NAIH (Hungary) - NAIH/962-10/2026
Hungarian DPA fines media controller €140,590 for unlawful processing of 200,000 data subjects' personal and special
Summary
Hungary's National Authority for Data Protection and Freedom of Information (NAIH) issued a fine of HUF 50,000,000 (approximately €140,590) against a media service provider for violating GDPR Articles 6(1) and 9(1). The controller unlawfully processed personal data of nearly 200,000 data subjects by providing accessible links to a map containing sensitive information during a pre-election period, without proper legal basis or consent. The DPA found the controller lacked legitimate interest, misclassified vulnerable data subjects as public figures, and ignored prior warnings; it issued a reprimand and prohibited further publication of articles linking to the map.
Full text
Help NAIH (Hungary) - NAIH/962-10/2026: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 11:33, 28 May 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators653 editsmTag: Visual edit← Older edit Latest revision as of 09:04, 29 May 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators653 editsmTag: Visual edit Line 85: Line 85: The DPA found a violation of [[Article 6 GDPR#1|Article 6(1) GDPR]], as the controller did not have a legal basis to process this data.<ref>The DPA took into consideration national case law on privacy related lawsuits against media service providers, which make a distinction between value judgments and factual statements. In this case, however, the DPA stated that this case does not concern a value judgment or factual statement, but rather a “new” type of processing activity (providing access to personal data through the link to the map). Therefore, constitutional standards and judicial precedents apply to a limited extent to this case. The DPA also took into consideration its past cases where media service providers published data subjects’ data, where the DPA assessed whether the provider in question could demonstrate a legitimate interest to publish this data. However, the DPA stated that this case was different, as it concerned almost 200,000 data subjects. Therefore, the controller’s arguments regarding legitimate interest must be appropriate for all affected data subjects.</ref> The DPA stated that the controller could not rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to process the data. In addition to the lack of public interest, the controller acted against the DPA’s notice. The DPA noted that the controller could have reported the existence of the map without making the link accessible. Furthermore, the controller failed to take into account the vulnerable position of the affected data subjects, and miscategorised them as public figures. Since the controller did not have a legitimate interest to process the data, the DPA did not determine whether the data processing was necessary or proportionate. The DPA found a violation of [[Article 6 GDPR#1|Article 6(1) GDPR]], as the controller did not have a legal basis to process this data.<ref>The DPA took into consideration national case law on privacy related lawsuits against media service providers, which make a distinction between value judgments and factual statements. In this case, however, the DPA stated that this case does not concern a value judgment or factual statement, but rather a “new” type of processing activity (providing access to personal data through the link to the map). Therefore, constitutional standards and judicial precedents apply to a limited extent to this case. The DPA also took into consideration its past cases where media service providers published data subjects’ data, where the DPA assessed whether the provider in question could demonstrate a legitimate interest to publish this data. However, the DPA stated that this case was different, as it concerned almost 200,000 data subjects. Therefore, the controller’s arguments regarding legitimate interest must be appropriate for all affected data subjects.</ref> The DPA stated that the controller could not rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to process the data. In addition to the lack of public interest, the controller acted against the DPA’s notice. The DPA noted that the controller could have reported the existence of the map without making the link accessible. Furthermore, the controller failed to take into account the vulnerable position of the affected data subjects, and miscategorised them as public figures. Since the controller did not have a legitimate interest to process the data, the DPA did not determine whether the data processing was necessary or proportionate. In addition, the DPA found a violation of [[Article 9 GDPR#1|Article 9(1) GDPR]], as the controller unlawfully processed special categories of personal data. The DPA clarified that, the controller must have a lawful legal basis under [[Article 6 GDPR#1|Article 6(1) GDPR]], and one of the exceptions under [[Article 9 GDPR#2|Article 9(2) GDPR]] must apply in order to process sensitive personal data lawfully. The controller did not have a legal basis under [[Article 6 GDPR|Article 6(1) GDPR]], and could not rely on any of the exceptions under [[Article 9 GDPR#2|Article 9(2) GDPR]]. This is because the data subjects did not consent ([[Article 9 GDPR|Article 9(2)(a) GDPR]]), the data was not made manifestly public by the data subjects ([[Article 9 GDPR|Article 9(2)(e) GDPR]]), and the exception of substantial public interest did not apply ([[Article 9 GDPR|Article 9(2)(g) GDPR]]). In addition, the DPA found a violation of [[Article 9 GDPR#1|Article 9(1) GDPR]], as the controller unlawfully processed special categories of personal data. The DPA clarified that the controller must have a lawful legal basis under [[Article 6 GDPR#1|Article 6(1) GDPR]], and one of the exceptions under [[Article 9 GDPR#2|Article 9(2) GDPR]] must apply in order to process sensitive personal data lawfully. The controller did not have a legal basis under [[Article 6 GDPR|Article 6(1) GDPR]], and could not rely on any of the exceptions under [[Article 9 GDPR#2|Article 9(2) GDPR]]. This is because the data subjects did not consent ([[Article 9 GDPR|Article 9(2)(a) GDPR]]), the data was not made manifestly public by the data subjects ([[Article 9 GDPR|Article 9(2)(e) GDPR]]), and the exception of substantial public interest did not apply ([[Article 9 GDPR|Article 9(2)(g) GDPR]]). The DPA fined the controller HUF 50,000,000 (approximately €140,590). The DPA considered this a significant violation, especially as it involved processing of [[Article 9 GDPR]] data during a politically charged pre-election period. The DPA took into account the high number of affected data subjects and the controller’s previous data protection violations as aggravating factors, and the fact that the controller removed the link the same day as the articles were published as a mitigating factor. In addition, the DPA issued a reprimand for the violation of [[Article 9 GDPR#1|Article 9(1) GDPR]], and prohibited the controller from publishing articles containing links to the map.The DPA fined the controller HUF 50,000,000 (approximately €140,590). The DPA considered this a significant violation, especially as it involved processing of [[Article 9 GDPR]] data during a politically charged pre-election period. The DPA took into account the high number of affected data subjects and the controller’s previous data protection violations as aggravating factors, and the fact that the controller removed the link the same day as the articles were published as a mitigating factor. In addition, the DPA issued a reprimand for the violation of [[Article 9 GDPR#1|Article 9(1) GDPR]], and prohibited the controller from publishing articles containing links to the map. Latest revision as of 09:04, 29 May 2026 NAIH - NAIH/962-10/2026 Authority: NAIH (Hungary) Jurisdiction: Hungary Relevant Law: Article 6(1) GDPR Article 6(1)(f) GDPR Article 9(1) GDPR Article 9(2) GDPR Article 85 GDPR Type: Investigation Outcome: Violation Found Started: 21.11.2025 Decided: Published: 26.05.2026 Fine: 50,000,000 HUF Parties: Mediaworks Hungary Zrt. National Case Number/Name: NAIH/962-10/2026 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Hungarian Original Source: NAIH (in HU) Initial Contributor: ap The DPA fined a media company HUF 50,000,000 (approximately €140,590) for publishing articles linking to an interactive map containing the personal data of data subjects affiliated to a political party. The map contained data subjects’ name, addresses, and contact information. Contents 1 English Summary 1.1 Facts