–

Digi Távközlési és Szolgáltató Kft., by R. Hatala and A.D. László, ügyvédek,

–

the Nemzeti Adatvédelmi és Információszabadság Hatóság, by G. Barabás, legal adviser, assisted by G.J. Dudás and Á. Hargita, ügyvédek,

–

the Hungarian Government, by Zs. Biró-Tóth and M.Z. Fehér, acting as Agents,

–

the Czech Government, by T. Machovičová, M. Smolek and J. Vláčil, acting as Agents,

–

the Portuguese Government, by P. Barros da Costa, L. Inez Fernandes, I. Oliveira, M.J. Ramos and C. Vieira Guerra, acting as Agents,

–

the European Commission, by V. Bottka and H. Kranenborg, acting as Agents,

1

This request for a preliminary ruling concerns the interpretation of Article 5(1)(b) and (e) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and corrigendum OJ 2018 L 127, p. 2).

2

The request has been made in proceedings between Digi Távközlési és Szolgáltató Kft. (‘Digi’), one of the leading internet service and television providers in Hungary, and the Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information, Hungary) (‘the Authority’) regarding a breach of personal data contained in a Digi database.

3

Recitals 10 and 50 of Regulation 2016/679 state:

…

4

Article 4 of Regulation 2016/679, headed ‘Definitions’, provides:

‘For the purposes of this Regulation:

…

…’

5

Under Article 5 of that regulation, headed ‘Principles relating to processing of personal data’:

‘1.   Personal data shall be:

2.   The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’

6

Article 6 of that regulation, headed ‘Lawfulness of processing’, provides:

‘1.   Processing shall be lawful only if and to the extent that at least one of the following applies:

…

4.   Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

7

Digi is one of the leading internet service and television providers in Hungary.

8

In April 2018, following a technical failure affecting the operation of a server, Digi created a ‘test’ database (‘the test database’), to which it copied the personal data of around one third of its private customers, which were stored in another database, called the ‘digihu’ database, which could be linked to the website www.digi.hu, containing the up-to-date data of subscribers to Digi’s newsletter, for direct marketing purposes, and the data of systems administrators, giving access to the website interface.

9

On 23 September 2019, Digi became aware that an ‘ethical hacker’ had gained access to the personal data held by it in relation to around 322000 persons. Digi was informed of that access by the ‘ethical hacker’ himself, who sent Digi a line from the test database by way of evidence. Digi corrected the fault which had enabled that access and concluded a confidentiality agreement with the hacker, to whom it offered a reward.

10

After deleting the test database, Digi notified the personal data breach to the Authority on 25 September 2019, and the Authority subsequently opened an investigation.

11

By decision of 18 May 2020, the Authority found, inter alia, that Digi had infringed Article 5(1)(b) and (e) of Regulation 2016/679, in that, after carrying out the necessary tests and correcting the fault, it had not immediately deleted the test database, with the result that a large amount of personal data had been stored in that database for no purpose for nearly 18 months, in a file from which it was possible for the data subjects to be identified. As a consequence, the Authority required Digi to review all its databases and fined it the sum of 100000000 Hungarian forint (HUF) (around EUR 248000).

12

Digi challenged the legality of that decision before the referring court.

13

The referring court points out that the personal data copied by Digi to the test database were collected for the purposes of the conclusion and performance of subscription contracts and that the lawfulness of the initial collection of the personal data was not called into question by the Authority. It wonders, however, whether the effect of the copying, to another database, of the data initially collected was to change the purpose of the initial collection and the processing of those data. It adds that it must also determine whether the creation of a test database and the further processing, in that other database, of customers’ data are compatible with the purposes of the initial collection. It considers that the principle of ‘purpose limitation’, as set out in Article 5(1)(b) of Regulation 2016/679, does not enable it to determine the internal systems in which the controller is entitled to process the lawfully collected data or to ascertain whether the controller may copy those data to a test database without changing the purpose of the initial data collection.

14

If the creation of the test database is incompatible with the purpose of the initial collection, the referring court also wonders whether, since the purpose of the processing of subscribers’ data in another database was not to correct errors but to conclude contracts, the necessary retention period must, under the principle of ‘storage limitation’ appearing in Article 5(1)(e) of Regulation 2016/679, correspond to the period necessary for the correction of errors or to that necessary for the performance of the contractual obligations.

15

In those circumstances, the Fővárosi Törvényszék (Budapest High Court, Hungary) decided to stay the proceedings and to refer the following questions to the Court for a preliminary ruling:

16

The Authority and the Hungarian Government expressed doubts as to the admissibility of the questions referred, on the ground that those questions do not correspond to the facts of the dispute in the main proceedings and are not directly relevant to the resolution of that dispute.

17

In that regard, first, it should be recalled that it follows from settled case-law of the Court that it is solely for the national court before which the dispute has been brought, and which must assume responsibility for the subsequent judicial decision, to determine, in the light of the particular circumstances of the case, both the need for a preliminary ruling in order to enable it to deliver judgment and the relevance of the questions which it submits to the Court. Consequently, where the questions referred concern the interpretation or the validity of a rule of EU law, the Court is in principle bound to give a ruling. It follows that questions referred by national courts enjoy a presumption of relevance. The Court may refuse to rule on a question referred by a national court only where it appears that the interpretation sought bears no relation to the actual facts of the main action or its object, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it (judgment of 16 July 2020, Facebook Ireland and Schrems, C‑311/18, EU:C:2020:559, paragraph 73 and the case-law cited).

18

In this case, the referring court has before it an action seeking annulment of a decision penalising Digi, in its capacity as controller, for having breached the principle of ‘purpose limitation’ and the principle of ‘storage limitation’, laid down, respectively, in Article 5(1)(b) and (e) of Regulation 2016/679, by having failed to delete a database containing personal data permitting identification of the data subjects. The questions referred relate precisely to the interpretation of those provisions, with the result that it cannot be found that the interpretation sought of EU law bears no relation to the actual facts of the main action or to its object or is hypothetical. Moreover, the order for reference contains sufficient factual and legal material to give a useful answer to the questions submitted by the referring court.

19

Secondly, it is important to recall that, in proceedings under Article 267 TFEU, which are based on a clear separation of functions between the national courts and the Court, the national court alone has jurisdiction to interpret and apply national law, while the Court is empowered only to give rulings on the interpretation or the validity of an EU provision on the basis of the facts which the national court puts before it (judgment of 5 May 2022, Zagrebačka banka, C‑567/20, EU:C:2022:352, paragraph 45 and the case-law cited).

20

Consequently, the argument relating to the inadmissibility of the questions referred, which the Authority and the Hungarian Government base, in essence, on the claim that the questions referred do not correspond to the facts of the dispute in the main proceedings, must be rejected.

21

It follows that the questions referred are admissible.

22

By its first question, the referring court asks, in essence, whether Article 5(1)(b) of Regulation 2016/679 must be interpreted as meaning that the principle of ‘purpose limitation’, laid down in that provision, precludes the recording and storage by the controller, in a database created for the purposes of carrying out tests and correcting errors, of personal data previously collected and stored in another database.

23

In accordance with settled case-law, the interpretation of a provision of EU law requires account to be taken not only of its wording, but also of its context, and the objectives and purpose pursued by the act of which it forms part (judgment of 1 August 2022, HOLD Alapkezelő, C‑352/20, EU:C:2022:606, paragraph 42 and the case-law cited).

24

In that regard, in the first place, it should be pointed out that Article 5(1) of Regulation 2016/679 establishes the principles relating to the processing of personal data, which apply to the controller and with which the controller must be able to demonstrate compliance, in accordance with the principle of accountability set out in Article 5(2).

25

In particular, under Article 5(1)(b) of that regulation, which sets out the principle of ‘purpose limitation’, personal data are, first, to be collected for specified, explicit and legitimate purposes and, second, not to be further processed in a manner that is incompatible with those purposes.

