D.A.A.A (Data Subjects) v. Infotv

€1,228 in fines


The Hungarian DPA fined a hotel booking service for sending direct marketing emails without valid legal basis, not obtaining separate consent for specific purposes, not expressly mentioning data processing purposes in the privacy policy.

Our analysis

A hotel booking website was fined by the Hungarian DPA for violating GDPR laws by sending unsolicited commercial emails to two data subjects. The website's privacy policy provided misleading information as it claimed the legal basis for processing personal data for newsletters and marketing was consent under Article 6(1)(a) GDPR, while mentioning the legitimate interest of the controller. This hidden information caused confusion for the data subjects as to which legal basis was actually used, violating Article 12(1) GDPR.
Moreover, the controller did not obtain separate consent for specific purposes as there were no separate checkboxes for data marketing purposes, thereby amounting to bundling of consent. The DPA found a violation of Article 6(1) GDPR as the consent given by the data subjects was not informed. Additionally, the controller violated Article 7(1) GDPR as it did not have proof of consent and Article 5(2) GDPR as it did not send the requested proofs of consent or an assessment of balancing the legitimate interests at stake.


A hotel booking service was fined €1,228 by the Hungarian DPA for sending direct marketing emails without a valid legal basis by bundling consent and not complying with GDPR data subject rights, including access, rectification, erasure, and objection to data processing under Articles 12, 15, 17, and 21(2).


D.A.A.A (Data Subjects) and Infotv

Case number


Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us