Background information
- Date of final decision: 22/12/2023
- Cross-border case
- LSA: Hungarian SA
- and CSAs: Polish SA
- Controller: an airline company
- Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 17 (Right to erasure (‘right to be forgotten’))
- Decision: Erasure order, Administrative fine
- Key words: Exercise of data subject rights, Lawfulness of processing, Right to erasure, Transparency, Administrative fine
Summary of the Decision
Origin of the case
The Data Subject lodged her complaint with the Polish SA stating that she requested the data controller to erase all her personal data in the online interface provided by the data controller on 23 October 2018. In previous cases it has already been identified that the Hungarian SA is the LSA for the data controller, therefore case has been transferred. Based on the data controller’s statement and the screenshot made by it on the relevant part of the IT system used to administer erasure requests, the data controller erased the Data Subject’s account on 23 November 2018, but failed to inform the Data Subject thereof prior to 6 March 2019.
Key Findings
The Hungarian SA founded that the data controller infringed Article 12(3) GDPR because it failed to inform the Data Subject of the action taken based on the request within the time limit and it also infringed the principle of transparent data processing according to Article 5(1)(a) GDPR as the Data Subject could not see what additional data, for what purpose and on what legal basis and for how long were processed by the data controller in relation to her following the erasure of her account and the related personal data. The Hungarian SA has also found that Article 5(2) GDPR cannot be regarded as a provision requiring mandatory processing. The Hungarian SA found that that the processing pursued by the data controller in the course of legal procedures related to data subjects cannot be based on the data controller’s legitimate interest, because the balancing test wasn’t appropriate.
Decision
The Hungarian SA founded that the data controller has infringed the principle of transparency under Article 5(1)(a) and Article 12(3) GDPR. Further, the Hungarian SA established that the data controller has infringed Article 6(1) and Article 17(1)(a) GDPR. Further, the Hungarian SA ordered the data controller pursuant to Article 58(2)(g) GDPR, to erase the personal data processed for the purpose of recording the Data Subject's activities in relation to the exercise of her data protection rights.
For the infringement described above, based on Article 83(2)(i) GDPR the Hungarian SA ordered the data controller to pay a fine of HUF 5,000,000, which is approximately equal to EUR 13,244.
For further information:
- The national decision has not been published.
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.