Data protection is human protection: EU’s top court demands Hungary correct trans refugee’s documents
Today, the European Court of Justice (CJEU) issued a judgment in the case of Deldits (C-247/23), stating that national authorities responsible for keeping public registers (such as asylum registers) should correct data on gender identity when it is inaccurately recorded. This decision carries significant implications for advancing human rights protections in the EU, at a time when trans people and human rights in general are under massive attack.
Background
Trans refugee in Hungary seeks legal gender recognition
This case concerns a trans man who was granted refugee status in Hungary based on a well-founded fear of persecution in his country of origin because of his gender identity. The trans man requested the correction of his gender marker and name on the national asylum registry (as it reflected his name and sex at birth) under Article 16 of the EU’s General Data Protection Regulation (GDPR) on the basis that the data was inaccurate.
A legal paradox: Granted asylum but denied recognition
Despite the Hungarian authorities granting the applicant refugee status on this ground, he found himself in a paradox: his gender marker was registered incorrectly, and he could not correct it as there is no legal framework regulating the conditions for legal gender recognition (LGR) in the country.
Hungary’s ban on legal gender recognition
This case is a pivotal moment in the ongoing battle for the rights of trans people in Hungary, which has banned LGR for citizens in 2020, whilst refugees never had access to LGR. Moreover, Hungarian authorities requested proof of surgery as a precondition to change the trans man’s gender marker – a practice that the European Court of Human Rights has declared to be in violation of the right to respect for private and family life as protected by Article 8 of the Convention since 2017.
GDPR and human rights
The case raised several important questions for the CJEU: whether the GDPR mandates the correction of gender markers in national registries upon request. If so, does this request require evidence? If so, does it need to include proof of surgical intervention?
CJEU ruling strengthens trans rights and data accuracy rules
Today’s CJEU ruling addresses these questions, and is very favourable. It confirms that the right to rectification under Article 16 GDPR, taken in conjunction with the principle of data accuracy under Article 5(1)(d) GDPR, require authorities, without undue delay, to correct personal data concerning gender identity which is held in public registers when such data is inaccurate.
Importantly, the Court stated that if the purpose of collecting personal data is to identify the individual, the data should refer to the person’s lived gender identity, and not the identity assigned to them at birth. In that respect, the Court underlined that a Member State cannot invoke the absence of a domestic procedure for LGR to limit the exercise of the right to rectification under GDPR.
Secondly, the Court clarified that a person may need to provide reasonable proof to correct inaccurate data, but Member States cannot require proof of ‘gender reassignment surgery’ “under any circumstances”. The Court stated that such a requirement goes against the right to personal integrity (Article 3) and the right to privacy (Article 7) of the Charter of Fundamental Rights.
The Hungarian authorities must now allow for a change of gender marker in the Asylum Registry and all other national registries. However, instead of patchwork procedures by each data controlling entity in the country, the Hungarian government needs to urgently create legal certainty and set up a legal framework for quick, transparent and accessible procedure for LGR, where individuals can adapt their documents to match with their gender identity. The European Court of Human Rights already found that Hungary violates the European Convention on Human Rights for failing to allow such procedure (R.K. v. Hungary, 2023) including for trans refugees (Rana v Hungary, 2020).
The CJEU ruling is also binding upon national authorities keeping a public register across all EU Member States.
Reactions
TGEU Expert Advisor, Richard Köhler, comments: “Trans people deserve accurate personal data—full stop. Today’s Court ruling sends a clear message: while Member States control legal gender recognition processes, they must respect EU law. Evidence can be requested, but surgical proof? Absolutely forbidden.
This isn’t just about refugees—it’s also about asylum seekers and citizens. Where public records are kept to identify people, Member States need to recognise that a person’s real identity is what matters, not labels given at birth. The Court couldn’t be clearer: surgery requirements and forced sterilisation violate EU data protection law. Now, Member States must take action. No more delays. No more excuses. The message is simple: recognise people’s identities without invasive demands. The EU Commission must support Member States with implementation and take decisive action against those who continue to deny trans people their fundamental rights.“
ILGA-Europe Advocacy Director, Katrin Hugendubel, said: “This judgment is a significant step forward for the rights of trans people, including refugees, in the EU – especially in Member States without any legal framework for LGR. At a time when the rights of trans and LGBTI people in general are under constant threat, we call on Member States to implement this ruling by ensuring that their frameworks for collecting and storing personal data are GDPR and fundamental rights compliant. We also call on the EU Commission to actively monitor the implementation of this judgment and to encourage Member States to bring their frameworks for LGR in line with international human rights and EU law standards.”
According to Gábor Győző, the attorney representing the applicant in the proceedings on behalf of Háttér Society and the Hungarian Helsinki Committee: “It is very important and welcomed that the Court not only addressed the specifics of the case, but also assessed the Hungarian legal framework and the protection of the rights of trans people in a broader context. Moreover, this decision also serves as a guideline for all other Member States on this issue.”
“Trans people have been subject to constant governmental harassment in recent years. The judgment is a ray of hope that they cannot be deprived of their rights and denied their existence,” added Eszter Polgári, Director of the Legal Program of Háttér Society.
Joint calls to action
We call on EU governments to adhere to this CJEU ruling and proactively check their national procedures for a GDPR and European human rights compliant framework that allows individuals to quickly, transparently and in an accessible way update gendered data that is held on them. As EU data protection rules apply to anyone in the EU, they also need to ensure data of asylum seekers alongside refugees can be easily updated to reflect a person’s gender identity.
We call on the EU Commission to monitor the implementation of the Deldits case into national case law and adherence of the national authorities to the final decision. Failure in compliance needs to lead to infringement procedures. National Data Protection Authorities (DPAs) should equally monitor implementation and issue fines for non-compliant data controllers.
For a uniform understanding and application across the EU on both the Deldits and Mousse CJEU case law, we call on the Commission to provide practical guidance and the possibility to exchange for Member States and data controllers on implementation.
As EU data protection rules also apply to private actors, any organisation collecting, storing, or processing personal data on names and gender markers needs to check their processes for allowing correction of the data that they hold.
We urge EU institutions and Member States to ensure trans people have access to quick, transparent and accessible paths to LGR.
Congratulations to everyone involved for this incredible victory. Your efforts and dedication will make a huge impact on trans lives across the EU.
ILGA-Europe and TGEU provided support in the CJEU procedure to Háttér Society, which represented the applicant together with the Hungarian Helsinki Committee in this case.
Context
Today’s judgement comes on the heels of a groundbreaking data protection case strengthening the rights of non-binary people, Mousse (C-394/23). In this judgment, the CJEU found that the collection of gendered civil tiles (Mr/Mrs) when purchasing train tickets by a railway company is not necessary for providing transportation services and hence not compliant with the GDPR principle of data minimisation.
EU data privacy rules
The GDPR is Europe’s powerful privacy law that protects people’s personal data by giving them control over how private and public organisations collect, use and store their information. It applies to all organisations handling EU residents’ data anywhere in the world, and goes far beyond cookie settings—it ensures organisations get proper consent, minimise data collection, secure information properly, and allow people to access, correct, or delete their own data.
Today’s judgment particularly addresses national authorities and public registers. Therefore, it goes beyond asylum registers and may well have implications for national civil registries and how such personal data can be corrected.
The Court reaffirmed that regulation of legal gender recognition continues to be within the remit of Member States, but that they must respect EU data protection and fundamental rights when doing so.