Blog
Blog » CJEU DECISION IN A HUNGARIAN GDPR CASE - IS THE PRINCIPLE OF LIMITS OF ACTION APPLICABLE TO GDPR-INFRINGEMENTS?
CJEU DECISION IN A HUNGARIAN GDPR CASE - IS THE PRINCIPLE OF LIMITS OF ACTION APPLICABLE TO GDPR-INFRINGEMENTS?
21 March 2024
Do supervisory authorities have the power to order the erasure of unlawfully processed personal data even if the data subject has not made such request? What is more important: ensuring the high level of protection required by the GDPR or respecting the data subject's private autonomy which is served by the principle of limits of action? In its fresh decision, the Court of Justice of the European Union had to answer these questions in a case related to Hungary.
1. Facts
During the first wave of the COVID-19 pandemic the Municipal Administration of a Budapest district (“Municipal Administration”) decided to provide financial support to residents that had been made vulnerable by the COVID-19 pandemic and who satisfied certain eligibility conditions.
To verify the eligibility conditions, the Municipal Administration requested personal data of the residents concerned from the Hungarian State Treasury and the competent Government Office and then processed the received data.
The Hungarian Supervisory Authority started an investigation in relation to the above data processing operations and established that the authorities and the Municipal Administration infringed the provisions of the GDPR. According to the Supervisory Authority the Municipal Office failed to inform the data subjects about the details of the data processing and their respective rights. Thus, the Supervisory Authority ordered the Municipal Administration to erase the personal data of the data subjects who were entitled to the support but had not applied for it.
2. Court procedure in Hungary
The Municipal Administration has challenged the decision of the Hungarian Supervisory Authority before the Budapest High Court (“Referring Court”) arguing that the authority does not have the power under the GDPR to order the erasure of the personal data in the absence of a request from the data subject.
In this regard, the Municipal Administration relied on a decision of the Hungarian Supreme Court which declared that the right to erasure set out by the GDPR is solely intended as a right of the data subject thus the supervisory authority does not have the power to order the erasure of the personal data ‘ex officio’.
In the meantime, the Constitutional Court of Hungary set aside the above-mentioned judgement. Nevertheless, the Referring Court still has doubts with regards to the interpretation of the right to erasure, namely whether the supervisory authority has the power to order the erasure of personal data in the absence of the request of the data subject. Thus, the Referring Court sent the case to the Court of Justice of the European Union (“CJEU”).
3. Does ‘ex officio’ erasure exist based on the GDPR?
In essence, the question of the Referring Court was whether the Supervisory Authority is entitled, in the exercise of its corrective powers, to order the controller or processor to erase unlawfully processed personal data, even though no request to that effect has been made by the data subject.
By analysing Article 17 of the GDPR which declares the right to erasure, the CJEU came to the conclusion that it governs two independent situations: on the one hand, the erasure of data at the request of the data subject and, on the other, erasure arising from the existence of a standalone obligation borne by the controller, irrespective of any request from the data subject.
Such distinction is necessary, as also confirmed by the European Data Protection Board, since there might be scenarios where a data subject has not necessarily been informed of the processing of his personal data, for example in case of unlawful processing.
According to the Court, given that the supervisory authority shall ensure that personal data processing complies with the provisions of the GDPR and shall make good situations where there has been a breach of the GDPR, it is necessary for the authority to exercise some of the corrective powers of its own motion. This interpretation is also supported by the objectives pursued by the GDPR which is to ensure a high level of protection of the rights and freedoms of the natural persons regarding the processing of personal data.
The Luxembourg Court added that a requirement that there be a prior request from the data subject would mean that the controller, in the absence of such request, could retain the personal data at issue and continue to process them unlawfully. Such an interpretation would undermine the effectiveness of protection laid down by the GDPR since persons who take no actions would be deprived of protection, even though their personal data have been processed unlawfully.
4. Is the origin of the personal data relevant?
Further, the Referring Court wanted to know whether the origin of the personal data is relevant in relation to the corrective powers of the Supervisory Authority, that is to say if the power of the authority to order the erasure of unlawfully processed personal data may apply both to data collected from the data subject and to data originating from other source.
The CJEU pointed out that neither the provision on the corrective powers of the supervisory authority, nor the provision on the right to erasure of the GDPR contains anything to suggest that the corrective powers or the obligation of the controller to erase unlawfully processed personal data is contingent on the origin of the data concerned.
Besides, the objectives of the GDPR, namely, to provide a high level of protection, also justify that no distinction should be made between situations where the personal data was collected from the data subject and where such data is originating from other sources.
Thus, the Luxembourg Court declared that the power of the supervisory authority to order the erasure of unlawfully processed personal data may apply both to data collected from the data subject and to data originating from another source.
5. Conclusion
In the analysed decision, the CJEU has clearly held that the principle of limits of actions does not apply to the erasure of unlawfully processed data. Indeed, the high level of protection required by the GDPR is ensured if, by exercising its corrective powers, the supervisory authority can ‘ex officio’ order the erasure of unlawfully processed personal data, regardless of the source of the data.
In this article we analysed decision C-46/23 of the CJEU.
-
WHAT ARE THE FORMAL AND CONTENT REQUIREMENTS OF COMPANY DOCUMENTS IN B2B TRANSACTIONS IN HUNGARY?
Few people may know, but legislation often imposes formal and content requirements for certain documents. In most cases, these rules are for the sake of identification, which is in the interest of both parties, so it is important to pay attention to them to avoid misunderstandings. In this article, we examine the content requirements for documents used in business to business (B2B) transactions.
Read more » -
HOW FAR THE EMPLOYER’S SPHERE OF CONTROL EXTENDS IN HUNGARY, ACCORDING TO THE SUPREME COURT?
Under Hungarian labour law, the employer may be exempted from compensating the employee for damage caused in connection with the employment relationship if the damage was caused by circumstances beyond the employer’s control. But how far does the employer's control extend, and does it really have to take every eventuality into account, even the most unpredictable? In its recent decision, the Hungarian Supreme Court addressed this question.
Read more » -
WE ARE 15!
Recently we celebrated our 15th Anniversary, which is a very important milestone for us. Looking back, our Office went through a long improvement until the formation of our present profile: providing legal support in domestic and international commercial law issues and helping our clients doing business in Hungary.
Read more »