NAIH (Hungary) - NAIH-3344-1/2026
Hungarian DPA fines university HUF 1.5M for excessive data processing in dormitory admissions.
Summary
The Hungarian Data Protection Authority (NAIH) fined a Hungarian university HUF 1,500,000 for violating GDPR Articles 5, 6, and 13 in its dormitory admissions process. The university processed excessive personal data (residence card details, identification numbers, full authority decisions) without adequate legal basis, failed to provide proper privacy notices, and misleadingly referenced consent as a legal basis when relying on public interest. The DPA ordered the university to cease unlawful processing, delete improperly collected data, update its privacy notice, and demonstrate compliance within 45 days.
Full text
NAIH - NAIH-3344-1/2026
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(a) GDPR; Article 5(1)(c) GDPR; Article 6(1) GDPR; Article 13 GDPR
Type: Investigation
Outcome: Violation Found
Started: 07.04.2025
Decided: 30.01.2026
Published:
Fine: 1,500,000 HUF
Parties: n/a
National Case Number/Name: NAIH-3344-1/2026
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: bms
The Hungarian DPA fined the Hungarian University HUF 1,500,000 because it carried out excessive and insufficiently transparent data processing in dormitory admissions, lacked a legal basis for those data, and wrongly referred to consent in its forms.
English Summary
Facts
The Hungarian University (the controller) operated dormitory admissions through academic software. Students could also submit a separate social situation assessment request. This was not formally mandatory, but students who did not submit it received zero social points in the dormitory ranking. The dormitory score included social circumstances, academic performance, and institutional, professional, academic and public life activities. The controller processed personal data from application forms and supporting documents, including data relating to students, household members, relatives, witnesses, and, in some cases, health or social-status information.
During the 2022-2024 application periods, the controller did not have a separate privacy notice for dormitory admissions. The application forms also stated that submitting an application amounted to consent for the controller to forward the documents to the relevant reviewers, although the controller mainly relied on public-interest processing and, partly, pre-contractual steps. The Hungarian DPA investigated the controller’s legal basis, compliance with data protection principles, and transparency obligations in the dormitory admission and related social situation assessment procedures.
Holding
The DPA held that the controller violated Articles 5(1)(a), 5(1)(c), 6(1), and 13(1)-(2) GDPR. The DPA accepted that Article 6(1)(e) GDPR could apply where the controller processed data necessary to assess statutory social criteria. However, the controller could not process data going beyond what was necessary to verify those criteria. The DPA found that the controller breached the principle of data minimisation by processing excessive data from residence cards, including document numbers, personal identification numbers and issuance-related data. The DPA also found that the controller unlawfully processed full authority decisions on disadvantaged or multiply disadvantaged status, although only proof of the relevant status was necessary. The DPA further held that the controller lacked a legal basis for those excessive data.
In addition, the controller failed to provide adequate prior information under Article 13 GDPR and breached transparency by referring to consent in the application forms, even though consent was not the applicable legal basis. The DPA ordered the controller to stop the unlawful processing, delete unlawfully processed data, amend its privacy notice, and provide proof of compliance within 45 days. It also imposed a HUF 1,500,000 fine.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
DECISION
The National Data Protection and Freedom of Information Authority (hereinafter: Authority) makes the following decisions in an ex officio data protection authority procedure regarding the compliance of the data processing practices of the Hungarian University of Agricultural and Life Sciences (seat: 2100 Gödöllő, Páter Károly u. 1.a; hereinafter: MATE) with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation) in relation to dormitory admissions, including the examination of the application of the principles of data processing, the legal basis for data processing and the appropriate prior information.
1. The Authority condemns MATE for negligently infringing Article 5(1)(a) and (c), Article 6(1) and Article 13(1)-(2) of the GDPR, as explained in the statement of reasons.
2. The Authority prohibits MATE from processing data without a legal basis, as set out in Sections V.5.3 and V.5.8.1 of the Decision, as of the date of receipt of this Decision, with effect for the future. To this end, the Authority orders MATE to erase all personal data unlawfully processed.
3. The Authority further orders MATE to comply with the provisions of Section V.6 of the Decision, and to modify the content of its data management information in accordance with the requirements set out in point 1 of this Article and prove this to the Authority by sending the data management information and referring to the relevant points or by preparing and sending a new data management information.
4. The Authority obliges MATE to pay a data protection fine of HUF 1,500,000, i.e. one million five hundred thousand forints, for the violations established above.
MATE must prove in writing to the Authority that it has taken the measures prescribed in points 2 and 3 within 45 days of receiving this decision, together with the submission of supporting evidence, a deletion protocol and a data management information.
The data protection fine must be paid within 30 days of receipt of this decision to the Authority's centralized revenue collection target settlement forint account (10032000-01040425-00000000 Centralized collection account IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, reference must be made to the NAIH-3344/2026. BÍRS. number. If MATE fails to meet its obligation to pay the fine within the deadline, it shall pay a late payment surcharge to the above account number. The rate of the late payment surcharge is the statutory interest, which is the same as the central bank base interest rate valid on the first day of the calendar half-year affected by the delay.
In the event of failure to comply with the obligations under points 2 and 3, and failure to pay the data protection fine and the late payment fee, the Authority shall order the enforcement of the decision. Until the expiry of the deadline for filing an action to challenge the decision, or until the final decision of the court in the event of an administrative lawsuit, the data affected by the disputed data processing may not be deleted or destroyed.
There is no right of appeal against this decision through administrative means, but it may be challenged in administrative proceedings by means of a statement of claim addressed to the Metropolitan Court within 30 days of its notification. The statement of claim shall be submitted to the Authority electronically, which shall forward it to the court together with the case documents. The request for a hearing shall be indicated in the statement of claim.
For those not entitled to full personal exemption from fees, the administrative lawsuit fee is HUF 30,000, and the lawsuit is subject to the right to record the subject matter of the fee. Legal representation is mandatory in the proceedings before the Metropolitan Court. The Authority publi