On March 14, 2024, the Court of Justice of the European Union (CJEU) published its judgment in Case C-46/23 Újpesti Polgármesteri Hivatal, clarifying the powers of a data protection authority, following the Budapest High Court referring a matter to the CJEU for a preliminary ruling. 

Background

The CJEU noted that the Hungarian data protection authority, the National Authority for Data Protection and Freedom of Information (NAIH), found that the municipal administration of Újpest, the Hungarian State Treasury, and the government office of the fourth district of Budapest breached the rules of the General Data Protection Regulation (GDPR) when processing personal data to provide financial support to citizens who were made vulnerable during the COVID-19 pandemic. The NAIH subsequently ordered the municipal administration of Újpest to erase the personal data of persons who had not applied for financial support.

Additionally, the CJEU noted that the municipal administration of Újpest contested this decision before the Budapest High Court, arguing that the NAIH did not have the power to order the erasure of personal data without a request from the data subject.

Findings of the CJEU

The CJEU held that data protection authorities of Member States may order the erasure of unlawfully processed personal data, even in the absence of a prior request by the data subject if such a measure is necessary to fulfill its responsibility of enforcing the GDPR under Articles 58(2)(d) and 58(2)(g) of the GDPR.

You can read the press release here and the judgment, only available in French and Hungarian, here.