The GDPR and the Convention, no strangers to each other – Judgment of the CJEU in the case of Deldits

In the case of Deldits (C-247/23, 13.3.2025), the CJEU ruled on the right to rectification of incorrect personal data appearing in a public register, as provided for by Article 23 of Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation”, “GDPR”).

In the case at hand, VP, an Iranian national who had obtained refugee status in Hungary, unsuccessfully applied for the rectification in the asylum register of their gender identity from female to male. VP’s application, which relied on Article 16 of the GDPR (right to rectification of inaccurate personal data), was rejected by the Hungarian asylum authority on the ground, inter alia, that VP had not proved that they had undergone gender reassignment surgery.

In light of Article 5(1)(d) of the GDPR (principle of the accuracy of personal data), the CJEU first holds that since the purpose of collecting personal data is to identify the data subject, these data should relate to VP’s gender identity at the time of their registration in the asylum register and not the gender identity assigned to them at birth. National law cannot stand in the way of the right to have incorrect data rectified accordingly, pursuant to Articles 8(2) of the EU-Charter and 16 of the GDPR (§§ 32-37).

The CJEU then examines, in light of Article 23 of the GDPR, which regulates the restrictions which can be applied to the rights and obligations laid down in the GDPR, the Hungarian administrative practice according to which the exercise of the right to rectification of the personal data relating to the gender identity of a natural person is conditional upon the production of evidence of, in particular, gender reassignment surgery.

The CJEU finds this practice not to fulfil the requirements of Article 23 and, consequently, to be incompatible with the right to rectification of personal data, within the meaning of Article 16, because a) the said practice is not provided for by a legislative act, and b) the only evidence accepted in support of the request for rectification of the person’s gender identity is evidence of a gender reassignment surgery.

*              *              *

What is noteworthy, from a Convention point of view, is the CJEU’s reasoning leading to that conclusion, notably on the question whether the restrictions entailed by the said practice respect the essence of the fundamental rights and freedoms involved and are necessary and proportionate, as required by Article 23. In holding that this is not the case, because the said practice undermines the essence of, in particular, the right to the integrity of the person and the right to respect for private life, as enshrined in Articles 3 and 7 of the EU-Charter, the CJEU also refers to case-law of the ECtHR to the same effect, notably X and Y v. Romania and Garcon and Nicot v. France.

The CJEU thereby relies on Article 52(3) of the EU-Charter, according to which the rights guaranteed by the Charter have the same meaning and the same scope as the corresponding rights guaranteed by the Convention, the latter constituting a minimum threshold of protection (§ 46).

The impact of such references by the CJEU in the application of the GDPR should not be underestimated, as they confirm the relevance of the Convention in this legal area, more particularly in making clear that restrictions under the GDPR not only must comply with the Charter but also should not lower the Convention protection level. Such an indication is even more significant in view of the fact that the GDPR itself makes no reference to the Convention, except in Recital 73 dealing with restrictions. This somehow suggests that the EU lawmaker considered the Convention to be of little importance for the GDPR.

Nowhere else is there any explicit indication by the EU lawmaker that the GDPR does not intend to lower the Convention protection level, as one can find in numerous other pieces of secondary legislation, e.g. in their non-regression clauses. Admittedly, Recital 4 states that the GDPR “respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties”. But can such a general formulation in a recital be equated with a proper non-regression clause?

The value of such non-regression or equivalent clauses becomes clear when considering that pursuant to Articles 78 and 79 of the GDPR, national courts are competent to deal with the judicial remedies which data subjects are entitled to use against supervisory authorities, controllers or processors acting on the basis of the GDPR. As with any other EU law context, when applying the GDPR these national courts must also comply with the Convention (see, among others, Bivolaru and Moldovan v. France). Mutatis mutandis, this, in principle, also holds true for all other national bodies or agents entrusted with the performance of duties under the GDPR, since no part of the legal systems of the EU Member States is outside the scope of the ECtHR’s jurisdiction as determined by Article 1 of the Convention (Bosphorus v. Ireland, § 153).

The CJEU can therefore only be commended for referring in this important area to Article 52(3) of the EU-Charter and the threshold function it confers on the Convention in EU law (on this function, see Optionality of the Convention). First, this is a useful reminder that the application of the GDPR by national authorities is not outside the scope of the Convention. Secondly, the reference to the threshold function of the Convention is also an indication that while it can perhaps be assumed that the GDPR is generally not lowering the Convention protection level, this should nonetheless, by virtue of Article 52(3) of the EU-Charter, be double-checked at national level in case of doubt in a concrete case, if necessary by referring the issue to the CJEU for a preliminary ruling under Article 267 TFEU.