Preiskel & CoPreiskel & Co
Preiskel & Co
A boutique law firm in London
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Karthyaeni Vittala
    • Tina Cowen
    • Xavier Prida
    • Martina Raciti
    • Ewelina James
    • Rachael Machado
    • Maria Constantin
    • Peter Dally
    • Richard Stewart
    • Joanna Coombs-Huang
    • Paul Stelges
    • Hannah Leader
    • Alison MacFarlane
    • Ilanit Appelfeld
    • Daniel Oakland
    • Sophia Yakhno
    • Sue Warwick
    • D A T Green
    • Antony Corel
    • Stewart White
    • Mor Swiel
    • Stephen Hornsby
    • Tony Curzon-Price
    • Robert Harvey
    • Shardi Shameli
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

CJEU clarifies the interpretation of purpose and storage limitation principles under the GDPR

October 27, 2022By Preiskel & Co

On 20 October 2022, the Court of Justice of the European Union (“CJEU”) issued its decision in Case C-77/21 Digi Távközlési és Szolgáltató Kft. (“Digi”) v. Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information, “NAIH”), relating to the request for a preliminary ruling presented by the Court of Budapest-Capital.

Specifically, the CJEU provided clarification of how Articles 5(1)(b) and 5(1)(e) of the GDPR, which deal with the principles relating to processing of personal data, are to be construed in relation to a dispute between one of the principal internet and broadcasting service providers in Hungary and the NAIH, vis-à-vis a personal data breach in a database owned by Digi.

In its decision, the CJEU concluded that Article 5(1)(b) of the GDPR must be construed in the sense that the purpose limitation principle does not necessarily prevent the recording and storing by the data controller in a database created for the purpose of analysing and rectifying errors, of personal data collected and stored in a distinct database, provided said supplementary processing is compatible with the specific purposes for which the personal data was initially collected.

The foregoing condition must therefore be analysed in light of the standards referred to in Article 6(4) of the GDPR, i.e., taking into account:

  • the link between the purposes for which the personal data was collected and the purposes of the intended further processing;
  • the context in which the personal data was collected, in particular regarding the relationship between data subjects and the controller;
  • the nature of the personal data and whether special categories are processed;
  • the possible consequences of the intended further processing; and
  • the existence of appropriate safeguards such as encryption or pseudonymisation.

On the other hand, the CJEU resolved that Article 5(1)(e) of the GDPR must be construed in the sense that the storage limitation principle indeed impedes the data controller from storing personal data originally collected for different purposes in a database created for the purpose of running tests and rectifying errors, for a prolonged period beyond that required for conducting such analysis.

The full CJEU decision can be accessed here.

Please contact Jose Saras and Xavier Prida if you have any questions about the regulatory principles applicable to personal data processing activities.

The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.

Latest Preiskel & Co blog posts
  • CMA AI Report: The Foundation of the UK’s AI Response
    September 21, 2023
  • Navigating Health Data Compliance: A Roadmap for Employers
    September 21, 2023
  • Transatlantic convergence? Recent cases on advertising and privacy from the USA and UK
    September 15, 2023
  • Practical Guide – Net Neutrality in the UK
    September 14, 2023
  • Virgin succeeded in defending a claim by EE for loss of EE’s profits caused by Virgin’s breach of the MVNO Exclusivity Clause
    September 12, 2023
  • Getting out of a (data) scrape: global statement published for the protection of publicly accessible personal data online
    September 8, 2023
  • The dark side of design: the ICO and CMA call for businesses to rethink their website layouts
    August 18, 2023
  • Could the Supreme Court’s ruling on litigation funding agreements cause havoc for litigation funders?
    August 17, 2023
  • US Threats of a ‘Te(ch)xodus’ from the UK?
    August 17, 2023
  • Smoother Sailing for EU-US Data Transfers after GDPR Adequacy Decision
    August 4, 2023
  • Unlocking Data Flows: EU-US Data Privacy Framework Receives Adequacy Decision
    July 13, 2023
  • UK’s World Leading Approach on Artificial Intelligence – White Paper outlines 5 guideline principles for responsible use of AI
    July 5, 2023

The Preiskel Blog

  • CMA AI Report: The Foundation of the UK’s AI Response 21 Sep 2023
  • Navigating Health Data Compliance: A Roadmap for Employers 21 Sep 2023
  • Transatlantic convergence? Recent cases on advertising and privacy from the USA and UK 15 Sep 2023
  • Practical Guide – Net Neutrality in the UK 14 Sep 2023

Preiskel news

  • Practical Guide – Net Neutrality in the UK
  • Danny Preiskel featured in GCCM Magazine (June/July 2023 issue 55)  
  • Danny Preiskel moderating a panel at the MEF Connects – The Future of Fraud Prevention event (5th September 2023, hybrid)
  • Preiskel & Co advised TMT Analysis on the acquisition of Phronesis Technologies
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2023 | Site map | Legal notices | Cookie Policy | Privacy