NAIH (Hungary) - NAIH-359-10/2026
Hungarian DPA fines news outlet Blikk Kft. €70,590 for unlawful processing of sensitive personal data.
Summary
Hungary's National Authority for Data Protection and Freedom of Information (NAIH) has fined Blikk Kft., a news website operator, HUF 25,000,000 (approximately €70,590) for violating GDPR. The company published articles containing sensitive personal data, including details about a data subject's gender identity and court proceedings, without proper consent. The DPA found that the combined information made the individual identifiable and that the use of initials was insufficient to protect their privacy.
Full text
=== Facts ===
Blikk Kft. (the controller) is a company that operates a news website. In 2024, a data subject filed a complaint with the DPA. According to the data subject, the controller published two articles that contained a significant amount of their personal data without their consent. The articles included a blurred picture of the data subject, as well as their name (former and current, but initials for their last name), former place of employment, information related to the data subject’s gender reaffirming surgery, and information related to court proceedings they were involved in.

Before filing the complaint to the DPA, the data subject also requested the controller to remove their picture and full name from the articles. However, the data subject did not receive a response.

The controller argued that publishing the article was a matter of public interest in connection to investigative journalism. The controller claimed that the data in the article did not allow third parties to identify the data subject, and therefore it was not processing personal data when publishing the articles. The controller also claimed to have deleted the articles at the request of the DPA. Finally, the controller stated that the lack of response to the data subject’s request for erasure was due to an administrative error.

The DPA investigated the lawfulness of the processing from the data subject’s complaint, and did an ex-officio investigation on the data subject’s erasure request.

=== Holding ===
The DPA first clarified that the controller processed personal data. The DPA stated that the definition of personal data is broad, and that the combined information made the data subject easily identifiable to third parties. The DPA also clarified that while a person’s gender alone is not sensitive personal data, data relating to the data subject’s gender identity and medical procedures fall in the scope of sensitive personal data under [[Article 9 GDPR]]. Finally, the DPA stated that the use of initials could not be considered a security measure to prevent unlawful processing of personal data.

The DPA found a violation of [[Article 6 GDPR|Articles 6(1)]] and [[Article 9 GDPR|9(1) GDPR]]. The DPA considered that the controller processed the data subject’s personal data unlawfully, as it could have covered the court proceedings without disclosing the data subject’s data. According to the DPA, the press generally relies on legitimate interest ([[Article 6 GDPR|Article 6(1)(f) GDPR]]) when processing personal data. However, the controller argued that it did not process personal data. Therefore, it did not assess whether less intrusive means were available, and did not conduct a balancing test for the rights and interests involved. The DPA concluded that the controller did not have a legal basis under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The DPA did not consider it necessary to assess whether the exceptions under [[Article 9 GDPR#2|Article 9(2) GDPR]] apply, as the controller did not have a legal basis to process the data in any case. Finally, the DPA noted that the controller had acted in bad faith by including this information, despite also reporting the data subject’s explicit objection to having their name and picture included in the articles.

The DPA also found a violation of [[Article 12 GDPR#4|Article 12(4) GDPR]], as the controller did not take any measures in response to the data subject’s erasure request.

The DPA fined the controller HUF 25,000,000 (approximately €70,590). The DPA considered the harm done to the data subject and the fact that sensitive personal data was processed as aggravating factors. The DPA also took into consideration the fact that the controller later voluntarily deleted the articles entirely.