GDPR principles on purpose and storage limitation in action – the fruits of a CJEU judgment

In June 2020, the Hungarian Data Protection Authority (NAIH) imposed a fine of approx. EUR 260,000 (HUF 100 million) on an electronic communications service provider due to a personal data breach. In the appeal proceedings, the Budapest Metropolitan Court referred the case to the Court of Justice of the European Union for the interpretation of the GDPR, and then instructed the NAIH to conduct new proceedings. In the new procedure, the NAIH reduced the amount of the administrative fine to approx. EUR 208,000 (HUF 80 million).

Background

In September 2019, an ethical hacker reported to DIGI Kft. (Digi) that there was a vulnerability in the content management system of the digi.hu website that allowed access to the personal data of a large number of data subjects. The vulnerability concerned a test database created for troubleshooting purposes and a database containing personal data of data subjects who subscribe to the newsletter.

Digi notified the personal data breach to the NAIH within 72 hours after having become aware of it, and resolved the vulnerability by installing a repair package and deleting the test database.

The NAIH conducted an official inspection and then initiated an official investigation procedure in December 2019. In its Decision No. NAIH/2020/1160/10 (First Decision), the NAIH found that Digi had breached the principles of purpose limitation and storage limitation by not deleting the test database, originally created for troubleshooting purposes, after running the tests and correcting the errors. A large amount of customer data had been stored in the test database in an identifiable manner for almost a year and a half without any purpose, and the failure to delete the test database directly allowed the personal data breach to occur. The NAIH imposed a data protection fine of HUF 100 million.

Preliminary ruling by the CJEU

Digi appealed to the Metropolitan Court which referred the case to the Court of Justice of the European Union (CJEU) for a preliminary ruling on the interpretation of the principles of purpose limitation and storage limitation of the GDPR with regard to the case in question.

The following questions were examined by the CJEU:

  • Should the purpose limitation principle of the GDPR be interpreted as meaning that it is still fulfilled if a controller stores personal data, otherwise collected and stored for a legitimate purpose, in parallel in another database, or, conversely, is the legitimate purpose of collecting those data no longer valid as far as the parallel database is concerned?
  • If the answer to the above question is that the parallel storage of data is in principle incompatible with the principle of purpose limitation, is it compatible with the storage limitation principle of the GDPR if the controller stores in parallel in another database personal data which were otherwise collected and stored for a legitimate purpose?

In its judgment (C‑77/21), the CJEU ruled that the principle of purpose limitation does not preclude the recording and storage by the controller, in a database created for the purposes of carrying out tests and correcting errors, of personal data previously collected and stored in another database, where such further processing is compatible with the specific purposes for which the data were initially collected, which must be determined having regard to the (compatibility) criteria set out in Article 6(4) of the GDPR.

There is a specific link between conducting the tests and correcting errors affecting the subscriber database and the performance of the subscription contracts of private customers for which the data were originally collected, as such errors may be prejudicial to the provision of the contractually agreed service. This processing does not deviate from the legitimate expectations of these subscribers regarding the further use of their personal data.

However, according to the CJEU, the principle of storage limitation precludes the storage by the controller, in a database created for the purposes of carrying out tests and correcting errors, of personal data previously collected for other purposes for longer than is necessary for conducting those tests and correcting those errors.

Judgment of the Metropolitan Court

Based on the CJEU's findings, the Metropolitan Court reached the following conclusions in its judgment:

Re. the principle of purpose limitation:

  • Although the original purpose of the data processing was the conclusion and performance of subscriber agreements, this did not in itself mean that this purpose could not be accompanied by other so-called "further purposes", which means that the principle of "purpose limitation" also applies to such a "further purpose".
  • Processing for further purpose may be allowed if the further processing of personal data is compatible with the purpose for which the personal data were initially collected. To determine this, the criteria set out under Article 6(4) of the GDPR should be considered, e.g., any link between the purpose for which the personal data were initially collected and the envisaged purpose of the further processing. Such conditions are of exemplary nature, and the fulfilment of even one condition may be sufficient to comply with the principle of purpose limitation.
  • While Digi originally collected and stored personal data for the purpose of concluding and performing subscription agreements, the immediate purpose of creating the test database was to carry out the tests necessary for correcting specific errors. Although the test database was created for troubleshooting purposes, such purpose was specifically linked to the purpose for which the personal data were originally processed. The testing and correction of errors is clearly necessary to allow Digi to access and use subscriber data for the conclusion and performance of subscription contracts, thereby promoting the achievement of the original purpose of the processing.
  • Digi therefore processed personal data of its customers in the test database lawfully, in accordance with the principle of purpose limitation and in a manner compatible with the original purpose of the processing.

