CJEU - C-77/21 - Digi

Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 5(1)(e) GDPR
Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 6(1)(b) GDPR
Article 6(4) GDPR
Decided: 20.10.2022
Parties: Digi Távközlési és Szolgáltató Kft.
Nemzeti Adatvédelmi és Információszabadság Hatóság
Case Number/Name: C-77/21 Digi
European Case Law Identifier: ECLI:EU:C:2022:805
Reference from: Metropolitan Court of Budapest (Hungary)
105.K.705.596/2020/11
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: n/a


The CJEU answered preliminary questions regarding Articles 5(1)(b) GDPR and 5(1)(e) GDPR and held that national courts had to determine, using the factors of Article 6(4) GDPR, whether further processing was compliant with the original purposes. It also held that Article 5(1)(e) GDPR does not allow the controller to store data longer than necessary in a 'test database'.

English Summary

Facts

This case concerned a Hungarian provider of internet and television services (controller) and the Hungarian DPA.

A technical error caused problems for the functioning of the controller’s server. After this, the controller created a database for testing (test database), to which the personal data of one third of its customers was copied. This personal data was originally kept in another database (original database), which was coupled with the website of the controller. This original database contained personal data of subscribers for the controller's newsletter, for the purpose of direct marketing. The original database also contained data of system administrators who provided access to the interface of the website.

On 23 September 2019, the controller learned that an ethical hacker had managed to get access to the test database, which contained the data of 320,000 data subjects. The hacker notified the controller and provided a line of code from the test database as proof of the security issue. The controller fixed this issue, signed a non-disclosure agreement (NDA) with the hacker and gave him a reward. The controller also deleted the test database.

The controller notified the DPA on 25 September 2019, which started an investigation into the controller. In its decision of 18 May 2020, the DPA held that the controller violated Articles 5(1)(b) GDPR and 5(1)(e) GDPR by not deleting the test database after conducting the necessary tests and fixing the errors. By not deleting this database, the controller kept the personal data of data subjects without any purpose for almost one and a half years. The DPA ordered the controller to investigate all its databases and also gave the controller a fine of 100,000,000 Forint (€248,000). The controller appealed this decision at the Fővárosi Törvényszék (Judge for the agglomeration of Budapest), which asked the following preliminary questions to the Court of Justice of the European Union (CJEU).

1) Should the purpose limitation (Article 5(1)(b) GDPR) be interpreted in such a way that it allows a controller to store personal data, which has been collected and stored in a lawful and purposeful manner, in another database?

2) If this parallel storage of personal data is not compatible with the purpose limitation principle, is it compatible with the storage limitation principle (Article 5(1)(e) GDPR) for the controller to store in parallel in another database personal data that has otherwise been collected and stored in a lawful and purposeful manner?

Both the Hungarian DPA and the controller doubted the admissibility of the preliminary questions. Both held that the questions were not relevant for the facts of the case.

The controller and the DPA did not agree about the specific nature of the purpose of further processing. The controller stated that the test database was necessary to provide access for its customers until the errors had been corrected. Therefore, the controller held that this purpose was identical to the original purpose. The DPA stated that the original purpose and the purpose of further processing were different, since the purpose of the further processing was to conduct tests and to correct errors.

The controller also admitted that it did not delete the personal data from the test database as a result of inattention.

Holding

Admissibility of the preliminary questions

The CJEU determined that the preliminary questions were admissible. It held amongst other things that only national courts had the authority to assess the relevance of the preliminary questions and whether to ask these questions or not. These questions of Union law were subject to a presumption of relevance. The CJEU stated several exceptions to this presumption, but these did not apply in the present case. It also determined that the national courts had exclusive jurisdiction to interpret and apply national law whereas the CJEU had exclusive jurisdiction to rule on the interpretation or validity of a provision of European Union law on the basis of the facts defined by the national court (Article 267 TFEU and C-567/20, EU:C:2022:352, paragraph 45 and case-law cited there).

Question 1: Does Article 5(1)(b) GDPR allow a controller to store personal data that has been collected and stored in a lawful and purposeful manner, in another database?

The CJEU determined that Article 5(1)(b) GDPR contained two requirements, (1) one for the purpose of the original collection of personal data and (2) the other regarding any further processing of this personal data, which cannot occur for purposes that are incompatible with the original ones.

(1) It stated that the initial processing/collection by the controller was done with specified, explicit and legitimate purposes and held that the controller was using Article 6(1)(b) GDPR as a legal basis to provide subscription contracts for its customers.

(2) The CJEU further determined that the creation of the new database and the transfer of personal data to this database was actually a form of ‘further processing’. To support this, it held that this processing operation fell under the definition of processing (Article 4(2) GDPR) and used the literal interpretation of the word 'further' to define this processing operation of the controller. It also stated that Article 5(1)(b) GDPR did not provide any additional requirements to assess if this further processing was compliant with the purpose of the original collection of personal data. It held that the question of whether or not the purposes of further processing were compliant with the original purposes is only relevant when these purposes are actually different from each other. The CJEU stated that this could be deduced by reading Articles 5(1)(b), 6(1)(a) and 6(4) GDPR together.

The CJEU continued by providing several factors for assessing the compatibility of further processing, when this processing was not conducted for the original purposes and was not based on the consent of the data subject or on a provision of Union or Member State law (Article 6(4) GDPR and recital 50):

(a) Any link between the purposes for which the personal data were collected and the purposes of the intended further processing.

(b) The context in which the personal data have been collected, in particular as regards the relationship between the data subjects and the controller.

(c) The nature of the personal data.

(d) The possible effects of the envisaged further processing on the data subjects.

(e) The existence of appropriate safeguards, both in the initial processing and in the envisaged further processing.

It answered the first preliminary question by stating that these factors (Article 6(4) GDPR), alongside all the concrete circumstances of a case, should be used by national courts to make an assessment. The national court had to determine the original purpose(s), the purpose(s) of further processing and whether or not these purposes were compatible.

Despite leaving it up to the national courts to make a decision, the CJEU provided additional guidance for the national court by looking at the specifics of this case. It determined that the original purpose of the collection by the controller was to provide subscription contracts for its customers. The controller created the test database to conduct tests and to correct errors in its files regarding subscribers. The CJEU suggested that the purpose of conducting tests and correcting errors in subscription files was related to the performance of the subscription contract, because these errors could have consequences for the performance of this contract.

Question 2: Does Article 5(1)(e) GDPR allow a controller to store personal data that has been collected and stored in a lawful and purposeful manner, in another database?

The CJEU held that according to Article 5(1)(e) GDPR, the controller should be able to prove that it did not keep personal data for longer than necessary for the purposes for which the data was originally collected (Article 5(2) GDPR). This could also mean that an originally legitimate processing operation could become incompatible with the GDPR when the personal data was no longer necessary for the original purposes (C-136/17, EU:C:2019:773, par. 74). The CJEU also held that personal data should be deleted when the purposes have been fulfilled (C‑553/07, EU:C:2009:293, point 33).

It also held that each processing operation should be compliant with Articles 5 and 6 GDPR. According to Article 6 GDPR, when a controller did not rely on consent (Article 6(1)(a) GDPR), its processing should be necessary for the purposes pursued (Articles 6(1)(b – e)). This necessity requirement also followed from Article 5(1)(c) GDPR (data minimisation principle), which states that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Based on these considerations, the CJEU determined that Article 5(1)(e) GDPR did not allow the controller to retain personal data, which was previously stored in another database, for longer than necessary in a new database for testing and error correction purposes. The fact that the controller stated that it had not deleted the data because of inattention was deemed irrelevant.

Decision

The decision is available in English.