26

It is thus apparent from the wording of that provision that it comprises two requirements, one relating to the purposes of the initial collection of the personal data and the other concerning the further processing of those data.

27

Regarding, first, the requirement that personal data are to be collected for specified, explicit and legitimate purposes, it follows from the case-law of the Court that that requirement implies, first of all, that the purposes of the processing are to be identified at the latest at the time of the collection of the personal data, next, that the purposes of that processing are to be clearly stated and, finally, that the purposes of that processing are to guarantee, inter alia, the lawfulness of the processing of those data, within the meaning of Article 6(1) of Regulation 2016/679 (see, to that effect, judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes), C‑175/20, EU:C:2022:124, paragraphs 64 to 66).

28

In this case, it is apparent from the wording of the first question and the grounds of the order for reference that the personal data at issue in the main proceedings were collected for specified, explicit and legitimate purposes, with the referring court specifying, in addition, that those data were collected for the purposes of the conclusion and performance by Digi of subscription contracts with its customers, in accordance with Article 6(1)(b) of Regulation 2016/679.

29

With regard, secondly, to the requirement that the personal data are not to be the subject of further processing which is incompatible with those purposes, it should be pointed out, on the one hand, that the recording and storage, by the controller, in a newly created database, of personal data stored in another database constitutes ‘further processing’ of those data.

30

The concept of ‘processing’ is defined broadly in Article 4(2) of Regulation 2016/679 as covering any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as, inter alia, the collection, recording and storage of those data.

31

Moreover, in accordance with the usual meaning of the term ‘further’ in everyday language, any processing of personal data which is subsequent to the initial processing constituted by the initial collection of those data constitutes ‘further’ processing of those data, regardless of the purpose of that further processing.

32

On the other hand, it should be pointed out that Article 5(1)(b) of Regulation 2016/679 does not contain any indication of the circumstances in which further processing of personal data may be regarded as compatible with the purposes of the initial collection of those data.

33

The context of that provision nevertheless provides, in the second place, useful clarification in that regard.

34

It is apparent from a combined reading of Article 5(1)(b), Article 6(1)(a) and Article 6(4) of Regulation 2016/679 that the question of the compatibility of the further processing of personal data with the purposes for which those data were initially collected arises only if the purposes of that further processing are not identical to the purposes of the initial collection.

35

Moreover, it follows from that Article 6(4), read in the light of recital 50 of that regulation, that, where the processing for a purpose other than that for which the data have been collected is not based on the data subject’s consent or on an EU or Member State law, it is necessary, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, to take into account, inter alia, first, any link between the purposes for which the personal data have been collected and the purposes of the intended further processing; secondly, the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller; thirdly, the nature of the personal data; fourthly, the possible consequences of the intended further processing for data subjects; and finally, fifthly, the existence of appropriate safeguards in both the original and intended further processing operations.

36

As the Advocate General noted, in essence, in points 28, 59 and 60 of his Opinion, those criteria reflect the need for a specific, logical and sufficiently close link between the purposes for which the personal data were initially collected and the further processing of those data, and ensure that such further processing does not deviate from the legitimate expectations of the subscribers as to the subsequent use of their data.

37

Furthermore, in the third place, as the Advocate General emphasised, in essence, in point 27 of his Opinion, those criteria limit the reuse of personal data previously collected by ensuring a balance between, on the one hand, the need for predictability and legal certainty regarding the purposes of the processing of personal data previously collected and, on the other hand, the recognition of a degree of flexibility for the controller in the management of those data, and thereby contribute to the attainment of the objective of ensuring a consistent and high level of protection of natural persons, which is set out in recital 10 of Regulation 2016/679.

38

Thus, taking into account the criteria mentioned in paragraph 35 of the present judgment and in the light of all of the circumstances characterising the case, it falls to the national court to determine both the purposes of the initial collection of the personal data and those of the further processing of those data and, if the purposes of that further processing are different from the purposes of that collection, to check that the further processing of those data is compatible with the purposes of that initial collection.

