Final decision of Hungarian Supervisory Authority about infringement of Article 26 of the GDPR caused by a foundation

3 January 2024

Background information

  • Date of final decision: 2 November 2023
  • Cross-border case
  • Hungarian National Authority for Data Protection and Freedom of Information (Hungarian Supervisory Authority, SA)
  • and CSAs: Office for Personal Data Protection of the Slovak Republic (Slovak Supervisory Authority, SA)
  • Controller: a foundation (hereinafter: Foundation or Controller)
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 26 (Joint controllers)
  • Decision: Violation identified, compliance order
  • Key words: Joint controllers, Children, Education


Summary of the Decision


Origin of the case  

The Slovak Supervisory Authority (SA) objected to processing carried out by a Foundation as the presumed controller of two Hungarian-language websites.

According to the position of the Slovak SA, certain recordings available on the Foundation's websites presumably violate the provisions of Articles 5 and 6 of the GDPR. The recordings feature children, specifically from a Slovak Primary School (hereinafter: School), performing and singing.


Key Findings 

The Hungarian Supervisory Authority (SA) examined who determined - whether independently or together with others - the goals and means of data processing, i.e. who (the Slovak school or the Foundation) had a decision-making role with regard to the purposes and means of processing.
The joint participation in processing between the School and the Foundation in terms of purposes was achieved by the entities concerned pursuing closely related or complementary purposes. 
Article 26(1) of the General Data Protection Regulation requires joint controllers to transparently determine and adopt their respective responsibilities for compliance with the obligations under this regulation.

The Hungarian SA established that there was no arrangement between the Foundation and the School within the meaning of Article 26(1) of the GDPR with regard to joint processing and their respective responsibilities. The Foundation was found in breach of Article 26(1) of the GDPR, as the cooperation agreement between them did not address the issues required by this provision.


Based on Article 58(2)(d) of the GDPR and Section 56(1) of the Privacy Act, the Hungarian Supervisory Authority (SA) gave notice to the Foundation ordering it to meet the requirements for joint controllers in the course of its joint processing activities in the future.

For further information: decision in national language


The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.