as guaranteed under Article 59 of the Constitution, permits everyone the freedom to decide about the disclosure and use of their personal data to the extent that the approval of the person concerned is generally required to register and use it. In addition Article 59 of the Constitution ensures that such person can monitor the entire route of data processing thereby guaranteeing the right to know who used the data and when, where and for what purpose it was used. A statute could exceptionally require the compulsory supply of personal data and prescribe the manner of its use provided it complied with Article 8 of the Constitution.
The petitioner sought the constitutional review of several legal rules on the grounds that they violated the right to the protection of personal data under Article 59 of the Constitution.
Law Decree 10/1986 on the State Population Register provided, inter alia, that:
a.   the objective of the Register was to promote the enforcement of the citizens' rights and the fulfilment of their duties, and to provide assistance for the activity of state and private organisations (Article 1.1);
b.   the function of the Register was the collection of data necessary for unified personal data records and the keeping and supply thereof (Article 1.2);
c.   there was an obligation to supply data on education and professional training (Article 3);
d.   the Register was to contain the citizen's personal identification number ("PIN"), and basic identification and residence data, the scope of which was delegated to the Council of Ministers (Article 4);
e.   the compulsory introduction of the PIN into the Register and into the procedures for the administration of the State and of the judiciary was allowed (Article 6.2);
f.   the Register could use data from other records if the organisation concerned approved (Article 7.1);
g.   a private person could request another person's data to which he or she was entitled or had a lawful interest, such application being certified by his/her own statement or by an official document. The Register was to supply data to state and private organisations to facilitate the performance of their duties (Article 7.2);
h.   mandatory regular data to be supplied to certain organisations for the performance of their basic tasks, such organisations to be determined by decree of the Council of Ministers (Article 7.3);
i.   provision of data could be refused if it violated a citizen's personal rights (Article 8);
j.   each citizen had the right to correct the data on him or herself (Article 10.2); and
k.   personal data could only be made public in cases specified by a statute or by decrees of the Council of Ministers (Article 10.3).
The petitioner submitted that:
a.   the Law Decree was unconstitutional because it did not comply with the Constitution or the regulatory level necessary for the regulation of fundamental rights as required by Act XI of 1987 on Legislation;
b.   the provision of mandatory data was prescribed in such a way that the scope of data to be provided was to be determined by the Council of Ministers which also conflicted with Act XI of 1987. The authorisation did not specify the subject or the limit of its scope. Consequently the Council regulated fundamental rights and duties, which it was not authorised to do; and
c.   it was unconstitutional that a Decree of the Council of Ministers could determine who received the mandatory data and who, based on such data, established rights and duties; moreover the protection of personal data in the hands of such recipients could not be guaranteed.
According to Article 59 of the Constitution everyone is entitled to the protection of his/her reputation, and to privacy, including privacy of the home and to the protection of personal secrets and data. The Constitutional Court did not interpret the right to the protection of personal data as a traditional protective right, but as an informational right to self-determination. Thus, the right to the protection of personal data, as guaranteed by Article 59 of the Constitution, means that everyone has the right to decide about the disclosure and use of his/her personal data. Hence, approval by the person concerned is generally required to register and use personal data; the entire route of data processing and handling shall be made accessible to everyone, i.e. everyone has the right to know who uses his/her data, and when, where and for what purpose it is used. In exceptional cases, a statute exceptionally requires the compulsory supply of personal data and prescribes the manner in which this data may be used. Such a statute restricts the fundamental right to informational self-determination, and it is constitutional only if it is in accordance with the requirements specified in Article 8 of the Constitution.
Adherence to the purpose to be achieved is a condition of and at the same time the most important guarantee for exercising the right to informational self-determination. It follows from the principle of adherence to the purpose to be achieved that collecting and storing data without a specific goal, "for the purpose of storage", for an unspecified future use, is unconstitutional.
The other basic guarantee is the restriction on the forwarding and publication of data. Personal data may be made accessible to a third party, other than the concerned party and the original data user, and thereby data processing systems may be linked together, only if all the conditions required for data forwarding are fulfilled in relation to each item of data.
The contested Law Decree was unconstitutional because it failed to meet the basic requirement of the adherence to the purpose to be achieved.
The principle of adherence to the purpose to be achieved was a condition of and the guarantee for exercise of the right to informational self-determination. Personal data might therefore only be processed for a definite and legally-justified purpose to which every stage of the process had to conform. The person concerned was to be informed of the purpose for the data processing in a manner which allowed him to assess its effect on his/her rights, to make a well-founded decision on its provision and to enforce his/her rights were the use of such data to deviate from the original purpose. If there were any possible alteration in the purpose, the person was to be notified unless a statute permitted otherwise.
