OPINION OF ADVOCATE GENERAL
PIKAMÄE
delivered on 31 March 2022 (1)
Case C‑77/21
Digi Távközlési és Szolgáltató Kft.
v
Nemzeti Adatvédelmi és Információszabadság Hatóság
(Request for a preliminary ruling from the Fővárosi Törvényszék (Budapest High Court, Hungary))
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 5(1)(b) and (e) – Principle of purpose limitation – Principle of storage limitation – Customers’ personal data which have been collected and stored lawfully – Creation of another specific internal database following a technical failure – Verification a posteriori of the purposes of the processing – Dual purpose – The purpose of the processing and that of the collection of the data are not identical – Compatibility of the processing with the purposes of the collection – Article 6(4) – Failure to delete the database after the technical failure had been corrected – Achievement of the purposes of the processing)
1. Under what circumstances may an internet and television provider retain its customers’ personal data, which have been collected and are already stored in a lawful manner, on an additional internal system, without their express consent but in order to remedy a technical failure?
2. This is one of the questions raised by the present case which will enable the Court to add to its growing body of case-law on Regulation (EU) 2016/679, (2) with regard, more specifically, to the principles of purpose limitation and storage limitation set out in Article 5(1)(b) and (e) of that regulation.
I. Legal framework
3. Articles 4 to 6, 13 and 32 of the GDPR are relevant to the present case.
II. The dispute in the main proceedings and the questions referred for a preliminary ruling
4. Digi Távközlési és Szolgáltató Kft. (‘Digi’) is one of the leading internet and television providers in Hungary.
5. In April 2018, following a technical failure affecting the operation of a server, Digi created ‘a test’ database to which it copied the personal data of about one third of its private customers.
6. On 23 September 2019, Digi became aware that an ‘ethical hacker’ had accessed the personal data of approximately 322 000 persons. It was the hacker himself who reported the attack in writing in an email sent to that undertaking on 21 September 2019 by extracting, as evidence, a line from the test database. Digi corrected the fault and concluded a confidentiality agreement with the hacker, in which it offered him a reward.
7. After deleting the test database, Digi notified the personal data breach to the Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information; ‘the Authority’) on 25 September 2019, following which that authority initiated an investigation.
8. By decision of 18 May 2020, the Authority found inter alia that, first, Digi had infringed Article 5(1)(b) and (e) of the GDPR in that, once the necessary tests had been carried out and the problems corrected, it did not delete the test database, with the result that a large amount of personal data in that test database was stored for no purpose for almost 18 months in a file that could allow the data subjects to be identified, the failure to delete that database having allowed a personal data breach to occur. Secondly, the Authority considered that Digi had infringed Article 32(1) and (2) of the GDPR. In those circumstances, the Authority imposed a fine of 100 000 000 forint (HUF) (approximately EUR 270 000) on Digi.
9. Digi has challenged the legality of that decision before the referring court.
10. The referring court notes that the personal data copied by Digi into the test database were collected for the purposes of concluding subscription contracts and that the lawfulness of the data collection was not called into question by the Authority. However, it wishes to ascertain whether the purpose of the collection and processing of the data is changed by the fact that the data collected for a specified purpose have been copied to another database. It adds that it must also determine whether the creation of a test database and the further processing of customers’ data in that way are compatible with the purpose of collecting those data. In that regard, it states that the principle of purpose limitation does not provide any clear indication as to which of the controller’s internal systems are ones in which the controller may process legitimately collected data, or whether that controller may copy such data to a test database without changing the purpose of the data collection.
11. In the event that the creation of the test database is incompatible with the purpose of the collection, the referring court also asks whether, in so far as the purpose of processing the customer data in another database was not to correct errors but to conclude contracts, the necessary storage period must be determined by the period needed to correct errors or the period needed to perform the contractual obligations.
12. In those circumstances, the Fővárosi Törvényszék (Budapest High Court, Hungary) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Must the concept of “purpose limitation” as defined in Article 5(1)(b) of [the GDPR] be interpreted as meaning that the fact that the controller stores in parallel in another database personal data which were otherwise collected and stored for a limited legitimate purpose is consistent with that concept or, conversely, is the limited legitimate purpose of collecting those data no longer valid so far as the parallel database is concerned?
(2) Should the answer to the first question referred be that the parallel storage of data is in itself incompatible with the principle of “purpose limitation”, is the fact that the controller stores in parallel in another database personal data which were otherwise collected and stored for a limited legitimate purpose compatible with the principle of “storage limitation” established in Article 5(1)(e) of [the GDPR]?’
III. The procedure before the Court
13. Written observations have been submitted by the applicant and the defendant in the main proceedings, the Hungarian, Czech and Portuguese Governments and the European Commission. At the hearing held on 17 January 2022, the applicant and the defendant in the main proceedings, the Hungarian Government and the Commission presented oral argument.
IV. Analysis
A. Admissibility
14. The Authority and the Hungarian Government have expressed doubts as to the admissibility of the request for a preliminary ruling on the ground that the questions referred do not reflect the facts of the case in the main proceedings and are not directly relevant to the resolution of that case.
15. It follows from the settled case-law of the Court that it is solely for the national court before which the dispute has been brought, and which must assume responsibility for the subsequent judicial decision, to determine, in the light of the particular circumstances of the case, both the need for a preliminary ruling in order to enable it to deliver judgment and the relevance of the questions which it submits to the Court. Consequently, where the questions referred concern the interpretation or the validity of a rule of EU law, the Court is in principle bound to give a ruling. It follows that questions referred by national courts enjoy a presumption of relevance. The Court may refuse to rule on a question referred by a national court only where it appears that the interpretation sought bears no relation to the actual facts of the main action or its object, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it. In the present case, the request for a preliminary ruling contains sufficient factual and legal material to understand the significance of the questions referred. Furthermore, and most importantly, nothing in the file before the Court leads to the conclusion that the interpretation of EU law that is requested is unrelated to the actual facts of the main action or its object, or that the problem is hypothetical. (3)
16. In that regard, it must be noted that the referring court has before it an action for annulment of a decision penalising Digi, in its capacity as controller, on account of an alleged breach of the principles of purpose limitation and storage limitation referred to in Article 5(1)(b) and (e) of the GDPR, to which the referring court’s request for interpretation relates. The request for a preliminary ruling must therefore be regarded as admissible.
B. The legal framework for the analysis
17. It must be noted that the request for a preliminary ruling concerns exclusively the interpretation of Article 5 of the GDPR in the context of a dispute in the main proceedings concerning the lawfulness of the processing of personal data by Digi, one of the leading internet and television providers in Hungary, which is, therefore, an operator that provides access to online public communication services.
18. It should be noted that Article 1(1) of Directive 2002/58/EC (4) stipulates that that directive provides for the harmonisation of the national provisions required, inter alia, to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communications sector. Moreover, Article 3 of Directive 2002/58 states that that directive is to apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the European Union, including public communications networks supporting data collection and identification devices. Consequently, that directive must be regarded as regulating the activities of the providers of such services. (5)
19. In accordance with Article 1(2) thereof, Directive 2002/58 particularises and complements Directive 95/46/EC (6) for the purposes mentioned in paragraph 1, it being noted that, under Article 94(2) of the GDPR, the references made, in Directive 2002/58, to Directive 95/46 are to be construed as references to that regulation. (7) According to recital 10 of Directive 2002/58, in the electronic communications sector, Directive 95/46 applies in particular to all matters concerning the protection of fundamental rights and freedoms which are not specifically covered by the provisions of Directive 2002/58, including the obligations on the controller and the rights of individuals. (8)
20. It is clear from the request for a preliminary ruling that the dispute in the main proceedings does not concern the use of electronic communications services by Digi’s subscribers and, therefore, the protection of communications made in that way and of the related traffic data governed by Directive 2002/58, but has arisen in connection with the internal operation of that undertaking. It is established that, in 2018 and following a technical failure of the server which resulted in the original database of its subscribers being inaccessible, Digi created a file called ‘test’ into which it copied the personal data of some of its customers. (9) Once Digi had corrected that malfunction, the storage of data in the additional database continued until September 2019, during which period a hacking attack on that database occurred. The activity carried out in that regard by Digi has the character of a ‘processing of personal data’ for which that undertaking is the ‘controller’ within the meaning of the definitions provided in Article 4(2) and (7) of the GDPR. Furthermore, it is in that capacity that Digi was penalised by the Authority for having, on that occasion, infringed its obligations under, inter alia, Article 5(1)(b) and (e) of the GDPR.
21. In that regard, it should be recalled that, subject to the derogations permitted in Article 23 of the GDPR, any processing of personal data must observe the principles governing the processing of personal data and the rights of the data subject set out, respectively, in Chapters II and III of that regulation. In particular, any processing of personal data must, first, comply with the principles set out in Article 5 of that regulation and, secondly, satisfy the lawfulness conditions listed in Article 6 of that regulation. (10)
22. Under Article 5 of the GDPR, the controller has the task of ensuring that personal data are ‘processed lawfully, fairly and in a transparent manner’ (point (a)), that they are ‘collected for specified, explicit and legitimate purposes and [are] not further processed in a manner that is incompatible with those purposes’ (point (b)), that they are ‘adequate, relevant and (not excessive) in relation to the purposes for which they are (collected and/or further processed)’ (point (c)), that they are ‘accurate and, where necessary, (kept) up to date’ (point (d)) and, finally, that they are ‘kept in a form which permits identification of data subjects for no longer than is necessary (for the purposes) for which the data were (collected or for which they are further processed)’ (point (e)), the processing of data for historical, statistical or scientific purposes being subject to specific provisions. In this context, the controller must take every reasonable step to ensure that data which do not meet the requirements of that provision are erased or rectified. (11)
C. The scope of the request for a preliminary ruling
23. The referring court seeks guidance from the Court on the interpretation of the principles of purpose limitation and storage limitation, laid down in Article 5(1)(b) and (e) of the GDPR respectively, which has resulted in it referring two separate questions for a preliminary ruling relating to those provisions. However, the second question, concerning the principle of storage limitation, is formulated only in the conditional, in the case where the processing in question is incompatible with the principle of purpose limitation.
24. It is important to point out that the requirements relating to the processing of personal data set out in Article 5 of the GDPR are, clearly, cumulative and independent of each other. (12) The issue of compliance with the principle of storage limitation is legally independent of that relating to the principle of purpose limitation. In the decision which is the subject of the main proceedings, the Authority considers that the storage of data in an additional internal system has given rise to the infringement of the two separate principles mentioned above.
25. Even though the referring court has formally limited its second question by its conditional nature, that circumstance does not prevent the Court from providing it with all the elements of interpretation which may be useful for the judgment in the main proceedings, by extracting from the body of material provided by that court, and in particular from the statement of reasons for the order for reference, the elements of EU law which require interpretation in the light of the subject matter of the dispute. (13)
D. The lawfulness of the processing in the light of the principles of purpose limitation and storage limitation
1. Preliminary remarks
26. As a preliminary point, I consider it necessary to analyse the respective scope of the principles set out in Article 5(1)(b) and (e) of the GDPR, in connection with the concept of storage used in the order for reference and the interested parties’ submissions in order to describe the processing operation in question from two perspectives. The first concerns the very act of storing or saving data, in the present case, the storage in an additional internal database of a copy of the data of some of Digi’s subscribers. The second views the storage in the sense of maintaining that database over time. The issue raised is therefore the duration of the data storage. In that regard, the temporal issue set out above does not, in my view, fall within the scope of the principle of purpose limitation, but exclusively within that of the principle of storage limitation.
27. The principle of purpose limitation, provided for in Article 5(1)(b) of the GDPR, has two components: the personal data must, first, be collected for ‘specified, explicit and legitimate’ purposes and, secondly, must not be ‘further processed in a manner that is incompatible’ with those purposes. The purpose of that principle is to delimit as clearly as possible the use of personal data by ensuring a balance between respect for the fundamental rights of data subjects in relation to privacy and data protection and the recognition of a degree of flexibility for the controller in the management of those data, which is necessary because of the unknowns in digital life.
28. In its second component, which is of particular interest in the present case, the aim of that principle is to define the limits within which personal data collected for a given purpose may be re-used. In accordance with Article 5(1)(b) of the GDPR, any processing after collection must be regarded as ‘further processing’ and must therefore, subject to certain exceptions, satisfy the requirement of compatibility. (14) The latter reflects the need for a specific, logical and sufficiently close link between the purpose for which the data were collected and the further processing of those data. In other words, that processing must not be disconnected from the original purpose of the data collection or conflict with it, and its content must be compatible with the rationale behind the collection, irrespective of any temporal issue.
