Decision 3110/2022. (III. 23.) on the supervisory powers of the data protection authority
23 March 2022
Decision number: Decision 3110/2022. (III. 23.)
Subject of the case:
Constitutional complaint aimed at establishing the lack of conformity with the Fundamental Law and annulling the judgement No. Kfv.II.37.001/2021/6 of the Curia (supervisory powers of the data protection authority, ordering ex officio erasure of unlawfully processed personal data)
The Constitutional Court declared that the challenged judgements of the Curia and of the Budapest-Capital Regional Court were in conflict with the Fundamental Law and annulled them. The petitioner data protection authority received a notification, in which the notifier objected to the data controller’s processing of data relating to the collection of signatures to force joining the European Public Prosecutor’s Office. The petitioner conducted a data protection investigation procedure, followed by an ex officio procedure, and in its decision found that the controller had collected personal data without legal basis, had not provided adequate information to the data subject, and therefore the authority ordered the controller to delete the data and to pay a data protection fine. The Budapest-Capital Regional Court, acting on an appeal by the data controller, annulled the provision of the decision ordering the data controller to delete the data. The judgement stated that, under the GDPR, the data subject is the person who has the right to request the controller to erase personal data relating to him or her without undue delay. According to the reasoning of the judgement, the data protection authority was not entitled to order the erasure of personal data in the absence of a request by the data subjects. Following a request for review by the defendant authority, the Curia upheld the judgement of the first instance. In the petitioner’s view, the judgement of the Curia violates the right to a fair trial and the right to legal remedy, and in its view the Curia’s judgement restricted the petitioner’s competence in a manner that is contrary to the Fundamental Law. In its decision, the Constitutional Court found that the courts, in their decisions and deliberations in the context of the right to the protection of personal data, failed to recognise that the broad supervisory control of data protection authorities had also been guaranteed under the Fundamental Law, EU law and obligations under international law before the GDPR. If the authority finds during the inspection that the processing of personal data by the controller is unlawful, it follows from the effective protection of fundamental rights, which is the main task of the authority, that it can not only inspect and detect unlawful personal data processing, but also order the erasure of such data ex officio (in order to protect the fundamental rights of third parties). The plenary session of the Constitutional Court thus stated that the challenged judgements of the Curia and the Budapest-Capital Regional Court were in conflict with the Fundamental Law, therefore annulled them.