Data Protection Insider, Issue 151

26. March 2026  |   by DPI Editorial Team

-CJEU Rules on the Systematic Collection of Biometric Data for Law Enforcement-

On 19th March, the CJEU ruled in the case of HW. In terms of the facts, the case essentially concerned a participant in a demonstration, who was arrested by police. Following their arrest, the plaintiff refused to be fingerprinted and photographed. In consequence, he was charged with the offence of ‘having refused, although he was reasonably suspected on one or more grounds of having committed or attempted to commit an offence, to consent to the gathering of identification data, in particular by the taking of fingerprints, palm prints or photographs for the purposes of entry into and consultation of police databases, in accordance with the rules applicable to each of those databases’. ‘HW and the ministère public (Public Prosecutor’s Office, France) each brought an appeal against that judgment before the cour d’appel de Paris (Court of Appeal, Paris, France), which is the referring court’. This court referred the following three questions to the CJEU:  

  • Does Article 10 of Directive 2016/680, ‘read in conjunction with Article 4(1)(a) to (c) and Article 8’ preclude national legislation which provides for ‘systematic gathering of identification data (fingerprints and photographs) from persons who are suspected on one or more grounds of having committed or attempted to commit an offence?’ 
  • Do the same Articles preclude national legislation ‘which does not impose on the competent authority an obligation to provide, in each individual case, a sufficient statement of reasons as to why it is strictly necessary to gather identification data?’ 
  • Do the same Articles preclude national legislation ‘which allows the prosecution and conviction…of a person’ on the sole basis that they have ‘refused to consent to the gathering of identification data’? 

In relation to these questions, the CEJU provided the following clarifications:  

  • These Articles preclude national legislation which provides for such ‘systematic collection of the biometric data…unless it is established, first, that the national law defines the specific and concrete purposes pursued by that collection in an appropriate and sufficiently precise manner, and second, that the competent authority is required, in each individual case, to assess whether that collection is strictly necessary’. 
  • These Articles preclude national legislation national legislation which does not require the ‘competent authority to provide a sufficient statement of reasons…as to why it is’ strictly necessary ‘to collect the biometric data of a person reasonably suspected…of having committed or attempted to commit a criminal offence’. 
  • These Articles do not preclude ‘national legislation which allows a person to be prosecuted’ solely ‘for…refusal to allow the collection of his or her biometric data…provided that that collection satisfies the’ strictly necessary ‘condition…and…the criminal penalty…observes the principle of proportionality’. 

-CJEU Clarifies the Scope of Abuse of the Right of Access

On 19th March, the CJEU delivered its judgment in Brillen Rottler GmbH & Co. KG v TC, in which it ruled that the right of access to one’s data may be abused where the data subject does not request access for the purpose of protecting their rights as guaranteed by the GDPR. As to the facts of the case, the applicant (TC) subscribed to Brillen Rottler’s newsletter by providing his personal information. Then, he filed a data access requestBrillen Rottler refused to act upon it within the legally prescribed one month, arguing it was excessive and thus abusive. TC submitted a claim for damages (1000 Euros) under Article 82 GDPR. Brillen Rottler argued that from information posted online, e.g. in legal blogs, it was apparent that TC systematically subscribes to various newsletters, requests access to his data and then claims for compensation, and that this proves the abusive nature of his reliance on the right of access. The dispute escalated to the CJEU, which was called on to rule (1) whether a first request for access to one’s data can be excessive; (2) whether the right to compensation in Article 82 GDPR applies when the right of access has been infringed and (3) whether non-material damage can result from the loss of control over the processing of one’s dataThe Court ruled as follows. With regards to the first question, it ruled that a first request of access could be regarded as ‘excessive, but that the concept of ‘excessive’ has to be read restrictively. It ruled further that the controller bears the burden of proof that an initial request is ‘excessive’ by demonstrating that ‘despite formal observance of the conditions laid down by those provisions, that request was made by the data subject not for the purpose of being aware of the processing of those data and verifying the lawfulness of that processing, in order to be able, subsequently, to obtain protection of his or her rights under that regulation, but with an abusive intention, such as that of artificially creating the conditions laid down for obtaining an advantage from that regulation. In addition, Brillen Rottler may take into account the information available about the conduct of the data subject, ‘provided that it is supported by other relevant material. With regards to the second question, the CJEU ruled that even where there is an infringement of the GDPR that does not, as such, involve the processing of data, the data subject may rely on the right to compensation provided for in Article 82 of that regulation. As to the third question, the CJEU concluded that ‘the non-material damage suffered by the data subject encompasses the loss of control over his or her personal data or his or her uncertainty as to whether his or her data have been processed, provided that it is demonstrated, in particular, that the data subject actually suffered such damage and that his or her conduct was not the determining cause of that damage. 

-EDPB/EDPS Publish New Documents-

In the past two weeks, the EDPB/EDPS published the following documents: 

About

DPI Editorial Team


Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.


Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply

back to overview