Data Protection Insider, Issue 137

17. July 2025  |   by DPI Editorial Team
Data Protection Insider, Issue 137 - DPI 33

-CJEU Examines Rules on Data Disclosure for Evidence Purposes-

On 3rd July, the CJEU delivered a judgment following an appeal in the case of Parliament v TC. As to the background of the dispute, it concerns in essence the procedure for terminating the contract of an accredited parliamentary assistant (A), who had been recruited by a Member of the European Parliament (TC). The dispute was initially settled by the General Court (GC), but the Parliament appealed the judgment in front of the CJEU. In substance, in the framework of the contract termination dispute, questions related to compliance with the EU Data Protection Regulation (EUDPR) – applicable to EU institutions, bodies and entities – came up, as well as questions on the right of the defence in relation to disclosure of documents. These issues can be summarized as follows. First, the Parliament claimed that the GC had erred by ruling that the Parliament had not properly justified its refusal to disclose to TC his emails from 2015 and 2016 and information on A’s access to the Parliament, available from the use of A’s card to access the Parliament, as well as information on how often parliamentary protection was granted to A. The CJEU started by observing that the right of access to one’s file (in contrast to access to any document) is tied to the rights of the defence (Article 41 (2) (a) and (b) CFREU). The CJEU held that the Parliament had correctly withheld the disclosure of all the documents requested by TC, because TC had not ‘set out with sufficient precision…both the evidence which may be in the Parliament’s possession and the facts, relating to the genuineness of that assistant’s work and to the link between that work and the Member’s mandate, which that evidence would be capable of proving, so that the Parliament may identify that evidence for the purposes of its verification’. In addition, the CJEU held that the parliamentary policy on MEP emails was to delete them after 90 days, unless the emails were saved by the MEP themselves. Thus, the Parliament would have breached its own rules if it had retained the emails for longer, and it would have breached the principle of MEP independence if the Parliament had scanned the emails before deleting them in order to check which emails might be relevant for the case before deleting them. Furthermore, the CJEU held that the Parliament was also not obliged to store the data on A’s usage of their card to access the Parliament for longer than required by its policy on the retention of this data, or to store information on the parliamentary protection granted to A. Second, the CJEU provided guidance on the interpretation of Article 9(a) and (b) EUDPR –concerning the disclosure of personal data to entities other than EU institutions and bodies. It ruled that ‘the data requested by TC could not be regarded as being ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the recipient’ within the meaning of Article 9(1)(a) of that regulation’ but that ‘the conduct of a procedure for the recovery of parliamentary assistance expenses unduly incurred by the Parliament in respect of a Member, while respecting that member’s rights of the defence, must be regarded as serving ‘a specific purpose in the public interest’, within the meaning of Article 9(1)(b) of Regulation 2018/1725’. Finally, the CJEU ruled that the Parliament was right in refusing to forward A’s personal file to TC, because according to the Article 26 Staff Regulations, the personal file could be consulted only on the premises of the Parliament or on a secure electronic medium, whereas TC requested the mere forwarding of the file to him. The CJEU ruled finally that TC’s pleas related to the non-disclosure of information to him should be rejected, but referred back to the General Court the remainder of pleas for final judgment.

-ECtHR Rules on Police Disclosures in Employment Vetting-

On 1st July, the ECtHR ruled in the case of A.R. v. the United Kingdom. In terms of the facts, the case, in essence, concerned two disclosures, in relation to two different potential employers, ‘by the police, in the context of enhanced employment vetting, of information that the applicant had been charged with rape and had subsequently been acquitted at trial, and a description of the circumstances of the alleged offence’. These disclosures were made as part of ‘an enhanced criminal record certificate (“ECRC”)…issued by the Criminal Records Bureau (“CRB”)’. The applicant complained about these disclosures to the police, as well as to domestic courts. These complaints, however, were not successful. In this regard, the applicant complained to the Court ‘under Article 8 of the Convention that the disclosure in his ECRCs of the information concerning the charge of rape of which he was acquitted at trial was neither in accordance with the law nor necessary in a democratic society’ – the applicant also complained under Article 6(2) of the Convention, the substance of which the Court considered as part of the Article 8 complaint. The Court, in a brief judgment, unanimously held that there had ‘been a violation of Article 8 of the Convention’. The Court focused on the ‘in accordance with the law’ criterion. In this regard, the Court concluded ‘that the legal provisions in force at the relevant time, taken together with applicable guidance, left an excessively broad discretion for the competent authorities in the application of the’ relevant disclosure. The Court continued that there ‘were insufficient safeguards to afford adequate legal protection against the arbitrary exercise of that discretion and, as a result, the disclosure was not in accordance with the law’. Despite this, the Court also observed that the legal situation has changed since the events in the case, and ‘that additional statutory and non-statutory guidance has been published for both chief officers and employers’ which may lead ‘to a different conclusion in a future case’. The Court thus did not go on to consider ‘whether the disclosure was “necessary in a democratic society”’.

-EDPB Publications-

Over the past two weeks, the EDPB has published the following important documents:

• ‘EDPB-EDPS Joint Opinion 01/2025 on the Proposal for a Regulation on simplification measures for SMEs and SMCs, in particular the record-keeping obligation under Art. 30(5) GDPR’;
• ‘The Helsinki Statement on enhanced clarity, support and engagement’.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply

back to overview