[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fgm7eT_pAskvxvTCgQBKkMjMVVJv8ah-3ivRImAasAfE":3},{"article":4,"iocs":47},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":29},"3c7a555a-bba4-48ba-af70-05fb3e46c235","NAIH (Hungary) - NAIH-359-10\u002F2026","naih-hungary-naih-359-10-2026-6a56cd","Created page with \"{{DPAdecisionBOX |Jurisdiction=Hungary |DPA-BG-Color=background-color:#7f0037; |DPAlogo=LogoHU.jpg |DPA_Abbrevation=NAIH |DPA_With_Country=NAIH (Hungary) |Case_Number_Name=NAIH-359-10\u002F2026 |ECLI= |Original_Source_Name_1=NAIH |Original_Source_Link_1=https:\u002F\u002Fnaih.hu\u002Fhatarozatok-vegzesek |Original_Source_Language_1=Hungarian |Original_Source_Language__Code_1=HU |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_...\" Show changes","Hungary's National Data Protection Authority (NAIH) has fined Blikk Kft., a news website operator, HUF 25,000,000 (approximately €70,590). The fine was imposed for unlawfully publishing personal data of an individual in articles related to court proceedings. The articles included a blurred picture, name, former employment details, information about gender reaffirming surgery, and court case details without consent. The DPA found violations of Article 6(1) and 9(1) of the GDPR, stating the data subject was identifiable and that sensitive personal data was processed unlawfully.","Hungary's NAIH fines Blikk Kft. €70,590 for unlawfully publishing personal data.","Help NAIH (Hungary) - NAIH-359-10\u002F2026: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 08:10, 9 June 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators672 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 08:10, 9 June 2026 NAIH - NAIH-359-10\u002F2026 Authority: NAIH (Hungary) Jurisdiction: Hungary Relevant Law: Article 6(1) GDPR Article 9(1) GDPR Article 12(4) GDPR Article 17 GDPR Type: Complaint Outcome: Upheld Started: 02.12.2024 Decided: 29.05.2026 Published: Fine: 25,000,000 HUF Parties: Blikk Kft. National Case Number\u002FName: NAIH-359-10\u002F2026 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Hungarian Original Source: NAIH (in HU) Initial Contributor: ap The DPA fined a news website HUF 25,000,000 (approximately €70,590) for unlawfully publishing the personal data of a data subject in articles related to court proceedings they were involved in. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Blikk Kft. (the controller) is a company that operates a news website. In 2024, a data subject filed a complaint with the DPA. According to the data subject, the controller published two articles that contained a significant amount of their personal data without their consent. The articles included a blurred picture of the data subject, as well as their name (former and current, but initials for their last name), former place of employment, information related to the data subject’s gender reaffirming surgery, and information related to court proceedings they were involved in. Before filing the complaint to the DPA, the data subject also requested the controller to remove their picture and full name from the articles. However, the data subject did not receive a response. The controller argued that publishing the article was a matter of public interest in connection to investigative journalism. The controller claimed that the data in the article did not allow third parties to identify the data subject, and therefore it was not processing personal data when publishing the articles. The controller also claimed to have deleted the articles at the request of the DPA. Finally, the controller stated that the lack of response to the data subject’s request for erasure was due to an administrative error. The DPA investigated the lawfulness of the processing from the data subject’s complaint, and did an ex-officio investigation on the data subject’s erasure request. Holding The DPA first clarified that the controller processed personal data. The DPA stated that the definition of personal data is broad, and that the combined information made the data subject easily identifiable to third parties. The DPA also clarified that while a person’s gender alone is not sensitive personal data, data relating to the data subject’s gender identity and medical procedures fall in the scope of sensitive personal data under Article 9 GDPR. Finally, the DPA stated that the use of initials could not be considered a security measure to prevent unlawful processing of personal data. Para 63 The DPA found a violation of Article 6(1) and 9(1) GDPR. The DPA considered that the controller processed the data subject’s personal data unlawfully, as it could have covered the court proceedings without disclosing the data subject’s data. According to the DPA, the press generally relies on legitimate interest (Article 6(1)(f) GDPR) when processing personal data. However, the