Nemzeti Adatvédelmi és Információszabadság Hatóság – CJEU Judgment (Hungary, 2024)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The data subject had obtained an immunity certificate confirming the vaccination against COVID-19, issued by the respective authority (the controller). This certificate included data that was generated by the controller itself, especially an ID number and a QR code. In April 2021, the data subject filed a complaint with the Hungarian DPA alleging that the controller had not published any data protection statement concerning the issuing of vaccination certificates. During the subsequent procedure the controller declared that Article 6(1)(e) GDPR and Article 9(2)(i) GDPR were the respective legal bases for the processing. Furthermore, they stated that they obtained the personal data that it processed from another body, in accordance with the provisions of Decree No 60/2021. On that basis, it asserted that, pursuant to Article 14(5)(c) of the GDPR, it was not required to provide information on the processing of those data. It nonetheless drew up the requested statement concerning the protection of personal data and published it on its website. The Hungarian DPA dismissed the complaint and found that the processing fell under Article 14(5)(c) GDPR and the domestic law included appropriate safeguards for the legitimate interests of the data subject. The data subject challenged the decision in court. The first instance court considered that the exception laid down in Article 14(5)(c) GDPR was not applicable because certain personal data produced in relation to the immunity certificates were not collected from another body by the controller, but were generated by that controller itself in the performance of its tasks. In that court’s view, only personal data obtained from another body could be covered by the exception laid down in Article 14(5)(c) GDPR. This decision was appealed by the DPA. The court of appeals then stayed the proceedings and forwarded three questions to the CJEU for a preliminary ruling: # Does the exception laid down in Article 14(5)(c) also apply to da
GDPR Articles Cited
National Law Articles
The data subject had obtained an immunity certificate confirming the vaccination against COVID-19, issued by the respective authority (the controller). This certificate included data that was generated by the controller itself, especially an ID number and a QR code. In April 2021, the data subject filed a complaint with the Hungarian DPA alleging that the controller had not published any data protection statement concerning the issuing of vaccination certificates. During the subsequent procedure the controller declared that Article 6(1)(e) GDPR and Article 9(2)(i) GDPR were the respective legal bases for the processing. Furthermore, they stated that they obtained the personal data that it processed from another body, in accordance with the provisions of Decree No 60/2021. On that basis, it asserted that, pursuant to Article 14(5)(c) of the GDPR, it was not required to provide information on the processing of those data. It nonetheless drew up the requested statement concerning the protection of personal data and published it on its website. The Hungarian DPA dismissed the complaint and found that the processing fell under Article 14(5)(c) GDPR and the domestic law included appropriate safeguards for the legitimate interests of the data subject. The data subject challenged the decision in court. The first instance court considered that the exception laid down in Article 14(5)(c) GDPR was not applicable because certain personal data produced in relation to the immunity certificates were not collected from another body by the controller, but were generated by that controller itself in the performance of its tasks. In that court’s view, only personal data obtained from another body could be covered by the exception laid down in Article 14(5)(c) GDPR. This decision was appealed by the DPA. The court of appeals then stayed the proceedings and forwarded three questions to the CJEU for a preliminary ruling: # Does the exception laid down in Article 14(5)(c) also apply to da
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (1)
Other cases involving Nemzeti Adatvédelmi és Információszabadság Hatóság in HU
Details
Judgment Date
28 November 2024
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-8403About this data
Cite as: Cookie Fines. Nemzeti Adatvédelmi és Információszabadság Hatóság - Hungary (2024). Retrieved from cookiefines.eu
Last updated: