Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala – CJEU Judgment (Hungary, 2024)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice ruled that a Hungarian local government must erase personal data it collected without properly informing residents. The court decided that data protection authorities can order data erasure even if no one has specifically requested it. This ruling strengthens the enforcement powers of data protection authorities.
What happened
The Újpest administration collected personal data without informing residents and was ordered to erase it.
Who was affected
Hungarian residents whose personal data was collected by the Újpest administration.
What the authority found
The Court held that data protection authorities can order the erasure of unlawfully processed personal data without a request from the individuals concerned.
Why this matters
This decision reinforces the authority of data protection agencies to act on their own to protect individuals' privacy, which is crucial for all organizations handling personal data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In February 2020, the Újpest administration (the controller) obtained personal data about Hungarian residents from the Hungarian Treasury and Budapest district office. The intent was to determine eligibility for a program seeking to provide financial supports to residents made vulnerable by the COVID-19 pandemic. The Hungarian DPA initiated an investigation after a report alerted it of the processing. The DPA determined that the controller failed to timely inform data subjects of the categories of personal data processed, the purposes of processing, or how they could exercise their rights in relation to the processing. On 22 April 2021, it found that the controller violated Articles 5, 14, and 12(1) GDPR. Pursuant to Article 58(2)(d), the DPA ordered the controller to erase the personal data of data subjects who were entitled to the right to erasure but had not requested it. The controller challenged the DPA’s order before the Fővárosi Törvényszék (Budapest High Court), arguing that Article 58(2)(d) GDPR does not empower the DPA to order the erasure of personal data in the absence of an Article 17 GDPR request from the data subject. Seeking clarification on the interpretations of Article 17 and 58(2)(d) GDPR, the Budapest High Court referred two questions to the CJEU: # Can a DPA order a controller or processor to erase unlawfully processed personal data despite the absence of a request from the data subject? # If the DPA can exercise such corrective power, is that so whether or not the personal data were obtained from the data subject? In deciding the first question, the Court held that some corrective powers under Article 58(2) GDPR, namely 58(2)(d) and (g) GDPR, may be exercised by the DPA on its own motion. Article 58(2)(c) GDPR, on the other hand, does require a prior data subject request. The Court noted that the plain language of Article 58(2)(d) and (g) GDPR does not require a data subject request to authorize the DPA’s corrective power. Article 58 GDPR
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala in HU
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
14 March 2024
Authority
Court of Justice of the European Union
About this data
Cite as: Cookie Fines. Budapest Főváros IV. Kerület Újpest Önkormányzat Polgármesteri Hivatala - Hungary (2024). Retrieved from cookiefines.eu
Last updated: