Data Protection Insider, Issue 153

7. Mai 2026  |   von DPI Editorial Team
Data Protection Insider, Issue 153 - DPI Issue 153 1

Table of Contents:

  1. Introduction
  2. CJEU Rules Hungarian Legal Amendments Violate Article 10 GDPR
  3. CJEU Refuses Data Subject Access Request Review based on Lack of New Substantial Facts
  4. ECtHR: Bulgaria’s Secret Surveillance Framework Lacks Safeguards
  5. EDPB Publishes New Materials

 

Introduction

Dear readers, this week, we deal with CJEU decisions concerning Hungarian legal amendments and their adherence to Article 10 of the GDPR, and concerning the CJEU’s decision on the review of a data access request. Alongside these, we bring you a summary of an ECtHR case dealing with Bulgaria’s secret surveillance framework, and of the EDPB’s new materials.

CJEU Rules Hungarian Legal Amendments Violate Article 10 GDPR

[1] On 21st April 2026, the CJEU ruled in the case of European Commission v Hungary. In terms of the facts, the case essentially concerned legal amendments in Hungary, which have the stated aim of protecting children. These amendments included, however, provisions which serve to limit access to content which depicts or promotes “deviation from the self-identity corresponding to the sex assigned at birth, of gender reassignment, or of homosexuality”. The European Commission thus “brought an action for failure to fulfil obligations before the Court of Justice against Hungary concerning the adoption of the amending law”, claiming “that the Court should find that Hungary has acted in breach of the primary and secondary law of the European Union relating to services in the internal market, several rights guaranteed by the Charter of Fundamental Rights of the European Union (‘the Charter’), Article 2 TEU, 2 and, lastly, the General Data Protection Regulation (GDPR)”. With regards to the GDPR – on which this summary will focus – the Commission asserted that “by amending Paragraph 67(1)(a) to (d) of…Law No XLVII of 2009 on the criminal records system, the registration of judgments handed down by the courts of the Member States of the European Union against Hungarian citizens, and the registration of biometric data in criminal and law enforcement matters…which obliges the body having direct access to registered data to make accessible to authorised persons the registered data of persons who have committed offences abusing the sexual freedom or sexual morality of children, Hungary has infringed Article 10” – concerning the processing of personal data relating to criminal convictions and offences – of the GDPR “as well as Article 8(2) of the Charter”. The Court agreed with the Commission and confirmed that “Hungary has failed to fulfil its obligations under Article 10” of the GDPR “as well as Article 8(2) of the Charter.” In this regard, the Court highlighted that the provisions in question failed to provide “appropriate safeguards for the rights and freedoms of data subjects” and could not therefore “justify the processing of personal data appearing in the criminal record of the persons concerned on the ground that it is necessary for the performance of a task carried out in the public interest” under Article 6(1)(e). The Court observed, in this regard, for example, the problematic lack of clarity regarding who might access data – the law foresees that any “adult who is a relative of the minor concerned or who is responsible for the education, care or supervision of that minor” might do so – and the problematic fact that the law “entrusts the assessment of the need for, and the proportionality of, such access to the person requesting access alone, rather than to the competent authority controlling access to criminal records.”

CJEU Refuses Data Subject Access Request Review based on Lack of New Substantial Facts

[2] On 22nd April, the CJEU ruled in the case of UU v. Court of Justice of the European Union. In essence, the case concerned a complaint, made by a temporary employee of the CJEU, against another employee of the CJEU, with whom she worked. In relation to this complaint, concerning data protection, the applicant, following a series of internal complaint procedures, made a series of requests for access to personal data concerning her under Article 17 of Regulation (EU) 2018/1725 – including to the Presidents of the Court and of the General Court and to the Court’s Data Protection Officer. These access requests were rejected on the basis that such access would be liable to infringe the rights and freedoms of others. Following a number of supplemental access requests, each of which were denied on the same grounds, the Applicant appealed the latter decisions before the Court. The Court rejected the applicant’s claims. Essentially, the Court asserted that the there had been no new and substantial facts relevant to the proceedings in question, which would support the need for review of the impugned decisions and support the adoption of a new decision. We would highlight that materials related to this case are currently only available in French, a language in which the authors are not fluent. Accordingly, automated translations of documents have been relied upon for this summary. Unfortunately, we cannot guarantee the accuracy of these translations, and thus we cannot guarantee the accuracy of all information in this summary. In this regard, we urge all interested in the subject matter of the case to consult primary materials for themselves.

