CJEU case C-169/23 Másdi – CJEU Judgment (Hungary, 2024)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice ruled that a Hungarian office did not adequately inform a person about their rights when issuing COVID-19 vaccination certificates. This decision is important because it emphasizes the need for transparency in how personal data is processed. Companies should ensure they provide clear information about data handling.
What happened
The Court ruled that the Budapest Office failed to provide sufficient information about the processing of vaccination certificate data.
Who was affected
The individual who received the vaccination certificate and lodged a complaint was affected.
What the authority found
The Court found that the Budapest Office did not meet its obligations under GDPR to inform the individual about their data rights.
Why this matters
This case sets a precedent for the importance of transparency in data processing. Organizations must ensure they communicate clearly about how they handle personal information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
A data subject received a certificate confirming his vaccination against COVID-19 from the Budapest Office (‘controller’). On 30 April 2021, the data subject lodged a complaint with the Hungarian DPA, claiming that (i) the Budapest Office did not create or publish a privacy notice on the issuance of these certificates and (ii) there was insufficient information regarding the purpose and legal basis of the processing, and the rights of the data subject, as well as how those rights should be exercised. The controller explained that the issuance of these certificates relied on a national Hungarian Law, Decree 60/2021. Therefore, the legal basis for the processing was Article 6(1)(e) GDPR and the processing of special categories of data under Article 9(2)(i) GDPR. In accordance with Decree 60/2021, the controller obtained the personal data by an automated transmission from the Electronic Healthcare Service Space operator and from the body responsible for recording the personal data and addresses. Therefore, the controller also argued that pursuant to Article 14(5)(c) GDPR, it was not required to provide information on the processing. The controller nonetheless created a privacy notice and published it on its website. On 15 November 2021, the Hungarian DPA dismissed the complaint considering that the controller did not have an obligation to provide information since the derogation laid down in Article 14(5)(c) GDPR was applicable to the processing. The DPA found that the fact that the controller published the information on the processing on its website even though it had no legal obligation to do so was deemed to be a good practice. The data subject challenged the decision of the Hungarian DPA before the Budapest High Court which annulled the DPA decision and ordered it to conduct a new procedure. The Budapest High Court claimed that Article 14(5)(c) was not applicable as some of the data related to the certificates were not collected by another body but were rather ge
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for CJEU case C-169/23 Másdi in HU
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
1 January 2024
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-7970About this data
Cite as: Cookie Fines. CJEU case C-169/23 Másdi - Hungary (2024). Retrieved from cookiefines.eu
Last updated: