The General Data Protection Regulation (GDPR) is a frequent topic on the agenda of the Court of Justice of the European Union (CJEU). The judgment of 14 March 2024 dealt with the power of national supervisory authorities to order the erasure of personal data without a request from the data subject.

In the dispute in question, the Hungarian supervisory authority ordered the Újpest municipal authority to delete personal data, in the scope of basic identification data and the social security number of natural persons, processed for the purpose of providing support related to the situation of covid-19 on the basis of a municipal ordinance. The Hungarian supervisory authority stated, among other things, that the Újpest Municipality did not inform the data subjects within one month of the categories of personal data processed in connection with this programme, the purpose of the processing concerned or the procedures for exercising the data subjects’ rights in this respect. The Hungarian State Treasury, which provided the data to the municipality, was also fined.

In subsequent litigation, the Hungarian court asked the CJEU if Article 58(2)(c), (d) and (g) of the GDPR must be interpreted as meaning that the supervisory authority of a Member State is entitled, in the exercise of its power to take the remedial measures provided for in those provisions, to order a controller or processor to erase personal data which have been unlawfully processed, even if the data subject has not made any request to that effect to exercise his or her rights under Article 17(1) of that regulation.

The CJEU clarified the wording of Article 17 in the sense that it contains both regimes, i.e. both erasure at the request of the data subject and at the instruction from the controller. The latter is necessary because there are situations where the data subject has not necessarily been informed that personal data concerning him or her are being processed. In order to ensure a high standard of protection and therefore effective application of the GDPR, the supervisory authority must have powers to intervene against violations of the Regulation. According to the CJEU, it does not matter whether the data collected came from the data subject himself or from another source.

Therefore, the national supervisory authority may also order the erasure of the processed data on its own initiative and the consent of the data subject is not required.