A recent decision by Hungary’s Data Protection Authority (NAIH) offers a deceptively modest outcome, a €5,000 fine, but sends a much stronger signal on the evolving expectations around data minimization under the GDPR and, ultimately, U.S. state privacy laws.
The decision reflects a strict, controller-centric approach, making clear that the key question in a data minimization analysis is whether the data actually retained by the controller is necessary and proportionate to the stated purpose, not whether individuals were given the opportunity to limit what they submitted. In this case, the authority emphasized that transparency and internal access controls do not cure the overcollection of personal data.
As U.S. state privacy laws place increasing emphasis on data minimization, particularly in the context of sensitive data and employment practices, this decision may foreshadow a similar regulatory direction in the United States.
The Case: When “Optional Redaction” Isn’t Enough
In the case at hand, a private university in Hungary collected medical documentation from students seeking accommodation-related scholarships. Unsurprisingly, such records often included highly sensitive personal data beyond what was strictly necessary to assess eligibility.
The university allowed students to redact unnecessary information before submission and instituted internal access controls limiting who could view the data.
However, many students submitted documents without redactions.
The NAIH rejected the university’s approach. It held that the obligation to enforce data minimization rests squarely with the controller, despite warnings to the individual. In other words, it was not sufficient to allow students to minimize their data; the university was required to ensure that unnecessary data was not processed at all.
The authority further found that access controls alone do not cure overcollection. Even if only a limited group of employees could view the documents, the fact that those employees were exposed to irrelevant sensitive data constituted a violation of the GDPR’s data minimization principle.
Key Takeaway: Data Minimization Requires Process Design, Not Just Permissions
The decision underscores that data minimization under GDPR is a proactive and architectural controller obligation.
Controllers must:
- Design intake processes that prevent submission of unnecessary data;
- Implement technical or procedural filtering, redaction, or standardized forms; and
- Avoid relying on individuals to make judgment calls about what is “necessary.”
Why This Matters in the U.S.
While the fine itself is small, the underlying logic is highly relevant to the U.S. privacy landscape, where the legal standard for data minimization is, effectively, the same as or stricter than under GDPR and where data minimization is rapidly becoming a central compliance obligation.
1. Implications for Sensitive Data Collection
Modern state privacy laws, and notably that of Maryland, increasingly restrict the collection of personal data, especially sensitive data, under a standard ranging from a baseline of “reasonably necessary” to increasingly strict approaches of “strictly necessary for the service requested,” a limitation not cured even by consent.
The NAIH decision suggests how regulators may interpret these provisions in practice, not as a flexibility standard, but as a strict limitation on collection itself and as a controller design responsibility.
If U.S. regulators follow a similar path, companies may need to ensure that workflows involving sensitive data are tightly scoped at the point of collection, rather than relying on downstream safeguards like access controls or confidentiality policies.
2. Implications for Employment and the “California Employer Sweep”
The implications may be especially significant in the employment context. With California regulators actively scrutinizing employer data practices, including through an ongoing enforcement “sweep,” organizations are under increasing pressure to justify the scope of employee data they collect.
The NAIH’s reasoning suggests a potential enforcement posture where:
- Employers cannot rely on employees to self-filter or redact submissions (e.g., medical leave documentation, accommodation requests, background materials);
- Overcollection of incidental or extraneous sensitive data may itself constitute a violation; and
- Process design (e.g., standardized forms, required fields, document upload constraints) will be a key area of regulatory focus.
Practical Considerations for Controllers
Organizations should consider reassessing their intake and documentation processes, particularly where sensitive data is involved. Ask yourself:
- Are we collecting more information than is strictly necessary, even inadvertently?
- Do we rely on users, employees, or customers to self-redact or self-limit submissions?
- Could we replace open-ended document requests with structured forms or targeted data fields?
- Are our access controls being used as a substitute for, rather than a complement to, data minimization?