controller argued that it did not process personal data. Therefore, it did not assess whether less intrusive means were available, and did not conduct a balancing test for the rights and interests involved. The DPA concluded that the controller did not have a legal basis under Article 6(1)(f) GDPR. The DPA did not consider it necessary to assess whether the exceptions under Article 9(2) GDPR apply, as the controller did not have a legal basis to process the data in any case. Finally, the DPA noted that the controller had acted in bad faith by including this information, despite also reporting the data subject’s explicit objection to having their name and picture included in the articles. The DPA also found a violation of Article 12(4) GDPR, as the controller did not take any measures in response to the data subject’s erasure request. The DPA fined the controller HUF 25,000,000 (approximately €70,590). The DPA considered the harm done to the data subject and the fact that sensitive personal data was processed as aggravating factors. The DPA also took into consideration the fact that the controller later voluntarily deleted the articles entirely. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details. …………………………………………………………………………………………………... 1055 Budapest Tel.: +36 1 391-1400 naih.hu\u002Fadatkezelesi-tajekoztatok Falk Miksa utca 9-11. KR ID: 429616918 ugyfelszolgalat@naih.hu Case number: NAIH-359-10\u002F2026 NAIH-7459\u002F2025 NAIH-14033\u002F2024 Subject: decision granting the request D E R U S I O N The National Data Protection and Freedom of Information Authority (hereinafter referred to as the Authority) has, at the request of […] (hereinafter referred to as the Applicant) represented by the Háttér Company Association (registered office: 1136 Budapest, Balzac u. 8-10. fszt. 1.), Blikk Kft. (1122 Budapest, Városmajor utca 11. cjsz: 01- 09-187043 24873862#cégkapu, tax number: 24873862-2-43; hereinafter referred to as: The Applicant) and its legal successor, IndaNext Hungary Limited Liability Company (1122 Budapest, Városmajor utca 11.; cjsz: 01-09-061743, tax number: 10237580-2-43, hereinafter referred to as the “Obligation”), in the data protection authority proceedings initiated regarding the publication and deletion of personal data about the Applicant in articles published on the website www.blikk.hu, makes the following decisions: I. The Authority grants the Applicant’s request and condemns the Applicant, because the Applicant’s personal and sensitive personal data were published in articles published on the Applicant’s website (article titled “[…]” published on […] and article titled “[…]” published on […]) without legal basis. By doing so, the Respondent intentionally infringed Article 6(1)(f) and Article 9(1) of Regulation (EU) 2016\u002F679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\u002F46\u002FEC (hereinafter referred to as the General Data Protection Regulation). II. The Authority ex officio condemns the Respondent for infringing Article 12(4) of the General Data Protection Regulation by failing to notify the Applicant of the reason for not fulfilling the data subject's request for erasure. III. Due to the infringement established in points I and II, the Authority ex officio orders the Respondent to pay a data protection fine of HUF 25,000,000, i.e. twenty-five million forints. IV. The Authority, pursuant to Section 61 (2) c) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the Information Act), ex officio orders the publication of its final decision by publishing the identification data of the Applicant and the Obligor on the Authority’s website. The fine must be paid within 30 days of the date on which this decision becomes final to the Authority’s centralized revenue collection account (10032000-01040425- 00000000 Centralized collection account IBAN: HU83 1003 2000 0104 0425 0000 0000). When transferring the amount, the reference number “NAIH-359\u002F2026 FINE.” number should be referred to. 2 If the Obligor fails t","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=NAIH_(Hungary)_-_NAIH-359-10\u002F2026&diff=51836&oldid=0","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F8\u002F85\u002FLogoHU.jpg","2026-06-09T08:10:02+00:00","2026-06-09T10:00:22.871933+00:00",7,[18,21],{"name":19,"type":20},"Blikk Kft.","vendor",{"name":22,"type":23},"news website","product","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":24,"icon":26,"name":27,"slug":28},null,"Policy","policy",[30,35,40,42],{"category":31},{"id":32,"icon":26,"name":33,"slug":34},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":36},{"id":37,"icon":26,"name":38,"slug":39},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":41},{"id":24,"icon":26,"name":27,"slug":28},{"category":43},{"id":44,"icon":26,"name":45,"slug":46},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]