Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala – CJEU Judgment (Hungary, 2024)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
In February 2020, the Újpest administration (the controller) obtained personal data about Hungarian residents from the Hungarian Treasury and Budapest district office. The intent was to determine eligibility for a program seeking to provide financial supports to residents made vulnerable by the COVID-19 pandemic. The Hungarian DPA initiated an investigation after a report alerted it of the processing. The DPA determined that the controller failed to timely inform data subjects of the categories of personal data processed, the purposes of processing, or how they could exercise their rights in relation to the processing. On 22 April 2021, it found that the controller violated Articles 5, 14, and 12(1) GDPR. Pursuant to Article 58(2)(d), the DPA ordered the controller to erase the personal data of data subjects who were entitled to the right to erasure but had not requested it. The controller challenged the DPA’s order before the Fővárosi Törvényszék (Budapest High Court), arguing that Article 58(2)(d) GDPR does not empower the DPA to order the erasure of personal data in the absence of an Article 17 GDPR request from the data subject. Seeking clarification on the interpretations of Article 17 and 58(2)(d) GDPR, the Budapest High Court referred two questions to the CJEU: # Can a DPA order a controller or processor to erase unlawfully processed personal data despite the absence of a request from the data subject? # If the DPA can exercise such corrective power, is that so whether or not the personal data were obtained from the data subject? In deciding the first question, the Court held that some corrective powers under Article 58(2) GDPR, namely 58(2)(d) and (g) GDPR, may be exercised by the DPA on its own motion. Article 58(2)(c) GDPR, on the other hand, does require a prior data subject request. The Court noted that the plain language of Article 58(2)(d) and (g) GDPR does not require a data subject request to authorize the DPA’s corrective power. Article 58 GDPR
GDPR Articles Cited
In February 2020, the Újpest administration (the controller) obtained personal data about Hungarian residents from the Hungarian Treasury and Budapest district office. The intent was to determine eligibility for a program seeking to provide financial supports to residents made vulnerable by the COVID-19 pandemic. The Hungarian DPA initiated an investigation after a report alerted it of the processing. The DPA determined that the controller failed to timely inform data subjects of the categories of personal data processed, the purposes of processing, or how they could exercise their rights in relation to the processing. On 22 April 2021, it found that the controller violated Articles 5, 14, and 12(1) GDPR. Pursuant to Article 58(2)(d), the DPA ordered the controller to erase the personal data of data subjects who were entitled to the right to erasure but had not requested it. The controller challenged the DPA’s order before the Fővárosi Törvényszék (Budapest High Court), arguing that Article 58(2)(d) GDPR does not empower the DPA to order the erasure of personal data in the absence of an Article 17 GDPR request from the data subject. Seeking clarification on the interpretations of Article 17 and 58(2)(d) GDPR, the Budapest High Court referred two questions to the CJEU: # Can a DPA order a controller or processor to erase unlawfully processed personal data despite the absence of a request from the data subject? # If the DPA can exercise such corrective power, is that so whether or not the personal data were obtained from the data subject? In deciding the first question, the Court held that some corrective powers under Article 58(2) GDPR, namely 58(2)(d) and (g) GDPR, may be exercised by the DPA on its own motion. Article 58(2)(c) GDPR, on the other hand, does require a prior data subject request. The Court noted that the plain language of Article 58(2)(d) and (g) GDPR does not require a data subject request to authorize the DPA’s corrective power. Article 58 GDPR
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala in HU
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
14 March 2024
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-7727About this data
Cite as: Cookie Fines. Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala - Hungary (2024). Retrieved from cookiefines.eu
Last updated: