9.1 Trade secret

The requesting party wished to have access to specific data of contracts con- cluded by a business organisation in the exclusive ownership of the municipality with a third person; in the relevant investigative procedure, the Authority ex- plained that a given document (such as a contract or price quotation) may in- clude data, which do not belong to any of the data categories indicated in Section 27(3) of the Privacy Act (for instance, priced budget, know-how), or data which have been classified as a trade secret by the other party to the contract with the business organisation held by the municipality. The Authority summarised its position concerning the collision of trade secrets and the freedom of informa- tion in its recommendation issued under NAIH/2016/1911/V. According to the recommendation, business organisations at least the majority of which is held by the state/a municipality may not invoke trade secrets with regard to the pub- lic duty performed by them (including the management of public assets); at the same time, facts, information, solutions or data qualified as trade secrets are of paramount importance for a business organisation subject to market competi- tion because their corporate and economic plans and strategies are based on them, this information is the basis of their decisions, which ensure their place in the market, thus disclosure of such information may result in them being driven out of the market. Resolving the conflict between trade secrets and the freedom of information, Section 27(3) of the Privacy Act qualifies “quasi” trade secrets related to the budget of the central government and the local governments, the use of European Union funds, benefits and allowances involving the budget, the management, possession, use, utilisation and disposal and encumbering of cen- tral and local government assets, and the acquisition of any right in connection with such assets, as data accessible on public interest grounds with a view to ensuring the transparency of managing public funds. If the holder of the secrets (whether the municipal company or its contracted partner) took the necessary legal measures to keep the trade secret (e.g. express marking of parts concern- ing the trade secret and detailed explanation of the justification of protection), the business organisation held by the municipality and its contracted partner may not make it public without authorisation. If these data and protected information were to be accessed by the competitors of the business organisation in public ownership, or its contracted partner, it could result in the violation of the legiti- mate business interests of the contracting parties. [NAIH-6203/2023]

9.2 Generating new data

According to the practice of the Constitutional Court, the ordinary courts and the Authority, restriction of the accessibility of data of public interest is only possible at the level of the law, by ensuring the discretion and the obligation of the con- troller with a view to protecting the interests specified in the Privacy Act; criteria of convenience may not justify the rejection of a data request.

In the case under investigation, the notifier did not ask for the forwarding of a complete register, he only asked for access to a line of data, which can be que- ried with a simple IT query operation. In view of Constitutional Court Decision 13/2019. (IV. 8.) AB, Justification paragraph [55], the Authority explained: if the data request applies to the selection by queries according to specific criteria, of existing and processed (recorded) data and, for instance, organising them in a table, the request may not be denied. The request must be complied with, irre- spective of the form of recording and irrespective of whether the data has to be found through the review of the controller’s records and/or documents stored by the controller. Just as the controller may not deny compliance with the data request on the basis that it would require the review of the documented pro- cesses and the separation of the accessible and the inaccessible data in it. The Authority also underlined that mere administrative considerations may not result in the restriction of the freedom of information. [Constitutional Court Decision 12/2004. (IV. 7.) AB]

In summary, the Authority consistently holds the position that the performance of simple IT operations, such as query and adding up, do not qualify as the gen- eration of qualitatively new data. To comply with the data request constituting the subject matter of the case, there was no need to perform operations beyond simple IT, mathematical or other operations causing substantial difficulties. In the case of the data request under investigation, the subject matter was to query data stored, data that could be queried by simple (or additional) work as set forth in Constitutional Court Decision AB 13/2019. (IV. 8.), so compliance with the re- quest did not require the obtaining or collection of new data from other organs, the provision of explanations or drawing conclusions.

A merely formal reference to Constitutional Court Decision 13/2019. (IV. 8.) AB without the actual examination of the content of the individual issues of the re- quest for data for public interest and of the answers to be given to them quali- fies as undue restriction of a fundamental right set forth in Article VI.(3) of the Fundamental Law clashing with Article I.(3), and therefore it is anti-constitutional. [NAIH-9111-2/2023]

9.3. Government Integrated Portal for the Disclosure of Data of Public Interest (KIKAP Portal), Authority Integrated Portal for the Disclosure of Data for Public Interest (HIKAP Portal)

In the investigations of the Authority based on complaints against the operation of the HIKAP and KIKAP Portals, all the complaints objected to the fact that the data of public interest or data accessible on public interest grounds made public through an URL were accessible for 15 days after uploading, thereafter the data were archived and erased after 90 days. The data of public interest “made public” on the HIKAP and the KIKAP Portals are accessible exclusively to the request- ing party or to the person who has the URL sent by the controller for download- ing the data, for 15 days.

The controller (the organ issuing the data) does not monitor whether the request- ing party receives the data or document requested to be accessed by him. The requesting party has to notify that he is unable to access the requested docu- ment for some reason, in which case the controller sends a link again to the e- mail address of the requesting party. An additional problem discovered in the course of the investigation was that the KIKAP and the HIKAP systems automat- ically place two watermarks on the given document: the e-mail address of the re- questing party and the KIKAP caption. According to the controllers, the purpose of this is the “one step identification” of the requesting party.

According to the position of the Authority, the watermark applied on documents issued upon requests for data of public interest – even if the watermark does not block the data of public interest in a given case – impedes the right to dissemi- nate data of public interest as ensured by the Fundamental Law, particularly if the watermark also includes the personal data of the requesting party (such as his e-mail address). [NAIH-7525/2023., NAIH-44/2023., NAIH-584/2023.]

9.4. Portal used by the Hungarian Association of Judicial Officers (MBVK) to comply with data requests

According to a complaint related to granting a data request, the download did not start when clicking on the “Download” button, and the series of data disap- peared. The complainant also objected to the fact that he could have been able to download the answer uploaded for the data request only once within a period of two weeks, and that the watermark running across the entire page, including his personal data (his name, the date of the data request and his e-mail address) blocked one of the key data.

To provide data of public interest electronically, MBVK developed a portal for providing data. According to MBVK, its advantages include the minimisation of data loss, an increasingly transparent form of the uploaded materials and com- plete protection of the personal data of the requesting parties. The provider of the data receives confirmation of the downloads sent to the users. At the same time, the controller does not ascertain whether the requesting party has actually accessed or downloaded the data of public interest. As a result of the investiga- tion, the watermark is no longer applied and downloading the uploaded docu- ments is no longer restricted.

9.5. Portal to grant data requests used by the Supervisory Authority of Regulated Activities (SZTFH)

The notifier objected to the fact that SZTFH answered his data request in a for- mat, which he could not access and the answer was archived. The notifier did not receive any information about how long the answer would be accessible and how many times could be downloaded.

The HIKAP Portal is used for uploading data of public interest and data accessi- ble on public interest grounds made public through compliance with requests for data of public interest and for sending them to the requesting parties. In addition, SZTFH cited the rationalisation of internal administrative operations and increas- ingly efficient, more secure and faster management of cases as arguments in favour of the use of the system. The requesting party receives the URL for data access and information on legal remedy in a letter sent to his e-mail address pro- vided in the course of requesting the data.

As a result of the investigation, SZTFH has modified the general operation of the HIKAP Portal so that the answer to the data request is accessible for a year fol- lowing publication on the portal, after which the data content is archived for 90 days.