NAIH (Hungary) - NAIH-6752-10/2023

From GDPRhub
NAIH - NAIH-6752-10/2023
Authority: NAIH (Hungary)
Jurisdiction: Hungary
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 9(1) GDPR
Article 12(1) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 26(1) GDPR
Type: Complaint
Outcome: Upheld
Decided: 20.12.2023
Fine: n/a
Parties: n/a
National Case Number/Name: NAIH-6752-10/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Hungarian
Original Source: Nemzeti Adatvédelmi és Információszabadság Hatósághoz (in HU)
Initial Contributor: ar

The Hungarian DPA found three joint controllers to have breached Article 6(1)(a) GDPR, Article 9(1) GDPR, as well as Article 12 and 13 GDPR for having unlawfully contacted a data subject after the latter had signed up to support a political movement.

English Summary


After joining the movement supporting the election of Karácsony Gergely as prime minister, a data subject complained to the Hungarian DPA that between 14 and 20 September 2021, they received unsolicited telephone inquiries via SMS and telephone calls from two phone numbers by LINK Mobility Kft.

The DPA then contacted LINK Mobility Kft to request information. For further information regarding the SMS messages, the DPA was re-directed to Datadat Kft, which had tasked its subcontractor, Datadat GmbH, to send the messages. Datadat GmbH explained that it had sent the SMS messages on behalf of the association Ninety-Nine Movement (the Association).

The DPA requested the Association to provide information on the matter but did not receive any reply.


In the context of the processing under investigation, the DPA found that the Association, Datadat Kft and Datadat GmbH had decided together to send the SMS message to the data subject. Consequently, the DPA established the three to be joint controllers for the purposes of the data processing under examination under Article 26(1) GDPR.

Next, the DPA acknowledged that the joint controllers claimed to be using consent as a legal basis pursuant to Article 6(1)(a) GDPR. From the information provided, it was understood that 36,000 data subjects' contact details were gathered by direct collection through the website, aimed to support the election of Karácsony Gergely. Specifically, on the website, under the "Join" option, data subjects could show their support by entering their full name, e-mail address, and telephone number, among other details.

However, the DPA found that the joint controllers had infringed Article 5(1)(a) GDPR for not providing the data subjects with adequate information on the purposes of the processing. On the website in question, they had not clearly indicated that the data subjects' information would be used for further contact, nor explained the specific purposes to which the data subjects consented. Moreover, the DPA noted that the website's privacy policy did not deliver adequate information on all the actual processing purposes. It did not provide data subjects with clear and detailed information on what they were consenting to. For example, when signing up, some details were mandatory to insert, and the privacy policy did not elucidate the reasons. The DPA further added that the privacy policy lacked information on the activities of each one of the joint controllers and legal persons involved in the data processing.

Based on the above, the DPA concluded that the joint controllers violated Article 12(1) GDPR in conjunction with Article 13(1) and (2) GDPR for failing to provide the data subjects with clear, adequate and fair information on their processing of personal data.

Consequently, the DPA found that the consent of the data subject to the processing lacked the elements necessary to establish the legal basis since consent was not informed. As a result, the joint controllers processed personal data without a valid legal basis, violating Article 6 GDPR. Since the data provided by the data subjects were also sensitive data, given that they revealed political opinions, the processing violated Article 9(1) GDPR as well. Lastly, considering that the Association did not respond to the information requests made by the DPA, it also breached the duty to cooperate under Article 31 GDPR.

Therefore, the DPA ordered the joint controllers to bring their processing operations into compliance with the GDPR.


Due to the automated translation of the decision, we apologise for any mistakes in the translation of entities or for misunderstandings. Should you note any discrepancy, please do not hesitate to modify this page directly or let us know.

In this case, LINK Mobility Kft seems to be a processor of the joint controllers. However, in the decision, the relationship between LINK Mobility Kft, the data subject and the joint controllers is not explicitly elucidated.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

File history
Click on a date/time to view the file as it appeared at that time.
current14:07, 16 February 2024 (769 KB)Ar (talk | contribs)
You cannot overwrite this file.File usage
There are no pages that use this file.