The Court of Justice clarified the power of the national data protection authority
Based on a Hungarian case, on 14 March 2024 the Court of Justice ruled that the supervisory authority of a Member State, to ensure that the GDPR is fully enforced, may order the erasure of unlawfully processed data even if prior request by the data subject has not been submitted. Such erasure may cover data collected from the affected person and data originating from another source.
The basis of the ruling is the decision of the municipality of Újpest (District IV of Budapest), which in 2020 decided to provide financial support to persons affected by COVID-19 pandemic. The municipality had asked the Hungarian State Treasury and the government office of District IV of Budapest to provide it with the personal data needed to verify the eligibility requirements for receiving the aid. The Hungarian data protection authority was informed of this practice and found that the authorities had jointly breached the rules of the GDPR and imposed related fines, as the Újpest municipality had failed to inform the data subjects, within one month provided for that purpose, of the actual use of their data, the purpose thereof and of their rights in relation to data protection. As a sanction, it also called the municipality to erase the data of eligible persons who had not applied for the support. The municipality then challenged that decision before the Budapest Regional Court. In its opinion, the national authority does not have the power to order the erasure of personal data in the absence of a prior request made to that effect by the data subject, as Article 17 of the GDPR explicitly defines the right of erasure as the right of the data subject.
Based on the above, the Hungarian court has suspended the procedure and asked for the interpretation of the GDPR from the Court of Justice, which stated that the data protection authority of a Member State, based on Article 58 of the GDPR, may take the necessary measures to fulfil its responsibility to ensure the enforcement of the GDPR. If the authority finds that the treatment of data does not comply with the GDPR, it must remedy the infringement, even without a prior request from the data subject, as if a related request would be required, it would mean that the controller, where no request is made, could continue to process them unlawfully. Based on the above, the authority may, even in the absence of a prior request made by the data subject, order the erasure of unlawfully processed data, regardless of whether those data originate directly from the data subject or another source.
As the Court of Justice does not decide the dispute itself, the procedure shall continue before the Hungarian court, with regard to the preliminary ruling.