The Right to Be Forgotten Under GDPR: Hungarian Perspectives in 2026

Introduction

The right to be forgotten — or, more precisely, the right to erasure — is one of the most powerful and frequently invoked data-subject rights under the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). Enshrined in Article 17 of the GDPR, this right enables individuals to request the deletion of their personal data when certain conditions are met. In Hungary, the right to erasure operates within the framework of the GDPR and the national Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.), and has been the subject of significant enforcement activity and case law by the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, “NAIH”).

This article provides a comprehensive analysis of the right to be forgotten as it is applied in Hungary in 2026, covering the legal foundations, practical procedures, key exceptions, search-engine delisting, the balance between privacy and press freedom, and NAIH’s enforcement approach.

Legal Foundations

Article 17 GDPR: The Right to Erasure

Article 17(1) of the GDPR provides that the data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller has the obligation to erase the data without undue delay, where one of the following grounds applies:

1. Purpose fulfilment: The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
2. Consent withdrawal: The data subject withdraws consent on which the processing is based (under Article 6(1)(a) or Article 9(2)(a)), and there is no other legal ground for the processing.
3. Objection: The data subject objects to the processing under Article 21(1), and there are no overriding legitimate grounds for the processing; or the data subject objects to processing for direct marketing under Article 21(2).
4. Unlawful processing: The personal data has been unlawfully processed.
5. Legal obligation: The personal data must be erased for compliance with a legal obligation in EU or Member State law.
6. Children’s data: The personal data was collected in relation to the offer of information society services to a child under Article 8(1).

Obligation to Inform Third Parties

Article 17(2) extends the right to erasure by requiring the controller to take reasonable steps — including technical measures — to inform other controllers that are processing the data that the data subject has requested the erasure of any links to, or copies or replications of, that data. This is particularly relevant in the context of online publication and search-engine indexing.

Exceptions Under Article 17(3)

The right to erasure does not apply to the extent that processing is necessary for:

• Exercising the right of freedom of expression and information (Article 17(3)(a));
• Compliance with a legal obligation under EU or Member State law (Article 17(3)(b));
• Public interest in the area of public health (Article 17(3)(c));
• Archiving in the public interest, scientific or historical research, or statistical purposes (Article 17(3)(d));
• The establishment, exercise, or defence of legal claims (Article 17(3)(e)).

These exceptions are of critical importance in Hungary, as they frame the balancing exercise that NAIH and Hungarian courts must undertake in each case.

Google Delisting: The Right to Be Forgotten in Practice

The CJEU’s Google Spain Judgment

The right to be forgotten gained international prominence through the Court of Justice of the European Union’s landmark judgment in Case C-131/12 Google Spain SL v. Agencia Española de Protección de Datos (13 May 2014). The CJEU held that the operator of a search engine is a data controller within the meaning of EU data-protection law and is obliged, under certain conditions, to remove links to web pages from search results displayed following a search based on a person’s name — even if the underlying web page is lawful and the information was published by a third party.

How Delisting Works in Hungary

In Hungary, individuals may submit a delisting request directly to search engines such as Google, Bing, or Yahoo. The search engine must assess whether the information linked in the search results is:

• Inadequate, irrelevant, or excessive in relation to the purposes for which it was processed;
• No longer relevant in light of the time that has elapsed;
• Outweighed by the data subject’s privacy interests over the public’s interest in access to the information.

If the search engine refuses the request, the data subject may file a complaint with NAIH, which will conduct an investigation and may order the search engine to delist the relevant results. Alternatively, the data subject may bring an action before the Hungarian courts.

NAIH’s Approach to Delisting

NAIH has developed a substantial body of practice on delisting requests. Key principles emerging from NAIH decisions include:

• Public figures enjoy a reduced expectation of privacy regarding information related to their public role. However, even public figures may request delisting of information that is purely private and has no connection to their public activity.
• Spent criminal convictions: NAIH has generally supported the delisting of search results relating to criminal convictions that have been spent under Hungarian criminal law, on the grounds that continued accessibility undermines the rehabilitative purpose of the sentence.*
• Commercial information: Business-related information (e.g., a company’s tax debts, regulatory sanctions) is generally considered to be of legitimate public interest and is less likely to be delisted.
• Time factor: The passage of time is a significant factor. Information that may have been relevant and proportionate at the time of publication can become disproportionate if it continues to appear prominently in search results years later.

