DATA PROTECTION
CJEU interprets purpose and storage limitation principles under the GDPR.
The Court of Justice of the European Union ('CJEU') issued its judgment in Case C-77/21 Digi Távközlési és Szolgáltató Kft. v. Nemzeti Adatvédelmi és Információszabadság Hatóság, concerning the request for a preliminary ruling submitted by the Court of Budapest-Capital.
In particular, the CJEU reported that the preliminary ruling concerned the interpretation of Articles 5(1)(b) and 5(1)(e) of General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') which arose in the context of a dispute between one of the leading internet and broadcasting service providers in Hungary and the National Authority for Data Protection and Freedom of Information ('NAIH'), in relation to a breach of personal data contained in a database owned by the former.
Further to the above, the CJEU took the view that:
In particular, the CJEU reported that the preliminary ruling concerned the interpretation of Articles 5(1)(b) and 5(1)(e) of General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') which arose in the context of a dispute between one of the leading internet and broadcasting service providers in Hungary and the National Authority for Data Protection and Freedom of Information ('NAIH'), in relation to a breach of personal data contained in a database owned by the former.
Further to the above, the CJEU took the view that:
- article 5(1)(b) of the GDPR must be interpreted as meaning that the principle of purpose limitation does not prevent the registration and storage by the data controller in a database created for the purpose of carrying out tests and correcting errors, of personal data previously collected and stored in another database, if such further processing is compatible with the specific purposes for which the personal data was initially collected, a circumstance that must be determined in the light of the criteria referred to in Article 6(4) of the GDPR; and
- article 5(1)(e) of the GDPR must be interpreted as meaning that the principle of storage limitation prevents the data controller from storing personal data previously collected for other purposes in a database created for the purpose of carrying out tests and correcting errors, for a period of time longer than that necessary for carrying out said activities.
