On March 14, 2024, the Court of Justice of the EU (“CJEU”) ruled that EU supervisory authorities have the (corrective) power to order data controllers who have been found to process personal data unlawfully to erase such personal data, even if the data subjects have not requested the erasure. (Case C‑46/23)
The CJEU ruled that supervisory authorities have this power under Article 58(2)(g) of the GDPR, which provides that authorities may order the erasure of personal data pursuant to Article 17. The CJEU interpreted Article 17 of the GDPR (on the right to erasure) as imposing two “independent” obligations on data controllers, namely (i) to erase personal data when requested to do so by a data subject under the conditions set out in that Article, and (ii) to erase unlawfully processed personal data. The CJEU decided that this interpretation was necessary to protect data subjects who were never informed of the unlawful processing.
Read more at Inside Privacy.