CJEU - C-46/23 - Újpesti Polgármesteri Hivatal

From GDPRhub
CJEU - C-46/23 Újpesti Polgármesteri Hivatal
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 17 GDPR
Article 58(2)(d) GDPR
Article 58(2)(g) GDPR
Decided: 14.03.2024
Parties: Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala
Nemzeti Adatvédelmi és Információszabadság Hatóság
Case Number/Name: C-46/23 Újpesti Polgármesteri Hivatal
European Case Law Identifier: ECLI:EU:C:2024:239
Reference from: Supreme Court (Hungary)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: lm


The CJEU held that DPAs can exercise corrective powers under Article 58(2)(d) and (g) GDPR to order erasure of personal data by their own motion, regardless of where the data originated or whether the data subject requested its erasure.

English Summary

Facts

In February 2020, the Újpest administration (the controller) obtained personal data about Hungarian residents from the Hungarian Treasury and Budapest district office. The intent was to determine eligibility for a program seeking to provide financial supports to residents made vulnerable by the COVID-19 pandemic.

The Hungarian DPA initiated an investigation after a report alerted it of the processing. The DPA determined that the controller failed to timely inform data subjects of the categories of personal data processed, the purposes of processing, or how they could exercise their rights in relation to the processing. On 22 April 2021, it found that the controller violated Articles 5, 14, and 12(1) GDPR. Pursuant to Article 58(2)(d), the DPA ordered the controller to erase the personal data of data subjects who were entitled to the right to erasure but had not requested it.

The controller challenged the DPA’s order before the Fővárosi Törvényszék (Budapest High Court), arguing that Article 58(2)(d) GDPR does not empower the DPA to order the erasure of personal data in the absence of an Article 17 GDPR request from the data subject. Seeking clarification on the interpretations of Article 17 and 58(2)(d) GDPR, the Budapest High Court referred two questions to the CJEU:

  1. Can a DPA order a controller or processor to erase unlawfully processed personal data despite the absence of a request from the data subject?
  2. If the DPA can exercise such corrective power, is that so whether or not the personal data were obtained from the data subject?

Holding

In deciding the first question, the Court held that some corrective powers under Article 58(2) GDPR, namely 58(2)(d) and (g) GDPR, may be exercised by the DPA on its own motion. Article 58(2)(c) GDPR, on the other hand, does require a prior data subject request.

The Court noted that the plain language of Article 58(2)(d) and (g) GDPR does not require a data subject request to authorize the DPA’s corrective power. Article 58 GDPR uses different wording to distinguish between corrective measures that may only be adopted following a data subject request, such as Article 58(2)(c) GDPR, and corrective measures that may be ordered by an authority of its own motion, such as Article 58(2)(d) and (g) GDPR. In addition, the Court found that Article 17(1) GDPR distinguishes between the right of the data subject to obtain erasure of their data and the obligation of the controller to erase such personal data without undue delay. The controller’s obligation thus attaches regardless of whether the data subject requests erasure.

With regard to the second question, the Court concluded that the DPA’s power to order erasure of unlawfully processed data applies both to data collected from the data subject and to data originating from another source. It noted that the text of the provisions does not suggest that a DPA's corrective powers are contingent on the origin of the data.

Comment

In challenging the DPA's order before the Budapest High Court, the controller relied on a prior ruling of the Kúria (Hungarian Supreme Court), Kfv.II.37.001/2021/6, which held that the DPA lacked the authority to order erasure of personal data where the data subject has not made an Article 17 GDPR request. The Hungarian DPA subsequently filed an action of unconstitutionality to set aside the Hungarian Supreme Court's judgment. The Alkotmánybíróság (Hungarian Constitutional Court) agreed with the DPA: it set aside the Hungarian Supreme Court's ruling and held that the DPA is empowered to order erasure of unlawfully processed personal data of its own motion, regardless of whether a request has been made by the data subject.

The Budapest High Court's referral to the CJEU sought clarification in light of the Hungarian Constitutional Court's ruling.

Further Resources

Share blogs or news articles here!