Final decision of Hungarian SA about infringement of Article 26 GDPR by a foundation

1 February 2024

Background information

  • Date of final decision: 2 November 2023
  • Cross-border case
  • LSA: Hungarian SA
  • and CSAs: Slovak SA
  • Controller: a foundation (hereinafter: Foundation or Controller)
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing),  Article 26 (Joint controllers)
  • Decision: Compliance order
  • Key words: Joint controllers, Children, Education

Summary of the Decision

Origin of the case  

The Slovak Supervisory Authority (SA) objected to processing carried out by a Foundation as the presumed controller of two Hungarian –language websites.
According to the position of the Slovak SA, certain recordings available on the Foundation's websites presumably violated Articles 5 and 6 GDPR. The recordings featured children performing and singing specifically from a Slovak Primary School.


Key Findings 

The Hungarian SA examined who determined - whether independently or together with others - the goals and means of data processing, i.e. who (the Slovak school or the Foundation) had a decision-making role with regard to take purposes and means of processing.  

The joint participation in processing between the Primary School and the Foundation in terms of purposes was achieved by the entities concerned pursuing closely related or complementary purposes. 

Article 26(1) GDPR requires joint controllers to transparently determine and adopt their respective responsibilities for compliance with the obligations under this regulation.

The Hungarian SA established that there was no arrangement between the Foundation and the Primary School within the meaning of Article 26(1) GDPR with regard to joint processing and their respective responsibilities because the cooperation agreement concluded by and between them did not cover the regulation of these issues. Therefore, the Hungarian SA found that the Foundation breached Article 26(1) GDPR.



Based on Article 58(2)(d) GDPR and Section 56(1) of the Privacy Act the Hungarian SA gave notice to the Foundation to meet the requirements for joint controllers in the course of its joint processing activities in the future.

For further information: decision in national language

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.