Data Protection Insider, Issue 89


– CJEU Decides on Personal Data Processing in Civil Proceedings


On 2nd March, the CJEU passed down its verdict in the case of Norra Stockholm Bygg AB v Per Nycander AB, other party: Entral AB. In terms of the facts, the case concerned the construction of a building by the appellant for the respondent. The register of employee activity on the project was held by Entral AB. With regard to the project, the respondent challenged the request for payment, claiming the requested amount was too high. In order to prove this claim before the court, the respondent requested the disclosure of employee activity records from Entral AB. The request was opposed by the appellant, who suggested that the disclosure would breach the GDPR, given that the requested data had been collected for another purpose and could not be used as evidence. National courts initially ordered the production of the records, a decision which the appellant appealed. In this regard, the referring court submitted two questions to the CJEU:


1. ‘Does Article 6(3) and (4) of the’ GDPR ‘also impose a requirement on national procedural legislation relating to’ the requirement to produce documents?

2. Does the ‘GDPR mean that regard must also be had to the interests of the data subjects when a decision on’ production ‘must be made which involves the processing of personal data? In such circumstances, does EU law establish any requirements concerning how, in detail, that decision should be made?’


In relation to these questions, the Court decided:


‘Article 6 (3) and (4) of the GDPR’ mean ‘that provision applies, in the context of civil court proceedings, to the production as evidence of a staff register containing personal data of third parties collected principally for the purposes of tax inspection’.

‘Articles 5 and 6 of the GDPR’ mean that, when considering the necessity of ordering a document, a national court must consider ‘the interests of the data subjects concerned’ and balance these ‘according to the circumstances of each case, the type of proceeding at issue and duly taking into account the requirements arising from the principle of proportionality as well as, in particular, those resulting from the principle of data minimisation…in Article 5(1)(c).’


This is an interesting case worthy of attention. This is not only because it deals with a special, and important, processing sector – judicial proceedings – but also because the judgment contains a range of interesting discussions and statements on, for example, the relationship between data protection and the right to effective judicial protection, and on the concept of pseudonymisation.



– ECtHR Rules on Publication of Personal Data on Tax Authority Website 


On 9th March, the ECtHR passed down its verdict in the case of L.B. v. Hungary. In terms of the facts, the plaintiff was found, in domestic procedures, to owe significant sums in unpaid taxes. In 2014, the tax authority then ‘published the applicant’s personal data, including his name and home address, on the list of major tax defaulters on its website’ – a measure which was provided for in national law. ‘The applicant’s name and home address were’ also ‘published on the list’. Subsequently, in 2016, ‘an online media outlet produced an interactive map called “the national map of tax debtors”. The applicant’s home address, along with the addresses of other tax debtors…was indicated with a red dot, and if a person clicked on the dot the applicant’s personal information…appeared, thus making the data available to all readers’. The applicant’s entry was removed in 2019, ‘when his tax arrears became time-barred’. Finally, following ‘the entry into force of the amendments to the 2017 Tax Administration Act on 1 January 2020…the applicant’s personal data, together with information on which fiscal years his tax debts related to, became accessible through the search interface on the Tax Authority’s website’. Appealing to the ECtHR, the ‘applicant alleged that the publication infringed his right to respect for private life as protected by Article 8 of the Convention’. 
In this regard, the Court eventually – after deliberating centrally on whether the national legislative measures in question had been enacted by Parliament after an adequate consideration of all the interests involved – concluded that: ‘given the systematic publication of taxpayer data, which included taxpayers’ home addresses, the Court is not satisfied, notwithstanding the margin of appreciation of the respondent State, that the reasons relied on by the Hungarian legislature in enacting the section 55(5) publication scheme, although relevant, were sufficient to show that the interference complained of was “necessary in a democratic society” and that the authorities of the respondent State struck a fair balance between the competing interests at stake’. This is an interesting case, not only for the subject-matter, but also for certain of the details of the Court’s discussions, for example, in relation to the degree of sensitivity of financial data, as well as in relation to the operation of national legislatures concerning data protection principles.



– EDPB Adopts Opinion on EU-US Data Privacy Framework  


On 28th February, the EDPB adopted ‘Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework’. The Opinion does identify a number of positive developments in the Framework in relation to its predecessors. The EDPB also, however, highlights a number of outstanding concerns and considers these should be addressed by the Commission. In terms of substantive content, the Opinion is split into three parts: i) ‘General Data Protection Aspects’ – including, for example, a discussion of issues concerning onward transfers and a discussion of automated decision-making; ii) ‘Access and Use of Personal Data Transferred from the European Union by Public Authorities in the US’ – including, for example, a discussion of issues related to EO 14086, which provides new rules regarding security processing; and iii) ‘Implementation and Monitoring of the Draft Decision’ – including, for example, a discussion of the modalities of the review procedure the EDPB considers important. The fact that the EDPB has raised concerns is perhaps not surprising. Nevertheless – as with the recent Parliament debate on the issue – the expression of these concerns in the Opinion is yet another sign the US-adequacy saga is still far from over.



DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
