CJEU rules that a DPA can order the erasure of unlawfully processed data even in the absence of a request from a data subject exercising the right to be forgotten

15.03.2024

On 14 March 2024, the Court of Justice of the European Union (CJEU) delivered its judgment in Case C-46/23, Újpesti Polgármesteri Hivatal.

First, the CJEU concluded that Article 58(2) of the GDPR should be interpreted as allowing a data protection authority (DPA) to order a controller or processor to erase unlawfully processed personal data in the absence of a prior request to that effect from a data subject exercising the right to be forgotten according to Article 17(1) of the GDPR.

In reaching this conclusion, the CJEU held, inter alia, that:

DPAs must take appropriate measures to remedy the shortcomings identified, whatever their origin or nature, if, after an investigation, they consider that the data subject does not enjoy an adequate level of protection.
Article 58(2) of the GDPR distinguishes between corrective measures that can be ordered ex officio, and those that can only be adopted following a request made by the data subject to exercise his or her rights under the GDPR. The one consisting in ordering the erasure of personal data falls into the first category, as Article 58(2)(g) does not condition it in any way on the existence of a request to that effect from the data subject.
Article 17(1) regulates two independent scenarios: (i) the erasure of data at the request of the data subject, and (ii) the erasure of data resulting from the existence of an autonomous obligation on the part of the controller, independent of any request by the data subject.
A contrary interpretation that DPAs can only act upon a request from a data subject would allow controllers to retain and unlawfully process personal data in the absence of such requests.

Second, the CJEU concluded that the exercise of the power to take corrective measures under Article 58(2)(d) and (g) of the GDPR cannot depend on whether or not the personal data in question were collected directly from the data subject, as the relevant provisions of the GDPR do not contain any requirements regarding the origin of the data collected.

The CJEU’s decision is available here.

Tags:CJEU JudgmentCorrective measuresPersonal Data ProcessingRight of erasureRight to be forgottenUpdate

-                                        Number of fines
-                                        Highest fine
+,000 €
-                                        Lowest fine
+€
-                                        Total amount of fines
+,000 €
-                                        Number of corrective measures
-                                        Number of fines triggered by data breach notifications
-                                        Number of fines triggered by complaints
-                                        Legal provisions mentioned in press releases
+                                        Article 24 (1), Article 32 (1) b), d), (2) of GDPR, Article 18 (2) of Law 102/2005

Dismissal of the data protection officer

Minimum data protection checklist on future law on whistleblowing protection

Introducing NIS 2 – main things to know and follow

Iurie Cojocaru

Partner, Head of the Data Protection practice

Roxana Ionescu

(1981-2023)

CJEU rules that a DPA can order the erasure of unlawfully processed data even in the absence of a request from a data subject exercising the right to be forgotten

15.03.2024

Statistics

Subscribe to NNDKP’s newsletters

Statistics

More In the spotlight

Statistics

Subscribe to NNDKP’s newsletters