NAIH (Hungary) - NAIH/962-10/2026

Summary

Hungary's National Authority for Data Protection and Freedom of Information (NAIH) fined Mediaworks Hungary Zrt. HUF 50,000,000 (approximately €140,590) for violating GDPR Articles 6 and 9 by publishing articles with links to an interactive map containing personal data of nearly 200,000 individuals associated with a Hungarian political party. The data breach occurred in November 2025 and included names, addresses, contact information, and political opinions. The DPA rejected the publisher's claims of legitimate interest and freedom of press, finding the indirect provision of access to sensitive personal data unlawful even though the publisher removed the links the same day.

Full text

Help NAIH (Hungary) - NAIH/962-10/2026: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 11:26, 28 May 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators647 edits Tag: submission [1.0] Latest revision as of 11:33, 28 May 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators647 editsmTag: Visual edit Line 76: Line 76: Mediaworks Hungary Zrt. (the controller) is a Hungarian media company and publisher of several daily newspapers, magazines and websites. In November 2025, an unknown person published a website containing an interactive map. This map allowed persons to search through data of almost 200,000 data subjects associated with one of the political parties in Hungary, including their names, addresses, and contact information (email addresses and phone numbers). In addition, it was also possible to infer the data subjects’ political opinions. The controller published several articles on its websites, including a link to the map. Mediaworks Hungary Zrt. (the controller) is a Hungarian media company and publisher of several daily newspapers, magazines and websites. In November 2025, an unknown person published a website containing an interactive map. This map allowed persons to search through data of almost 200,000 data subjects associated with one of the political parties in Hungary, including their names, addresses, and contact information (email addresses and phone numbers). In addition, it was also possible to infer the data subjects’ political opinions. The controller published several articles on its websites, including a link to the map. The DPA initiated an ex-officio investigation after receiving a large number of complaints from data subjects. During its investigations, the DPA found that the data from the map originated from a data breach of the Hungarian political party. The DPA had previously issued a statement outlining the data protection requirements for media service providers when reporting about the data breach. The DPA emphasised that the media providers must comply with the GDPR regardless of the unlawfulness of the data breach or person creating the map. The DPA stated that it was unlawful to make the data from the map available to the public, even if this was done indirectly (e.g. by publishing a link to the map).The DPA initiated an ex-officio investigation after receiving a large number of complaints from data subjects. During its investigations, the DPA found that the data from the map originated from a data breach of the Hungarian political party. The DPA had previously issued a statement emphasising that media providers must comply with the GDPR when reporting about the map and data breach. The DPA stated that it was unlawful to make the data from the map available to the public, even if this was done indirectly (e.g. by publishing a link to the map). The controller argued that the processing was lawful on freedom of speech grounds, and that the press has a duty to draw the attention of the public to matters of public interest. In addition, the controller argued it had a legitimate interest in processing the data, and therefore the processing was lawful under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].The controller argued that the processing was lawful on freedom of speech grounds, and that the press has a duty to draw the attention of the public to matters of public interest. In addition, the controller argued it had a legitimate interest in processing the data, and therefore the processing was lawful under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. === Holding ====== Holding === The DPA first noted that under national law, the exercise of freedom of press should not (among others) infringe upon the personal rights of others. This includes the right to personal data protection. Processing of personal data for journalistic purposes is also regulated under [[Article 85 GDPR|Article 85 GDPR]]. However, the DPA stated that there are no specific national law provisions regarding data processing for journalistic purposes that would exempt the controller from its data obligations [see also case No. Kfv. 37.978/2021/10 from the Hungarian Supreme Court]. The DPA also clarified that the controller did not process personal data by publishing the articles, but by making the map available through the articles. The DPA stated that the controller could not justify the processing of names, addresses and contact information of data subjects in the map under public interest, and making the map available did not fall under the scope of exercising freedom of press. The DPA first noted that under national law, the exercise of freedom of press should not (among others) infringe upon the personal rights of others. This includes the right to personal data protection. Processing of personal data for journalistic purposes is also regulated under [[Article 85 GDPR]]. However, the DPA stated that there are no specific national law provisions regarding data processing for journalistic purposes that would exempt the controller from its data obligations.<ref>See also case No. Kfv. 37.978/2021/10 from the Hungarian Supreme Court</ref> The DPA also clarified that the controller did not process personal data by publishing the articles, but by making the map available through the articles. The DPA stated that the controller could not justify the processing of names, addresses and contact information of data subjects in the map under public interest, and making the map available did not fall under the scope of exercising freedom of press. The DPA found a violation of [[Article 6 GDPR#1|Article 6(1) GDPR]], as the controller did not have a legal basis to process this data. The DPA took into consideration national case law on privacy related lawsuits against media service providers, as well as its past complaints on data processing by media service providers [FOOTNOTE]. The DPA stated that the controller could not rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to process the data. In addition to the lack of public interest, the controller acted against the DPA’s notice. The DPA noted that the controller could have reported the existence of the map without making the link accessible. Furthermore, the controller failed to take into account the vulnerable position of the affected data subjects, and miscategorised them as public figures. Since the controller did not have a legitimate interest to process the data, the DPA did not determine whether the data processing was necessary or proportionate. The DPA found a violation of [[Article 6 GDPR#1|Article 6(1) GDPR]], as the controller did not have a legal basis to process this data.<ref>The DPA took into consideration national case law on privacy related lawsuits against media service providers, which make a distinction between value judgments and factual statements. In this case, however, the DPA stated that this case does not concern a value judgment or factual statement, but rather a “new” type of processing activity (providing access to personal data through the link to the map). Therefore, constitutional standards and judicial precedents apply to a limited extent to this case. The DPA also took into consideration its past cases where media service providers published data subjects’ data, where the DPA assessed whether the provider in question could demonstrate a legitimate interest to publish this data. However, the DPA stated that this case was different, as it concerned almost 200,000 data subjects. Therefore, the controller’s arguments regarding legitimate interest must be appropriate for all affected data subjects.</ref> The DPA stated that the controller could not rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to process the data. In addition to the lack of public interest, the controller acted against the DPA’s notice. The DP

Entities