Wed, Apr
37 New Articles

Does The Violation of the GDPR Always Mean Unlawful Data Processing?

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Based on the GDPR, data controllers have several obligations, such as maintaining the records of data processing or in case of joint controllers, entering into an agreement which determines their respective responsibilities for compliance with their data protection related obligations. In a recent case, the Court of Justice of the European Unio (‘CJEU’) needed to decide on the issue whether the non-compliance with these obligations constitutes unlawful processing resulting in the duty to erase the personal data of the data subject.


Regarding the factual background of the case, the German Federal Office for Migration and Refugees (‘Federal Office’) rejected the applicant’s application for internal protection. The applicant attacked this decision before the administrative court; thus, the Federal Office sent an electronic file containing the applicant’s personal data to the court via the electronic court and administrative mailbox.

The administrative court had doubts as to whether the maintenance and the transmission of the electronic file complied with the GDPR for two reasons. First, the Federal Office did not produce a complete record of the processing activities relating to the electronic file in accordance with Article 30 of the GDPR. Second, in disregard of Article 26 of the GDPR, no national legislation governs the transmission of the electronic file, and the Federal Office did not provide an agreement on the joint responsibility.

In the above context, the German administrative court asked the CJEU whether the failure of the controller to comply with the accountability principle of the GDPR (Article 5), specifically not concluding an agreement determining joint responsibility for processing and not maintaining a record of processing activities constitutes unlawful processing conferring on the data subject a right to erasure or restriction of processing.

The decision of the CJEU

The CJEU recalled that the lawfulness of processing is precisely the subject of Article 6 of the GDPR. This means that a data processing may only be lawful if one of the six conditions set forth in Article 6 is met, for example if the data subject has given consent to the data processing or the data processing is necessary for the performance of a contract or for the legitimate interests of the controller.

However, compliance with the obligation laid down in Article 26 of the GDPR to conclude an arrangement determining joint responsibility for processing and the obligation to maintain a record of processing activities laid down in Article 30 is not among the grounds for lawfulness of processing set out in Article 6 of the GDPR.

Thus, the infringement of Articles 26 and 30 of the GDPR does not constitute unlawful processing in the sense of the right to erasure (Article 17 1. (d)) or of the right to restriction of processing (Article 18 1. (b)), since this breach as such does not mean that the controller violates the principle of “accountability” (Article 5).

This means that the ‘sanction’ of the violations of Article 26 and 30 of the GDPR is not the erasure of the personal data or the restriction of the data processing, but other corrective actions provided for by the GDPR, such as the obligation to bring the processing operations into compliance with the GDPR, the lodging of a complaint with the supervisory authority, or compensation for any damage caused by the controller.

Lesson learnt

The decision of the CJEU presented above is important because it makes a clear differentiation between the legal basis of the data processing and the “secondary” data protections related obligations of the controllers (and processors) under the GDPR.

The CJEU clarified that the lawfulness of the processing activity depends solely on the questions of whether a legal basis (based on Article 6) exists in relation with the data processing. In case the appropriate legal basis is missing, the data subject may demand the erasure of his personal data or the restriction of the data processing. By contrast, if the data processing has a legal basis in accordance with the GDPR, nevertheless the controller fails to comply with other obligations provided for by the GDPR, other corrective actions may be implied.

By Anita Vereb, Attorney-at-lawda, SmartLegal Schmidt & Partners

Hungary Knowledge Partner

Nagy és Trócsányi was founded in 1991, turned into limited professional partnership (in Hungarian: ügyvédi iroda) in 1992, with the aim of offering sophisticated legal services. The firm continues to seek excellence in a comprehensive and modern practice, which spans international commercial and business law. 

The firm’s lawyers provide clients with advice and representation in an active, thoughtful and ethical manner, with a real understanding of clients‘ business needs and the markets in which they operate.

The firm is one of the largest home-grown independent law firms in Hungary. Currently Nagy és Trócsányi has 26 lawyers out of which there are 8 active partners. All partners are equity partners.

Nagy és Trócsányi is a legal entity and registered with the Budapest Bar Association. All lawyers of the Budapest office are either members of, or registered as clerks with, the Budapest Bar Association. Several of the firm’s lawyers are admitted attorneys or registered as legal consultants in New York.

The firm advises a broad range of clients, including numerous multinational corporations. 

Our activity focuses on the following practice areas: M&A, company law, litigation and dispute resolution, real estate law, banking and finance, project financing, insolvency and restructuring, venture capital investment, taxation, competition, utilities, energy, media and telecommunication.

Nagy és Trócsányi is the exclusive member firm in Hungary for Lex Mundi – the world’s leading network of independent law firms with in-depth experience in 100+countries worldwide.

The firm advises a broad range of clients, including numerous multinational corporations. Among our key clients are: OTP Bank, Sberbank, Erste Bank, Scania, KS ORKA, Mannvit, DAF Trucks, Booking.com, Museum of Fine Arts of Budapest, Hungarian Post Pte Ltd, Hiventures, Strabag, CPI Hungary, Givaudan, Marks & Spencer, CBA.

Firm's website.

Our Latest Issue