{"id":85911,"date":"2026-05-07T11:02:10","date_gmt":"2026-05-07T09:02:10","guid":{"rendered":"https:\/\/www.lexxion.eu\/?post_type=dpi&p=85911"},"modified":"2026-05-07T11:02:27","modified_gmt":"2026-05-07T09:02:27","slug":"data-protection-insider-issue-153","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-153\/","title":{"rendered":"Data Protection Insider, Issue 153"},"content":{"rendered":"

Table of Contents:<\/b><\/p>\n

    \n
  1. Introduction<\/a><\/li>\n
  2. CJEU Rules Hungarian Legal Amendments Violate Article 10 GDPR<\/a><\/li>\n
  3. CJEU Refuses Data Subject Access Request Review based on Lack of New Substantial Facts<\/a><\/li>\n
  4. ECtHR: Bulgaria\u2019s Secret Surveillance Framework Lacks Safeguards<\/a><\/li>\n
  5. EDPB Publishes New Materials<\/a><\/li>\n<\/ol>\n

     <\/p>\n

    Introduction<\/h2>\n

    Dear readers, this week, we deal with CJEU decisions concerning Hungarian legal amendments and their adherence to Article 10 of the GDPR, and concerning the CJEU\u2019s decision on the review of a data access request. Alongside these, we bring you a summary of an ECtHR case dealing with Bulgaria\u2019s secret surveillance framework, and of the EDPB\u2019s new materials.<\/p>\n

    CJEU Rules Hungarian Legal Amendments Violate Article 10 GDPR<\/h2>\n

    [1]<\/a> On 21st<\/sup> April 2026, the CJEU ruled in the case of European Commission v Hungary. In terms of the facts, the case essentially concerned legal amendments in Hungary, which have the stated aim of protecting children. These amendments included, however, provisions which serve to limit access to content which depicts or promotes \u201cdeviation from the self-identity corresponding to the sex assigned at birth, of gender reassignment, or of homosexuality\u201d. The European Commission thus \u201cbrought an action for failure to fulfil obligations before the Court of Justice against Hungary concerning the adoption of the amending law\u201d, claiming \u201cthat the Court should find that Hungary has acted in breach of the primary and secondary law of the European Union relating to services in the internal market, several rights guaranteed by the Charter of Fundamental Rights of the European Union (\u2018the Charter\u2019), Article 2 TEU, 2 and, lastly, the General Data Protection Regulation (GDPR)\u201d. With regards to the GDPR \u2013 on which this summary will focus \u2013 the Commission asserted that \u201cby amending Paragraph 67(1)(a) to (d) of\u2026Law No XLVII of 2009 on the criminal records system, the registration of judgments handed down by the courts of the Member States of the European Union against Hungarian citizens, and the registration of biometric data in criminal and law enforcement matters\u2026which obliges the body having direct access to registered data to make accessible to authorised persons the registered data of persons who have committed offences abusing the sexual freedom or sexual morality of children, Hungary has infringed Article 10\u201d \u2013 concerning the processing of personal data relating to criminal convictions and offences \u2013 of the GDPR \u201cas well as Article 8(2) of the Charter\u201d. The Court agreed with the Commission and confirmed that \u201cHungary has failed to fulfil its obligations under Article 10\u201d of the GDPR \u201cas well as Article 8(2) of the Charter.\u201d In this regard, the Court highlighted that the provisions in question failed to provide \u201cappropriate safeguards for the rights and freedoms of data subjects\u201d and could not therefore \u201cjustify the processing of personal data appearing in the criminal record of the persons concerned on the ground that it is necessary for the performance of a task carried out in the public interest\u201d under Article 6(1)(e). The Court observed, in this regard, for example, the problematic lack of clarity regarding who might access data \u2013 the law foresees that any \u201cadult who is a relative of the minor concerned or who is responsible for the education, care or supervision of that minor\u201d might do so \u2013 and the problematic fact that the law \u201centrusts the assessment of the need for, and the proportionality of, such access to the person requesting access alone, rather than to the competent authority controlling access to criminal records.\u201d<\/p>\n

    CJEU Refuses Data Subject Access Request Review based on Lack of New Substantial Facts<\/h2>\n