39

That said, it is open to the Court, when giving a preliminary ruling on a reference, to give clarifications to guide the national court in that determination (see, to that effect, judgment of 7 April 2022, Fuhrmann-2, C‑249/21, EU:C:2022:269, paragraph 32).

40

In this case, first, as was recalled in paragraph 13 of the present judgment, it is apparent from the order for reference that the personal data were initially collected by Digi, the controller, for the purposes of the conclusion and performance of subscription contracts with its private customers.

41

Second, the parties to the main proceedings are not in agreement on the specific purpose of the recording and storage by Digi, in the test database, of the personal data at issue. While Digi argues that the specific purpose of the creation of the test database was to guarantee access to the subscribers’ data until the errors were corrected, with the result that that purpose was identical to the purposes pursued by the initial collection of those data, the Authority maintains that the specific purpose of the further processing was distinct from those purposes since it was the conducting of tests and the correction of errors.

42

In that regard, it should be recalled that it is apparent from the case-law cited in paragraph 19 of the present judgment that, in proceedings under Article 267 TFEU, which are based on a clear separation of functions between the national courts and the Court, the national court alone has jurisdiction to interpret and apply national law, while the Court is empowered only to give rulings on the interpretation or the validity of an EU provision on the basis of the facts which the national court puts before it.

43

It is apparent from the order for reference that the test database was created by Digi in order to be able to carry out tests and correct errors, so that it is in the light of those purposes that it falls to the referring court to assess the compatibility of the further processing with the purposes of the initial collection, being the conclusion and performance of subscription contracts.

44

Third, regarding that assessment, it should be pointed out that there is a specific link between the conducting of tests and the correction of errors affecting the subscriber database and the performance of the subscription contracts of private customers, in that such errors may be prejudicial to the provision of the contractually agreed service, for which the data were initially collected. As the Advocate General noted in point 60 of his Opinion, such processing does not deviate from the legitimate expectations of those customers as to the subsequent use of their personal data. It is not, furthermore, apparent from the order for reference that those data were sensitive in whole or in part or that the further processing at issue of those data, as such, had detrimental consequences for the subscribers or was not accompanied by appropriate safeguards, which it is, in any event, for the referring court to verify.

45

It follows from all of the foregoing considerations that the answer to the first question is that Article 5(1)(b) of Regulation 2016/679 must be interpreted as meaning that the principle of ‘purpose limitation’, laid down in that provision, does not preclude the recording and storage by the controller, in a database created for the purposes of carrying out tests and correcting errors, of personal data previously collected and stored in another database, where such further processing is compatible with the specific purposes for which the personal data were initially collected, which must be determined in the light of the criteria in Article 6(4) of that regulation.

46

By way of a preliminary point, it should be noted that the referring court’s second question, which relates to the conformity with the principle of ‘storage limitation’, appearing in Article 5(1)(e) of Regulation 2016/679, of the storage by Digi, in the test database, of personal data of its customers, is asked by that court only in the event of the answer to the first question, as reformulated, being in the affirmative, namely if that storage is not compatible with the principle of ‘purpose limitation’, laid down in Article 5(1)(b) of that regulation.

47

However, first, as the Advocate General noted in point 24 of his Opinion, the principles relating to the processing of personal data set out in Article 5 of Regulation 2016/679 apply cumulatively. Consequently, the storage of personal data must comply not only with the principle of ‘purpose limitation’, but also with that of ‘storage limitation’.

48

Second, it should be recalled that, as is apparent from recital 10 of Regulation 2016/679, that regulation aims, inter alia, to ensure a high level of protection of natural persons within the European Union and, to that end, to ensure consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of those persons with regard to the processing of personal data throughout the European Union.

