Table of Contents:
- CJEU rules on the possibility for a supervisory authority to reject a complaint also brought before a judicial body
- CJEU rules on personal data processing in judicial proceedings
- AG Norkus: Individuals contributing to evaluative judgments are not sources of data
- European Commission proposes upgrades to the Europol and Eurojust Regulations and the data protection rules in the AFSJ in Regulation 2018/1725
- EDPB releases new documents
In the present edition, we discuss two CJEU judgments, and one AG Opinion on different aspects of the GDPR. In addition, we present a list of the newest legislative proposals in the field of data protection and EDPB documents.
CJEU rules on the possibility for a supervisory authority to reject a complaint also brought before a judicial body
[1] On 18th June, the CJEU ruled in the case of Datenschutzbehörde. In terms of the facts, the case essentially concerned a physician, who requested from a “search platform enabling third parties to provide reviews and testimonials on physicians…the erasure of certain personal data concerning her, on the basis of the legal situation prior to the entry into force of the GDPR”. This request was rejected by the platform. Consequently, the physician complained before the civil courts, and to the DPA. The DPA rejected the complaint on the basis that the “complaint and the civil action…related to the same subject matter, namely the erasure of personal data concerning” her “as published on that platform”. In this regard, the DPA considered that “the parallel or successive conduct of proceedings before a supervisory authority and judicial proceedings would, from a systematic perspective, be inconsistent with the remedial mechanism provided for under the GDPR. In its view, in such a situation, the supervisory authority would have to rule on the same question as that referred to the civil court”. The DPA further considered that “the concurrent exercise of the right to lodge a complaint with the supervisory authority and of the right to a judicial remedy concerning the same subject matter cannot be permitted”. This led to proceedings in front of the national courts, culminating in proceedings before the Verwaltungsgerichtshof (Supreme Administrative Court), which referred two questions to the CJEU. The Court summarized these as follows: do “Article 77(1) and Article 79(1) of the GDPR” preclude “a supervisory authority, with which a complaint has been lodged under Article 77(1)…from rejecting that complaint on the sole ground that judicial proceedings under Article 79(1)…concerning the same subject matter, have already been brought and even though the decision given in those proceedings is not yet final”. The Court ruled that the Articles in question “must be interpreted as precluding a supervisory authority, with which a complaint has been lodged under Article 77(1)…from rejecting” a “complaint on the sole ground that judicial proceedings under Article 79(1)…concerning the same subject matter, have already been brought and even though the decision given in those proceedings is not yet final”. In this regard the Court highlighted that the grounds of complaint have been designed such as to potentially be brought concurrently, and that should they be allowed to function otherwise, this may result in diminished protection for the data subject. Interestingly, the Court did, in principle, however, recognise the possibility for supervisory authorities to be allowed to suspend cases also pending before judicial fora.
CJEU rules on personal data processing in judicial proceedings
[2] On 18th June, the CJEU ruled in the case of NTH Haustechnik GmbH. In terms of the facts, the case essentially concerned a company employee who sold goods allegedly belonging to the company on eBay – the employee denies the goods belonged to the company. The company discovered this by accessing the employee’s eBay account via the use of their ID and password – precisely how this happened remains the subject of debate – an act of processing personal data which the referring national court accepts may have been unlawful. In this regard, the referring court was unsure as to a number of questions related to the processing of such personal data in the context of judicial proceedings, and accordingly requested clarification from the CJEU. The CJEU considered the following six questions:
- Do Articles 6(1)(c) and 6(3) of the GDPR, in light of Articles 8(2) and 52 of the Charter, preclude “national legislation which…when a court examines the facts and takes evidence…prescribes that it is for the parties to submit detailed factual evidence…and requires that court to take such evidence fully into consideration…without providing any indication as to the circumstances and conditions under which the facts stated and the evidence adduced by the parties containing personal data may be used by that court”?
- Does Article 17(3)(c) set “out an alternative lawfulness condition which the processing may satisfy in order to comply with Article 5(1)(a)…which is distinct from…the lawfulness conditions listed in…Article 6(1) of the GDPR”?
- Does Article 5(1)(c), in light of Article 52(1) of the Charter, mean the principle of data minimisation “requires a court to ensure…that the principle of proportionality is observed”?
- Do Articles 7 and 8 of the Charter, and Articles 5(1)(c), 6(1)(c), and 6(3) of the GDPR preclude national courts “from using evidence containing personal data obtained in breach of the right to the protection of privacy and the right to protection of personal data by the party transmitting such data to it”?
- Do Articles 13(1) and (2) of the GDPR preclude a national court, “when acting in its judicial capacity, from using data collected by a person who has failed to comply with…obligations to provide information under that provision”?
- Does the GDPR require a national court, when “acting in its judicial capacity, to ensure compliance with that regulation when it processes personal data relating to persons who are not a party to the proceedings pending before it” and does EU law require “that one of the parties to those proceedings be able to rely on the fact that those data have been collected or stored unlawfully…by the other party in breach of the rights which those third parties derive from that regulation”?
In consideration of these questions, the Court concluded:
- Articles 6(1)(c) and 6(3) of the GDPR, in light of Article 8(2) and Article 52 of the Charter do not preclude national legislation such as that in question “provided…(i) there is clear and precise national case-law, the application of which is foreseeable, and which itself establishes the circumstances and conditions under which the facts stated and the evidence adduced by the parties containing personal data may be used by a court, (ii) that case-law meets an objective of public interest and (iii) that case-law is proportionate to that objective”.
- Article 17(3)(e) “does not formulate an alternative lawfulness condition which processing could satisfy in order to comply with Article 5(1)(a)…and which is distinct from…those listed in the first subparagraph of Article 6(1)”.
