Background information
- Date of final decision: 2 November 2023
- Cross-border case
- LSA: Hungarian SA
- and CSAs: Slovak SA
- Controller: a foundation (hereinafter: Foundation or Controller)
- Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 26 (Joint controllers)
- Decision: Compliance order
- Key words: Joint controllers, Children, Education
Summary of the Decision
Origin of the case
The Slovak Supervisory Authority (SA) objected to processing carried out by a Foundation as the presumed controller of two Hungarian –language websites.
According to the position of the Slovak SA, certain recordings available on the Foundation's websites presumably violated Articles 5 and 6 GDPR. The recordings featured children performing and singing specifically from a Slovak Primary School.
Key Findings
The Hungarian SA examined who determined - whether independently or together with others - the goals and means of data processing, i.e. who (the Slovak school or the Foundation) had a decision-making role with regard to take purposes and means of processing.
The joint participation in processing between the Primary School and the Foundation in terms of purposes was achieved by the entities concerned pursuing closely related or complementary purposes.
Article 26(1) GDPR requires joint controllers to transparently determine and adopt their respective responsibilities for compliance with the obligations under this regulation.
The Hungarian SA established that there was no arrangement between the Foundation and the Primary School within the meaning of Article 26(1) GDPR with regard to joint processing and their respective responsibilities because the cooperation agreement concluded by and between them did not cover the regulation of these issues. Therefore, the Hungarian SA found that the Foundation breached Article 26(1) GDPR.
Decision
Based on Article 58(2)(d) GDPR and Section 56(1) of the Privacy Act the Hungarian SA gave notice to the Foundation to meet the requirements for joint controllers in the course of its joint processing activities in the future.
For further information: decision in national language
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.