CJEU case C-169/23 Másdi – CJEU Judgment (Hungary, 2024)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
A data subject received a certificate confirming his vaccination against COVID-19 from the Budapest Office (‘controller’). On 30 April 2021, the data subject lodged a complaint with the Hungarian DPA, claiming that (i) the Budapest Office did not create or publish a privacy notice on the issuance of these certificates and (ii) there was insufficient information regarding the purpose and legal basis of the processing, and the rights of the data subject, as well as how those rights should be exercised. The controller explained that the issuance of these certificates relied on a national Hungarian Law, Decree 60/2021. Therefore, the legal basis for the processing was Article 6(1)(e) GDPR and the processing of special categories of data under Article 9(2)(i) GDPR. In accordance with Decree 60/2021, the controller obtained the personal data by an automated transmission from the Electronic Healthcare Service Space operator and from the body responsible for recording the personal data and addresses. Therefore, the controller also argued that pursuant to Article 14(5)(c) GDPR, it was not required to provide information on the processing. The controller nonetheless created a privacy notice and published it on its website. On 15 November 2021, the Hungarian DPA dismissed the complaint considering that the controller did not have an obligation to provide information since the derogation laid down in Article 14(5)(c) GDPR was applicable to the processing. The DPA found that the fact that the controller published the information on the processing on its website even though it had no legal obligation to do so was deemed to be a good practice. The data subject challenged the decision of the Hungarian DPA before the Budapest High Court which annulled the DPA decision and ordered it to conduct a new procedure. The Budapest High Court claimed that Article 14(5)(c) was not applicable as some of the data related to the certificates were not collected by another body but were rather ge
GDPR Articles Cited
National Law Articles
A data subject received a certificate confirming his vaccination against COVID-19 from the Budapest Office (‘controller’). On 30 April 2021, the data subject lodged a complaint with the Hungarian DPA, claiming that (i) the Budapest Office did not create or publish a privacy notice on the issuance of these certificates and (ii) there was insufficient information regarding the purpose and legal basis of the processing, and the rights of the data subject, as well as how those rights should be exercised. The controller explained that the issuance of these certificates relied on a national Hungarian Law, Decree 60/2021. Therefore, the legal basis for the processing was Article 6(1)(e) GDPR and the processing of special categories of data under Article 9(2)(i) GDPR. In accordance with Decree 60/2021, the controller obtained the personal data by an automated transmission from the Electronic Healthcare Service Space operator and from the body responsible for recording the personal data and addresses. Therefore, the controller also argued that pursuant to Article 14(5)(c) GDPR, it was not required to provide information on the processing. The controller nonetheless created a privacy notice and published it on its website. On 15 November 2021, the Hungarian DPA dismissed the complaint considering that the controller did not have an obligation to provide information since the derogation laid down in Article 14(5)(c) GDPR was applicable to the processing. The DPA found that the fact that the controller published the information on the processing on its website even though it had no legal obligation to do so was deemed to be a good practice. The data subject challenged the decision of the Hungarian DPA before the Budapest High Court which annulled the DPA decision and ordered it to conduct a new procedure. The Budapest High Court claimed that Article 14(5)(c) was not applicable as some of the data related to the certificates were not collected by another body but were rather ge
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for CJEU case C-169/23 Másdi in HU
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
1 January 2024
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-7970About this data
Cite as: Cookie Fines. CJEU case C-169/23 Másdi - Hungary (2024). Retrieved from cookiefines.eu
Last updated: