GDPR Enforcement in Hungary

Deep dive into relevant data protection enforcement cases and insights from Hungary

21 May 2026 Albania 10 min read

Main takeaways

Takeaway 1 – The DPA’s enforcement activity is sharply increasing: investigation procedures (preliminary fact-finding proceedings initiated based on a complaint or ex officio, to determine whether the initiation of formal administrative proceedings is necessary) rose 37 % and inspection proceedings (thematic or systemic compliance audits) rose 52 % year-on-year in 2025.
Takeaway 2 – The authority prioritised AI-related GDPR compliance in the banking sector through a thematic review focusing on data sources, model accuracy, pseudonymisation/anonymisation and shadow AI controls and indicated further large-scale sector reviews in 2026.
Takeaway 3 – CCTV monitoring remains a core enforcement area, with a particular focus on public-space surveillance and property management-related camera disputes.
Takeaway 4 – The NAIH conducted ex-officio inspections of 21 webshops and found recurring GDPR compliance issues in privacy notices, including fragmented and contradictory content, outdated templates, overly formal compliance wording instead of describing actual data flows, poor accessibility, and unclear identification of the controller.
Takeaway 5 – Fines > Damages: Fines appear to be significantly more important than damages, possibly due to the cost of, and time involved in, litigation, as well as a certain lack of established judicial practice and visibility as regards data protection cases.

Fining practice

Trend: Have the national data protection authorities in Hungary focused on certain types of non-compliance? Do you see a focus on certain industries/sectors? If so, which ones?

The Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, “NAIH”) prioritised the banking sector’s deployment of AI and related GDPR compliance through a thematic review of AI use, focusing on training data sources, validation of model accuracy, pseudonymisation/anonymisation and controls against “shadow AI”, with further large-scale sector reviews signalled for 2026.

The NAIH has also intensified enforcement around CCTV use, both in workplaces and in property management-related camera disputes (539 investigative proceedings, 133 formal applications, and 15 ex-officio enforcement actions). In the employment context, the NAIH fined an electronics manufacturer EUR 18,671 (HUF 7 million) for filming employees during breaks in cafeterias and rest areas.

The NAIH has also taken a firm stance against monitoring public roads or neighbouring properties for vehicle protection purposes without a formal arrangement with local authorities and where only speculative future harm is asserted.

The NAIH conducted ex-officio inspections of 21 webshops focusing on the adequacy of their website privacy notices. Recurring issues included fragmented and contradictory notices, outdated templates, texts describing formal compliance rather than actual data flows, notices that were hard to access and unclear identification of the controller.

The NAIH has also examined the healthcare sector in depth, finding, for example, violations of data minimisation and anonymisation principles in relation to the publication of a case study on a website containing details of a patient’s mental health data.

The NAIH also addressed miscellaneous GDPR compliance issues: debt collectors’ lawful basis for storing a debtor’s phone number, the data protection requirements for processing criminal record certificates and how online media content providers handle erasure requests.

While most of the decisions are not publicly available, the 2025 Annual Report of the NAIH contains a summary of all the above initiatives and enforcement actions.

Overall, what was the most significant fine in Hungary to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?

The highest fine for a GDPR violation in Hungary was imposed on Budapest Bank for approximately EUR 653,000 (HUF 250,000,000) due to unlawful AI analysis of customer calls which included assessing the emotional state and other characteristics of the speaker.

The NAIH found that the bank used AI-based speech-signal processing technology to automatically analyse a list of keywords and the emotional state of the customer. The detected keywords and emotions were also stored along with the call and the calls could be replayed within the voice analytics software for up to 45 days. The software ranked the calls and provided recommendations according to priority of the customers to be contacted.

The NAIH found that the bank’s customer service privacy notice did not contain any substantive information on voice analysis; it only mentioned quality assurance and complaint prevention as the purposes of the voice recording. Further, the bank based the voice analytics on its legitimate interest in retaining customers and improving the efficiency of its internal operations, yet the different data processing operations related to these interests were not separated either in the privacy notice or in the balancing of interest test ("LIA").

The bank's data protection impact assessment ("DPIA") concluded that this processing is high-risk for several reasons. However, the DPIA did not examine the proportionality of the data processing and its effects on data subjects nor provide substantive solutions to address these risks.

The NAIH did not find the use of AI per se to be unlawful. However, the NAIH concluded that Budapest Bank failed to fulfil its obligations as a data controller to perform an adequate DPIA and an LIA; therefore, it could neither rely on Article 6(1)(f) nor an alternative legal basis under Article 6(1) GDPR, thus leading to a violation of Articles 5(1)(a), 6(1) and 6(4) GDPR.

Organisation of authorities and course of fine proceedings in Hungary

How is the data protection authority organised in Hungary? Budget, staff, assignment to a ministry?

The NAIH is responsible for the enforcement of the GDPR and the Hungarian Act 2011/CXII on Informational Self-determination and Freedom of Information.

  • The NAIH is an autonomous administrative authority with its own legal personality. It does not report to any specific ministry.
  • The NAIH consists of the cabinets of its President and Vice President and 9 main departments. The authority’s work is further organised into subgroups, expert subgroups and taskforces.
  • The NAIH has 139 staff members, including the President and all employees.
  • The annual budget, approximately EUR 6.4 million (HUF 2.4 billion) for 2026, is specified as an appropriation in the annual budget law, in accordance with Act LXIX of 2025 on the General Budget of Hungary for 2026.

How does a fine procedure work in Hungary? Can the authority impose fines itself? Procedural steps? Legal remedies?

