Blog
Blog » DOES THE VIOLATION OF THE GDPR ALWAYS MEAN UNLAWFUL DATA PROCESSING?
DOES THE VIOLATION OF THE GDPR ALWAYS MEAN UNLAWFUL DATA PROCESSING?
12 July 2023
Based on the GDPR, data controllers have several obligations, such as maintaining the records of data processing or in case of joint controllers, entering into an agreement which determines their respective responsibilities for compliance with their data protection related obligations. In a recent case, the Court of Justice of the European Union (‘CJEU’) needed to decide on the issue whether the non-compliance with these obligations constitutes unlawful processing resulting in the duty to erase the personal data of the data subject.
1. Background
Regarding the factual background of the case, the German Federal Office for Migration and Refugees (‘Federal Office’) rejected the applicant’s application for internal protection. The applicant attacked this decision before the administrative court; thus, the Federal Office sent an electronic file containing the applicant’s personal data to the court via the electronic court and administrative mailbox.
The administrative court had doubts as to whether the maintenance and the transmission of the electronic file complied with the GDPR for two reasons. First, the Federal Office did not produce a complete record of the processing activities relating to the electronic file in accordance with Article 30 of the GDPR. Second, in disregard of Article 26 of the GDPR, no national legislation governs the transmission of the electronic file, and the Federal Office did not provide an agreement on the joint responsibility.
In the above context, the German administrative court asked the CJEU whether the failure of the controller to comply with the accountability principle of the GDPR (Article 5), specifically not concluding an agreement determining joint responsibility for processing and not maintaining a record of processing activities constitutes unlawful processing conferring on the data subject a right to erasure or restriction of processing.
2. The decision of the CJEU
The CJEU recalled that the lawfulness of processing is precisely the subject of Article 6 of the GDPR. This means that a data processing may only be lawful if one of the six conditions set forth in Article 6 is met, for example if the data subject has given consent to the data processing or the data processing is necessary for the performance of a contract or for the legitimate interests of the controller.
However, compliance with the obligation laid down in Article 26 of the GDPR to conclude an arrangement determining joint responsibility for processing and the obligation to maintain a record of processing activities laid down in Article 30 is not among the grounds for lawfulness of processing set out in Article 6 of the GDPR.
Thus, the infringement of Articles 26 and 30 of the GDPR does not constitute unlawful processing in the sense of the right to erasure (Article 17 1. (d)) or of the right to restriction of processing (Article 18 1. (b)), since this breach as such does not mean that the controller violates the principle of “accountability” (Article 5).
This means that the ‘sanction’ of the violations of Article 26 and 30 of the GDPR is not the erasure of the personal data or the restriction of the data processing, but other corrective actions provided for by the GDPR, such as the obligation to bring the processing operations into compliance with the GDPR, the lodging of a complaint with the supervisory authority, or compensation for any damage caused by the controller.
3. Lesson learnt
The decision of the CJEU presented above is important because it makes a clear differentiation between the legal basis of the data processing and the “secondary” data protections related obligations of the controllers (and processors) under the GDPR.
The CJEU clarified that the lawfulness of the processing activity depends solely on the questions of whether a legal basis (based on Article 6) exists in relation with the data processing. In case the appropriate legal basis is missing, the data subject may demand the erasure of his personal data or the restriction of the data processing. By contrast, if the data processing has a legal basis in accordance with the GDPR, nevertheless the controller fails to comply with other obligations provided for by the GDPR, other corrective actions may be implied.
-
WHAT ARE THE FORMAL AND CONTENT REQUIREMENTS OF COMPANY DOCUMENTS IN B2B TRANSACTIONS IN HUNGARY?
Few people may know, but legislation often imposes formal and content requirements for certain documents. In most cases, these rules are for the sake of identification, which is in the interest of both parties, so it is important to pay attention to them to avoid misunderstandings. In this article, we examine the content requirements for documents used in business to business (B2B) transactions.
Read more » -
HOW FAR THE EMPLOYER’S SPHERE OF CONTROL EXTENDS IN HUNGARY, ACCORDING TO THE SUPREME COURT?
Under Hungarian labour law, the employer may be exempted from compensating the employee for damage caused in connection with the employment relationship if the damage was caused by circumstances beyond the employer’s control. But how far does the employer's control extend, and does it really have to take every eventuality into account, even the most unpredictable? In its recent decision, the Hungarian Supreme Court addressed this question.
Read more » -
WE ARE 15!
Recently we celebrated our 15th Anniversary, which is a very important milestone for us. Looking back, our Office went through a long improvement until the formation of our present profile: providing legal support in domestic and international commercial law issues and helping our clients doing business in Hungary.
Read more »