University of Szeged – €5,000 Fine (Hungary, 2026)

The University of Szeged (SZTE, the controller) is a Hungarian private university. Under national law, the controller has the obligation to provide need based scholarships, including for student accommodation. During its dormitory admission procedure, the controller processed personal data of students. The legal basis was public interest (Article 6(1)(e) GDPR), and Article 9(2)(b) and (g) GDPR (legal obligation and public interest respectively) for special categories of personal data. This is because national law allowed the controller to provide dormitory accommodation on the basis of an application. Under national law, the controller could process a wide range of data related to data subjects, such as their address, medical and disability expenses, academic performance, or family background and living situation. The controller argued that not processing this data to take into consideration the data subject’s background would be a violation of national law. Furthermore, the processing of personal data ensured that the controller provided equal opportunities for data subjects with disabilities. Data subjects consented to the data processing by accepting the declaration on the data form, which could not be submitted without this consent. In terms of data minimisation, the controller claimed that it complied with Article 5(1)(c) GDPR by requesting data subjects to substantiate their individual circumstances with a single supporting document. It also accepted documents where unnecessary data was redacted. Finally, while documents were stored for five years, the controller revoked the reviewing committee’s access after the application process had ended (access was limited to dormitory data processors). The DPA began an ex-officio investigation in 2025. == The DPA first noted that the controller had the obligation to comply with provisions under the GDPR, even if the legislator does not include data protection obligations in its law allowing the processing under Artic