ECtHR: Bulgaria’s Secret Surveillance Framework Lacks Safeguards

[3] On 28th April, the ECtHR ruled that the processing of personal data by the Bulgarian State Agency for National Security (“the Agency”) is not “in accordance with the law” and breaches Article 8 ECHR in Kanev and Bulgarian Helsinki Committee v Bulgaria. As to the facts of the case, the two applicants (Mr Kanev, former head of the Bulgarian Helsinki Committee (BHC), filed a request with the Agency, in which they wanted to know whether the Agency had gathered information on them (e.g. via special means of surveillance techniques or via informants). The request was triggered by revelations that, during the 2020/2021 anti-governmental protests, state authorities such as the Agency “had been covertly intercepting “nearly round the clock” the communications of many people, including politicians and civil-society activists”. Since the access request was refused, mainly on the grounds that the applicants sought to know how the Agency gathers intelligence rather than to know whether the applicants’ data had been processed, and the domestic courts upheld the refusals, the applicants filed several complaints with the ECtHR, which were examined in substance under Article 8 ECHR. They complained about the uncertainty stemming from the “impossibility” of learning whether data about them had been processed by the Agency and the legal basis for such a processing, in addition to the lack of clear rules on the processing of personal data by the Agency and the applicable safeguards. After a long deliberation on the admissibility of the complaint, the ECtHR ruled as follows on the merits of the case. First, it established that the Agency’s ‘neither confirm, nor deny’ response amounted to interference with the applicants’ “private life” and “correspondence”. As to the justification for the interference, the ECtHR started with the “in accordance with the law” requirement and focused on the safeguards against the abusive processing of personal data by the Agency for national security purposes, more precisely “(a) the proceedings for judicial review of its refusal to disclose whether it was processing such data; (b) possible supervision of data processing by the Agency by the Commission for the Protection of Personal Data; (c) the supervision of some parts of the Agency’s work by the National Bureau” for the supervision of the operation of Special Means of Surveillance technologies; “(d) the supervision of the Agency’s work by a special parliamentary committee and by the Parliament as a whole; and (e) the supervision of the Agency’s work by the government and the President of the Republic”. It found that none of these institutions offered effective supervision or remedies, and thus protection against abuse. Thus, the ECtHR ruled that Article 8 ECHR has been breached, because the Bulgarian legal framework on data processing by the Agency is not “in accordance with the law” and that there was no need to examine whether the interference pursued a legitimate objective and was “necessary in a democratic society”. It is noteworthy that the ruling is accompanied by a thought-provoking Joint Dissenting Opinion of Judges Pavli and Ni Raiffeartaigh. They did not “consider this request to have been properly and clearly formulated as a request for access to personal data held by the Agency; on the contrary, it was phrased as a request for information about the use of intelligence methods”, thus agreeing with the domestic courts, and arguing that the complaint should have been declared inadmissible. In addition, relying on the Court’s case law, they pointed out that due to the nature of national security work, national security authorities should not be regulated through data protection law and supervised by classical data protection authorities: “However, the safeguards related to surveillance or use of covert sources by security services tend to be sui generis, and have typically developed in ad hoc and incremental ways, reflecting the history, political system, institutional arrangements and other traits specific to each democracy. They come in many different shapes and colours”. They pointed out that in their opinion, the Bulgarian legal framework reflected this distinction.

EDPB Publishes New Materials

At the end of April, the EDPB released the following materials:

  • [4]  Announcement that a “Stakeholder event on competition and data protection” is going to be held and a call of expressions of interest to participate in it (23 April 2026).
  • [5]  Video dedicated to the GDPR: “Marking 10 years of the GDPR: the evolution of the European data protection landscape” (27 April 2026).
  • [6]  Released a Report on the “Coordinated supervisory action on minors under 15 years old processed by Europol as suspects or potential criminals” (30 April 2026).

 

More Information:

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62022CJ0769

[2] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62024TJ0084

[3] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62022CJ0769

[4] https://www.edpb.europa.eu/news/news/2026/stakeholder-event-competition-and-data-protection_en

[5] https://www.edpb.europa.eu/news/news/2026/marking-10-years-gdpr-evolution-european-data-protection-landscape_en

[6] https://www.edpb.europa.eu/our-work-tools/our-documents/csc-documents/coordinated-supervisory-action-minors-under-15-years-old_en

Über

DPI Editorial Team


Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.


Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Hinterlasse eine Antwort

Zurück zur Übersicht