DATA PROTECTION
EUCJ: national DPAs may order the erasure of unlawfully processed data even in the absence of a prior request by the data subject.
In 2020, the municipal administration of Újpest (Hungary) decided to provide financial support to persons who had been made vulnerable by the COVID-19 pandemic. To that end, it asked the Hungarian State Treasury and the government office of the fourth district of Budapest to provide it with the personal data needed to verify the eligibility requirements for receiving the aid.
After being alerted by a report, the Hungarian authority responsible for data protection (‘the supervisory authority’) found that the Újpest administration, the Hungarian State Treasury and the government office had breached the rules of the General Data Protection Regulation (GDPR).
Fines were imposed on that basis. The supervisory authority found that the Újpest administration had not informed the data subjects, within the one-month period provided for that purpose, of the actual use of their data, the purpose thereof, or of their rights in relation to data protection. It also ordered the Újpest administration to erase the data of eligible persons who had not applied for the support.
The Újpest administration has contested that decision before the Budapest High Court (Hungary). It argues that the supervisory authority does not have the power to order the erasure of personal data in the absence of a prior request made to that effect by the data subject. The Hungarian court has sought an interpretation of the GDPR from the Court of Justice.
In its judgment, the Court of Justice responds that the supervisory authority of a Member State may order of its own motion, namely even in the absence of a prior request made by the data subject to that effect, the erasure of unlawfully processed data if such a measure is necessary in order to fulfil its responsibility for ensuring that the GDPR is fully enforced. If that authority finds that the treatment of data does not comply with the GDPR, it must remedy the infringement found, even without a prior request from the data subject. A requirement that there be such a request would mean that the controller, where no request is made, could retain the data at issue and continue to process them unlawfully.
Moreover, the supervisory authority of a Member State may order the erasure of unlawfully processed personal data both where those data originate directly from the data subject or originate from another source.
(Source: Press Release EUCJ no. 48/2024 as of March 14thm 2024 - Ownership of the contents: EUCJ).
After being alerted by a report, the Hungarian authority responsible for data protection (‘the supervisory authority’) found that the Újpest administration, the Hungarian State Treasury and the government office had breached the rules of the General Data Protection Regulation (GDPR).
Fines were imposed on that basis. The supervisory authority found that the Újpest administration had not informed the data subjects, within the one-month period provided for that purpose, of the actual use of their data, the purpose thereof, or of their rights in relation to data protection. It also ordered the Újpest administration to erase the data of eligible persons who had not applied for the support.
The Újpest administration has contested that decision before the Budapest High Court (Hungary). It argues that the supervisory authority does not have the power to order the erasure of personal data in the absence of a prior request made to that effect by the data subject. The Hungarian court has sought an interpretation of the GDPR from the Court of Justice.
In its judgment, the Court of Justice responds that the supervisory authority of a Member State may order of its own motion, namely even in the absence of a prior request made by the data subject to that effect, the erasure of unlawfully processed data if such a measure is necessary in order to fulfil its responsibility for ensuring that the GDPR is fully enforced. If that authority finds that the treatment of data does not comply with the GDPR, it must remedy the infringement found, even without a prior request from the data subject. A requirement that there be such a request would mean that the controller, where no request is made, could retain the data at issue and continue to process them unlawfully.
Moreover, the supervisory authority of a Member State may order the erasure of unlawfully processed personal data both where those data originate directly from the data subject or originate from another source.
(Source: Press Release EUCJ no. 48/2024 as of March 14thm 2024 - Ownership of the contents: EUCJ).