29. The principle of purpose limitation is not, strictly speaking, an expression of the principle of proportionality, unlike the principle of storage limitation set out in Article 5(1)(e) of the GDPR. As the Court has stated, it follows from the requirements laid down in that article that even initially lawful processing of data may, in the course of time, become incompatible with the regulation where those data are no longer necessary in the light of the purposes for which they were collected or processed. That is so, in particular, where they appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in the light of the time that has elapsed. (15)
30. Therefore, in connection with the principle of storage limitation, it is a question of assessing the proportionality of the processing in relation to its purpose, in the light of the time that has passed. The retention of data for a period that is longer than necessary, that is to say for longer than is necessary for the purposes for which the data have been retained, will contravene that principle. (16) Once the purposes of such processing have been achieved, the data must be erased. (17) The principle of storage limitation therefore answers the question as to when the storage of data on an additional internal system by Digi was no longer justified.
31. It is in the light of the foregoing considerations that I shall examine the lawfulness of the processing in question by reference to the two abovementioned principles.
2. The principle of purpose limitation
32. Verification of compliance with the second component of the principle of purpose limitation requires the purpose or purposes of the collection of the data in question to be determined beforehand. It is clear from the documents before the Court that those data were collected by Digi for the purposes of concluding and performing subscription contracts offered in its capacity as an internet and television provider and that the lawfulness of that original processing is not a matter of dispute between the parties to the main proceedings. The same applies to the unavoidable subsequent processing consisting of the storage of those data on a dedicated system which will be referred to as the original database. (18) In that context, the referring court asks, inter alia, whether the specified, explicit and legitimate purpose of the data collection is ‘changed’ by the fact that those data have been copied to a database in addition to the original storage which is not disputed between the parties.
33. According to the case-law of the Court, the rules for the protection of personal data contained in the GDPR must be complied with in respect of any processing of those data as defined in Article 2 thereof. (19) To me, the abovementioned question reflects a lack of awareness of the requirement for an individual assessment of all data processing operations subsequent to their collection, resulting, in the present case, from Article 5(1)(b) of the GDPR.
34. In other words, each subsequent use of those data must be examined in order to verify the specific purpose of that use and, where appropriate, whether it is compatible with the purpose of the collection. The lawfulness of the latter and of an initial storage of the data cannot, as a spill-over effect, have an automatic impact on the compliance of another further processing activity with the principle of purpose limitation, irrespective of whether the latter activity concerns the same data. As the Hungarian Government submits, the controller cannot be considered to be free to store personal data in several files and without restriction, provided that it initially collected and processed those data in a lawful manner.
35. Therefore, it is necessary to examine the question of compatibility between the purposes for which the data were collected and the subsequent processing of those data required by Article 5(1)(b) of the GDPR. However, logically, that question arises only if that processing is performed for purposes other than those initially specified.
36. Thus, according to recital 50 of that regulation, the processing of personal data ‘for purposes other than’ those for which they were initially collected should be allowed only where the processing is compatible with the purposes of the initial collection. The wording of Article 6(4) of that regulation also supports the above conclusion. That provision establishes a non-exhaustive list of criteria which make it possible to assess, in a given configuration, whether the processing ‘for another purpose’ is compatible with the purpose for which the personal data were initially collected. Therefore, the finding that the purpose for which the data were collected and the purpose of the further processing of those data are identical, as alleged by Digi, would render the question of compatibility devoid of purpose and would support the conclusion that that processing is lawful in the light of the principle of purpose limitation. (20)
(a) The purposes of the processing
37. It is clear from the documents before the Court, and in particular the statements made by Digi, that, following a technical failure of the server which resulted in the original database being inaccessible, that undertaking stored a copy of the data of some subscribers in an additional internal database, known as ‘the test’ database, in order to remedy the technical incident and to ensure access to the data in accordance with the obligation imposed on the controller by Article 5(1)(f) and detailed in Article 32 of the GDPR. (21) Digi claims that that processing operation also contributed to achieving the purpose of the data collection, namely the provision of the contractually agreed service. In those circumstances, it states that the storage in question is not linked to a different purpose, which rules out any infringement of Article 5(1)(b) of that regulation.
38. While it is of course for the referring court to verify the lawfulness of the abovementioned processing operation, in the light inter alia of the requirements laid down in Article 5 of the GDPR and all of the circumstances of the present case, a number of suggestions may be made to that end.
