Nemzeti Adatvédelmi és Információszabadság Hatóság – CJEU Judgment (Hungary, 2024)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice ruled on a case involving a complaint about vaccination certificates in Hungary. The court found that the authority responsible for issuing these certificates did not need to provide a data protection statement because they were following the law. This decision clarifies how data protection rules apply to government-issued documents.
What happened
The court ruled that the authority issuing vaccination certificates did not need to publish a data protection statement.
Who was affected
Individuals who received COVID-19 vaccination certificates from the Hungarian authority.
What the authority found
The court held that the authority had a valid legal basis for processing personal data under specific GDPR articles, which exempted them from providing additional information.
Why this matters
This ruling highlights that government bodies may not always need to provide detailed data protection statements when issuing official documents. It serves as a reminder for companies to understand their obligations under GDPR when handling personal data.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
The data subject had obtained an immunity certificate confirming the vaccination against COVID-19, issued by the respective authority (the controller). This certificate included data that was generated by the controller itself, especially an ID number and a QR code. In April 2021, the data subject filed a complaint with the Hungarian DPA alleging that the controller had not published any data protection statement concerning the issuing of vaccination certificates.

During the subsequent procedure the controller declared that Article 6(1)(e) GDPR and Article 9(2)(i) GDPR were the respective legal bases for the processing. Furthermore, it stated that it obtained the personal data that it processed from another body, in accordance with the provisions of Decree No 60/2021. On that basis, it asserted that, pursuant to Article 14(5)(c) of the GDPR, it was not required to provide information on the processing of those data. It nonetheless drew up the requested statement concerning the protection of personal data and published it on its website.

The Hungarian DPA dismissed the complaint and found that the processing fell under Article 14(5)(c) GDPR and that the domestic law included appropriate safeguards for the legitimate interests of the data subject. The data subject challenged the decision in court.

The first instance court considered that the exception laid down in Article 14(5)(c) GDPR was not applicable because certain personal data produced in relation to the immunity certificates were not collected from another body by the controller, but were generated by that controller itself in the performance of its tasks. In that court’s view, only personal data obtained from another body could be covered by the exception laid down in Article 14(5)(c) GDPR.

This decision was appealed by the DPA. The court of appeals then stayed the proceedings and forwarded three questions to the CJEU for a preliminary ruling:

1. Does the exception laid down in Article 14(5)(c) also apply to da
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Details
Judgment Date
28 November 2024
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-8403
About this data
Cite as: Cookie Fines. Nemzeti Adatvédelmi és Információszabadság Hatóság - Hungary (2024). Retrieved from cookiefines.eu