The Court of Justice of the European Union has ruled that competent authorities have the right and the obligation to order data controllers to erase unlawfully processed personal data, even in the absence of a formal request from the data subject. This ensures full compliance with the General Data Protection Regulation.
The Újpest administration (a public authority in Hungary) requested citizens’ personal information in order to provide financial support to people affected by the COVID-19 pandemic. The Hungarian Personal Data Supervisory Authority decided that the request was in breach of the General Data Protection Regulation (GDPR) because individuals were not informed about the processing of their personal data and the purposes for which it was being processed. The Authority ordered the Újpest administration to erase the personal data of data subjects who were entitled to that support but had not applied for it. The Újpest administration challenged the measure on the grounds that there had been no formal request for erasure from the data subjects.
In this context, the Hungarian courts asked the CJEU to clarify whether the supervisory authority can of its own motion order the erasure of unlawfully processed personal data. The courts also asked whether a distinction could be made between the situation where the data were collected directly from the data subject and the situation where they were obtained from another source.
The CJEU ruled that the supervisory authority may order the erasure of unlawfully processed personal data even in the absence of an express request from the data subject. The GDPR does not limit the authority’s power to act only at the request of the data subject but allows the authority to intervene ex officio to ensure compliance with the Regulation. Also, according to the Court, the source of the unlawfully processed data is irrelevant.
The CJEU recalled that data controllers have an autonomous obligation to ensure that data processing complies with the GDPR. This obligation exists independently of any request from data subjects. If the processing is unlawful, the data controller is responsible for erasing the data without undue delay.