39. I note, in the first place, that Digi states, in essence, that the processing in question had a dual purpose in the sense that the primary and specific aim of correcting the server failure and securing the availability of subscriber data itself fell within the scope of a secondary and general objective relating to the performance of the subscription contracts, which coincides with that of the initial collection of the data.
40. It is entirely conceivable, in practice, that personal data may be collected or further processed for a number of purposes. This is clearly envisaged and recognised by the GDPR, as is reflected in the wording of Article 5(1)(b) and Article 6(1)(a), as well as recitals 32 and 50 of that regulation. That approach meets the need for pragmatism and flexibility required by the complex and non-linear processing of personal data in the digital age. It must, however, take into account the requirement to specify the purpose, which is a key element in the implementation of the European regime for the protection of personal data.
41. A sufficiently precise purpose thus constitutes a fundamental guarantee in terms of predictability and legal certainty in the sense that it contributes to the proper understanding by the data subject of the possible use of his data and enables him to make a fully informed decision. This predictability is essential when assessing the compatibility between the purpose of the data collection and the further processing of those data, thus reducing the risk of distortion between the reasonable expectations of data subjects as to the possible use of their data in the future and the operations carried out by the controller. It is also necessary to specify the purpose in order to apply other data quality requirements, including the adequacy, relevance, proportionality and accuracy of the data collected, as well as the requirements relating to the period for which they are stored, in accordance with Article 5(1)(c), (d) and (e) of the GDPR.
42. That requirement to specify the purpose is therefore valid, as is noted in Opinion 3/2013 of the Article 29 Working Party, (22) for all processing operations and not only at the stage of the initial collection of the data. It is interesting to note that, where data are processed on the basis of the data subject’s consent, that processing will be lawful, in accordance with Article 6(1)(a) of the GDPR, only if the data subject has given consent to the processing for one or more ‘specific’ purposes.
43. In those circumstances, if certain processing can pursue two purposes, each of them must be specific and have an objective and sufficiently close link with the processing operation concerned.
44. In the second place, reference must be had to the specific context in which the assessment of the purpose or purposes of the further processing in question must be made.
45. In accordance with recitals 60 and 61 of the GDPR, the principles of fair and transparent processing require that the data subject is informed of the existence of the processing operation, and its purposes and the information in relation to the processing of his or her personal data must be given to him or her at the time of collection from the data subject. In that regard, Article 13(1)(c) of that regulation provides that, where personal data relating to a data subject are collected from the data subject, the controller must, at the time when personal data are obtained, provide the data subject with information as to the purposes of the processing for which the personal data are intended as well as the legal basis for the processing.
46. However, no matter how forward-looking and considered a controller may be, it may not be possible for that controller, at the time when the processing is designed, to envisage and determine the nature and exact scope of all of the operations forming the data processing chain. Likewise, the present case is a perfect illustration of the problems associated with managing a technical failure, inadvertently, and the subsequent implementation of a certain type of data processing for a purpose that was not initially specified.
47. In the context of the assessment, as in the present case, of the lawfulness of such processing by the supervisory authority and then by the court responsible for the action brought against the decision of the supervisory authority, that purpose is verified a posteriori in the light of the information provided by the controller during the administrative procedure. And it is for the latter, the designer of the processing operation concerned, in accordance with the principle of accountability laid down in Article 5(2) of the GDPR, to demonstrate the reality of the alleged purpose and, where appropriate, that the processing is in accordance with the objective of the collection of the data. (23)
48. In that regard, two specific and objective elements may be taken into account in order to verify that purpose. First, Article 13(3) of the GDPR provides that, where personal data relating to a data subject are collected from the data subject and the controller intends to further process those data for a purpose other than that for which they were collected, prior to that further processing the controller must provide the data subject with information on that other purpose (24) and with any relevant further information as referred to in Article 13(2). Secondly, Article 30(1) of the GDPR requires each controller to maintain a record in writing, including in electronic form, of processing activities under its responsibility and to make the record available to the supervisory authority on request. That record must contain various items of information including information relating to the purposes of the processing.
