Can the authority order of its own motion the erasure of unlawfully processed personal data?

The Court of Justice of the European Union has ruled that competent authorities have the right and the obligation to order data controllers to erase unlawfully processed personal data, even in the absence of a formal request from the data subject. This ensures full compliance with the General Data Protection Regulation.

The Újpest administration (public authority in Hungary) requested citizens’ personal information in order to provide financial support to people affected by the COVID-19 pandemic. The Hungarian Personal Data Supervisory Authority decided that the request was in breach of the General Data Protection Regulation (GDPR) as long as individuals were not informed about the processing of their personal data and the purposes for which it was being processed. The Authority ordered the Újpest administration to erase the personal data of data subjects who were entitled to that support but had not applied for it. The Újpest administration challenged the measure on the grounds that there had been no formal request for erasure from the data subjects.

In this context, the Hungarian courts asked the CJEU to clarify whether the supervisory authority can of its own motion order the erasure of unlawfully processed personal data. The courts also asked whether a distinction could be made between the situation where the data were collected directly from the data subject and the situation where they were obtained from another source.

The CJEU ruled that the supervisory authority may order the erasure of unlawfully processed personal data even in the absence of an express request from the data subject. The GDPR does not limit the authority’s power to act only at the request of the data subject but allows the authority to intervene ex officio to ensure compliance with the Regulation. Also, according to the Court, the source of the unlawfully processed data is irrelevant.

The CJEU recalled that data controllers have an autonomous obligation to ensure that data processing complies with the GDPR. This obligation exists independently of any request from data subjects. If the processing is unlawful, the data controller is responsible for erasing the data without undue delay.

Read more

Share this

Continuous recruitment


    doc,docx,pdf,odc file types with 4mb maximum size

    Think ahead!


      doc,docx,pdf,odc file types with 6mb maximum size


      doc,docx,pdf,odc file types with 6mb maximum size


      doc,docx,pdf,odc file types with 6mb maximum size

      Vrei să știi cum îți vom utiliza datele cu caracter personal? Click aici pentru mai multe detalii.

      Think ahead! Practice at Filip & Company!


        doc,docx,pdf,odc file types with 6mb maximum size


        doc,docx,pdf,odc file types with 6mb maximum size


        doc,docx,pdf,odc file types with 6mb maximum size

        Vrei să știi cum îți vom utiliza datele cu caracter personal? Click aici pentru mai multe detalii.

        Legal Assistant


          doc,docx,pdf,odc file types with 4mb maximum size

          Webinars


            doc,docx,pdf,odc file types with 4mb maximum size

            Energy Lawyer


              doc,docx,pdf,odc file types with 4mb maximum size

              Corporate, M&A and Capital markets


                doc,docx,pdf,odc file types with 4mb maximum size

                Competition lawyer


                  doc,docx,pdf,odc file types with 4mb maximum size

                  Commercial lawyer


                    doc,docx,pdf,odc file types with 4mb maximum size

                    Continuous recruitment


                      doc,docx,pdf,odc file types with 4mb maximum size

                      Think ahead! Practice at Filip & Company!


                        doc,docx,pdf,odc file types with 6mb maximum size


                        doc,docx,pdf,odc file types with 6mb maximum size


                        doc,docx,pdf,odc file types with 6mb maximum size

                        Vrei să știi cum îți vom utiliza datele cu caracter personal? Click aici pentru mai multe detalii.

                        Webinars