Blog details

EU Supervisory Authorities have a right to order the erasure of unlawfully processed data without a request from the data subject

EU Supervisory Authorities have a right to order the erasure of unlawfully processed data without a request from the data subject

The CJEU has ruled that EU Supervisory Authorities have a right to order the erasure of unlawfully processed data even without a prior request from the data subject.


The recent ruling by the Court of Justice of the European Union (CJEU) has significant implications for the processing of personal data by organisations within the European Union. The CJEU ruled that EU Supervisory Authorities (SAs) of member states have the power to order organisations to delete unlawfully processed data without a request from the data subject. This decision provides SAs with a more robust enforcement tool to ensure compliance with the General Data Protection Regulation (GDPR). The CJEU’s ruling stems from a case involving the Újpest District Administration in Hungary. The Hungarian court had ordered the Újpest administration to erase the data of persons who had qualified for financial aid, as the use of their data for qualification for this financial aid had not been communicated to the data subjects. 


The CJEU affirmed that data subject requests are not necessary for Supervisory Authorities to mandate the deletion of unlawfully processed data.


Following the request to erase the data, the Újpest administration sought a GDPR interpretation from the CJEU regarding whether an SA could, in fact, order the erasure of data without a request from the data subject. In its ruling, the CJEU held that Article 58(2)(g) of the GDPR empowers SAs to order an organisation to delete unlawfully processed data, even if the data subject has not requested its erasure. The Court underscored the importance of this power, rationalising it as a critical tool for the enforcement of GDPR provisions. It was argued that in order for the regulation to be effectively administered and for the protection of data subjects’ rights to be adequately maintained, SAs must possess the capability to act independently in ordering the eradication of improperly handled data.


This ruling emphasises the extensive enforcement powers of Supervisory Authorities under the GDPR, mandating rigorous compliance from organisations and enhancing data subject protection.


The CJEU’s ruling has several important implications for organisations processing personal data within the EU. First, it clarifies that SAs have broad powers to enforce the GDPR, including the power to order the erasure of unlawfully processed data. This means that organisations must take data protection seriously and ensure that they are compliant with the GDPR. In addition, the CJEU’s ruling provides data subjects with an additional layer of protection. Data subjects can now seek erasure of their unlawfully processed data directly from Supervisory Authorities, without having to file a complaint with the organisation that processed the data. This is also likely to have a significant impact on the way that organisations manage personal data. Organisations will need to carefully consider whether they are required to erase data as failure to erase unlawfully processed data could result in enforcement action by SAs.


The CJEU’s ruling considerably strengthens GDPR enforcement by broadening Supervisory Authorities’ powers to ensure organisations adhere to data protection standards and uphold individual privacy within the EU.


This landmark ruling by the CJEU demonstrates the broad scope of authority provided to Supervisory Authorities under the GDPR framework. It reaffirms the role of this regulation in upholding the privacy and protection of individuals’ data within the European Union. In addition, this decision plays a crucial role in reinforcing the accountability of organisations in their data processing activities, ensuring that they adhere to the highest standards of data protection as stipulated by GDPR. By empowering SAs to act decisively in cases of unlawful data processing without waiting for complaints or requests from data subjects, the CJEU has significantly bolstered the enforcement mechanism of the GDPR, thereby enhancing the protection afforded to individuals’ personal data.

Elevate your data protection standards with Aphaia. Schedule a consultation today and embark on a journey toward strengthening security, regulatory compliance, and the peace of mind that comes with knowing your data is in expert hands. Contact us today.

Prev post
EU Artificial Intelligence Act passed by the European Parliament
March 21, 2024
Next post
Possible fines under US data protection laws
April 4, 2024