The NAIH warned that it could be unlawful — and even criminal — if a political party fails to implement adequate data security measures to safeguard the personal information it stores electronically, and unauthorized individuals gain access to or obtain that data. The authority confirmed that it has received multiple complaints regarding the use of leaked data from the Tisza Vilag [Tisza World] app and its volunteer database by various media outlets. While the issue may be of public interest, the NAIH stressed there is no legal basis for anyone exploiting a security flaw to store or publish personal information from such databases. Furthermore, if a media outlet reports on the data leak and uses information illegally released to the public in its coverage, it must still comply with the General Data Protection Regulation (GDPR) and respect the balance between freedom of the press and data privacy, the agency stated.
Handle the Data Leaked through Tisza with Caution
The authority underlined that when personal data is stored or used in media content, the media provider bears full responsibility for the handling of the data. This responsibility remains in place even if the political party failed to ensure proper security measures or if the personal data had previously been leaked. The NAIH said media outlets must apply the principle of proportionality when deciding how and for what purpose they use personal data.
For example, if a journalist uses contact information solely to verify facts or to reach out to individuals for comment, such use may comply with GDPR requirements,
the statement reads.
However, the NAIH warned that it may violate data protection rules if a publication makes personal data available — even indirectly — that was obtained through unlawful means. Doing so only amplifies the breach and further harms the individuals’ privacy. The authority also noted that those affected by the breach are vulnerable, since they did not choose to make their data public; it was exposed by an individual who exploited a data security flaw. Before publishing any personal details, media outlets must assess whether the individual had previously expressed political opinions publicly, and if so, in what form and context — particularly regarding their public role or profession, the agency added.
