University of Szeged
GDPR enforcement action by the Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) on 2026-02-20.
Case details
- Authority: Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
- Date: 2026-02-20
- Controller / Processor: University of Szeged
- Sector: Public Sector and Education
- Quoted Articles: Art. 5 (1) a), c) GDPR, Art. 6 (1) GDPR, Art. 9 (2) GDPR, Art. 13 (1), (2) GDPR
- Type of violation: Insufficient legal basis for data processing
Summary
The Hungarian DPA has imposed a fine of EUR 5,570 on the University of Szeged. The controller operates student housing. To decide which students would receive a place, the university processed the personal data of applicants, including health data, in order to assess their social circumstances, which had to be taken into account in the decision-making process according to local law. However, the controller processed the data in an excessive manner. Rather than collecting only the necessary information, the controller often collected entire supporting documents containing information not necessary for the decision. In particular, with regard to special category data, the controller collected documents containing far more sensitive information than was necessary for the purpose. Additionally, the university failed to provide adequate privacy information.