CJEU - C-77/21 - Digi: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 70: Line 70:
}}
}}


The CJEU interpreted [[Article 5 GDPR#1b|Articles 5(1)(b) GDPR]] and [[Article 5 GDPR#1e|5(1)(e) GDPR]]. The controller created a ‘test database’ to store data of its customers. The CJEU held that the controller violated [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] because the storage of personal data in the test database was deemed unnecessary.
The CJEU answered preliminary questions regarding [[Article 5 GDPR#1b|Articles 5(1)(b) GDPR]] and [[Article 5 GDPR#1e|5(1)(e) GDPR]]. The controller created a ‘test database’, containing personal data of its customers, which was breached by an ethical hacker. The CJEU held that the controller violated [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] because the storage of personal data in the test database was deemed unnecessary.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
This case concerned a provider for internet and television services in Hungary (controller) and the Hungarian DPA.  
This case concerned a Hungarian provider for internet and television services (controller) and the Hungarian DPA.  


A technical error caused problems for the functioning of the controller’s server. After this, the controller created a database for testing (test database), to which the personal data of a third of its customers was copied. This personal data was originally kept in another database (original database), which was coupled with the website of the controller. This database contained personal data from subscribers for its newsletter, for the purpose of direct marketing. It also contained data from system administrators who provided access to the interface of the website.  
A technical error caused problems for the functioning of the controller’s server. After this, the controller created a database for testing (test database), to which the personal data of one third of its customers was copied. This personal data was originally kept in another database (original database), which was coupled with the website of the controller. This database contained personal data from subscribers for its newsletter, for the purpose of direct marketing. It also contained data from system administrators who provided access to the interface of the website.  


On the 23 September 2019, an ethical hacker managed to get access to the test database which contained the data of 320,000 data subjects. The hacker notified the controller and provided a line of code from the test database as proof of the security issue. The controller fixed this issue, signed an NDA with the hacker and gave him a reward. The controller also deleted the test database.
On the 23 September 2019, the controller learned that an ethical hacker managed to get access to the test database which contained the data of 320,000 data subjects. The hacker notified the controller and provided a line of code from the test database as proof of the security issue. The controller fixed this issue, signed an NDA (Non Disclosure Agreement) with the hacker and gave him a reward. The controller also deleted the test database.


The controller notified the DPA on 25 September 2019, which started an investigation. In its decision of 18 May 2020, the DPA held that the controller violated [[Article 5 GDPR#1b|Articles 5(1)(b) GDPR]] and [[Article 5 GDPR#1e|5(1)(e) GDPR]] by not deleting the test database after conducting the necessary tests and fixing the errors. By not deleting this database, the controller kept the personal data of data subjects without any purpose for almost one and a half years. The DPA ordered the controller to investigate all its databases and also gave the controller a fine of 100,000,000 Forint. The controller appealed this decision at the Fővárosi Törvényszék (Judge for the agglomeration of Budapest), which asked the following preliminary questions to the Court of Justice of the European Union (CJEU).  
The controller notified the DPA on 25 September 2019, which started an investigation into the controller. In its decision of 18 May 2020, the DPA held that the controller violated [[Article 5 GDPR#1b|Articles 5(1)(b) GDPR]] and [[Article 5 GDPR#1e|5(1)(e) GDPR]] by not deleting the test database after conducting the necessary tests and fixing the errors. By not deleting this database, the controller kept the personal data of data subjects without any purpose for almost one and a half years. The DPA ordered the controller to investigate all its databases and also gave the controller a fine of 100,000,000 Forint. The controller appealed this decision at the Fővárosi Törvényszék (Judge for the agglomeration of Budapest), which asked the following preliminary questions to the Court of Justice of the European Union (CJEU).  


1) Should the purpose limitation ([[Article 5 GDPR#1b|Article 5(1)(b) GDPR]]) be interpreted in such a way that it allows a controller to store personal data, which has been collected and stored in a lawful and purposeful manner, in another database? Or is the storage of this personal data in a parallel database no longer compatible with the lawful purposes for which the data were collected?
1) ''Should the purpose limitation ([[Article 5 GDPR#1b|Article 5(1)(b) GDPR]]) be interpreted in such a way that it allows a controller to store personal data, which has been collected and stored in a lawful and purposeful manner, in another database?''


2) If this parallel storage of personal data is not compatible with the purpose limitation principle, is it compatible with the storage limitation principle (Article [[Article 5 GDPR#1e|5(1)(e) GDPR)]] for the controller to store in parallel in another database personal data that has otherwise been collected and stored in a lawful and purposeful manner?"
2) ''If this parallel storage of personal data is not compatible with the purpose limitation principle, is it compatible with the storage limitation principle (Article [[Article 5 GDPR#1e|5(1)(e) GDPR)]] for the controller to store in parallel in another database personal data that has otherwise been collected and stored in a lawful and purposeful manner?"''


Both the Hungarian DPA and the controller doubted the admissibility of the preliminary questions. Both held that the questions were not relevant for the facts of the case.  
Both the Hungarian DPA and the controller doubted the admissibility of the preliminary questions. Both held that the questions were not relevant for the facts of the case.  
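Review bot: The revised question 1 drops the second sentence of the referred question ("Or is the storage of this personal data in a parallel database no longer compatible with the lawful purposes for which the data were collected?"), so question 2's opening "If this parallel storage of personal data is not compatible" loses its antecedent; consider keeping that sentence inside the italics. In the revised question 2, the italic markup closes after a stray trailing quotation mark, and the closing parenthesis sits inside the wikilink label "5(1)(e) GDPR)".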
Line 96: Line 96:
<u>Admissibility of the preliminary questions</u>  
<u>Admissibility of the preliminary questions</u>  


The CJEU determined that that the questions were admissible. The CJEU held that only national Courts had the authority to decide whether or not preliminary questions were relevant.  
The CJEU determined that that the preliminary questions were admissible. The CJEU held amongst other things that only national courts had the authority to explain and implement national law.  


<u>Question 1: Does [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] allow a controller to store personal data that has been collected and stored in a lawful and purposeful manner, in another database?</u>
<u>Question 1: Does [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] allow a controller to store personal data that has been collected and stored in a lawful and purposeful manner, in another database?</u>
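Review bot: The revised admissibility sentence still reads "determined that that"; drop the duplicated word. The rewrite also replaces the earlier reason ("whether or not preliminary questions were relevant") with "explain and implement national law", which no longer answers the objection stated in the Facts that the questions "were not relevant for the facts of the case"; consider keeping the relevance point next to the new wording.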
Line 104: Line 104:
(1) The Court determined that the initial processing/collection by the controller was done with specified, explicit and legitimate purposes and held that the controller was using [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a legal ground to provide subscription-contracts for its customers.  
(1) The Court determined that the initial processing/collection by the controller was done with specified, explicit and legitimate purposes and held that the controller was using [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a legal ground to provide subscription-contracts for its customers.  


(2) The Court held that the creation of the new database and the transfer of personal data to this database, was actually a form of ‘further processing’. It stated that [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] did not provide any additional requirements to assess if this further processing was compliant with the purpose of the original collection of personal data. In order to resolve this, the Court stated that the question of whether or not the purposes of further processing are compliant with the original purposes, is only relevant when these purposes are actually different from each other. The Court stated that this could be deducted by reading [[Article 5 GDPR|Articles 5(1)(b)]], [[Article 6 GDPR|6(1)(a)]] and [[Article 6 GDPR#4|6(4) GDPR]] together.  
(2) The Court held that the creation of the new database and the transfer of personal data to this database was actually a form of ‘further processing’. To support this, It held that this processing operation fell under the definition of processing (Article 4(2) GDPR) and used the literal interpretation of the word 'further' to aplly this to this processing operation. The court also stated that [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] did not provide any additional requirements to assess if this further processing was compliant with the purpose of the original collection of personal data. The Court held that the question of whether or not the purposes of further processing were compliant with the original purposes, is only relevant when these purposes are actually different from eachother. The Court stated that this could be deducted by reading [[Article 5 GDPR|Articles 5(1)(b)]], [[Article 6 GDPR|6(1)(a)]] and [[Article 6 GDPR#4|6(4) GDPR]] together.  


The Court also named several factors to assess the compatibility of further processing when this was not conducted for the original purposes and was not based on the consent of the data subject or on a provision of Union or Member State law: ([[Article 6 GDPR#4|Article 6(4) GDPR]] and recital 50)
The Court continued by providing several factors for assessing the compatibility of further processing, when this processing was not conducted for the original purposes and was not based on the consent of the data subject or on a provision of Union or Member State law ([[Article 6 GDPR#4|Article 6(4) GDPR]] and recital 50):


(a) Any link between the purposes for which the personal data were collected and the purposes of the intended further processing.  
(a) Any link between the purposes for which the personal data were collected and the purposes of the intended further processing.  
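Review bot: The sentence added to paragraph (2) has a mid-sentence capital in "To support this, It held" and the typo "aplly"; the same revision turns "each other" into "eachother", writes "The court" in lower case where the rest of the paragraph uses "The Court", and keeps "deducted" where "deduced" is meant. These should be fixed before the revision is accepted.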
Line 118: Line 118:
(e) The existence of appropriate safeguards, both in the initial processing and in the envisaged further processing.  
(e) The existence of appropriate safeguards, both in the initial processing and in the envisaged further processing.  


The CJEU answered the first preliminary question by stating that these factors ([[Article 6 GDPR#4|Article 6(4) GDPR]]) should be used by national Courts to make an assessment. It also held that [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] did not prevent the controller to conduct tests and correct errors using the tests database.   
The CJEU answered the first preliminary question by stating that these factors ([[Article 6 GDPR#4|Article 6(4) GDPR]]), alongside all the concrete circumstances of a case, should be used by national Courts to make an assessment. The national court had to determine the orginal purpose(s), the purpose(s) of further processing and wheter or not these purposes were compatible. It also held that [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]] did not prevent the controller to conduct tests and correct errors using the tests database.   


Despite leaving it up to the national Courts to make a decision, the Court provided additional guidance for the national Court by looking at the specifics of this case.  
Despite leaving it up to the national Courts to make a decision, the Court provided additional guidance for the national court by looking at the specifics of this case.  
The Court determined that the original purpose of the collection by the controller was to provide subscription contracts for its customers. The Court stated that the controller created the test database to conduct tests and to correct errors in its files regarding subscribers. The Court suggested that the purpose of conducting tests and correcting errors in subscription files was related to the performance of the subscription contract, because these errors could have consequences for the performance of this contract.  
The Court determined that the original purpose of the collection by the controller was to provide subscription contracts for its customers. The Court stated that the controller created the test database to conduct tests and to correct errors in its files regarding subscribers. The Court suggested that the purpose of conducting tests and correcting errors in subscription files was related to the performance of the subscription contract, because these errors could have consequences for the performance of this contract.


<u>Question 2: Does [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]) allow a controller to store personal data that has been collected and stored in a lawful and purposeful manner, in another database?</u>
<u>Question 2: Does [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]) allow a controller to store personal data that has been collected and stored in a lawful and purposeful manner, in another database?</u>


The Court answered the second question by stating that the controller violated [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] with its processing.   
The Court answered the second question by stating that the controller violated [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] with its processing.   
The Court held that the controller should be able to prove that is did not keep personal data for longer than necessary for the purposes for which the data was originally collected ([[Article 5 GDPR|Article 5(2) GDPR]]). This could also mean that an originally legitimate processing operation could become incompatible with the GDPR when the personal data was no longer necessary for the original purposes (C-136/17, EU:C:2019:773, par 74). The Court also stated that personal data should be deleted when the purposes have been fulfilled.  
 
The Court held that when a controller did not rely on consent ([[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]), its processing should be necessary for the used purposes ([[Article 6 GDPR|Articles 6(1)(b – e)]] and ([[Article 5 GDPR|5(1)(c) GDPR]])). It determined that the controller stored the personal data in the test database for longer than was necessary for the provided purposes. The fact that the controller stated that it had not deleted the data because of carelessness was deemed irrelevant by the Court.
The Court held that according to Article 5(1)(e) GDPR, the controller should be able to prove that is did not keep personal data for longer than necessary for the purposes for which the data was originally collected ([[Article 5 GDPR|Article 5(2) GDPR]]). This could also mean that an originally legitimate processing operation could become incompatible with the GDPR when the personal data was no longer necessary for the original purposes (C-136/17, EU:C:2019:773, par 74). The Court also stated that personal data should be deleted when the purposes have been fulfilled (C‑553/07, EU:C:2009:293, punt 33).  
 
The Court also held that each processing operation should be compliant with Articles 5 and 6 GDPR. When a controller did not rely on consent ([[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]), its processing should be necessary for the used purposes ([[Article 6 GDPR|Articles 6(1)(b – e)]] and ([[Article 5 GDPR|5(1)(c) GDPR]])).  
 
In the end, the CJEU determined that the controller stored the personal data in the test database for longer than was necessary for the provided purposes. The fact that the controller stated that it had not deleted the data because of carelessness was deemed irrelevant by the Court.


== Comment ==
== Comment ==
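Review bot: The sentence added to the answer to question 1 contains the typos "orginal" and "wheter", and "tests database" should read "test database". In the question 2 text, the new citation "(C‑553/07, EU:C:2009:293, punt 33)" uses the Dutch "punt" while the preceding citation uses "par 74", and "prove that is did not keep" is carried over with "is" for "it". The Question 2 heading also keeps an unbalanced ")" after the Article 5(1)(e) wikilink.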

Revision as of 10:11, 31 October 2022

CJEU - C-77/21
Court: CJEU (European Union)
Jurisdiction: European Union
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(e) GDPR
Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 6(1)(b) GDPR
Article 6(4) GDPR
Decided: 20.10.2022
Published:
Parties:
National Case Number/Name: C-77/21
European Case Law Identifier: ECLI:EU:C:2022:805
Appeal from: Fővárosi Törvényszék
Appeal to:
Original Language(s): Hungarian
Original Source: CJEU (in Hungarian)
Initial Contributor: n/a

The CJEU answered preliminary questions regarding Articles 5(1)(b) GDPR and 5(1)(e) GDPR. The controller created a ‘test database’, containing personal data of its customers, which was breached by an ethical hacker. The CJEU held that the controller violated Article 5(1)(e) GDPR because the storage of personal data in the test database was deemed unnecessary.

English Summary

Facts

This case concerned a Hungarian provider of internet and television services (controller) and the Hungarian DPA.

A technical error caused problems for the functioning of the controller’s server. After this, the controller created a database for testing (test database), to which the personal data of one third of its customers was copied. This personal data was originally kept in another database (original database), which was coupled with the website of the controller. This database contained personal data from subscribers for its newsletter, for the purpose of direct marketing. It also contained data from system administrators who provided access to the interface of the website.

On 23 September 2019, the controller learned that an ethical hacker had gained access to the test database, which contained the data of 320,000 data subjects. The hacker notified the controller and provided a line of code from the test database as proof of the security issue. The controller fixed this issue, signed an NDA (non-disclosure agreement) with the hacker and gave him a reward. The controller also deleted the test database.

The controller notified the DPA on 25 September 2019, and the DPA started an investigation into the controller. In its decision of 18 May 2020, the DPA held that the controller violated Articles 5(1)(b) GDPR and 5(1)(e) GDPR by not deleting the test database after conducting the necessary tests and fixing the errors. By not deleting this database, the controller kept the personal data of data subjects without any purpose for almost one and a half years. The DPA ordered the controller to investigate all its databases and also imposed a fine of 100,000,000 Forint on the controller. The controller appealed this decision to the Fővárosi Törvényszék (Judge for the agglomeration of Budapest), which referred the following preliminary questions to the Court of Justice of the European Union (CJEU).

1) Should the purpose limitation (Article 5(1)(b) GDPR) be interpreted in such a way that it allows a controller to store personal data, which has been collected and stored in a lawful and purposeful manner, in another database?

2) If this parallel storage of personal data is not compatible with the purpose limitation principle, is it compatible with the storage limitation principle (Article 5(1)(e) GDPR) for the controller to store in parallel in another database personal data that has otherwise been collected and stored in a lawful and purposeful manner?

Both the Hungarian DPA and the controller doubted the admissibility of the preliminary questions. Both held that the questions were not relevant for the facts of the case.

The controller and the DPA did not agree about the specific nature of the purpose of further processing. The controller stated that the test database was necessary to provide access for its customers until the errors had been corrected. Therefore, the controller held that this purpose was identical to the original purpose. The DPA stated that the original purpose and the purpose of further processing were different, since the purpose of the further processing was to conduct tests and to correct errors.

The controller also stated that it did not delete the personal data from the test database because it had been careless.

Holding

Admissibility of the preliminary questions

The CJEU determined that the preliminary questions were admissible. The CJEU held, amongst other things, that only national courts had the authority to explain and implement national law.

Question 1: Does Article 5(1)(b) GDPR allow a controller to store personal data that has been collected and stored in a lawful and purposeful manner, in another database?

The Court determined that Article 5(1)(b) GDPR contained two requirements, (1) one for the purpose of the original collection of personal data and (2) the other regarding any further processing of this personal data, which cannot occur for purposes that are incompatible with the original ones.

(1) The Court determined that the initial processing/collection by the controller was done with specified, explicit and legitimate purposes and held that the controller was using Article 6(1)(b) GDPR as a legal ground to provide subscription-contracts for its customers.

(2) The Court held that the creation of the new database and the transfer of personal data to this database was actually a form of ‘further processing’. To support this, it held that this processing operation fell under the definition of processing (Article 4(2) GDPR) and relied on the literal meaning of the word 'further' to apply it to this processing operation. The Court also stated that Article 5(1)(b) GDPR did not provide any additional requirements to assess if this further processing was compliant with the purpose of the original collection of personal data. The Court held that the question of whether or not the purposes of further processing were compliant with the original purposes is only relevant when these purposes are actually different from each other. The Court stated that this could be deduced by reading Articles 5(1)(b), 6(1)(a) and 6(4) GDPR together.

The Court continued by providing several factors for assessing the compatibility of further processing, when this processing was not conducted for the original purposes and was not based on the consent of the data subject or on a provision of Union or Member State law (Article 6(4) GDPR and recital 50):

(a) Any link between the purposes for which the personal data were collected and the purposes of the intended further processing.

(b) The context in which the personal data have been collected, in particular as regards the relationship between the data subjects and the controller.

(c) The nature of the personal data.

(d) The possible effects of the envisaged further processing on the data subjects.

(e) The existence of appropriate safeguards, both in the initial processing and in the envisaged further processing.

The CJEU answered the first preliminary question by stating that these factors (Article 6(4) GDPR), alongside all the concrete circumstances of a case, should be used by national courts to make an assessment. The national court had to determine the original purpose(s), the purpose(s) of further processing and whether or not these purposes were compatible. It also held that Article 5(1)(b) GDPR did not prevent the controller from conducting tests and correcting errors using the test database.

Despite leaving it up to the national Courts to make a decision, the Court provided additional guidance for the national court by looking at the specifics of this case. The Court determined that the original purpose of the collection by the controller was to provide subscription contracts for its customers. The Court stated that the controller created the test database to conduct tests and to correct errors in its files regarding subscribers. The Court suggested that the purpose of conducting tests and correcting errors in subscription files was related to the performance of the subscription contract, because these errors could have consequences for the performance of this contract.

Question 2: Does Article 5(1)(e) GDPR allow a controller to store personal data that has been collected and stored in a lawful and purposeful manner, in another database?

The Court answered the second question by stating that the controller violated Article 5(1)(e) GDPR with its processing.

The Court held that, according to Article 5(1)(e) GDPR, the controller should be able to prove that it did not keep personal data for longer than necessary for the purposes for which the data was originally collected (Article 5(2) GDPR). This could also mean that an originally legitimate processing operation could become incompatible with the GDPR when the personal data was no longer necessary for the original purposes (C-136/17, EU:C:2019:773, par 74). The Court also stated that personal data should be deleted when the purposes have been fulfilled (C‑553/07, EU:C:2009:293, par 33).

The Court also held that each processing operation should be compliant with Articles 5 and 6 GDPR. When a controller did not rely on consent (Article 6(1)(a) GDPR), its processing should be necessary for the purposes relied on (Articles 6(1)(b) to (e) and 5(1)(c) GDPR).

In the end, the CJEU determined that the controller stored the personal data in the test database for longer than was necessary for the provided purposes. The fact that the controller stated that it had not deleted the data because of carelessness was deemed irrelevant by the Court.

English Machine Translation of the Decision

The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.

ECLI:EU:C:2022:805
JUDGMENT OF THE COURT (first panel) 2022. October 20(*)"Preliminary decision-making - Protection of natural persons in relation to the processing of personal data - Regulation (EU) 2016/679 - Points b) and c) of paragraph (1) of Article 5 - The principle of "purposiveness" - The principle of "limited storage" - Creation of a database from an existing database for carrying out tests and correcting errors - Further data processing - The compatibility of the further processing of these data with the purposes of the original data collection - The duration of the storage in view of these purposes" C‑77/21. s. in the matter of the request for a preliminary ruling submitted pursuant to Article 267 of the EUSZ, which was submitted to the Court by the Capital Court (Hungary) on February 8, 2021, with its decision of January 21, 2021, submitted by Digi Távközlési és Szolgáltató Kft.ésa National Data Protection Authority and Freedom of Information in an ongoing proceeding between authorities, THE COURT (First Chamber), members: A. Arabadjiev, President of the Chamber, L. Bay Larsen, Deputy President, acting as President of the First Chamber, Judges P. G. Xuereb, A. Kumin and I. Ziemele (Rapporteur) , chief counsel: P. Pikamäe, registrar: councilor Illéssy, with regard to the written stage and the hearing on January 17, 2022, taking into account the comments submitted by the following:- R. Hatala and László on behalf of Digi Távközlési és Szolgáltató Kft. A. D. lawyers, represented by the National Data Protection and Freedom of Information Authority, lawyer G. Barabás, assistants: G. J. Dudás and Á Hargita. lawyers, - Zs. Biró-Tóth and M. Z. Fehér, representing the Hungarian government, in the capacity of attorney, - T. Machovičová, M. Smolek and J. Vláčil, representing the Czech government, in the capacity of attorney, - P. Barros, representing the Portuguese government da Costa, L. Inez Fernandes, I. Oliveira, J. Ramos and C. 
Vieira Guerra, in the capacity of authorized representative, –       V. Bottka and H. Kranenborg, in the capacity of authorized representative, on behalf of the European Commission, in response to the Advocate General's motion of March 31, 2022 after hearing it at the hearing, made the following Judgment1 The request for a preliminary ruling on the protection of natural persons with regard to the processing of personal data and the free flow of such data and the repeal of Directive 95/46/EC of April 27, 2016 ( EU Regulation 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) (OJ 2016 L 119, p. 1; corrections: OJ 2016 L 314, p. 72; OJ 2018 L 127, p. 2) refers to the interpretation of points b) and e) of paragraph (1) of Article 5. 2 This request was submitted by Digi Távközlési és Szolgáltató Kft. (hereinafter: Digi), one of the most important Hungarian internet and television provider, and the National Data Protection and Freedom of Information Authority (Hungary) (hereinafter: the Authority) was submitted in the context of an ongoing legal dispute regarding the violation of personal data contained in one of Digi's databases. Legal background3 Recitals (10) and (50) of Regulation 2016/679 state the following: "(10) In order to ensure a consistent and high level of protection of natural persons and to remove obstacles to the flow of personal data within the Union, natural persons with the processing of such data rights and freedoms in this context must be accorded the same level of protection in all Member States. The consistent and uniform application of the rules for the protection of the basic rights and freedoms of natural persons related to the management of their personal data must be ensured throughout the Union. 
[…][…](50) The processing of personal data for purposes other than the original purpose of their collection is only permitted if the data processing is compatible with the original purposes of the data processing for which the personal data were originally collected. In this case, there is no need for a separate legal basis other than the one that enabled the collection of personal data. […] In order to determine whether the purpose of further data processing is compatible with the original purpose of collecting personal data, the data controller – after fulfilling all the requirements for the legality of the original data processing – takes into account, among other things, everything between the mentioned original purposes and the planned further data processing purposes existing connection, the circumstances of the data collection, including in particular the data subject's reasonable expectations regarding the further use of data, based on the existing relationship with the data controller, as well as the nature of the personal data, the consequences of the planned further data processing for the data subjects, as well as the existence of appropriate guarantees for both the original and during the planned further personal data processing operations.[…]"4        Article 4 of Regulation 2016/679 entitled "Definitions" provides as follows: "For the purposes of this regulation:[…]2. 
»data management«: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as the collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, transmission, distribution or otherwise by making it available, coordination or connection, restriction, deletion or destruction;[…]” 5       According to Article 5 of the aforementioned regulation entitled “Principles for the handling of personal data”: “(1)      The personal data: a)        shall be handled lawfully and must be done fairly and transparently for the data subject ("legality, fair procedure and transparency"); in accordance with paragraph (1) of Article 89, further data processing for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes ("boundedness for purpose") is not considered incompatible with the original purpose; c) they must be appropriate and relevant in terms of the purposes of data processing , and must be limited to what is necessary ("data saving"); d) must be accurate and, if necessary, up-to-date; all reasonable measures must be taken in order to immediately delete or correct personal data that is inaccurate in terms of the purposes of data management ("accuracy"); ; personal data may only be stored for a longer period of time if the personal data will be processed in accordance with Article 89, paragraph (1) for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, the rights of the data subjects and taking into account the implementation of the appropriate technical and organizational measures required to protect your freedoms ("limited storage capacity"); including protection against its loss, destruction or damage ("integrity and confidentiality"). 
(2) The data controller is responsible for compliance with paragraph (1) and must be able to demonstrate this compliance ("accountability")."

Article 6 of that regulation, entitled "Lawfulness of processing", provides as follows:

"(1) The processing of personal data is only lawful if and to the extent that at least one of the following is fulfilled:

a) the data subject has given his consent to the processing of his personal data for one or more specific purposes;

b) data processing is necessary for the fulfillment of a contract in which the data subject is one of the parties, or it is necessary to take steps at the request of the data subject prior to the conclusion of the contract;

c) data processing is necessary for the fulfillment of the legal obligation of the data controller; necessary for the protection of the vital interests of a natural person;

e) data processing is in the public interest or necessary for the execution of a task performed in the context of the exercise of a public authority conferred on the data controller;

f) data processing is necessary for the enforcement of the legitimate interests of the data controller or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data take precedence over this interest, especially if the data subject is a child.

[…]

(4) or is based on Member State law, which is considered a necessary and proportionate measure in a democratic society to achieve the goals set out in Article 23, paragraph (1), in order to determine whether data processing for a different purpose is compatible with the purpose for which the personal data were originally collected, the data controller takes into account, among other things:

a) the possible relationships between the purposes of collecting personal data and the purposes of the planned further data processing;

whether, according to Article 9, it is about the processing of special categories of personal data, or
whether it is about the processing of data relating to the establishment of criminal liability and criminal offenses in accordance with Article 10;

d) what possible consequences the planned further processing of the data would have for the data subjects;

e) the existence of appropriate guarantees, which may also mean encryption or pseudonymization."

The main proceedings and the questions submitted for preliminary ruling

7 Digi is one of the most important internet and television service providers in Hungary.

8 In April 2018, following a technical error affecting the operation of one of its servers, Digi created a database called "test" (hereinafter: test database) into which it copied the personal data of approximately one-third of its residential customers, the latter data being stored in another database called "digihu" connected to the digi.hu website, which contained the up-to-date data of those who subscribed to the newsletter for direct marketing purposes and the data of the system administrator giving access to the website's interface.

9 On September 23, 2019, Digi learned that an "ethical attacker" had accessed the personal data of approximately 322,000 individuals stored with it. The hacker himself reported the attack to Digi by retrieving a line of the test database as evidence. Digi corrected the error that allowed access, concluded a confidentiality agreement with the mentioned person and offered him a reward.

10 Following the deletion of the test database, Digi reported the personal data breach to the Authority on September 25, 2019, which consequently launched an official audit.
11 With its decision of May 18, 2020, the Authority found, among other things, that Digi violated points b) and e) of Article 5(1) of Regulation 2016/679 by not deleting the test database immediately after running the necessary tests and correcting the error, and thus the large amount of personal data stored in this test database was stored in a record system for the next 18 months without a purpose, in a way suitable for the identification of the persons concerned. Consequently, the Authority ordered Digi to review all its databases and imposed a fine of HUF 100,000,000 (approximately EUR 248,000).

12 Digi disputed the legality of this decision before the referring court.

13 This court notes that the collection of personal data copied by Digi into the test database took place for the purpose of concluding and fulfilling subscriber contracts, and that the legality of the original collection of personal data was not questioned by the Authority. However, it has doubts as to whether the copying of the originally collected data into another database has the consequence that the purpose of the original collection and processing of this data changes. It adds that it must also determine whether the purpose of the original data collection is compatible with the creation of the test database and the continued processing of customer data in this database. It believes that the principle of "purpose limitation" provided for in Article 5(1)(b) of Regulation 2016/679 does not allow it to determine the internal systems in which the data controller is authorized to process legally collected data, nor to determine whether the data controller can copy this data into a test database without changing the original purpose of the data collection.
14 In the event that the creation of the test database is incompatible with the purpose of the original data collection, the referring court also asks whether, if the purpose of processing the subscriber data in another database is not error correction but the conclusion of a contract, the necessary storage time is to be aligned with the error correction or rather with the time required to fulfill the contractual obligations, based on the principle of "storage limitation" contained in Article 5(1)(e) of Regulation 2016/679.

15 Under these circumstances, the Capital Court (Hungary) decided to suspend the proceedings and submit the following questions to the Court for a preliminary ruling:

"(1) Should [point] b) of Article 5(1) of Regulation […] 2016/679 [...] be interpreted as meaning that it still meets the "purpose limitation" if the data controller stores the personal data collected and stored for a lawful purpose in parallel in another database, or with respect to the parallel database, the lawful purpose of the data collection is no longer

(2) If the answer to question 1 is that parallel data storage itself is not compatible with the principle of "purpose limitation", is it compatible with the principle of "storage limitation" in Article 5(1)(e) of Regulation 2016/679 if the data controller stores the otherwise legally collected and stored personal data in another database in parallel?"
Regarding the admissibility of the questions submitted for a preliminary ruling

16 The Authority and the Hungarian government expressed doubts about the admissibility of the questions for a preliminary ruling, on the grounds that these questions do not correspond to the facts of the underlying legal dispute and are not directly relevant from the point of view of its assessment.

17 In this regard, first of all, it should be recalled that, following the settled case law of the Court of Justice, it is solely the duty of the national court acting in the main case and responsible for the decision to be made to assess whether, in view of the particular characteristics of the case, a preliminary ruling is necessary for the judgment to be rendered, and whether the questions submitted to the Court are relevant. Consequently, if the questions asked relate to the interpretation or validity of a provision of EU law, the Court is, as a general rule, obliged to make a decision. It follows that the relevance of the questions submitted by the national courts must be assumed.
The rejection by the Court of a request for a preliminary ruling submitted by the national courts is only possible if it is clear that the requested interpretation is not related to the facts or the subject of the main proceedings, or if the problem in question is of a hypothetical nature, or the Court does not have knowledge of the factual and legal elements that are necessary to give a useful answer to the said questions (judgment of 16 July 2020, Facebook Ireland and Schrems, C‑311/18, EU:C:2020:559, paragraph 73, and the case law cited there).

18 In the present case, an action has been filed with the referring court for the annulment of the decision imposing sanctions on Digi, as data controller, for the alleged violation of the principles of "purpose limitation" and "storage limitation" contained in points b) and e) of Article 5(1) of Regulation 2016/679 in respect of the database containing personal data. However, the questions submitted for a preliminary ruling refer precisely to the interpretation of these provisions, so it cannot be considered that the requested interpretation of EU law is not related to the facts or subject of the main proceedings, or is hypothetical in nature. In addition, the decision requesting a preliminary ruling contains sufficient factual and legal elements to be able to give a useful answer to the questions asked by the referring court.

19 Secondly, it should be recalled that the procedure prescribed in Article 267 TFEU is based on a clear division of tasks between the national courts and the Court of Justice.
Within this framework, only the national court has the authority to interpret and apply the national legal provisions, while the Court of Justice can only take a position on the interpretation and validity of the EU legal provisions based on the facts provided by the national court (judgment of May 5, 2022, Zagrebačka banka, C‑567/20, EU:C:2022:352, point 45, and the case law referred to there).

20 Consequently, the argument regarding the inadmissibility of the questions submitted for preliminary ruling, essentially based on the fact that, in their opinion, the questions submitted do not correspond to the facts of the main proceedings.

21 Consequently, the questions submitted for preliminary ruling are admissible.

On the merits of the case

On the first question

22 With its first question, the referring court essentially asks whether Article 5(1)(b) of Regulation 2016/679 should be interpreted as meaning that it is contrary to the principle of "purpose limitation" provided for in this provision if the data controller records and stores personal data previously collected and stored in another database in a database created for the purpose of carrying out tests and correcting errors.

23 According to settled case law, in order to interpret an EU legal provision, not only its text but also the context in which it fits must be taken into account, as well as the objectives of the legal act of which it is a part (judgment of August 1, 2022, HOLD Fund Management, C‑352/20, EU:C:2022:606, point 42, and the case law referred to there).

24 In this regard, it must first be established that paragraph (1) of Article 5 of Regulation 2016/679 lays down the principles for the processing of personal data, which are mandatory for the data controller, and with which he must be able to prove compliance in accordance with the principle of accountability prescribed in paragraph (2) of this article.
25 More specifically, pursuant to point b) of paragraph (1) of Article 5 of this regulation, which states the principle of "purpose limitation", on the one hand, personal data must be collected for specific, clear and legitimate purposes, and on the other hand, they cannot be processed in a way that is incompatible with these purposes.

26 Thus, it is clear from the text of this provision that it contains two requirements: one concerns the purpose of the original collection of personal data, and the other concerns the subsequent processing of this data.

27 As regards, first of all, the requirement according to which personal data must be collected for specific, clear and legitimate purposes, it follows from the case law of the Court of Justice that it means, first of all, that the purposes of data processing must be identified at the latest when the personal data are collected, next, that the purposes of this data processing must be clearly determined, and finally, that the purposes of said data processing must, among other things, ensure the legality of the processing of this data within the meaning of Article 6(1) of Regulation 2016/679 (see in this sense: judgment of February 24, 2022, Valsts ieņēmumu dienests [Processing of personal data for tax purposes], C‑175/20, EU:C:2022:124, points 64–66).

28 In the present case, it is clear from the text of the first question and the reasons for the decision requesting a preliminary ruling that the personal data in question in the main case were collected for a specific, clear and legal purpose, and the referring court also clarifies that the collection of this data was carried out, in accordance with Article 6(1)(b) of Regulation 2016/679, for the purpose of concluding and fulfilling the subscriber contracts concluded by Digi with its customers.
it must be stated, on the one hand, that the recording and storage, in a database newly created by the data controller, of personal data stored in another database is considered "further processing" of this data.

30 The concept of "data processing" is broadly defined in point 2 of Article 4 of Regulation 2016/679 in a way that includes any operation or set of operations performed on personal data or data files in an automated or non-automated manner, including, among other things, the collection, recording and storage of this data.

31 In addition, in accordance with the usual meaning of the term "further" accepted in general language, any personal data processing that is carried out after the original collection of this data is considered "further" processing of said data, regardless of the purpose of this further processing.

32 On the other hand, it must be stated that Article 5(1)(b) of Regulation 2016/679 does not contain information on the conditions under which the further processing of personal data can be considered compatible with the purpose of the original data collection.

33 Second, the context in which this provision fits provides useful clarifications in this regard.

34 It is clear from the combined reading of Article 5(1)(b), Article 6(1)(a) and Article 6(4) that the question of whether the further processing of personal data is compatible with the purposes of the original collection of the data only arises if the purposes of the mentioned subsequent data processing are not the same as the purposes of the original data collection.
35 In addition, it follows from paragraph (4) of Article 6 above, interpreted in the context of recital (50) of the aforementioned regulation, that if data processing for a purpose other than the purpose of data collection is not based on the consent of the person concerned, EU law or the law of a Member State, then, in order to determine whether data processing for other purposes is compatible with the purpose of the original collection of personal data, the following must be taken into account: firstly, the possible relationship between the purpose of personal data collection and the purpose of the planned further data processing; secondly, the circumstances of the collection of personal data, especially in relation to the relationship between the data subjects and the data controller; thirdly, the nature of the personal data; fourthly, the possible consequences of the planned further data processing for the data subjects; and finally, fifthly, the existence of appropriate safeguards both in the context of the original data processing and the planned further data processing.
36 As pointed out essentially in points 28, 59 and 60 of the Advocate General's Opinion, these criteria express the need for a specific, logical and sufficiently close connection between the purpose of the original collection of personal data and the further processing of this data, and make it possible to ensure that this further data processing does not deviate from the legitimate expectations of subscribers regarding the further use of their data.

37 Thirdly, these criteria, as the Advocate General essentially emphasized in point 27 of his Opinion, also enable the further use of previously collected personal data to be limited, ensuring a balance between, on the one hand, the need for predictability and legal certainty regarding the purposes of processing previously collected personal data and, on the other hand, a certain degree of flexibility recognized for the data controller in the processing of this data, and thereby contribute to the achievement of the objective of ensuring a consistent and high level of protection of natural persons, set out in recital (10) of Regulation 2016/679.

38 Based on the above, it is the task of the national court, taking into account the criteria mentioned in point 35 of this judgment and the totality of the circumstances specific to the given case, to determine the purposes of both the original personal data collection and the further processing of this data, and, if the purposes of this further data processing differ from the purpose of the original data collection, to examine whether the further processing of said data is compatible with the purposes of the said original data collection.
39 In addition, the Court may, during the assessment of the request for a preliminary ruling, provide clarifications that help the national court in determining the above (see in this sense: judgment of April 7, 2022, Fuhrmann‑2, C‑249/21, EU:C:2022:269, point 32).

40 In the present case, first of all, as recalled in point 13 of this judgment, it is clear from the decision requesting a preliminary ruling that the personal data was originally collected by Digi, the data controller, for the purpose of concluding and fulfilling subscription contracts with its residential customers.

41 Second, the parties involved in the main proceedings do not agree on the specific purpose of the recording and storage by Digi of the personal data in question in the test database. While Digi claims that the specific purpose of creating the test database was to ensure access to subscriber data until the errors are corrected, and thus this purpose is the same as the purpose of the original data collection, the Authority claims that the specific purpose of further data processing is different from this purpose, as it was aimed at carrying out tests and correcting errors.

42 In this regard, it should be recalled that the case law referred to in point 19 of this judgment shows that, within the framework of the procedure provided for in Article 267 TFEU, based on a clear division of tasks between the national courts and the Court of Justice, only the national court has the authority to interpret and apply the national legal provisions, while the Court of Justice can only take a position on the interpretation and validity of the EU legal provisions based on the facts provided by the national court.
that the test database was created by Digi for the purpose of carrying out tests and correcting errors, so the referring court must assess with regard to these purposes whether further data processing is compatible with the purpose of the original data collection, which is aimed at concluding and fulfilling subscription contracts.

44 Thirdly, regarding this assessment, it must be established that the execution of tests and the correction of errors affecting the subscriber database are specifically related to the fulfillment of the subscription contracts of residential customers, for which the data were originally collected, since these errors may have a detrimental effect on the provision of the service provided for in the contract. As the Advocate General noted in point 60 of his Opinion, this data processing does not deviate from the legitimate expectations of subscribers regarding the further use of their personal data. On the other hand, it does not appear from the decision requesting a preliminary ruling that some or all of this data would have been special data, or that the further processing of the data in question would have had harmful consequences for the subscribers, or that there would not have been adequate guarantees attached to it, which in any case it is the task of the referring court to examine.
45 From the sum of the above considerations, it follows that the answer to the first question must be that Article 5(1)(b) of Regulation 2016/679 should be interpreted as meaning that it is not contrary to the principle of "purpose limitation" if the data controller records and stores personal data previously collected and stored in another database in a database created for the purpose of carrying out tests and correcting errors, if such further data processing corresponds to the specific purposes for which the personal data were originally collected, which must be determined with regard to the aspects included in Article 6(4) of the aforementioned regulation.

Regarding the second question

46 It must be stated at the outset that the referring court asks its second question, which refers to whether the storage of the personal data of Digi's customers in the test database complies with the principle of "storage limitation" in Article 5(1)(e) of Regulation 2016/679, only in the event that the reworded first question must be answered in the affirmative, i.e. in the event that this storage is incompatible with the principle of "purpose limitation" contained in Article 5(1)(b) of the aforementioned regulation.

47 However, as the Advocate General pointed out in point 24 of his Opinion, the principles contained in Article 5 of Regulation 2016/679 concerning the processing of personal data are applicable together. As a consequence, the storage of personal data must not only respect the principle of "purpose limitation", but also the principle of "storage limitation".

aims to ensure a high level of protection of natural persons within the Union, and to this end ensure the consistent and uniform application of the rules for the protection of the basic rights and freedoms of these persons related to the processing of their personal data throughout the Union.

49 For this purpose, Chapters II and III of the above Regulation lay down the principles governing the processing of personal data, as well as the rights of the data subject, which must be respected by all personal data processing. More specifically, all personal data processing must, on the one hand, be in accordance with the principles relating to data processing provided for in Article 5 of the aforementioned regulation and, on the other hand, with particular regard to the principle of the lawfulness of data processing provided for in point a) of paragraph (1) of this article, comply with one of the conditions for the lawfulness of data processing listed in Article 6 of the same regulation (see in this sense: judgment of 22 June 2021, Latvijas Republikas Saeima [Penal points], C‑439/19, EU:C:2021:504, paragraph 96; judgment of 24 February 2022, Valsts ieņēmumu dienests [Processing of personal data for tax purposes], C‑175/20, EU:C:2022:124, point 50).

50 In view of these considerations, even if the referring court formally put forward the second question exclusively in the event that the reworded first question must be answered in the affirmative, this circumstance does not prevent the Court of Justice from providing the national court with all the aspects of interpretation of EU law that are useful for its assessment of the case pending before it (see in this sense: judgment of 17 March 2022, Daimler, C‑232/20, EU:C:2022:196, point 49), and therefore from providing an answer to the second question.

51 Under these circumstances, it must be established that with this question the referring court essentially asks whether point e) of Article 5, paragraph (1) of Regulation 2016/679 should be interpreted as meaning that it is contrary to the principle of "storage limitation" provided for in this provision if the data controller stores personal data previously collected for other purposes in a database created for the purpose of performing tests and correcting errors
for a longer time than is necessary to perform these tests and correct these errors.

52 First of all, it must be established that, pursuant to point e) of Article 5(1) of Regulation 2016/679, personal data must be stored in a form that allows the identification of the data subjects only for the time necessary to achieve the purposes of data processing.

53 It is therefore clear from the text of this article that the principle of "storage limitation" requires the data controller to be able, in accordance with the principle of accountability mentioned in point 24 of this judgment, to prove that personal data is stored only for the time necessary to achieve the purposes for which they were collected or further processed.

54 It follows from this that over time even originally lawful data processing may become incompatible with Regulation 2016/679 if these data are no longer necessary to achieve these purposes (judgment of 24 September 2019, GC et al. [Delete links to special data], C‑136/17, EU:C:2019:773, paragraph 74), and that the data must be deleted if these purposes are achieved (see in this sense: judgment of 7 May 2009, Rijkeboer, C‑553/07, EU:C:2009:293, paragraph 33).

55 Secondly, this interpretation is in accordance with the context of Article 5(1)(e) of Regulation 2016/679.

56 In this regard, paragraph 49 of this judgment recalled that all personal data processing must be in accordance with the data processing principles provided for in Article 5 of the aforementioned regulation and must comply with one of the conditions for the lawfulness of data processing listed in Article 6 of the same regulation.

57 On the one hand, as is clear from the aforementioned Article 6, if the data subject has not consented to the processing of his personal data for one or more specific purposes in accordance with Article 6(1)(a) of Regulation 2016/679, the data processing – as is evident from points b)-f) of the above paragraph of the mentioned article –
must meet the requirement of necessity.

58 On the other hand, such a necessity requirement also follows from the principle of "data minimisation" prescribed in point c) of paragraph 1 of Article 5 of this regulation, according to which the personal data must be appropriate and relevant for the purposes of data processing, and they must be limited to what is necessary.

59 Thirdly, this interpretation corresponds to the purpose pursued by Article 5(1)(e) of Regulation 2016/679, which, as recalled in point 48 of this judgment, is aimed, among other things, at ensuring a high level of protection of natural persons within the EU with regard to the processing of personal data.

60 In the present case, Digi argued that the personal data of some of its residential customers stored in the test database was not deleted due to carelessness after carrying out the tests and correcting the errors.

61 Suffice it to point out in this regard that this argument is not relevant for the assessment of whether the data were stored longer than necessary to achieve the purposes of their further processing, in violation of the principle of "storage limitation" provided for in Article 5(1)(e) of Regulation 2016/679.

62 From the above considerations, it follows that the answer to the second question is that Article 5(1)(e) of Regulation 2016/679 must be interpreted as meaning that it is contrary to the principle of "storage limitation" provided for in this provision if the data controller stores personal data previously collected for other purposes in a database created for the purpose of performing tests and correcting errors for longer than is necessary to perform these tests and correct these errors.

On the costs

63 As this procedure constitutes a phase of the ongoing procedure before the referring court for the parties to the main proceedings, this court will decide on the costs.
The costs incurred in connection with submitting comments to the Court, with the exception of the costs of the mentioned parties, cannot be reimbursed.

Based on the above reasons, the Court (First Chamber) ruled as follows:

1) Article 5(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and the repeal of Directive 95/46/EC (General Data Protection Regulation) must be interpreted as follows: it is not contrary to the principle of "purpose limitation" provided for in this provision if the data controller records and stores personal data previously collected and stored in another database in a database created for the purpose of carrying out tests and correcting errors, if such further data processing corresponds to the specific purposes for which the personal data were originally collected, which must be determined with regard to the aspects included in Article 6, paragraph (4) of the aforementioned regulation.

2) Point e) of Article 5, paragraph (1) of Regulation 2016/679 must be interpreted as follows: it is contrary to the principle of "storage limitation" provided for in this provision if the data controller stores personal data previously collected for other purposes in a database created for the purpose of performing tests and correcting errors for longer than necessary to perform these tests and correct these errors.

Arabadjiev, Bay Larsen, Xuereb

Announced in Luxembourg at the public meeting on October 20, 2022.

A. Calot Escobar

A. Arabadjiev, Acting Council President