Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Hungary: NAIH fines a company HUF 10M for unlawful data processing under the GDPR

On May 17, 2024, the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) issued decision No. NAIH/3977-4/2023, in which it fined a company HUF 10 million (approx. $28,213) for violating the General Data Protection Regulation (GDPR).

Background to the decision

The NAIH outlined that a company published personal data based on the applicant's testimony in a criminal proceeding regarding the applicant's professional activity as a midwife and their role in the criminal proceeding in an online article. The applicant objected to the processing of personal data and requested its deletion. Unsatisfied with the fulfillment of the requests, the applicant proceeded to raise a complaint with the NAIH.

Findings of the NAIH

The NAIH found that the company disclosed the applicant's personal data without an appropriate legal basis, violating Article 6 of the GDPR. Furthermore, the NAIH found that, following a data subject request from the applicant, the company carried out an assessment of interests supporting its legitimate interests, disregarding the applicant's rights, and as a result, the company did not delete the illegally processed personal data, in violation of  Article 17(1), 17(3), and 21(1) of the GDPR.

The NAIH also stated that the company infringed Articles 14(2), 15(1), and 15(3) of the GDPR by not providing the applicant with information on the processing of personal data and the personal data managed by the company in relation to the applicant. Lastly, the NAIH found that the company did not prove the legal purpose of processing personal data as falling under public interest, thus violating Articles 5(1)(a) to (c) and 5(2) of the GDPR.


Following the conclusions above, the NAIH ordered the company:

  • to pay a fine of HUF 10 million (approx. $28,213);
  • to erase the personal data illegally processed; and
  • restrict access to personal data until the expiry of the legal deadline for challenging the decision or, in the case of an administrative lawsuit, until the final decision of the court.

You can download the decision, only available in Hungarian, here.