CJEU - C-77/21 - Digi
CJEU - C-77/21 Digi | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 5(1)(b) GDPR, Article 5(1)(e) GDPR |
Decided: | 20 October 2022 |
Parties: | Digi Távközlési és Szolgáltató Kft. v Nemzeti Adatvédelmi és Információszabadság Hatóság |
Case Number/Name: | C-77/21 Digi |
European Case Law Identifier: | EU:C:2022:805 |
Reference from: | Metropolitan Court (Hungary) |
Language: | 24 EU Languages |
Original Source: | AG Opinion, Judgement |
Initial Contributor: | n/a |
English Summary
Facts
1 The applicant is one of the leading internet and television providers in Hungary.
2 In April 2018, with a view to conducting tests and correcting errors, the applicant created a database known as the ‘test’ database (the ‘test database’) to which it copied the personal data of approximately one third of its private customers. In another database known as the ‘digihu’ database, linkable to the digi.hu website, it stored, for direct marketing purposes, the up-to-date data of newsletter subscribers and of systems administrators that provide access to the website interface. This database contained the data of almost 3% of its private customers and the user data of forty systems administrators with full or partial administration rights.
3 On 23 September 2019, the applicant became aware that the personal data (name, mother’s name, place and date of birth, address, identity card number or, as the case may be, personal number, e-mail address, landline and mobile telephone numbers) of a total of some 322 000 data subjects (297 000 customers and subscribers and 25 000 newsletter subscribers) had been accessed via the www.digi.hu website. It was the hacker himself who alerted the applicant to the attack, in writing, in an e-mail of 21 September 2019, in the process producing, by way of evidence, one of the records from the database and explaining the technicalities of the error. The applicant then corrected the error, concluded a confidentiality agreement with the ethical hacker and offered him a reward. The ‘digihu’ database was not affected by the attack but it could have been.
4 On 25 September 2019, the applicant reported the personal data security breach to the defendant, which responded by launching an official review procedure on 8 October 2019.
5 By decision [...] of 18 May 2020, the defendant found as follows:
(a) that the applicant had infringed Article 5(1)(b) and (e) of the Regulation in having neglected, once the necessary tests and corrections of errors had been carried out, to delete the test database affected by the data security breach, which was originally created to correct errors, and in having thereby stored in the test database a large volume of customer data for almost a further year and a half for no purpose and in such a way as to allow those customers to be identified, and that the failure to take the measure (to delete the test database) had directly facilitated the personal data security breach;
(b) that the applicant had infringed Article 32(1) and (2) of the Regulation.
The defendant ordered the applicant to review all its databases containing personal data with a view to determining whether there were grounds for applying an encryption system to them and to inform it of the outcome of that review. It also imposed on the applicant a data protection fine in the amount of HUF 100 000 000 and ordered that the decision be published.
6 In the grounds of its decision, the defendant cited the following provisions of the Regulation: Article 2(1); Article 4(12); Article 5(1)(b) and (e) and (2); Article 17(1)(a); Article 32(1)(a) and (2); and Article 33(1), (2), (4) and (5).
7 The defendant noted that the Regulation has been applicable in Hungary since 25 May 2018 and that, since the data processing affected by the personal data security breach (storage of customer data) carried on after that date, the Regulation was applicable in this case pursuant to Articles 2(1) and 99(2).
8 It stated that the purpose of creating the test database (to conduct tests and correct errors) was different from the initial purpose of processing the personal data stored in the database (to perform contracts), given that correcting the errors had also caused the purpose other than data processing (to conduct tests and correct errors) to disappear. Consequently, the failure to delete the databases after the errors had been corrected constituted an infringement of the fundamental principle of ‘storage limitation’.
9 As regards data security measures relating to data storage, the defendant took the view, principally, that the data security breach could be put down to the – long-known and repairable – vulnerability of the ‘Drupal’ content management system used by the applicant, the errors in which the applicant had not corrected because the available repair package was not official. Relying on an expert report on information security which had been submitted in the course of the procedure, the defendant stated that the security breach could have been remedied with appropriate software, regular vulnerability checks and appropriate encryption, but the applicant, in not taking such measures, had infringed Article 32(1) and (2) of the Regulation.
10 In addition, the defendant imposed on the applicant a data protection fine in accordance with Article 83(2) of the Regulation and certain provisions of the az információs önrendelkezési jogról és az információszabadságról szóló 2011. évi CXII. törvény (Law CXII of 2011 on the right to self-determination as regards information and freedom of information).
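The two engineering failures the authority identified in paragraphs 5(a) and 9 (a copy of production customer data kept in a test database for a year and a half after the tests were finished, and a known, fixable CMS vulnerability left unpatched) are what turned a website bug into the exposure of some 322 000 raw records. The example below is an addition to this page, not part of the case file and not Digi's code or schema; it shows, in Python with an in-memory SQLite database and constructed sample rows, how a test copy of production personal data can be built so that direct identifiers never enter the test environment (keyed HMAC tokens stand in for them) and so that the copy carries a recorded expiry which a purge routine enforces. Field names, the key, the 30-day retention period and the sample rows are all assumptions; the expiry enforcement goes beyond the facts of the case, which only record that deletion was neglected.

```python
"""Pseudonymised, time-limited test copy of a customer table (added example, not from the case)."""
import hashlib
import hmac
import sqlite3
from datetime import datetime, timedelta, timezone

# Columns holding direct identifiers of the kind listed in the case; the names are assumptions.
DIRECT_IDENTIFIERS = ("name", "mothers_name", "address", "id_number", "email", "phone")
CREATE_CUSTOMERS = ("CREATE TABLE customers (id INTEGER PRIMARY KEY, name, mothers_name, "
                    "dob, address, id_number, email, phone)")

# Constructed sample rows; they do not describe real people.
SAMPLE_CUSTOMERS = [
    (1, "Kiss Anna", "Nagy Eva", "1980-03-04", "Budapest, Fo u. 1", "123456AB", "anna@example.com", "+36201111111"),
    (2, "Toth Bela", "Szabo Ilona", "1975-11-20", "Debrecen, Piac u. 5", "654321CD", "bela@example.com", "+36302222222"),
]


def make_production_db():
    """Stand-in for the live customer database (in-memory SQLite filled with the constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_CUSTOMERS)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?,?,?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def pseudonymise(value, key, field):
    """Keyed, deterministic token: the same input always yields the same token, so joins and
    uniqueness constraints keep working, but the raw value cannot be recovered without the key."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{field}_{mac}"


def create_test_copy(prod, key, purpose, ttl_days, now):
    """Copy customers into a fresh test DB with identifiers replaced and an expiry recorded."""
    test = sqlite3.connect(":memory:")
    test.execute(CREATE_CUSTOMERS)
    test.execute("CREATE TABLE dataset_meta (purpose, created_at, expires_at)")
    for cid, name, mother, dob, addr, idnum, email, phone in prod.execute("SELECT * FROM customers"):
        test.execute("INSERT INTO customers VALUES (?,?,?,?,?,?,?,?)", (
            cid,
            pseudonymise(name, key, "name"),
            pseudonymise(mother, key, "mothers_name"),
            dob[:4] + "-01-01",                                      # year only: enough for age logic
            pseudonymise(addr, key, "address"),
            pseudonymise(idnum, key, "id_number"),
            pseudonymise(email, key, "email") + "@example.invalid",  # still a well-formed address
            "+36000000000",                                          # placeholder; tests never need a real number
        ))
    expires = now + timedelta(days=ttl_days)
    test.execute("INSERT INTO dataset_meta VALUES (?,?,?)", (purpose, now.isoformat(), expires.isoformat()))
    test.commit()
    return test


def leaked_identifiers(prod, test):
    """Return raw production identifier values found anywhere in the test copy (should be empty)."""
    cols = ", ".join(DIRECT_IDENTIFIERS)
    raw = {v for row in prod.execute(f"SELECT {cols} FROM customers") for v in row}
    copied = {str(v) for row in test.execute("SELECT * FROM customers") for v in row}
    return sorted(raw & copied)


def purge_if_expired(test, now):
    """Storage-limitation check: once the recorded expiry has passed, drop the copied data.
    Returns the number of rows removed (0 while the copy is still within its retention)."""
    meta = test.execute("SELECT expires_at FROM dataset_meta").fetchone()
    if meta is None or now < datetime.fromisoformat(meta[0]):
        return 0
    (count,) = test.execute("SELECT COUNT(*) FROM customers").fetchone()
    test.execute("DROP TABLE customers")
    test.execute("DELETE FROM dataset_meta")
    test.commit()
    return count


def run_scenario():
    """Walk through create -> verify -> purge and return the observations."""
    prod = make_production_db()
    key = b"constructed-key-kept-outside-the-test-environment"   # assumption: held by prod tooling only
    t0 = datetime(2018, 4, 1, tzinfo=timezone.utc)
    test = create_test_copy(prod, key, "testing and error correction", ttl_days=30, now=t0)
    return {
        "copied_rows": test.execute("SELECT COUNT(*) FROM customers").fetchone()[0],
        "leaked": leaked_identifiers(prod, test),
        "purged_day_10": purge_if_expired(test, t0 + timedelta(days=10)),
        "purged_day_31": purge_if_expired(test, t0 + timedelta(days=31)),
        "purged_again": purge_if_expired(test, t0 + timedelta(days=40)),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two design points matter for the case. The HMAC key stays with the production-side tooling and never lands in the test environment, so an attacker who reaches the test database through an unpatched web application (the path taken here) obtains tokens rather than names, ID numbers and phone numbers. The expiry stored in `dataset_meta` and checked by `purge_if_expired` is what makes storage limitation operational: deletion happens when the purpose lapses, not when someone remembers the copy exists.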
Holding
Article 5(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that:
the principle of ‘purpose limitation’, laid down in that provision, does not preclude the recording and storage by the controller, in a database set up for the purpose of testing and correcting errors, of personal data previously collected and stored in another database, where such further processing is compatible with the specific purposes for which the personal data were initially collected, which must be determined in the light of the criteria referred to in Article 6(4) of that regulation.
Article 5(1)(e) of Regulation 2016/679 must be interpreted as meaning that:
the principle of ‘storage limitation’, laid down in that provision, precludes the storage by the controller, in a database set up for the purpose of testing and correcting errors, of personal data previously collected for other purposes for a period exceeding that necessary for carrying out those tests and correcting those errors.
Comment
The case is of interest because it recognises, under certain conditions, that using personal data collected for one purpose and processed by an IT system in order to test that same IT system (performing the same function) is compatible with the original purpose. The condition is the qualification "where such further processing is compatible with the specific purposes for which the personal data were initially collected", which the Court ties to the criteria in Article 6(4) GDPR; the compatibility is not assumed but has to be established against those criteria. The second ruling adds the limit that matters in practice: even a compatible test copy may be kept only for as long as the tests and error corrections require.
Further Resources