The CJEU Ruled that Supervisory Authorities Can Order the Deletion of Unlawfully Processed Personal Data

On March 14, 2024, the Court of Justice of the EU ("CJEU") ruled that EU supervisory authorities have the (corrective) power to order data controllers who have been found to process personal data unlawfully to erase such personal data, even if the data subjects have not requested the erasure. (Case C-46/23)

The CJEU ruled that supervisory authorities have this power under Article 58(2)(g) of the GDPR, which provides that authorities may order the erasure of personal data pursuant to Article 17. The CJEU interpreted Article 17 of the GDPR (on the right to erasure) as imposing two "independent" obligations on data controllers, namely (i) to erase personal data when requested to do so by a data subject under the conditions set out in that Article, and (ii) to erase unlawfully processed personal data. The CJEU decided that this interpretation was necessary to protect data subjects who were never informed of the unlawful processing. The ECJ also ruled that, for the purposes of applying Article 17, it is irrelevant whether the controller collected the personal data directly from the data subjects or whether the data originated from another source.

* * *

Covington's Data Privacy and Cybersecurity Practice monitors CJEU cases closely and reports on relevant Court decisions and Advocate General opinions. If you have any questions about the GDPR rights, in particular the right of deletion, we would be happy to assist.