NAIH (Hungary) - 4094-1/2026

Summary

Hungary's National Data Protection and Freedom of Information Authority (NAIH) ruled that a guardianship authority unlawfully disclosed the residential address of a parent and their two minor children to an estranged grandparent. The authority included the address in a summons, violating GDPR's legal basis and data minimization principles, as the address was not necessary for client identification.

Full text

Help NAIH (Hungary) - 4094-1/2026: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 10:28, 20 June 2026 view source Av (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators29 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 10:28, 20 June 2026 NAIH - 4094-1/2026 Authority: NAIH (Hungary) Jurisdiction: Hungary Relevant Law: Article 5(1)(c) GDPR Article 6(1) GDPR Article 58(2)(d) GDPR Type: Complaint Outcome: Upheld Started: Decided: 04.02.2026 Published: 17.06.2026 Fine: n/a Parties: n/a National Case Number/Name: 4094-1/2026 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Hungarian Original Source: NAIH (in HU) Initial Contributor: av A DPA held that a guardianship authority had violated Articles 6(1) and 5(1)(c) by disclosing the residential address of a parent and his two minor children to their estranged grandparent. The address information was not necessary for client identification. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts A grandfather filed a request with a guardianship authority (the controller) in 2024 in order to get the address information of his son and his two minor children (the data subjects). He wished to obtain visitation rights with the children but had not been in contact with their father in 10 years. The guardianship authority subsequently summoned the parties to a settlement hearing and included the residential address of the data subjects in the summons. The father filed a complaint with the supervisory authority on behalf of himself and his minor children. The data subjects argued that the disclosure of residential address data to the grandfather had been unlawful under the GDPR. The controller stated that the processing had been lawful. In addition, including the residential address of the data subjects in the summons had been necessary to arrange visitation rights and assign the case to the competent authority. The controller also pointed out that the data subjects did not request their address information to be treated as confidential, nor was this done ex officio. Holding First, the DPA held that the controller had violated Article 6(1) GDPR by failing to demonstrate that there had been an applicable legal basis for disclosing the residential address of the data subjects to the grandfather. Second, the DPA found an infringement of the principle of data minimization laid down in Article 5(1)(c) GDPR. Applicable national provisions only required that data necessary for client identification be included in official documents. Therefore, the DPA held that the summons should have contained the minimum amount of personal data necessary for client identification, even if no order of confidentiality had been issued. The residential address was unnecessary for identification purposes especially since the guardianship authority had only disclosed the address of the data subjects but remained silent about the address of the grandfather. The DPA ordered the controller to bring processing operations into compliance with the GDPR pursuant to Article 58(2)(d) GDPR. In particular, it instructed the controller to pay attention to the principle of data minimization by including as little personal data in its documents as possible. Furthermore, the DPA ordered the controller to specifically ensure that a legal basis exists for the disclosure of personal data contained in documents sent to the opposing party in child protection proceedings. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details. ………………………………………………………………………………………………………… 1055 Budapest Tel.: +36 1 391-1400 naih.hu/adatkezelesi-tajekoztatok Falk Miksa utca 9-11. KR ID: 429616918 ugyfelszolgalat@naih.hu Case number: NAIH-4094-1/2026. Subject: decision granting the application D E C T I O N The National Data Protection and Freedom of Information Authority (hereinafter: Authority) […] (hereinafter: Applicant1) and the minor children represented by him, […] (hereinafter: Applicant2) and […] (hereinafter: Applicant3) (hereinafter: Applicants) – submitted on […] and completed on […] 2024 – in the data protection authority proceedings initiated on […] 2024 against the Budapest Metropolitan Government Office […] District Office (seat: 1181 Budapest, Városház u. 16., hereinafter: Applicant) regarding the unlawful processing of their residential address data, makes the following decisions: I. The Authority grants the Applicant’s application, and the natural The Authority hereby orders the Respondent to comply with Article 5(1)(c) and Article 6(1) of Regulation (EC) No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (hereinafter referred to as the General Data Protection Regulation or GDPR) by including and transmitting the address details of the Applicants in the summons. II. In view of the infringements established in point I, the Authority ex officio 1. orders the Respondent to bring its data processing operations into line with the provisions of the GDPR by establishing an internal regulator to determine the minimum amount of personal data necessary for customer identification in relation to the decisions it takes. 2. orders that this decision, in addition to the anonymization of the identification data of the Applicants, be published on the Authority's website with the identification data of the Applicant. The Applicant must prove to the Authority in writing, together with the submission of supporting evidence, that he has fulfilled the obligation specified in point II.1 of the decision, within 30 days of the expiry of the deadline for filing an appeal against this decision. No procedural costs were incurred in the proceedings. There is no right of administrative appeal against this decision, but it may be challenged in an administrative lawsuit by filing a claim with the Metropolitan Court within 30 days of its notification. The claim must be submitted to the Authority electronically, which will forward it to the court together with the case documents.1 The request for a hearing must be indicated in the claim. For those who do not benefit from full personal exemption from fees, the administrative lawsuit fee is HUF 30,000, and the lawsuit is subject to the right to record the subject matter fee. Legal representation is mandatory in the proceedings before the Metropolitan Court. 1 The form NAIH_K01 is used to initiate an administrative lawsuit. The form can be filled out using the general form filling program (ÁNYK program). The form is available and can be downloaded from the Authority’s website: https://www.naih.hu/kozig-hatarozat-birosagi-felulvizsgalata 2 JUSTIFICATION I. R e p o s s i n g the application and the procedure (1) Applicant1 – on behalf of himself and his minor children – requested the initiation of data protection authority proceedings in his submission received by the Authority on […], 2024, citing that the Applicant had unlawfully and unnecessarily forwarded their residential address data in the authority proceedings initiated on […], 2024, at the request of the Applicant1’s father, at the […] number (hereinafter: main case or main proceedings). (2) Applicant1 stated that he had severed ties with his father for more than ten years, and therefore did not know his family and their addresses prior to the proceedings resulting in the complained-of data processing. In […] 2024, his father applied to the District Office of the Budapest Metropolitan Gover

Entities