Data Protection Insider, Issue 109

– CJEU: Fingerprints in EU National Cards Not Contrary to Fundamental Rights to Privacy and Data Protection –

On 21st March, the CJEU ruled in RL v Landeshauptstadt Wiesbaden that EU Regulation 2019/1157, which requires EU national identity cards to include two fingerprints of the card holder, is not incompatible with the EU fundamental rights to privacy and data protection. As to the facts of the case, a German citizen applied for a new identity card. Under the new legal framework set by Regulation 2019/1157, he was obliged to provide his fingerprints for inclusion in the chip of the new identity card. He refused to do so, arguing that this requirement constitutes an infringement of his fundamental rights to privacy and data protection. Eventually the question reached the CJEU via the preliminary ruling procedure. The CJEU ruled as follows. First, it established, partially repeating its judgment in Schwarz, that the inclusion of two fingerprints in the chips of the cards, which are sensitive data and allow for the precise identification of individuals, as well as the data processing operations (collection of fingerprints and temporary storage), constitute an interference with Article 7 Charter (fundamental right to privacy) and Article 8 Charter (fundamental right to data protection).
Second, it ruled that the interference with these two rights is justified pursuant to Article 52(1) Charter: i) Regulation 2019/1157 constitutes an appropriate legal basis for the interference, as long as it is still valid; ii) the essence of the two fundamental rights is respected, because ‘the information provided by fingerprints does not, in itself, make it possible to have an overview of the private and family life of data subjects’; iii) the Regulation pursues objectives of general interest of the Union, namely combating document fraud and the ‘interoperability of identification document verification systems’, thus facilitating free movement within the Union; and iv) the inclusion of fingerprints constitutes an appropriate, necessary and proportionate measure for attaining the above objectives. The last point was examined at length by the Court, and the analysis provides interesting insights into how the Court assesses proportionality in relation to the processing of (sensitive) biometric data. However, Regulation 2019/1157 was invalidated by the Court with effect from 1 January 2027, because the Court found that it was adopted on the wrong legal basis (Article 21(2) TFEU on the right to free movement), whereas the correct legal basis should have been Article 77(3) TFEU concerning the policies on border checks, asylum and immigration, which requires unanimity within the Council.


– CJEU Rules on Supervisory Powers to Order Erasure –

On 14th March, the CJEU ruled in the case of Újpesti Polgármesteri Hivatal. The case concerned a scheme launched to provide financial relief to citizens related to COVID-19. In the course of developing and implementing this scheme, personal data were requested and transferred from one authority to another, and then subsequently processed. Following this, and acting on its own initiative, the Hungarian supervisory authority launched an investigation, and found the use of personal data problematic on a number of grounds. The authority then ordered the erasure of certain personal data, as well as issuing a fine. The decision was then appealed before national courts, where it was argued that the supervisory authority ‘does not have the power under Article 58(2)(d) of the GDPR to order the erasure of personal data in the absence of a request from the data subject, for the purposes of Article 17’ and that Article 17 ‘is solely intended as a right of the data subject’. In light of the above, the following two questions were referred to the CJEU:

  • Do Articles 58(2)(c), (d) and (g) mean a supervisory authority can, when exercising corrective powers, ‘order the controller or processor to erase unlawfully processed personal data’, although the data subject has not made a request under Article 17(1)?
  • Do the powers in Article 58(2) mean a supervisory authority can order the erasure of unlawfully processed personal data in relation to data collected from the data subject, as well as ‘data originating from another source’?

In response to these questions, the CJEU concluded:

  • Articles 58(2)(d) and (g) mean a supervisory authority can, when exercising corrective powers, require ‘the controller or processor to erase unlawfully processed personal data, even though no request to that end has been made by the data subject…pursuant to Article 17(1)’ – the CJEU highlighted the need to interpret law in light of its context and aim, as well as the fact that, should an alternative conclusion have been reached, this ‘would mean that the controller, where there is no such request, could retain the personal data at issue and continue to process them unlawfully’ which ‘would undermine the effectiveness of…protection…since it would result in persons who take no action being deprived of protection’.
  • Article 58(2) means ‘the power of the supervisory authority…to order the erasure of unlawfully processed personal data may apply both to data collected from the data subject and to data originating from another source’.

The case is short, and the conclusions somewhat unsurprising. The case is nevertheless interesting in a number of respects, including the references made to prior national jurisprudence which came to a different conclusion – highlighting again the variety of interpretations of harmonized law across Member States – as well as for the Court’s reference to, and use of, an Opinion of the EDPB – which, to our knowledge, is unusual.



– EDPB Holds 91st Plenary Meeting –

On 14th March, the EDPB held its 91st Plenary Meeting. From the agenda of the meeting, it seems the following significant points, amongst others, will have been discussed:

  • ‘Request for a mandate regarding guidelines on urgency procedure under Art. 66 GDPR’;
  • ‘Request for a mandate regarding financial data access and payment packages of the European Commission’;
  • ‘Request for a mandate relating to age verification criteria’;
  • ‘Request for an extension of the mandate regarding guidance on Art. 48 GDPR’;
  • ‘Presentation of the Fundamental Rights Agency on their draft conclusions of the GDPR evaluation’.

At the time of writing, only the agenda of the meeting is available. We presume materials relating to the outcome of the meeting will become available in due course.




DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