Re. the principle of storage limitation:

  • As time passes, initially lawful processing of personal data may become incompatible with the GDPR where those data are no longer necessary for the purposes for which they were collected. Such data must be erased once those purposes have been fulfilled. Although the purpose of creating the test database was closely linked to the original purpose of data processing, it is a separate purpose.
  • Processing of personal data between April 2018, when the original testing was done, and September 2019, when the dataset was actually removed from the internet, exceeded the necessary period of data processing by an unreasonable length of time. Digi admitted that it did not delete the test database out of negligence, although maintaining the database was no longer justified on the basis of correcting errors, and then forgot about the test database until it became aware of the cyberattack. This shows that Digi no longer had a direct purpose for the contested processing, which does not in itself exclude the fulfilment of the purpose limitation principle as described above.
  • Based on the above, the processing activity was not compatible with the principle of storage limitation.

The Metropolitan Court annulled the First Decision with regard to the breach of the principle of purpose limitation, the amount of the fine imposed and publicity. The court instructed the NAIH to conduct new proceedings as regards the legal effects. The court ruled that, should the NAIH impose a fine, its amount cannot exceed the approx. EUR 260,000 (HUF 100 million) imposed by the First Decision, given that the principle of purpose limitation had not been breached. In all other respects, the Metropolitan Court dismissed Digi's appeal.

Digi filed an extraordinary appeal against the decision of the Metropolitan Court to the Curia, which is the supreme court in Hungary. The Curia did not admit the appeal, inter alia, on the basis that: (i) the special weight and social significance of the legal questions cannot be established merely on the grounds that the data processing activity affects a large number of data subjects; and (ii) there is no need for preliminary ruling proceedings before the CJEU if the CJEU has already interpreted the applicable EU law in the case concerned.

The repeated proceedings of the NAIH and the new amount of the fine

The NAIH reduced the original amount of the fine by 20 percent and imposed a fine of approx. EUR 208,000 (HUF 80 million) on Digi due to the breach of the principle of storage limitation and the risks to the privacy of data subjects resulting from the severe data security breaches.

With regard to the assessment of the proportionality of the amount of the fine, the NAIH considered, inter alia, the following four elements:

  • the data security breach resulted from a repairable vulnerability that had been known for nine years, so the implemented measures did not comply with the state of the art;
  • data security risks had not been properly examined due to the lack of security testing and vulnerability assessment of the website;
  • the lack of adequate encryption significantly increased data security risks;
  • the storage of the database involved in the personal data breach was not compatible with the principle of storage limitation.

Takeaways from the case

The judgment of the Metropolitan Court, which was based on the assessment of data processing principles provided by the CJEU, confirmed that the original purpose of concluding and performing a subscription contract with a customer, and the further purpose of testing and correcting errors in the subscriber database, are compatible due to the existence of a direct link between them.

The conditions of the compatibility of data processing purposes defined by Article 6(4) of the GDPR are of exemplary nature, and the fulfilment of even one condition may be sufficient to comply with the principle of purpose limitation.

The approx. EUR 260,000 (HUF 100 million) fine imposed by the NAIH in the First Decision was the highest fine at that time. Since then, the NAIH has imposed a fine of approx. EUR 650,000 (HUF 250 million) on a bank. These and other enforcement decisions show a trend of increasing GDPR fine amounts in Hungary.

Digi had the right to remedy against the decision of the NAIH issued in the new procedure by means of initiating administrative litigation.

Details of decisions regarding fines imposed on Digi:

  • First Decision of the NAIH: NAIH/2020/1160/10, dated 18 May 2020 (in Hungarian).
  • CJEU preliminary ruling (C-77/21), dated 20 October 2022.
  • Order of the Metropolitan Court No. 105.K.704.076/2022/4, dated 9 March 2023.
  • Order of the Curia No. Kfv.IV.37.334/2023/2, dated 20 June 2023.
  • Second Decision of the NAIH No. NAIH-6427-1/2023, dated 22 June 2023 (in Hungarian).

This article has been prepared using publicly available information. Bird & Bird did not advise Digi in the above case.
