Hungarian SA’s decision on the handling of access request by an airline company

Background information

  • Date of final decision: 15 August 2022
  • Cross-border case
  • LSA: HU SA
  • and CSAs: Belgium, Norway, Sweden, Portugal, Denmark, Italy, Germany, Spain, Poland
  • Controller: airline company
  • Legal Reference (s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing),  Article 9 (Processing of special categories of personal data),  Article 15 (Right to access by the data subject)
  • Decision: Warning
  • Key words: Reprimand to controller, Right of access, Lawfulness of processing,
    Personal data breach,  Right of access


Summary of the Decision


Origin of the case  

The Complainant flew on one of the flights of the Company. He lodged a complaint with the Company in which he mentioned information about his health. The Complainant’s flight ticket was booked by a travel agency. The Company sent its information on the handling of the complaint and the list of documents required for the handling of the complaint and also the complaint itself to the e-mail address which was used to book the ticket so the Complainant’s data was transferred to a third party. After the Complainant became aware of the data transfer, he requested information on the legal basis on which the Company transferred his personal data to third parties. The Company incorrectly informed the Complainant about the transfer of his personal data. The complainant claimed that his personal data, including his personal health data, were transferred unlawfully by the data controller (hereinafter: Company).


Key Findings 

The Hungarian Supervisory Authority (SA)established that the transfer of the Complainant’s personal data to a third party was a data protection breach. The transfer or communication of personal data also constitutes processing and it can therefore be lawful only if it has a legal basis under GDPR Article 6(1). Where the processing also involves special categories of personal data the controller must have a legal basis under Article 6(1) GDPR or the processing must also comply with one of the situations set out in Article 9(2) GDPR.

The reply of the Company to the request of access contained incorrect, faulty and misleading information, as the Company's employee wrongly informed the Complainant that the travel agency that booked the flight had the right to participate in the complaint procedures in connection with the trip, while the Complainant could request that the communication be sent directly to him.


The Company infringed Article 5(1f) GDPR by unauthorised disclosing the Complainants personal data – including health data – to a third party.
The Company, due to the negligence of its employee, unlawfully forwarded the Complainant's complaint, including his health data, to a third party, without a proper legal basis, in violation of Article 6(1) and Article 9(1) GDPR in relation to health data.

The company also infringed Article 15 (1) GDPR by failing to provide information on the legal basis for the transfer of his data and instead providing incorrect information on the complaint handling process.

Because of these infringements, the Hungarian SA reprimanded the Company based on Article 58(2)(b) GDPR.

For further information:


The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.