Is A Data Controller Obligated To Erase Personal Data Without A Request From A Data Subject?

Investigating Businesses Process Data

Budapest Főváros IV Kerület Újpest Önkormányzat Polgármesteri Hivatala v Nemzeti Adatvédelmi és Információszabadság Hatóság, Case C-46/23

Case background

In 2020, the Budapest-district Újpest launched a social scheme to financially support people who had been made vulnerable by the Covid-19 pandemic. To verify who would be eligible for the scheme, the Újpest obtained personal data from the Hungarian State Treasury and the district office.

The Újpest collated the data received in a database and created a unique identifier and barcode for each set of data. In September 2020, the Hungarian supervisory authority initiated an investigation into the Újpest’s processing of the personal data in accordance with the scheme.

Following an investigation, the Hungarian supervisory authority found that the Újpest had infringed several provisions of the GDPR. In particular, the supervisory authority criticised the Újpest for not having informed the data subjects of the categories of personal data processed, the purpose of the processing, or how they could exercise their rights.

The supervisory authority ordered the Újpest to erase the personal data of the data subjects who were entitled to the support under the scheme but had not applied for it. The Újpest did not accept that the supervisory authority had the power to make such an order in circumstances where the data subject themselves had not exercised their right to erasure. They therefore referred the matter to the Budapest High Court.

The law

Under Article 17(1) of the GDPR, a data subject has the right to obtain from the controller the erasure of their personal data where the data in question has been unlawfully obtained.

Under Article 58(2)(g) of the GDPR, a supervisory authority has the power to order the rectification or erasure of personal data pursuant to Articles 16, 17, and 18.

Decision

Two questions were referred to the Budapest High Court for consideration:

1. Whether a supervisory authority can order the controller or processor to erase unlawfully processed personal data if the data subject has not asked for their data to be erased; and

2. If so, whether the supervisory authority can order the erasure of data collected directly from the data subject and originating from another source.

First question

The Court considered the precise wording of the GDPR and noted that Article 58(2) draws a distinction between corrective action that may be ordered by an authority and those actions that may only be made following a request from a data subject. For example, Article 58(2)(c) states:

to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation.”

It is clear from this wording that this power would only be exercised following a request by the data subject.

Article 58(2)(g) states that the supervisory authority shall have the power to:

order the rectification or erasure of personal data pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19”.

There is no reference here to a prior request from the data subject.

The Court also considered the precise wording of Article 17(1) of the GDPR. Article 17(1) states:

the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies…” [emphasis added].

The Court took the view that the use of the word “and” makes it clear that this provision governs two independent situations:

(1) where a data subject has asked for their data to be erased; and

(2) erasure arising from an obligation on the controller irrespective of a request from a data subject.

The Court commented as follows:

In order to ensure effective application of the GDPR, it is of particular importance that that authority has genuine powers to take effectual action against infringements of that regulation, and in particular to bring them to an end, including in situations where data subjects have not been informed that their personal data has been processed, are not aware of it, or in any event have not requested the erasure of those data.”

The Court determined that by virtue of the above, Article 58(2)(d) and (g) of the GDPR must be interpreted as the supervisory authority having the power to exercise its corrective powers under these provisions irrespective of whether the data subject has exercised his or her right to erasure.

Second question

Again, the Court considered the precise wording of Article 58(2) of the GDPR and observed that there is nothing within this provision to suggest that the supervisory authority’s powers are contingent on the origin of the data. It was therefore determined that the power to order the erasure of unlawfully processed personal data applies to both data collected from the data subject and data originating from another source.

Comment

While the above is not binding on the UK Courts, this decision is likely to shape the way that the ICO deals with exercising its powers under Article 58(2) of the GDPR in the future. It will be interesting to see how this ruling affects the enforcement action taken by the ICO going forward.

How can Nelsons helpInvestigating Businesses Process Data

Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.

If you need any advice, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.

  • Email us

Contact us today

We're here to help.

Call us on 0800 024 1976

Main Contact Form

Used on contact page

  • Email us