49. In the present case, it would appear that Digi did not inform any of the subscribers concerned of its intention to duplicate their data and store them on an internal system intended for testing and the correction of errors, since that operator considered that the purpose of that processing operation was not different from that for which the data were collected and, therefore, it did not fall within the scope of Article 13(3) of the GDPR. (25) Moreover, the file submitted to the Court does not make it possible to determine whether Digi is in a position to benefit from the exemption provided for in Article 30(5) of that regulation with regard to the obligation to maintain a register. (26)
50. I note, in any event, that, at the hearing, Digi clearly stated that the technical failure in 2018 had not led to an interruption of the contractually agreed service, the storage at issue having been carried out solely in the light of the risk of such an interruption. Those statements must be linked to objective material findings as to the choice to call the database a ‘test’ database, the fact that that database did not contain the data of all subscribers but only of one third of them and that, after having been forgotten by Digi for the 18 months following the resolution of the initial technical incident, that database was deleted immediately after the hacking attack in September 2019 which affected the security of the data.
51. In those circumstances, it seems possible to conclude that the processing in question was carried out only for the concrete and specific objective of temporarily securing some of the subscribers’ data in connection with the correction of a technical incident affecting the operation of the server, thus an aim which, in my view, is different from that of the data collection.
52. The Commission and Digi submit, however, that such processing, which sought to satisfy the security obligation imposed on the controller by Article 5(1)(f) of the GDPR and set out in detail in Article 32 thereof, cannot be regarded as pursuing a new or distinct purpose, since this would undermine the effectiveness of that act and would deprive the obligation to provide data subjects with information of its practical relevance.
53. This abstract and systematic approach seems to me to be contrary to the requirement to assess the lawfulness of each processing operation in the light of all the relevant circumstances of the individual case. It is that approach which, in reality, results in depriving of its effectiveness the obligation to provide data subjects with information laid down in Article 13(3) of the GDPR, information which the controller must provide to data subjects in order to ensure fair processing of data in their regard. (27) That obligation is imperative where, as in the present case, the processing is carried out in the context of a contractual relationship and is based on Article 6(1)(b) of the GDPR which concerns the need to perform the contract without the consent of the contracting parties being required. Finally, that approach fails to take account of the rationale behind Article 5(1)(b) of the GDPR, namely that further processing which serves a purpose other than that for which the data were collected is not necessarily unlawful since its mere compatibility with the latter is sufficient to comply with the abovementioned provision.
(b) The compatibility of the processing
54. Article 5(1)(b) of the GDPR does not contain any indication as to the conditions under which further processing for a purpose different from that of the initial collection of the data may be regarded as being compatible with the latter. Reference must be had, in that regard, to Article 6(4) of the GDPR, read in conjunction with recital 50 thereof, the content of which reflects a link between the principle of purpose limitation and the legal basis for the processing concerned.
55. Therefore, that principle makes a distinction, with respect to the requirement of compatibility, depending on whether the processing for a purpose other than that for which the data were collected is or is not based on the data subject’s consent or on EU or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) of the GDPR.
56. If it is, the controller, in accordance with the second paragraph of recital 50 of the GDPR, is allowed to further process the personal data irrespective of the compatibility of the purposes. (28) That derogation from the requirement for compatibility is, in essence, justified by the existence of other rules to protect data subjects, and specifically those relating to the information of data subjects on those other purposes and the right to object to processing. (29)
57. If it is not, and that is the situation in the present case, in accordance with Article 6(4) of the GDPR:
‘…
the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation’.
58. In the absence of any formal indication by Digi at the time of the data collection as to the further processing envisaged and its purpose, a substantive approach must be followed which, in my view, leads to a finding that the processing is compatible.
59. In that regard, there is undeniably a link between the purpose of the initial data collection, namely the performance of the internet and television subscription contract, and processing aimed at securing those data in an additional internal database and carrying out tests, securely, which are intended to remedy a technical failure that could potentially harm the provision of the contractually agreed service. Without overlapping, as stated above, those purposes are logically linked.
60. It is important to note that such processing does not deviate from the legitimate expectations of the subscribers as to the subsequent use of their data. Additional storage of data on an internal system which is driven by the need to resolve a technical failure affecting the accessibility of the data in the original database cannot be regarded as being surprising or unlikely. Moreover, the data concerned have continued to be processed by the same controller and have not been disclosed to third parties which, a priori, means that there is no negative impact. The fact that, in the course of the hacking attack on Digi, the perpetrator was able to access the data on that system, cannot, in my view, lead to a retrospective conclusion that the processing in question is incompatible.
3. The principle of storage limitation
61. In accordance with Article 5(1)(e) of the GDPR, data must be kept in a form which permits identification of data subjects (30) for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of that regulation, subject to implementation of the appropriate technical and organisational measures required by that regulation in order to safeguard the rights and freedoms of the data subject.