    [2]<\/a> On 22nd<\/sup> April, the CJEU ruled in the case of UU v. Court of Justice of the European Union<\/em>. In essence, the case concerned a complaint, made by a temporary employee of the CJEU, against another employee of the CJEU, with whom she worked. In relation to this complaint, concerning data protection, the applicant, following a series of internal complaint procedures, made a series of requests for access to personal data concerning her under Article 17 of Regulation (EU) 2018\/1725 \u2013 including to the Presidents of the Court and of the General Court and to the Court’s Data Protection Officer. These access requests were rejected on the basis that such access would be liable to infringe the rights and freedoms of others. Following a number of supplemental access requests, each of which were denied on the same grounds, the Applicant appealed the latter decisions before the Court. The Court rejected the applicant\u2019s claims. Essentially, the Court asserted that the there had been no new and substantial facts relevant to the proceedings in question, which would support the need for review of the impugned decisions and support the adoption of a new decision. We would highlight that materials related to this case are currently only available in French, a language in which the authors are not fluent. Accordingly, automated translations of documents have been relied upon for this summary. Unfortunately, we cannot guarantee the accuracy of these translations, and thus we cannot guarantee the accuracy of all information in this summary. In this regard, we urge all interested in the subject matter of the case to consult primary materials for themselves.<\/em><\/p>\n

    ECtHR: Bulgaria\u2019s Secret Surveillance Framework Lacks Safeguards<\/h2>\n

    [3]<\/a> On 28th<\/sup> April, the ECtHR ruled that the processing of personal data by the Bulgarian State Agency for National Security (\u201cthe Agency\u201d) is not \u201cin accordance with the law\u201d and breaches Article 8 ECHR in Kanev and Bulgarian Helsinki Committee v Bulgaria<\/em>. As to the facts of the case, the two applicants (Mr Kanev, former head of the Bulgarian Helsinki Committee (BHC), filed a request with the Agency, in which they wanted to know whether the Agency had gathered information on them (e.g. via special means of surveillance techniques or via informants). The request was triggered by revelations that, during the 2020\/2021 anti-governmental protests, state authorities such as the Agency \u201chad been covertly intercepting \u201cnearly round the clock\u201d the communications of many people, including politicians and civil-society activists\u201d. Since the access request was refused, mainly on the grounds that the applicants sought to know how the Agency gathers intelligence rather than to know whether the applicants\u2019 data had been processed, and the domestic courts upheld the refusals, the applicants filed several complaints with the ECtHR, which were examined in substance under Article 8 ECHR. They complained about the uncertainty stemming from the \u201cimpossibility\u201d of learning whether data about them had been processed by the Agency and the legal basis for such a processing, in addition to the lack of clear rules on the processing of personal data by the Agency and the applicable safeguards. After a long deliberation on the admissibility of the complaint, the ECtHR ruled as follows on the merits of the case. First, it established that the Agency\u2019s \u2018neither confirm, nor deny\u2019 response amounted to interference with the applicants\u2019 \u201cprivate life\u201d and \u201ccorrespondence\u201d. As to the justification for the interference, the ECtHR started with the \u201cin accordance with the law\u201d requirement and focused on the safeguards against the abusive processing of personal data by the Agency for national security purposes, more precisely \u201c(a) the proceedings for judicial review of its refusal to disclose whether it was processing such data; (b) possible supervision of data processing by the Agency by the Commission for the Protection of Personal Data; (c) the supervision of some parts of the Agency\u2019s work by the National Bureau\u201d for the supervision of the operation of Special Means of Surveillance technologies; \u201c(d) the supervision of the Agency\u2019s work by a special parliamentary committee and by the Parliament as a whole; and (e) the supervision of the Agency\u2019s work by the government and the President of the Republic\u201d. It found that none of these institutions offered effective supervision or remedies, and thus protection against abuse. Thus, the ECtHR ruled that Article 8 ECHR has been breached, because the Bulgarian legal framework on data processing by the Agency is not \u201cin accordance with the law\u201d and that there was no need to examine whether the interference pursued a legitimate objective and was \u201cnecessary in a democratic society\u201d. It is noteworthy that the ruling is accompanied by a thought-provoking Joint Dissenting Opinion of Judges Pavli and Ni Raiffeartaigh. They did not \u201cconsider this request to have been properly and clearly formulated as a request for access to personal data held by the Agency; on the contrary, it was phrased as a request for information about the use of intelligence methods\u201d, thus agreeing with the domestic courts, and arguing that the complaint should have been declared inadmissible. In addition, relying on the Court\u2019s case law, they pointed out that due to the nature of national security work, national security authorities should not be regulated through data protection law and supervised by classical data protection authorities: \u201cHowever, the safeguards related to surveillance or use of covert sources by security services tend to be sui generis<\/em>, and have typically developed in ad hoc<\/em> and incremental ways, reflecting the history, political system, institutional arrangements and other traits specific to each democracy. They come in many different shapes and colours\u201d. They pointed out that in their opinion, the Bulgarian legal framework reflected this distinction.<\/p>\n

    EDPB Publishes New Materials<\/h2>\n

    At the end of April, the EDPB released the following materials:<\/u><\/p>\n