On 20 October 2022, the Court of Justice of the European Union (“CJEU”) issued its decision in Case C-77/21 Digi Távközlési és Szolgáltató Kft. (“Digi”) v. Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information, “NAIH”), relating to the request for a preliminary ruling presented by the Court of Budapest-Capital.

Specifically, the CJEU provided clarification of how Articles 5(1)(b) and 5(1)(e) of the GDPR, which deal with the principles relating to processing of personal data, are to be construed in relation to a dispute between one of the principal internet and broadcasting service providers in Hungary and the NAIH, vis-à-vis a personal data breach in a database owned by Digi.

In its decision, the CJEU concluded that Article 5(1)(b) of the GDPR must be construed as meaning that the purpose limitation principle does not necessarily prevent the data controller from recording and storing, in a database created for the purpose of analysing and rectifying errors, personal data collected and stored in a distinct database, provided that this supplementary processing is compatible with the specific purposes for which the personal data was initially collected.

The foregoing condition must therefore be analysed in light of the standards referred to in Article 6(4) of the GDPR, i.e., taking into account:

  • the link between the purposes for which the personal data was collected and the purposes of the intended further processing;
  • the context in which the personal data was collected, in particular regarding the relationship between data subjects and the controller;
  • the nature of the personal data and whether special categories are processed;
  • the possible consequences of the intended further processing; and
  • the existence of appropriate safeguards such as encryption or pseudonymisation.

On the other hand, the CJEU held that Article 5(1)(e) of the GDPR must be construed as meaning that the storage limitation principle does prevent the data controller from storing personal data originally collected for different purposes, in a database created for the purpose of running tests and rectifying errors, for a prolonged period beyond that required for conducting such analysis.

The full CJEU decision can be accessed here.