  • The NAIH may impose fines directly as part of its administrative proceedings.
  • Administrative proceedings are governed by national law, namely the Act 2016/CL on the General Law on Administrative Law (“Ákr.”) and Act 2011/CXII on Informational Self-determination and Freedom of Information.
  • The authority will initiate a proceeding at the request of any individual (data subject) or may initiate proceedings ex officio. The NAIH has 150 days to act. In the event that the facts of the case need more clarification, the NAIH may request that the parties provide more proof/information. The respective data controller or data processor is able to provide a response on both factual and legal aspects of the case and it must also answer the specific questions asked by the NAIH. The NAIH will carefully consider these before reaching its decision, which may involve penalties such as the imposition of an administrative fine for a data protection violation (or violations).
  • In specific cases, the NAIH may suspend its official proceedings if it raises an issue which falls within the jurisdiction of another body or person or if the NAIH would be unable to reasonably decide without another decision or procedure undertaken by the NAIH which is closely related to the given case.
  • To reflect the practicalities raised in recent administrative proceedings, the law now authorises the NAIH to order the erasure of unlawfully processed personal data in a manner specified by the NAIH or temporarily or permanently restrict the processing of the data.
  • Beyond its powers under the GDPR, the NAIH may oblige hosting providers and intermediary service providers to temporarily remove personal data if the delay in the protection of personal data would cause unavoidable and serious harm to a child or leave special personal data categories or criminal personal data vulnerable.
  • Data controllers and data processors may appeal against administrative fines with the competent courts within 30 days of the notification.

When fines are imposed: Where does the money go? (state treasury / authority budget / other)

Data controllers and data processors pay the fine to the centralised collection account belonging to the NAIH (the respective decisions contain the precise account information). The fines imposed and collected by the NAIH are transferred to the central government budget in their entirety.

Is there an official calculation methodology for fines in Hungary?

There is no publicly available common calculation methodology. The NAIH refers to the EDPB’s 04/2022 Guidelines on the calculation of administrative fines under the GDPR.

Can public authorities be fined in Hungary? If yes: Where does this money go?

Yes, the NAIH’s mandate encompasses imposing fines on public authorities for data protection violations, up to a limited amount. The Hungarian Act 2011/CXII on Informational Self-determination and Freedom of Information provides that the maximum fine is EUR 50,000 (HUF 20 million).

Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?

  • The NAIH may order the publication of its decision in an individual fine case, including identifying the controller or processor, if: (i) the decision affects a wide range of persons, (ii) it was made in the context of the activities of a public body or (iii) the seriousness of the infringement justifies disclosure.
  • The NAIH may publish its decisions in other individual fine cases too, by anonymising the controller or processor and the identifiable circumstances/trade secrets. (In the course of any given proceedings, controllers and processors may provide information in their submissions which they consider to be trade secrets and the NAIH is to redact these if it decides to publish the underlying decision.)
  • The NAIH provides information on the commencement of an investigation or procedural steps only in very exceptional cases, usually when investigating a case where the circumstances (such as a potential data breach) became public via the media and the media suggests that a statement from the NAIH would be welcome.

If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).

In addition to publishing information on individual fine cases, the NAIH also provides aggregated information on the total number of cases and the total amount of fines in its annual reports.

  • In 2025, the NAIH had 4,855 investigation procedures in progress (compared to 3,561 procedures in 2024, 862 procedures in 2023, 2,273 procedures in 2022 and 1,960 procedures in 2021). As a result of these initial investigations, the NAIH initiated inspection proceedings in 893 cases (compared to 587 cases in 2024, 715 cases in 2023, 940 cases in 2022 and 630 cases in 2021).
  • The total fines imposed by the NAIH in 2025 amounted to approximately EUR 250,000 (HUF 98 million), compared to EUR 947,493 (HUF 355 million) in 2024. This total consisted of EUR 178,819 (HUF 67 million) in data protection fines, EUR 74,427 (HUF 28 million) in procedural fines and EUR 8,184 (HUF 3 million) in enforcement fines. 

Other legal consequences of non-compliance in Hungary

Does Hungary have model declaratory proceedings/class actions in data protection law?

  • Hungary does not have bespoke model declaratory proceedings or US‑style class actions for data protection claims. However, two collective litigation routes are permitted by the Act CXXX of 2016 on the Hungarian Code of Civil Procedure.
  • First, “public interest actions” allow a claimant authorised by law to sue to defend a defined group of private individuals; the beneficiaries are not formal parties, the judgment must specify the affected group and proof of membership and the court may order performance in their favour; the final judgment will also bind notified beneficiaries unless they opt out and keep their individual right to sue. 
  • Second, “associated actions” permit at least ten claimants to proceed through a single, representative lawsuit when their rights and facts are essentially identical, but only in pre-defined subject‑matters, notably consumer contract and employment disputes; data protection claims fit here only if they arise within those categories.
  • In addition to the specific cases outlined above, the general civil procedural rules enable more than one claimant to bring actions if (i) the judgment would have a material effect on them even if they did not take part in the action, (ii) the claims arise from the same legal relationship or (iii) the claims arise from a similar factual and legal basis and the jurisdiction of the same court may be established against all the defendants.

What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?

  • Court proceedings in the enforcement of GDPR violations are less relevant, overall. The possible reasons for this are litigation costs, longer proceedings, a lack of established judicial practice and a lack of visibility as regards data protection cases.
  • The fines imposed by the NAIH are considerably stronger tools, mostly due to the gravity of the fines, their general preventive effect and their visibility.
  • Based on how actively the NAIH pursues data protection infringements – investigation procedures rose 37 % and inspection proceedings rose 52 % year-on-year in 2025 – it can be assumed that its role in enforcing the GDPR is going to remain crucial in the foreseeable future.