CJEU. A question of law vs ethics & human dignity.
Derek Ray H.
GDPR compliance for the education sector. Service Design. CIPP/E candidate. Design Teacher.
The Hungarian supervisory authority ordered the erasure of personal data of data subjects who were indeed entitled to COVID-19 support but had not applied for it.
On 14 March 2024, the CJEU ruled in favour of GDPR (Article 58). But was it a ruling against ethics and human dignity?
The following information is taken directly from the CJEU’s own report.
“In February 2020, the Hungary Újpest administration decided to provide financial support to residents who … had been made vulnerable by the COVID-19 pandemic.”
“It approached the Hungarian State Treasury and … the district government office, in order to obtain the personal data needed to verify the eligibility requirements. That information included in particular the basic identity data and social security numbers of natural persons. The Hungarian State Treasury and the district office provided the requested data.”
“The Újpest administration collated the data received in a database established to implement its support scheme and created a unique identifier and barcode for each set of data.”
“After being alerted by a report, the Hungarian supervisory authority, acting of its own motion, initiated an investigation on 2 September 2020 into the processing of the personal data on which the above mentioned support scheme was based. In a decision of 22 April 2021, the authority found that the Újpest administration had infringed several provisions of Articles 5 and 14 as well as Article 12(1) of the GDPR. It found in particular that the Újpest administration had not informed the data subjects, within a period of one month, of the categories of personal data processed in the framework of that scheme, the purposes of the processing at issue or how those persons could exercise their rights in that regard.”
“The Hungarian supervisory authority ordered the Újpest administration, … [with reference to] … Article 58(2)(d) of the GDPR, to erase the personal data of data subjects who, according to the information provided by the district government office and the Hungarian State Treasury, were indeed entitled to that support but had not applied for it.”
On those grounds, the CJEU ruled:
“1. Article 58(2)(d) and (g) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
must be interpreted as meaning that the supervisory authority of a Member State is entitled, in the exercise of its corrective powers foreseen under those provisions, to order the controller or processor to erase unlawfully processed personal data, even though no request to that end has been made by the data subject with a view to exercising his or her rights pursuant to Article 17(1) of that regulation.
2. Article 58(2) of Regulation 2016/679
must be interpreted as meaning that the power of the supervisory authority of a Member State to order the erasure of unlawfully processed personal data may apply both to data collected from the data subject and to data originating from another source.”
Derek Ray Havelock
Asia Privacy Action.
8 months
Could the CJEU have added any recommendations to their ruling, in the understanding that the history behind the GDPR is the Declaration of Human Rights? Thoughts?