Hungary's privacy decision on direct marketing asks: how much consent is required for direct marketing through different channels?


In decision No. NAIH-2501-10/2022 of 12 September 2022, the Hungarian Data Protection and Freedom of Information Authority (NAIH) imposed a HUF 30 million (EUR 74,500) data protection fine on Magyar Éremkibocsátó Kft.

The fine was imposed after the company handled contact data of thousands of individuals in the absence of adequate prior privacy information, a concretely defined purpose, and a valid legal basis.

In line with the GDPR, the NAIH also instructed the company to delete contact data used for direct marketing purposes for which it cannot obtain a new, appropriate consent, or does not have another valid legal basis for processing them for non-direct marketing purposes (e.g. contractual contact).

The decision is highly important because this is the first time the NAIH has addressed how many consents are required for a company to perform direct marketing activities through different channels. Following the NAIH's findings, companies engaged in direct marketing activities must immediately review their privacy consent forms, privacy notices and telephone scripts and determine whether they meet the authority's expectations.

The NAIH's most important findings regarding the duties of the companies include:

  • Separate consent is required for each purpose and channel. In the text of a privacy consent, receiving direct marketing "electronically" is too broad a term. Individuals must be able to choose if they only wish to consent to direct marketing in certain channels (e.g. only by post, only by phone or only by e-mail, or by any combination of these). This does not preclude the provision of an option where consent can be given to all specified purposes at the same time. It should, however, be possible to give separate consent only for certain purposes. Companies must review the design of their privacy consents – primarily, the number of checkboxes and the way they are worded.
  • Separate consent is required for Google and Facebook advertising. Direct marketing sent via other channels (e.g. targeted advertisements on the Google and Facebook advertising systems) also require separate consent, and separate information must be provided on the use of similar mass automated advertising systems. Companies must also review the design of their privacy consents and the content of their privacy notices.
  • Specific information is required on the marketing method. The purpose of processing contact data cannot be a flexible goal such as "receiving more favourable offers". Direct marketing is an umbrella concept, and companies must indicate the specific implementation (e.g. sending advertisements on their own or third-party products on a given channel or specific channels). Companies must also highlight in their privacy notices any important circumstances that are not customary and individuals may not reasonably expect, such as a foreign data processor and its clear, concise, easily understandable role. Companies must review the text of their privacy consents and the content of their privacy notices.
  • Companies must provide information on the location of their privacy notice for the currently used communication channel. In the case of offline communication, it is not enough to refer only to the availability of the online privacy notice, because there may be many individuals who do not have internet access or cannot find the information on the internet during or before ordering by mail or telephone. Companies must review the information they provide on the availability of their privacy notice.

For more information on this NAIH decision and privacy laws in Hungary, contact your CMS client partner or local CMS experts.