49

To that end, Chapters II and III of that regulation set out, respectively, the principles governing the processing of personal data and the rights of the data subject, which any processing of personal data must observe. In particular, any processing of personal data must, first, comply with the principles relating to the processing of data established in Article 5 of that regulation and, second, in the light, in particular, of the principle of the lawfulness of processing, laid down in Article 5(1)(a), satisfy one of the conditions of the lawfulness of the processing listed in Article 6 of that regulation (see, to that effect, judgments of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C‑439/19, EU:C:2021:504, paragraph 96, and of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes), C‑175/20, EU:C:2022:124, paragraph 50).

50

In the light of those considerations, even if, formally, the referring court asked the second question only in the event of the answer to the first question, as reformulated, being in the affirmative, that does not prevent the Court from providing the referring court with all the elements of interpretation of EU law which may be of assistance in assessing the case pending before it (see, to that effect, judgment of 17 March 2022, Daimler, C‑232/20, EU:C:2022:196, paragraph 49) and, therefore, from answering the second question.

51

In those circumstances, it must be found that, by that question, the referring court asks, in essence, whether Article 5(1)(e) of Regulation 2016/679 must be interpreted as meaning that the principle of ‘storage limitation’, laid down in that provision, precludes the storage by the controller, in a database created for the purposes of carrying out tests and correcting errors, of personal data previously collected for other purposes, for longer than is necessary for the conducting of those tests and the correction of those errors.

52

In the first place, it should be pointed out that, under Article 5(1)(e) of Regulation 2016/679, personal data are to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

53

It is thus unequivocally clear from the wording of that article that the principle of ‘storage limitation’ requires the controller to be able to demonstrate, in accordance with the principle of accountability referred to in paragraph 24 of the present judgment, that personal data are kept only for as long as is necessary for the purposes for which they were collected or for which they have been further processed.

54

It follows that even initially lawful processing of data may over time become incompatible with Regulation 2016/679 where those data are no longer necessary for such purposes (judgment of 24 September 2019, GC and Others (De-referencing of sensitive data), C‑136/17, EU:C:2019:773, paragraph 74) and that the data must be erased when those purposes have been served (see, to that effect, judgment of 7 May 2009, Rijkeboer, C‑553/07, EU:C:2009:293, paragraph 33).

55

That interpretation is consistent, in the second place, with the context of Article 5(1)(e) of Regulation 2016/679.

56

In that regard, it was recalled in paragraph 49 of the present judgment that any processing of personal data must comply with the principles relating to the processing of data set out in Article 5 of that regulation and satisfy one of the conditions relating to the lawfulness of the processing listed in Article 6 of that regulation.

57

First, as is apparent from such Article 6, where the data subject has not given consent to the processing of his or her personal data for one or more specific purposes, in accordance with Article 6(1)(a) of Regulation 2016/679, the processing must, as is apparent from Article 6(1)(b) to (f), satisfy a requirement of necessity.

58

Second, such a requirement of necessity follows also from the principle of ‘data minimisation’, laid down in Article 5(1)(c) of that regulation, under which personal data are to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

59

Such an interpretation is, in the third place, consistent with the objective pursued by Article 5(1)(e) of Regulation 2016/679, which, as was recalled in paragraph 48 of the present judgment, is, inter alia, to ensure a high level of protection of natural persons within the European Union with regard to the processing of personal data.

60

In this case, Digi argued that it was due to an oversight that the personal data of a portion of its private customers stored in the test database were not deleted after the tests had been conducted and the errors had been corrected.

61

In that regard, it is sufficient to point out that that argument is not relevant for the purposes of assessing whether data were kept for longer than was necessary for the purposes for which they were further processed, in breach of the principle of ‘storage limitation’, laid down in Article 5(1)(e) of Regulation 2016/679.

62

It follows from all of the foregoing considerations that the answer to the second question is that Article 5(1)(e) of Regulation 2016/679 must be interpreted as meaning that the principle of ‘storage limitation’, laid down in that provision, precludes the storage by the controller, in a database created for the purposes of carrying out tests and correcting errors, of personal data previously collected for other purposes, for longer than is necessary for the conducting of those tests and the correction of those errors.

63

Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (First Chamber) hereby rules: