Hungarian SA: deletion request in concerning an airline company

19 January 2024

Background information

  • Date of final decision: 22 December 2023
  • Cross-border case
    One-Stop-Shop Procedure the decision was taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (OSS).
  • LSA: Hungary
  • and CSAs: Poland
  • Controller: an airline company
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 17 (Right to erasure (‘right to be forgotten’))
  • Decision: Erasure order,  Administrative fine
  • Key words: Exercise of data subject rights, Lawfulness of processing, Right to erasure, Transparency,  Administrative fine

 

Summary of the Decision

 

Origin of the case  

The Data Subject lodged a complaint with the Polish Supervisory Authority (SA) stating that she requested the data controller to erase all her personal data in the online interface provided by the data controller on 23 October 2018. 

In previous cases it has already been identified that the Hungarian Supervisory Authority (SA) is the Lead Supervisory Authority (LSA) for the data controller, therefore the case has been transferred. Based on the data controller’s statement and the screenshot made by it on the relevant part of the IT system used to administer erasure requests, the data controller erased the Data Subject’s account on 23 November 2018, but failed to inform the Data Subject thereof prior to 6 March 2019. 


Key Findings 

The Hungarian SA founded that the data controller infringed Article 12(3) of GDPR, because it failed to inform the Data Subject of the action taken based on the request within the time limit. Also, it infringed the principle of transparent data processing according to Article 5(1)(a) of GDPR as the Data Subject could not see what additional data, for what purpose and on what legal basis and for how long were processed by the data controller in relation to her following the erasure of her account and the related personal data. 

The Hungarian SA has also found that Article 5(2) of GDPR cannot be regarded as a provision requiring mandatory processing. The Hungarian SA found that the processing pursued by the data controller in the course of legal procedures related to data subjects cannot be based on the data controller’s legitimate interest, because the balancing test wasn’t appropriate.

 

Decision 

The Hungarian SA found that the data controller has infringed the principle of transparency under Article 5(1)(a) and Article 12(3) of GDPR. Further, the Hungarian SA established that the data controller has infringed Article 6(1) of GDPR. Further, the Hungarian SA found that the data controller has infringed Article 17(1)(a) of GDPR. Further, the Hungarian SA ordered the data controller pursuant to Article 58(2)(g) of GDPR, to erase the personal data processed for the purpose of recording the Data Subject's activities in relation to the exercise of her data protection rights.

For the infringement described above, based on Article 83(2)(i) of GDPR the Hungarian SA ordered the data controller to pay a data protection fine of HUF 5,000,000, which is approximately equal to EUR 13,244. 

For further information: national decision
 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.