CJEU rules that supervisory bodies can order the removal of unlawfully processed data without prior requests

In a recent legal ruling (Case C-46/23), the Court of Justice of the EU (CJEU) addressed the issue of safeguarding personal data, focusing on a case involving the municipal administration of Újpest in Hungary. The administration, aiming to assist individuals affected by the COVID-19 outbreak, gathered personal information from various channels without adequately informing the individuals concerned or upholding their rights as outlined in the General Data Protection Regulation (GDPR). Consequently, fines were levied for violations of GDPR regulations.

The Hungarian data protection authority mandated the deletion of unlawfully processed data, encompassing information from individuals who hadn’t sought aid without prior requests from those individuals. This directive was challenged, prompting a referral to the CJEU for clarification. The Court determined that supervisory bodies possess the authority to instruct the removal of unlawfully processed data even in the absence of prior requests from the individuals involved. Such actions are deemed essential for upholding GDPR standards. Furthermore, directives for data deletion can encompass information obtained directly from individuals or alternative sources.

Why does this matter?

This ruling elucidates the autonomy of supervisory entities in enforcing GDPR regulations, underscoring the significance of safeguarding personal data rights within the European Union. By affirming the power to order data erasure even without prior requests from individuals, the Court reinforces the stringent enforcement of GDPR standards, ensuring greater accountability and protection for individuals’ personal information in the digital age.