On 20 October 2022, the Court of Justice of the European Union (“CJEU”) issued its decision in Case C-77/21 Digi Távközlési és Szolgáltató Kft. (“Digi”) v. Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information, “NAIH”), relating to the request for a preliminary ruling presented by the Court of Budapest-Capital.
Specifically, the CJEU provided clarification of how Articles 5(1)(b) and 5(1)(e) of the GDPR, which deal with the principles relating to processing of personal data, are to be construed in relation to a dispute between one of the principal internet and broadcasting service providers in Hungary and the NAIH, vis-à-vis a personal data breach in a database owned by Digi.
In its decision, the CJEU concluded that Article 5(1)(b) of the GDPR must be construed as meaning that the purpose limitation principle does not necessarily prevent the data controller from recording and storing, in a database created for the purpose of analysing and rectifying errors, personal data collected and stored in a distinct database, provided that this further processing is compatible with the specific purposes for which the personal data was initially collected.
The foregoing condition must therefore be analysed in light of the standards referred to in Article 6(4) of the GDPR, i.e., taking into account:
- the link between the purposes for which the personal data was collected and the purposes of the intended further processing;
- the context in which the personal data was collected, in particular regarding the relationship between data subjects and the controller;
- the nature of the personal data and whether special categories are processed;
- the possible consequences of the intended further processing; and
- the existence of appropriate safeguards such as encryption or pseudonymisation.
On the other hand, the CJEU held that Article 5(1)(e) of the GDPR must be construed as meaning that the storage limitation principle precludes the data controller from storing personal data originally collected for different purposes, in a database created for the purpose of running tests and rectifying errors, for a period exceeding that required for conducting such analysis.
The full CJEU decision can be accessed here.
Please contact Jose Saras and Xavier Prida if you have any questions about the regulatory principles applicable to personal data processing activities.
The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.