CJEU rules that a DPA can order the erasure of unlawfully processed data even in the absence of a request from a data subject exercising the right to be forgotten


On 14 March 2024, the Court of Justice of the European Union (CJEU) delivered its judgment in Case C-46/23, Újpesti Polgármesteri Hivatal.

First, the CJEU concluded that Article 58(2) of the GDPR should be interpreted as allowing a data protection authority (DPA) to order a controller or processor to erase unlawfully processed personal data in the absence of a prior request to that effect from a data subject exercising the right to be forgotten according to Article 17(1) of the GDPR.

In reaching this conclusion, the CJEU held, inter alia, that:

  • DPAs must take appropriate measures to remedy the shortcomings identified, whatever their origin or nature, if, after an investigation, they consider that the data subject does not enjoy an adequate level of protection.
  • Article 58(2) of the GDPR distinguishes between corrective measures that can be ordered ex officio, and those that can only be adopted following a request made by the data subject to exercise his or her rights under the GDPR. The one consisting in ordering the erasure of personal data falls into the first category, as Article 58(2)(g) does not condition it in any way on the existence of a request to that effect from the data subject.
  • Article 17(1) regulates two independent scenarios: (i) the erasure of data at the request of the data subject, and (ii) the erasure of data resulting from the existence of an autonomous obligation on the part of the controller, independent of any request by the data subject.
  • A contrary interpretation that DPAs can only act upon a request from a data subject would allow controllers to retain and unlawfully process personal data in the absence of such requests.

Second, the CJEU concluded that the exercise of the power to take corrective measures under Article 58(2)(d) and (g) of the GDPR cannot depend on whether or not the personal data in question were collected directly from the data subject, as the relevant provisions of the GDPR do not contain any requirements regarding the origin of the data collected.

The CJEU’s decision is available here.