The principles relating to the general restriction on the processing of personal data also include the principle of data retention, according to which personal data should be stored in a form that allows the data subject to be identified for no longer than is necessary for the purposes for which the data is processed. This means that once the purposes of processing have been achieved, the data should be erased or anonymised (Article 5(1)(e) of the GDPR).
The interpretation of the above principles was of significant importance in the judgment delivered by the Court of Justice of the European Union (‘CJEU’) on 20 October 2022, Case C‑77/21. The dispute at the heart of the case was between the Hungarian company Digi, one of the main internet and television service providers in Hungary, and the Nemzeti Adatvédelmi és Információszabadság Hatóság (the national data protection and freedom of information authority in Hungary) concerning a breach of the protection of personal data contained in Digi’s database. In this case, the Hungarian court referred questions to the CJEU for a preliminary ruling concerning the compatibility of the parallel storage of the same data in another database with the principle of purpose limitation.
FACTS
In 2017, following a technical fault, Digi created a test database to which it copied the personal data of approximately one-third of its individual customers, stored in another database. Two years later, Digi learned that a ‘white hat hacker’ had gained access to the personal data it held and had notified the company of this. Digi rectified the error that had enabled this access and entered into a confidentiality agreement with that person, offering a reward. After deleting the test database a few days later, Digi notified the national authority of the personal data breach, following which the authority initiated an inspection procedure.
However, in its decision, the national authority found that Digi had infringed Article 5(1)(b) and (e) of the GDPR because, after carrying out the necessary tests and rectifying the error, it did not immediately delete the test database, with the result that a large amount of personal data, which allowed for the identification of the data subjects, was stored in that database without a specific and legitimate purpose for almost 18 months. Consequently, the authority imposed a financial penalty on the company. The company challenged the penalty before the national court, which then referred questions to the CJEU for a preliminary ruling.
CJEU’S POSITION
The Court held that the principle of purpose limitation set out in Article 5(1)(b) of the GDPR must be interpreted as not precluding the controller from recording and storing – in a database created for the purpose of carrying out tests and correcting errors – personal data previously collected and stored in another database, provided that such further processing is consistent with the specific purposes for which the personal data were originally collected.
The grounds for the judgment delivered by the CJEU indicate that the performance of tests and the correction of errors affecting the subscriber database demonstrate a specific link to the performance of subscriber contracts concluded with individual customers, for the performance of which the data was originally collected, as such errors may have a detrimental effect on the provision of the service provided for in the contract. In the CJEU’s view, such processing does not deviate from customers’ legitimate expectations regarding the further use of their personal data. This means that copying data to a new database for the purpose of correcting errors in the IT system must be regarded as further processing, and such action does not require additional consent from customers.
However, the CJEU noted that the principle of data retention limitation requires the controller to be able to demonstrate that personal data are stored only for the period necessary to achieve the purposes for which they were collected or for which they were further processed. In this case, Digi argued that, after carrying out tests and correcting errors, it did not immediately delete the personal data of some of its individual customers stored in the test database. The CJEU therefore held that such conduct by the company infringed the principle of data retention limitation, as the controller retained data previously collected for other purposes for a period longer than was necessary to carry out tests and correct errors.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 2016 No 119, p. 1, as amended)