GDPR enforcement: focus on CJEU judgment in case C-46/23

Updated: Apr 3

Publication date: 19/03/2024

The General Data Protection Regulation (GDPR) is a landmark piece of legislation that has fundamentally reshaped the data landscape in the European Union (EU). Implemented in 2018, the GDPR empowers individuals with greater control over their personal information. It grants them rights to access, rectify, erase, and restrict processing of their data. Additionally, the GDPR strengthens the role of data protection authorities in ensuring compliance by organizations. These authorities are tasked with supervising the application of the regulation and investigating potential breaches.

Hungarian Case Highlights Key GDPR Issues

A recent judgment by the Court of Justice of the European Union (CJEU) in Case C-46/23, Újpesti Polgármesteri Hivatal, offers valuable insights into the enforcement powers of data protection authorities (DPAs) under the GDPR. The case centered around the Hungarian municipal administration of Újpest. In response to the COVID-19 pandemic, Újpest collected personal data from citizens to verify their eligibility for financial support.

Data Protection Authority Steps In

Hungary's data protection authority investigated Újpest's data practices following a report. The investigation revealed that Újpest, along with other parties involved, had breached the GDPR. These breaches included failing to inform individuals within the mandated time frame about the purpose for which their data was being used and their rights under the GDPR. Notably, the authority ordered Újpest to erase the data of eligible persons who hadn't applied for financial support.

Újpest Challenges Authority's Decision

Újpest contested the data erasure order, arguing that the data protection authority lacked the power to issue it without a prior request from the data subjects themselves. This disagreement prompted the Hungarian court to seek interpretation of the GDPR from the CJEU.

CJEU Empowers Data Protection Authorities with Proactive Enforcement

The CJEU's judgment was a significant victory for data protection authorities. The court affirmed the authority's right to order data erasure on its own motion. In simpler terms, the authority can take action to ensure compliance with the GDPR even if a data subject hasn't submitted a specific request. The CJEU emphasized the data protection authority's responsibility to actively enforce the GDPR. If a breach of the GDPR is identified, the authority can implement corrective measures, including data erasure, to ensure compliance. The court reasoned that requiring a prior request from the data subject would create a loophole. It could allow organizations to retain and unlawfully process data indefinitely if individuals remained unaware of the breach or did not submit a request.

Broad Scope of Authority's Power to Order Erasure

The CJEU's judgment further clarified the scope of the data protection authority's power to order data erasure. The court ruled that the authority's power extends to all unlawfully processed data, regardless of its origin. This means the authority can order erasure of data collected directly from individuals or obtained from other sources. For instance, if Újpest had obtained data from a third party without following proper legal procedures, the data protection authority could order its erasure.

Impact of the CJEU Judgment

This landmark judgment by the CJEU strengthens the enforcement capabilities of data protection authorities under the GDPR. It ensures that individuals' rights are upheld and that organizations are held accountable for their data practices. The judgment clarifies that DPAs can take proactive measures to enforce the GDPR, even in the absence of a specific request from a data subject. This empowers DPAs to be more effective in safeguarding individual privacy rights within the EU.

Looking Ahead: Continued Importance of GDPR Compliance

The CJEU judgment serves as a reminder to organizations operating within the EU of the importance of GDPR compliance. Organizations must ensure they have robust data governance practices in place to collect, use, and store personal data lawfully. This includes obtaining clear and informed consent from individuals before processing their data, implementing appropriate technical and organizational safeguards to protect data security, and being transparent about how data is used. By complying with the GDPR, organizations can minimize the risk of enforcement actions by data protection authorities and build trust with their customers.

