NAIH (Hungary) - NAIH/962-10/2026

Summary

Hungary's data protection authority (NAIH) fined Mediaworks Hungary Zrt. HUF 50,000,000 (approximately €140,590) for publishing articles containing links to an interactive map with personal data of ~200,000 individuals affiliated with a political party. The map, sourced from a data breach, exposed names, addresses, email addresses, and phone numbers. The DPA rejected the publisher's freedom-of-press defense, ruling that making the map publicly available violated GDPR Article 6(1) even indirectly via hyperlinks.

Full text

Help NAIH (Hungary) - NAIH/962-10/2026: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 11:26, 28 May 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators647 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 11:26, 28 May 2026 NAIH - NAIH/962-10/2026 Authority: NAIH (Hungary) Jurisdiction: Hungary Relevant Law: Article 6(1) GDPR Article 6(1)(f) GDPR Article 9(1) GDPR Article 9(2) GDPR Article 85 GDPR Type: Investigation Outcome: Violation Found Started: 21.11.2025 Decided: Published: 26.05.2026 Fine: 50,000,000 HUF Parties: Mediaworks Hungary Zrt. National Case Number/Name: NAIH/962-10/2026 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Hungarian Original Source: NAIH (in HU) Initial Contributor: ap The DPA fined a media company HUF 50,000,000 (approximately €140,590) for publishing articles linking to an interactive map containing the personal data of data subjects affiliated to a political party. The map contained data subjects’ name, addresses, and contact information. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Mediaworks Hungary Zrt. (the controller) is a Hungarian media company and publisher of several daily newspapers, magazines and websites. In November 2025, an unknown person published a website containing an interactive map. This map allowed persons to search through data of almost 200,000 data subjects associated with one of the political parties in Hungary, including their names, addresses, and contact information (email addresses and phone numbers). In addition, it was also possible to infer the data subjects’ political opinions. The controller published several articles on its websites, including a link to the map. The DPA initiated an ex-officio investigation after receiving a large number of complaints from data subjects. During its investigations, the DPA found that the data from the map originated from a data breach of the Hungarian political party. The DPA had previously issued a statement outlining the data protection requirements for media service providers when reporting about the data breach. The DPA emphasised that the media providers must comply with the GDPR regardless of the unlawfulness of the data breach or person creating the map. The DPA stated that it was unlawful to make the data from the map available to the public, even if this was done indirectly (e.g. by publishing a link to the map). The controller argued that the processing was lawful on freedom of speech grounds, and that the press has a duty to draw the attention of the public to matters of public interest. In addition, the controller argued it had a legitimate interest in processing the data, and therefore the processing was lawful under Article 6(1)(f) GDPR. Holding The DPA first noted that under national law, the exercise of freedom of press should not (among others) infringe upon the personal rights of others. This includes the right to personal data protection. Processing of personal data for journalistic purposes is also regulated under Article 85 GDPR. However, the DPA stated that there are no specific national law provisions regarding data processing for journalistic purposes that would exempt the controller from its data obligations [see also case No. Kfv. 37.978/2021/10 from the Hungarian Supreme Court]. The DPA also clarified that the controller did not process personal data by publishing the articles, but by making the map available through the articles. The DPA stated that the controller could not justify the processing of names, addresses and contact information of data subjects in the map under public interest, and making the map available did not fall under the scope of exercising freedom of press. The DPA found a violation of Article 6(1) GDPR, as the controller did not have a legal basis to process this data. The DPA took into consideration national case law on privacy related lawsuits against media service providers, as well as its past complaints on data processing by media service providers [FOOTNOTE]. The DPA stated that the controller could not rely on Article 6(1)(f) GDPR to process the data. In addition to the lack of public interest, the controller acted against the DPA’s notice. The DPA noted that the controller could have reported the existence of the map without making the link accessible. Furthermore, the controller failed to take into account the vulnerable position of the affected data subjects, and miscategorised them as public figures. Since the controller did not have a legitimate interest to process the data, the DPA did not determine whether the data processing was necessary or proportionate. In addition, the DPA found a violation of Article 9(1) GDPR, as the controller unlawfully processed special categories of personal data. The DPA clarified that, the controller must have a lawful legal basis under Article 6(1) GDPR, and one of the exceptions under Article 9(2) GDPR must apply in order to process sensitive personal data lawfully. The controller did not have a legal basis under 6(1) GDPR, and could not rely on any of the exceptions under Article 9(2) GDPR. This is because the data subjects did not consent (Article 9(2)(a) GDPR), the data was not made manifestly public by the data subjects (Article 9(2)(e) GDPR), and the exception of substantial public interest did not apply (Article 9(2)(g) GDPR). The DPA fined the controller HUF 50,000,000 (approximately €140,590). The DPA considered this a significant violation, especially as it involved processing of Article 9 GDPR data during a politically charged pre-election period. The DPA took into account the high number of affected data subjects and the controller’s previous data protection violations as aggravating factors, and the fact that the controller removed the link the same day as the articles were published as a mitigating factor. In addition, the DPA issued a reprimand for the violation of Article 9(1) GDPR, and prohibited the controller from publishing articles related to the map. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details. .............................................................................................................................................................................................................................................................................. 1055 Budapest Tel.: +36 1 391-1400 naih.hu/adatkezelesi-tajekoztatok Falk Miksa utca 9-11. KR ID: 429616918 ugyfelszolgalat@naih.hu Case number: NAIH/962-10/2026 Subject: Decision establishing a violation of law in an ex officio data protection authority proceeding Precedence: NAIH-16609/2025 NAIH-16611/2025 NAIH/16613/2025 NAIH-957/2026 NAIH-963/2026 D E R I S S O N C I O N The National Data Protection and Freedom of Information Authority (hereinafter: Authority) with Mediaworks Hungary Zrt. (registered office: 1082 Budapest, Üllői út 48., company registration number: 01 10 047955; tax number: 24785725-2-44, hereinafter referred to as: Client) in the data protection authority proceedings initiated ex officio against the Authority, the following decisions are made. I. The Authority, pursuant to Article 58(2)(b) of Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (General Data Protection Regulation) (hereinafter referred to as: General Data Protection Regulation), finds the Client guilty of intentionally infringing Article 6

Entities