Balancing Privacy and Press Freedom

The Constitutional Framework

The Hungarian Fundamental Law (Alaptörvény) protects both the right to privacy (Article VI) and the freedom of the press and freedom of expression (Article IX). These rights can come into conflict when an individual requests the erasure or delisting of information published by a media outlet.

The Media Exemption

Hungarian law recognises a media exemption consistent with Article 85 of the GDPR, which requires Member States to reconcile data-protection rules with the right to freedom of expression and information, including processing for journalistic purposes. Under the Infotv. and the Act CIV of 2010 on the Freedom of the Press and the Fundamental Rules of Media Content (Smtv.), processing of personal data for journalistic purposes benefits from derogations from certain GDPR provisions — including the right to erasure — to the extent necessary to reconcile data protection with press freedom.

In practice, this means that:

• A newspaper article containing personal data published for legitimate journalistic purposes cannot simply be deleted upon the data subject’s request;
• However, the data subject may request that a search-engine operator delist the article from search results — because delisting does not remove the article itself, but merely reduces its discoverability;
• NAIH and the courts will perform a case-by-case balancing exercise, considering the public interest in the information, the data subject’s privacy, the passage of time, and the potential harm caused by continued accessibility.

Notable Hungarian Cases

Hungarian courts have addressed the tension between privacy and press freedom in several instructive cases:

• In a 2023 ruling, the Budapest-Capital Regional Court (Fővárosi Törvényszék) upheld a data subject’s request to delist search results linking to a decade-old news article about a minor criminal conviction, finding that the data subject’s rehabilitation interest outweighed the (diminished) public interest in the information.
• In contrast, the Curia (Kúria), Hungary’s Supreme Court, has emphasised that the right to erasure must not be used to suppress information about matters of genuine public concern, including ongoing legal proceedings involving public funds.

Practical Guide: How to Exercise the Right to Erasure in Hungary

Step 1: Identify the Controller

Determine who is processing your personal data. This may be a website operator, a social-media platform, a search engine, a public authority, or any other entity.

Step 2: Submit a Written Request

Send a written erasure request to the data controller. Your request should:

• Clearly identify the personal data you want erased;
• State the legal ground for erasure (e.g., the data is no longer necessary, you withdraw consent, or the processing is unlawful);
• Include sufficient identification information to verify your identity;
• Be specific about whether you are requesting deletion of the data itself, delisting from search results, or both.

Step 3: Await the Controller’s Response

The controller must respond within one month of receiving your request. This period may be extended by two additional months for complex or numerous requests, but the controller must inform you of the extension within the first month.

If the controller refuses to act on the request, it must inform you of the reasons and of your right to lodge a complaint with NAIH or to seek a judicial remedy.

Step 4: Escalate to NAIH If Necessary

If the controller refuses your request or fails to respond, you have two options:

1. File a complaint with NAIH: NAIH will investigate the complaint and may order the controller to erase the data. NAIH complaints are free of charge.
2. Bring a court action: You may bring a civil action before the competent court under Article 79 of the GDPR. Hungarian courts with jurisdiction are the regional courts (törvényszékek), and the data subject may choose to bring the action at the court of their habitual residence.

Step 5: Claim Compensation If Applicable

Under Article 82 of the GDPR, if you have suffered material or non-material damage as a result of the controller’s failure to erase your data, you may claim compensation. The controller is liable unless it can prove that it is not in any way responsible for the event giving rise to the damage.

NAIH Enforcement Statistics and Trends

NAIH has been increasingly active in enforcing erasure rights. Key trends observed in 2025–2026 include:

• A rising number of complaints relating to social-media platforms refusing to delete accounts or personal data;
• Increased scrutiny of public-sector data processing, particularly in relation to the publication of personal data in public registers and official gazettes;
• Greater attention to the erasure of biometric data and health data, reflecting public concern about the processing of sensitive categories of data;
• An emphasis on the effectiveness of erasure — NAIH has criticised controllers who technically delete data from their active systems but retain it indefinitely in backup systems without justification.

Conclusion

The right to be forgotten under the GDPR is a powerful but nuanced instrument. In Hungary, its exercise requires a careful analysis of the legal grounds for erasure, the applicable exceptions, and the balance between privacy and other fundamental rights — particularly press freedom. NAIH’s enforcement practice provides valuable guidance, but each case turns on its specific facts.

Whether you are an individual seeking to exercise your right to erasure or a controller navigating an erasure request, Dr. Ildikó Nagy’s law office can provide expert advice grounded in Hungarian and EU data-protection law.