143 views 19 secs 0 comments

The CJEU Ruled that Supervisory Authorities Can Order the Deletion of Unlawfully Processed Personal Data

In Europe, Legal News
March 18, 2024
The CJEU Ruled that Supervisory Authorities Can Order the Deletion of Unlawfully Processed Personal Data
By Luxofluxo - Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=132388198

On March 14, 2024, the Court of Justice of the EU (“CJEU”) ruled that EU supervisory authorities have the (corrective) power to order data controllers who have been found to process personal data unlawfully to erase such personal data, even if the data subjects have not requested the erasure.  (Case C‑46/23)

The CJEU ruled that supervisory authorities have this power under Article 58(2)(g) of the GDPR, which provides that authorities may order the erasure of personal data pursuant to Article 17.  The CJEU interpreted Article 17 of the GDPR (on the right to erasure) as imposing two “independent” obligations on data controllers, namely (i) to erase personal data when requested to do so by a data subject under the conditions set out in that Article, and (ii) to erase unlawfully processed personal data.  The CJEU decided that this interpretation was necessary to protect data subjects who were never informed of the unlawful processing.  

Read more at Inside Privacy.