NAIH (Hungary) - NAIH-359-10/2026
Hungarian DPA finds controller violated GDPR by unlawfully processing sensitive personal data.
Summary
The Hungarian Data Protection Authority (NAIH) found a controller in violation of GDPR Articles 6(1) and 9(1) for unlawfully processing sensitive personal data, including gender identity and medical procedures. The controller failed to establish a legal basis for processing, did not conduct a balancing test, and acted in bad faith by including the information despite the data subject's objection. Additionally, the controller violated Article 12(4) by not responding to an erasure request.
Full text
Latest revision as of 07:30, 10 June 2026
NAIH - NAIH-359-10/2026
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 6(1) GDPR, Article 9(1) GDPR, Article 12(4) GDPR, Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started: 02.12.2024
Decided: 29.05.2026
Published:
Fine: 25,000,000 HUF
Parties: Blikk Kft.
National Case Number/Name: NAIH-359-10/2026
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Hungarian
Original Source: NAIH (in HU)
Initial Contributor: ap
The DPA fined a news website HUF 25,000,000 (approximately €70,590) for unlawfully publishing the personal data of a data subject in articles related to court proceedings they were involved in.
English Summary
Facts
Blikk Kft. (the controller) is a company that operates a news website. In 2024, a data subject filed a complaint with the DPA. According to the data subject, the controller published two articles that contained a significant amount of their personal data without their consent. The articles included a blurred picture of the data subject, as well as their name (former and current, but initials for their last name), former place of employment, information related to the data subject’s gender reaffirming surgery, and information related to court proceedings they were involved in.
Before filing the complaint with the DPA, the data subject also asked the controller to remove their picture and full name from the articles. However, the data subject did not receive a response.
The controller argued that publishing the article was a matter of public interest in connection with investigative journalism. The controller claimed that the data in the article did not allow third parties to identify the data subject, and therefore it was not processing personal data when publishing the articles. The controller also claimed to have deleted the articles at the request of the DPA. Finally, the controller stated that the lack of response to the data subject’s request for erasure was due to an administrative error.
The DPA investigated the lawfulness of the processing on the basis of the data subject’s complaint, and conducted an ex officio investigation into the data subject’s erasure request.
Holding
The DPA first clarified that the controller processed personal data. The DPA stated that the definition of personal data is broad, and that the combined information made the data subject easily identifiable to third parties. The DPA also clarified that while a person’s gender alone is not sensitive personal data, data relating to the data subject’s gender identity and medical procedures fall within the scope of sensitive personal data under Article 9 GDPR. Finally, the DPA stated that the use of initials could not be considered a security measure to prevent unlawful processing of personal data.
The DPA found a violation of Articles 6(1) and 9(1) GDPR. The DPA considered that the controller processed the data subject’s personal data unlawfully, as it could have covered the court proceedings without disclosing the data subject’s data. According to the DPA, the press generally relies on legitimate interest (Article 6(1)(f) GDPR) when processing personal data. However, the controller argued that it did not process personal data. Therefore, it did not assess whether less intrusive means were available, and did not conduct a balancing test for the rights and interests involved. The DPA concluded that the controller did not have a legal basis under Article 6