Data Protection Insider, Issue 155


Table of Contents:

  1. CJEU: Police HR to apply GDPR when processing personnel data related to investigations
  2. AG Considers Access to Personal Data in EU Documents Related to COVID-19 Vaccines
  3. EDPB Publishes New Materials

 

In the present edition, we inform our readers of an important CJEU judgment, which helps practitioners delineate the scope of applicability of the GDPR and the LED, an AG Opinion dealing with the issue of access to EU documents relating to the COVID-19 pandemic, and new material published by the EDPB.

[1] On 4th June, the CJEU ruled on the distinction between the scope of applicability of the GDPR and the LED in the framework of criminal investigations against police staff for HR purposes and on the right to erasure of HR data in Darashev. As to the facts of the case, the applicant in the main proceedings is a police officer in Bulgaria who has held various positions in different departments, all belonging to the Ministry of the Interior. The “Internal Security” department within the Ministry of the Interior, to which he did not belong, opened investigations against an unknown perpetrator suspected of robbery, and eventually arrested the applicant in the main proceedings. They held him in custody for 24 hours, during which time they collected data on him, including his fingerprints, and asked victims to identify him. As he was not identified by the victims and no traces of his fingerprints were found on the stolen objects, he was released. He was never investigated or accused of the crime in question. In the following years, he applied for promotion within his department several times, and was always turned down by the HR department on account of him having been previously arrested. In the course of the claim for damages which the applicant raised against the Public Prosecutor’s Office, in essence two questions arose: (1) whether the GDPR or the LED is applicable to the processing of personnel data, where the processing takes place by one entity – the Ministry of the Interior – but by different units within it (one unit where the police officer works and of which they are an employee, and one unit which acts in its law enforcement capacity) and (2) how the right to erasure is to be interpreted and applied in relation to his personnel file.
As to the first question, the CJEU established that: “In the present case, although the initial collection of personal data carried out by the ‘Internal Security’ directorate of the Ministry of the Interior for the purposes of the investigation concerning the applicant in the main proceedings falls within the scope of Directive 2016/680, the processing at issue in the main proceedings, in so far as it is carried out for human resources management purposes, falls within the scope of the GDPR”. As to the second question, the CJEU left it to the referring court to decide whether continuing to store the data of the applicant for HR purposes is lawful under the GDPR and provided the following guidance: “Article 17(3)(b) of the GDPR, read in conjunction with point (c) of the first subparagraph of Article 6(1) and Article 6(3) of that regulation and in the light of Article 52(1) of the Charter, must be interpreted as meaning that the storage, in the personnel file of a police officer, for the purposes of the management of his career and the monitoring of compliance…of personal data relating to his or her status as a suspect in a suspended criminal investigation, where that officer has not been accused of or faced criminal charges for the offence concerned, may be regarded as justified for the purposes of compliance with a legal obligation to which the public authority, the employer of that officer, is subject on the basis of national law, provided that that legal basis is clear and precise, that its application is foreseeable for data subjects and that that obligation meets an objective of public interest and is proportionate to that objective”.

[2] On 11th June, Advocate General Rantos delivered their Opinion in the joined cases of European Commission v Margrete Auken and Others and European Commission v Fabien Courtois and Others. In essence, these cases concern appeals by the Commission, which seeks to have prior judgments made by the Court set aside. In these prior judgments, the General Court “annulled in part, respectively, Decision C(2022) 1038 final of the…Commission…taken pursuant to Article 4 of Regulation (EC) No 1049/2001…granting Ms Auken and Others…partial access to the advance purchase agreements and purchase agreements for COVID-19 pandemic vaccines concluded between the Commission and the pharmaceutical undertakings concerned…and Decision C(2022) 1359 final of the…Commission…adopted pursuant to Article 4 of Regulation (EC) No 1049/2001, granting Mr Courtois and Others…partial access to certain documents relating to the purchase of vaccines by that institution in the context of that pandemic”. The case goes somewhat beyond data protection, and those further aspects will not be considered here. In relation to data protection, the case concerns “the extent of the Commission’s power to refuse natural persons, by relying on the protection of personal data, access to documents of the EU institutions relating…to the names of the members of the joint negotiation team, composed of Commission officials and a small number of experts from the Member States, for the purchase of vaccines from pharmaceutical undertakings”. In this regard, the AG’s Opinion considers, in particular, two issues. First: the proposition, put forward by the Commission, “that the General Court wrongly classified as a ‘specific purpose in the public interest’, within the meaning of Article 9(1)(b) of Regulation 2018/1725, the objective of ascertaining the impartiality of the members of the joint negotiation team”. The AG concluded that this proposition “should be rejected as unfounded”.
In doing so, they considered, for example, the legitimacy of the proposition that individual requests for access to documents could be in the public interest, the legitimacy of the proposition that transparency of negotiations could be regarded as representing a specific public interest, and the fact that “disclosure of anonymised versions of…declarations of absence of conflict of interests…do not make it possible to carry out an external verification to check the accuracy and/or completeness of the information contained therein”. Second: the proposition, put forward by the Commission, that the Court had misinterpreted the “second condition laid down in Article 9(1)(b) of Regulation 2018/1725” – concerning the proportionality of transfers of personal data following a weighing of competing interests. In this regard, the Commission asserted that: i) “interference arising from the disclosure of the personal data in question would be particularly serious for the members of the joint negotiation team” for example exposing “them to unsolicited external contacts which would not be limited to contact from the press, but could also include harm to their physical integrity and forms of harassment, in particular by supporters of ‘conspiracy theories’, whose numbers are not insignificant in the context of the COVID-19 pandemic”; ii) that certain of the public servants in question had no decision-making power; and that iii) “the objective of ascertaining the impartiality of the members of the joint negotiation team has already been achieved by the disclosure of anonymised versions of the declarations of absence of conflict of interests”. The AG rejected the Commission’s positions. In doing so, the AG considered the first two of the Commission’s arguments inadmissible – on the basis of lack of specification of the legal challenge to the Court’s argumentation. 
The AG then highlighted, in relation to the Commission’s third argument, the position already put forward in relation to the anonymous disclosure of declarations of absence of conflicts of interests made in relation to the first issue considered.

EDPB Publishes New Materials

Over the past two weeks, the EDPB released the following significant materials:

  • [3] ‘Template for personal data breach notification’ – also subject to public consultation until 5th August 2026

More Information:

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62024CJ0312

[2] https://infocuria.curia.europa.eu/tabs/document/C/2024/C-0631-24-00000000PV-01-P-01/CONCL/322100-EN-1-html

[3] https://www.edpb.europa.eu/our-work-tools/our-documents/other/template-personal-data-breach-notification_en

About

DPI Editorial Team


Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.


Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
