EU Court Upholds Authority of Data Protection Agencies

A national data protection authority has sufficient authority to order the deletion of personal data even if the data subject has not requested it. A ruling from the Court of Justice of the European Union, based in Luxembourg, clarifies that the European Regulation on the Protection of Personal Data empowers national authorities to safeguard privacy without such a request.

The ruling follows a request for a preliminary ruling submitted by a Hungarian court. A Hungarian municipality requested economic information about its citizens from the Treasury in order to grant or deny them social assistance as a result of COVID-19. The data protection authority requested that the municipality delete the data of those who had not requested assistance, but the municipality refused, arguing that the data subjects had made no request for deletion.

Luxembourg rules that, even in the absence of a data subject’s request, the authority’s request is sufficient to execute deletion and adequately protect citizens’ privacy.

“It seems evident that economic information from the Treasury or the Tax Office cannot be used for purposes other than those for which it was obtained. Economic, financial, patrimonial, or fiscal information is especially sensitive, like health information, and therefore requires extra protection and punishment if it has not been properly safeguarded or if citizens’ privacy has been violated,” says Juan Ignacio Navas, managing partner of Navas & Cusí, a law firm specializing in European law.

“Luxembourg is particularly sensitive to the protection of personal data. Recently, it also ruled that access to criminal records – even orally – is only possible after proving a legitimate interest. This is because privacy is a value, and the protection of honor is a mandate,” concludes the managing partner of the law firm.