Skip to content
News 9 January 2023 approx. 5 min read

Copy data to a test database to fix system errors as further data processing

Martyna Dobkowska Author Martyna Dobkowska Associate
Skopiowanie danych do testowej bazy celem naprawienia błędów systemu jako dalsze przetwarzanie danych

The principles relating to the general restriction on the processing of personal data also include the principle of data retention, according to which personal data should be stored in a form that allows the data subject to be identified for no longer than is necessary for the purposes for which the data is processed. This means that once the purposes of processing have been achieved, the data should be erased or anonymised (Article 5(1)(e) of the GDPR).

The interpretation of the above principles was of significant importance in the judgment delivered by the Court of Justice of the European Union (‘CJEU’) on 20 October 2022, Case C‑77/21. The dispute at the heart of the case was between the Hungarian company Digi, one of the main internet and television service providers in Hungary, and the Nemzeti Adatvédelmi és Információszabadság Hatóság (the national data protection and freedom of information authority in Hungary) concerning a breach of the protection of personal data contained in Digi’s database. In this case, the Hungarian court referred questions to the CJEU for a preliminary ruling concerning the compatibility of the parallel storage of the same data in another database with the principle of purpose limitation.

FACTS

In 2017, following a technical fault, Digi created a test database to which it copied the personal data of approximately one-third of its individual customers, stored in another database. Two years later, Digi learned that a ‘white hat hacker’ had gained access to the personal data it held and had notified the company of this. Digi rectified the error that had enabled this access and entered into a confidentiality agreement with that person, offering a reward. After deleting the test database a few days later, Digi notified the national authority of the personal data breach, following which the authority initiated an inspection procedure.

However, in its decision, the national authority found that Digi had infringed Article 5(1)(b) and (e) of the GDPR because, after carrying out the necessary tests and rectifying the error, it did not immediately delete the test database, with the result that a large amount of personal data, which allowed for the identification of the data subjects, was stored in that database without a specific and legitimate purpose for almost 18 months. Consequently, the authority imposed a financial penalty on the company, which the company challenged before the court, which subsequently referred questions to the CJEU.

CJEU’S POSITION

The Court held that the principle of purpose limitation set out in Article 5(1)(b) of the GDPR must be interpreted as not precluding the controller from recording and storing – in a database created for the purpose of carrying out tests and correcting errors – personal data previously collected and stored in another database, provided that such further processing is consistent with the specific purposes for which the personal data were originally collected.

The grounds for the judgment delivered by the CJEU indicate that the performance of tests and the correction of errors affecting the subscriber database demonstrate a specific link to the performance of subscriber contracts concluded with individual customers, for the performance of which the data was originally collected, as such errors may have a detrimental effect on the provision of the service provided for in the contract. In the CJEU’s view, such processing does not deviate from customers’ legitimate expectations regarding the further use of their personal data. This means that copying data to a new database for the purpose of correcting errors in the IT system must be regarded as further processing, and such action does not require additional consent from customers.

However, the CJEU noted that the principle of data retention limitation requires the controller to be able to demonstrate that personal data are stored only for the period necessary to achieve the purposes for which they were collected or for which they were further processed. In this case, Digi argued that, after carrying out tests and correcting errors, it did not immediately delete the personal data of some of its individual customers stored in the test database. In light of the above, the CJEU therefore held that such conduct by the company infringed the principle of data retention limitation, as the controller retained data previously collected for other purposes for a period longer than was necessary to carry out tests and correct errors.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 2016 No 119, p. 1, as amended)

Frequently asked questions

No, such action does not require additional user consent. The Tribunal ruled that tests and bug fixes are closely related to the performance of subscription contracts, so they do not deviate from customers’ legitimate expectations regarding the use of their data.

Is storing copied data in a test database lawful if it serves to repair the system?

Yes, storing data in a new database intended for testing and bug fixes is permitted, provided that further processing is compatible with the original purposes for which the data was collected. Such action does not violate the purpose limitation principle, as long as it aims to ensure proper service provision.

How long can data be stored in a test database after fixing the error?

Data should be deleted immediately after completing tests and repairs, because the storage limitation principle prohibits keeping it longer than necessary to achieve the purpose. Storing data for many months after completion of repair work constitutes a violation of the law.

Can a company be penalized for long-term storage of data in a test database even with good intentions?

Yes, supervisory authorities may impose penalties for violating the storage limitation principle if the controller does not delete data within the time necessary to conduct tests. Even if the purpose is justified, purposeless extension of the storage period is illegal.

Where to start

Running a company with a matter to resolve?

That is where most conversations with a lawyer begin. A consultation is paid, PLN 600 net. You pay for a real opinion: whether you have a legal problem, what you can do about it and roughly what it costs. It ties you to nothing further, and you do not need to know the law, that part is on us.

  1. 1
    Talk

    You tell us what is going on, in your own words.

  2. 2
    What next

    We tell you your options and what it costs.

  3. 3
    We act

    You give the go-ahead and the matter is ours.

Martyna Dobkowska
Author
Martyna Dobkowska
Associate

She specializes in civil, commercial and business law. In the corporate and energy department, her activities are mainly based on providing corporate services to companies, reviewing and preparing commercial contracts, drafting litigation and non-litigation pleadings and preparing analyses and legal opinions, particularly in the sphere of business law and energy law. She also has professional experience in administrative and civil proceedings, which she gained in Warsaw law firms. She supports the Firm's…

View profile →

Related publications

Book a consultation

Book a consultation with one of our lawyers.

Schedule a consultation