The Hungarian data protection authority (“DPA”) imposed a fine of HUF 100 million (about EUR 280,000) on DIGI Távközlési és Szolgáltató Kft (“Digi”) in May 2020 for the violation of Article 5 (1) b) and e) (i.e. the principles of purpose limitation and storage limitation) and Article 32 (adequate technical and organisational measures) of the GDPR.
According to the DPA's decision, Digi had created a test database from a portion of its customer database in order to fix certain errors; the test database was not deleted after the errors had been fixed, and no adequate technical measures were put in place to protect it (the decision states that a vulnerability had existed for many years which Digi failed to discover).
What happened was that an ethical hacker discovered a vulnerability and reported it to Digi (the hacker also enclosed proof that he had had access to personal data). According to the hacker's report, a large number of subscribers' personal data could be accessed due to the vulnerability of the test database, and the personal data of persons who had consented to receiving direct marketing material, as well as of hosts in another database, also became accessible due to poor security measures. Digi then reported the data breach to the DPA in time, and this is how the DPA became aware of it.
Article 5 (1) b) and e) of the GDPR provides that personal data must be
b) “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);”
e) “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).”
Amongst other things, the DPA's decision states that the purpose of creating the test database (fixing the errors, which could be a legitimate processing purpose) is separate from the purpose for which the original database exists (performance of the contract with the subscribers), and that the test database should have been deleted, or the personal data in it anonymised, once the errors had been fixed. In the absence of deletion or anonymisation there was no legitimate processing purpose; thus, the processing of the data in the test database violates Article 5 (1) b) and e) of the GDPR.
Initiation of preliminary ruling procedure
Digi submitted a request for judicial review of the DPA's decision to the competent Hungarian court. The court initiated a preliminary ruling procedure before the Court of Justice of the European Union (“CJEU”) by referring the following two questions:
1. Is the principle of purpose limitation as provided for in Article 5 (1) b) of the GDPR to be interpreted as meaning that it is compliant with the principle of purpose limitation if personal data lawfully collected and stored in a database are also stored in a parallel database, or, in such a case, is the lawfulness of the purpose of storing said data in a parallel database absent?
2. If the answer to question 1 is that the parallel data storage is not compliant with the principle of purpose limitation, is it then compliant with the principle of storage limitation as provided for in Article 5 (1) e) of the GDPR if the data controller stores personal data it has otherwise lawfully collected and stored in a parallel database?
The document in which the Hungarian court put forward the above questions to the CJEU states that:
Digi argues that the legal basis for the processing of both the original and the parallel database is the performance of the contract with the subscribers; that the parallel database was created to make sure that the subscribers' data remained available; that the principle of purpose limitation does not prohibit the copying of data; and that even if the existence of a parallel database increased data protection risks, this could only be viewed as a data security issue rather than an infringement of data protection principles. Thus, in Digi's view, the existence of a parallel database does not violate the principle of purpose limitation;
as regards the principle of storage limitation, Digi argues that the purpose of processing the subscribers' data was not the fixing of the errors, so the data retention period could not be linked to the fixing of the errors. Digi says that merely because it did not delete the test database after fixing the errors, it did not violate the principle of storage limitation, since it was lawfully storing the data in a parallel database.
The Hungarian court wishes to know whether the purpose of processing changes because a parallel database is created, and whether storing the data in a parallel database is compliant with the principle of purpose limitation. In the court's view, the principle of purpose limitation gives no clear guidance on how a controller may process lawfully collected personal data within its internal systems, or on whether lawfully collected personal data can be copied to a test database without any change in the purpose of processing.
How the CJEU will decide the above issues remains to be seen.