The definition by the Law Decree of the purpose and scope of data collection violated a person's right to human dignity. The protection of the right to informational self-determination in the process of data forwarding was to be ensured through guarantee-based regulations and the adherence to the purpose to be achieved which had to be present at every stage from the supply to the elimination of such data from a record. Since the Register, whose data processing was "for the purpose of storage" lacked any tangible objective, this resulted in a lack of continuity of purpose from the data-forwarding stage onwards as well as a lack of legitimacy of an alteration in the purpose thereof. Moreover it was clear that a data user with an undefined scope for data collecting would become familiar with personal data in its entirety and in its context. Taken out of its original context, the data used to create a "personality profile" violated the personality rights of the person concerned.
The main legal provisions on the population register, with respect to the collection of data and its processing, were unconstitutional. Article 1 of the Law Decree provided a definition of the objective of the Register and its duties which was inadequate and vague, incapable of guiding data processing in a definite direction or restricting it in any way. In addition under Article 4, data collection for storage purposes had no definite purpose or scope: there was no detailed list of the data to be included in the Register and instead the Law Decree gave a broad authorisation to the Council of Ministers to draw up such a list. However it had gone beyond its authorisation under Articles 3-4 when it included for compulsory registration the PIN of the person's father, mother, children and spouse, thereby violating the personality rights of the person since it used relationships without his/her knowledge.
Further, Article 7 was unconstitutional since it gave unlimited freedom to the data processing of the Register. The person concerned was not required to give his/her approval to the processing, nor was there a duty that once the specific service had been completed the data was to be deleted or that a record of such amendments was to be kept with the data. Moreover, when combined with data from other sources, the data in the Register could provide different information on a person who would be ignorant of its provision. Consequently, in order to render constitutional the acquisition of data from other records or its forwarding, the data would have to be used solely for the purpose of original record-keeping and made available only to the audience with whom the person would have to deal in connection with the original record-keeping. Data outside the collection remit of the Register would have to be deleted after forwarding while the request and forwarding of data would need to be documented.
In addition, different stipulations under Article 7 provided for data supply or forwarding to private persons, i.e. having a "lawful interest" in another person's data, or to organisations "to facilitate the performance of their duties" which did not sufficiently take into account a person's right to data protection. These objective conditions were of themselves incapable of providing the requisite basis for protection under Article 8, according to which supply could be refused if it violated personality rights. The supply of personal data for the performance of a specifically-defined task and the performance of which possibly justified the risk involved in the supply alone complied with personality rights protection. Only organs of state administration and the judiciary were given such tasks so that identical restrictive conditions were to be imposed on providing data to these "organisations" other than the aforementioned organs and to private persons - the right to informational self-determination could be enforced if based on a right documented and certified in writing on the same footing as private persons. Finally the requirement of mandatory regular data supply in Article 7.3 to local authorities and to ministries for the performance of their basic tasks was insufficient to permit constitutional data-forwarding and those entitled could only be determined by statute, not merely by executive decree.
The express guarantees of personality rights in the Law Decree failed to meet all the criteria of constitutionality. For instance, Article 10.2 only provided the right to make corrections for the person concerned. Since the essence of the right to informational self-determination was that the party concerned might know and follow the route and circumstances of the use of his/her personal data, the preconditions necessary for the exercise of this right were to be ensured: applications for data on certain subjects were to be officially documented in the Register, i.e. records on whose data was supplied to whom, when and for what purpose, as well as the use of other data systems. Certification would also facilitate possible corrections which would need to be made in all registers receiving the wrong item of data. Further, the right to correction should also be extended to deletions. By Article 10.3, personal data could only be made public in cases specified by statute or government decree where general authorisation, in view of the current Decision, was also unconstitutional. The right to informational self-determination might be limited only in unavoidable situations, the justified exceptions to the rule being determined by statute. Therefore only where the person concerned could forbid the provision of his/her data recorded in the Register would the protection of personality rights satisfy the Constitution.
Finally the concept of a universal and unified PIN available for unlimited use was unconstitutional. Article 6.2 permitted the use of PINs in any official document and record or computerised register system and was thus broader in scope than the Register: indeed, it failed to limit or impose conditions on the use of PINs. The PIN threatened personality rights particularly where data was acquired from various databases without informing the person concerned: he or she was therefore limited in or deprived of the possibility of monitoring the dataflow. Further this mass of interconnected data, of which the person generally had no knowledge, rendered him defenceless and created unequal communication conditions so that one party possessed information giving a particular (possibly distorted) image of which the other party concerned was unaware. The power of the state administration in using PINs was also markedly extended. Where they were used outside the ambit of the administration, this increased the power not only of the data user over the parties concerned but also of the State since it further broadened the possibility of control through use of such data. Taken together, they seriously jeopardised the right to self-determination and human dignity. Accordingly PINs remained contrary to the right to data protection, to the principle of divided information systems with adherence to the purpose to be achieved and to the main rule that data was to be acquired from persons with their knowledge and consent.