62. As mentioned, the principle of storage limitation gives expression to the principle of proportionality, as well as to the principle of ‘data minimisation’, according to which personal data are to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. (31) In the context of the principle of storage limitation, the question relating to the need for the processing, which is intended to be temporary, is related to the question of whether its purpose remains the same.
63. It should also be recalled that compliance with the requirement of proportionality means that derogations in relation to the protection of personal data must apply only in so far as is strictly necessary. (32) The Court has clearly stated that Article 5(1)(e) of the GDPR seeks to protect data subjects. (33)
64. Recital 39 of the GDPR explicitly states that the period for which data are stored must be ‘limited to a strict minimum’ and that, to that end, time limits should be established by the controller for erasure or for a periodic review. Article 13(2)(a) of the GDPR provides that the controller must, at the time when personal data are obtained, provide the data subject with additional information to that set out in paragraph 1 of that article which is necessary to ensure fair and transparent processing, including the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period. (34)
65. In that context, it is necessary to determine, having regard to all the circumstances of the case, (35) the point at which the purposes of storing a copy of the data of some of the subscribers in an additional internal database could, if at all, be regarded as having been served, thus depriving that processing of its raison d’être and forcing Digi to erase the data. It is clear that it is for the controller, in accordance with the principle of accountability laid down in Article 5(2) of the GDPR, to adduce proof that the processing is lawful in the light of the principle of storage limitation, as with the principle of purpose limitation.
66. In the present case, considering that the storage in question was in line with the objective of securing the data and thereby contributed to the attainment of the objective of performing the subscription contract, Digi claims that the period for which the data were stored in the test database was consistent with that of the performance of its contractual obligations, which precludes any infringement of Article 5(1)(e) of the GDPR.
67. With regard to determining the purpose or purposes, I refer to all the findings and assessments made in connection with the response to the question of compliance with the principle of purpose limitation from which it follows that the processing at issue cannot be regarded as having a dual purpose which includes the performance of subscription contracts. (36)
68. In any event, whatever the nature of the intended purpose or purposes, the processing of data in the form of storage in an additional internal file should nevertheless have been limited in time to what was strictly necessary. In other words, once the initial malfunction had been resolved, the circumstances which justified the storage operation and its continuation no longer existed. The direct and primary objective of securing the data in relation to the correction of the technical incident, taken in isolation or even in conjunction with the indirect and ancillary objective of performing the subscription contract, could no longer, in those circumstances, cover the continuation of the processing.
69. The fact remains that Digi has unequivocally stated that the test database was intended to ensure access to subscribers’ data ‘until the error was corrected’ and that it inadvertently did not delete it even though the correction of errors no longer justified having it, (37) which means that the processing in question was of no further use and was therefore devoid of purpose. Can an internal database which the controller admits has been forgotten for a year and a half still be regarded as being capable of fulfilling an actual purpose? In my view, the answer must be in the negative.
V. Conclusion
70. In the light of the foregoing considerations, I propose that the Court should reply to the Fővárosi Törvényszék (Budapest High Court, Hungary) as follows:
(1) Article 5(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that the principle referred to therein does not preclude the retention of personal data, which have been collected and stored in a lawful manner, in an additional internal database, provided that such processing serves the same purposes as those of their collection, or, if that is not the case, is compatible with those purposes, which it is for the controller to demonstrate, including in the case where the processing fulfils the obligation of the controller to ensure appropriate security of the personal data, laid down in Article 5(1)(f) of that regulation.
Where that processing for a purpose other than that for which the data have been collected is not based on the data subject’s consent or on a legislative act of the European Union or of a Member State falling within the scope of Article 23(1) of Regulation 2016/679, its compatibility must be established in the light of, inter alia, the criteria set out in Article 6(4) of that regulation.
(2) Article 5(1)(e) of Regulation 2016/679 must be interpreted as meaning that the principle referred to therein precludes the retention of data in a form which permits identification of data subjects, which have been collected and stored in a lawful manner, in an additional internal database which meets the objective of correcting a technical anomaly and temporarily securing those data, beyond the period necessary to attain that objective and therefore after that incident has been resolved, including where that direct and primary objective can be linked to the indirect and ancillary objective of the provision of the contractually agreed service.