- Article 5(1)(c), in light of Article 52 of the Charter means “the principle of ‘data minimisation’ does not require a court to ensure, for each processing of personal data it undertakes, that the principle of proportionality is observed…provided that the conditions laid down in Article 5(1)(c)…are met”.
- Articles 7 and 8 of the Charter, and the relevant provisions of the GDPR do not preclude “a national court from using evidence containing personal data obtained in breach of the right to privacy and the right to the protection of personal data by the party which transmitted such data to that court…. By contrast, before disclosing those data to the parties or third parties, that court must verify that such data are limited to what is necessary in relation to the purposes for which such disclosure is made and, as appropriate, take certain measures to minimise the impediment to the right to the protection of personal data which such disclosure is likely to entail”.
- Articles 13(1) and (2) do not preclude “a national court…from using data collected by a party or by a third party which has failed to comply with its obligations to provide information”.
- A “court is required, when acting in its judicial capacity, to ensure compliance with” the GDPR “when it processes personal data relating to persons who are not a party to proceedings. EU law does not require one of the parties to those proceedings to be able to rely on the fact that the other party collected or stored data unlawfully…in breach of the rights which those third parties derive from that regulation”.
This is an lengthy and involved case, in which many separate questions relating to the processing of personal data in judicial proceedings were considered. It is not possible, in the context of this brief summary, to elaborate on the Court’s reasoning in relation to each question. Accordingly, we strongly encourage all interested in personal data processing in the judicial sector to read the text of the case in full.
AG Norkus: Individuals contributing to evaluative judgments are not sources of data
[3] On 18th June, AG Norkus advised the Court on the scope of the right of access in relation to the source which provided the personal data of a data subject in Waldfelber. As to the facts of the case, a headteacher of a school in Austria (TS) learned that the applicant in the main proceedings (RS) has been appointed as a programme coordinator for a training for the teachers in his school. The trainings are organised by the University of Educational Sciences (UES). TS made enquiries among his acquaintances to find out more about RS. After a conversation with one of them, TS sent an email from his professional account to the UES, requesting a different programme coordinator to be appointed for the training of his colleagues. RS learned about the email and requested to know the identity of the third party (or source of information) who gave negative feedback, relying on his right of access under Article 15(1)(g) GDPR. In order to solve the legal dispute, the referring court asked the CJEU the following three questions: (1) whether TS can be classified as a controller; (2) whether the right of access, more precisely the right to know the identity of the person who provided information concerning oneself, applies in the present case, and (3) whether not complying with the right of access as regards the source of the data may give rise to claims for damages and whether the Austrian law on liability is compatible with the GDPR. AG Norkus advised the CJEU to rule as follows. On the first question, AG Norkus opined that a headteacher who processes personal data in his professional capacity, acting on behalf of the school he is employed at, does not qualify as a controller under Article 4 GDPR. In such a case, he suggested, the school would be the controller. Having reached that conclusion, AG Norkus argued that it is not necessary to answer the remaining two questions. However, he decided to propose an answer in case the CJEU decides to go into these questions. On the second question, AG Norkus advised that the scope of the right of access should be assessed in relation to its purpose of enabling the data subject to control the legality of the processing of their data, and that it encompasses evaluative judgments. Then, he turned to the question of who should be considered to be the source of information in casu. He opined that if the evaluative judgment is to be attributed to TS, then he should be considered to be the source of the information. If, however, TS merely cites the opinion of his interlocutor, then the interlocutor should be seen as the source. He suggested that the referring court should decide on this. AG Norkus also examined whether TS’s interlocutor could be considered to be “‘any available information as to [that] source’” under Article 15(1)(g) GDPR and answered this question in the negative. As to the third question, he referred to Brillen Rottler, where the CJEU established that a breach of the right to rectification could in principle give rise to damage claims. As to the Austrian law on liability, AG Norkus opined that “Article 82 of the GDPR does not preclude national rules pursuant to which persons acting on behalf of certain public legal entities cannot be held liable for the damage which they cause to data subjects, in their capacity as controllers or processors, provided that those rules also identify the entity against which a claim for compensation may be brought by such data subjects”.
European Commission proposes upgrades to the Europol and Eurojust Regulations and the data protection rules in the AFSJ in Regulation 2018/1725
[4] On 24th June, the European Commission tabled the following important legislative proposals:
- Proposal to amend the current Europol Regulation, in order to boost in particular Europol’s data processing capabilities, including by allowing it to establish a Police Shared Data Space;
- Proposal to amend the current Eurojust Regulation, including giving Eurojust more analytical capabilities and opportunities to cooperate, e.g. with Europol;
- Amendments especially to Chapter IX Regulation 2018/1725 (on the data protection rules applicable to the EU bodies and agencies in the AFSJ);
- Proposal on an update to the European Investigation Order; and
- Proposal on a novel European Remote Participation Order.
EDPB releases new documents
[5] Last week, the EDPB issued the following new documents:
- An Update to the “One-Stop-Shop (OSS) case digest on right to object and right to erasure” and
- A “dedicated contact form for stakeholders to report possible inconsistencies in how the GDPR is interpreted across Europe”.
More Information:
[1]https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62024CJ0414
[2]https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62024CJ0484
[3]https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62025CC0185
[4] https://ec.europa.eu/commission/presscorner/detail/en/ip_26_1420
[5] https://www.edpb.europa.eu/news/one-stop-shop-case-digest-on-right-to-object-and-right-to-erasure-updated_en; https://www.edpb.europa.eu/news/supporting-gdpr-consistency-edpb-launches-dedicated-form_en