Data Protection Insider, Issue 94

Data Protection Insider, Issue 94 - MicrosoftTeams image 7

– AG Clarifies the Right to Indirect Exercise of Data Subject Rights under the LED 


On 15th June, AG Medina delivered an Opinion in which she provided four significant clarifications on the (indirect) exercise of the rights of the data subject under the LED in Ligue des droits humains ASBL, BA v Organe de contrôle de l’information policière. As to the facts of the case, a Belgian individual applied for a security clearance before taking up a job. The Belgian National Security Authority refused to issue him this certificate on the grounds that he had participated previously in demonstrations. In order to challenge the refusal, the applicant in the main proceedings requested access to the information as to which authorities had entered the data in the respective police records and access to the personal data entered in these records. The access was refused under the Belgian law implementing the LED (‘LPD’), because under this law individuals may not receive any access to the data processed by the law enforcement authorities and any additional information about the processing of their data. They may only request the supervisory authority to check the lawfulness of the processing and to receive only information that the necessary checks have been carried out. By contrast, under the LED individuals should have direct access to the data and only where it is restricted in individual cases, should the right of access be exercised via the supervisory authority which should provide ‘at least’ information that the necessary checks have been carried out (Article 17 (3) LED). During the legal proceedings in Belgium, the following two questions were sent for preliminary ruling: (1) may the answer by the supervisory authority that the necessary checks have been carried out be challenged in court?; and (2) is Article 17 LED compatible with the requirement for independence of the data protection supervisory authorities and the fundamental right to effective judicial remedies under the Charter (Article 8(3) and Article 47 Charter respectively)? When answering the questions, AG Medina provided the following clarifications about the exercise of the data subject rights under the LED. First, she stated that under the LED, direct exercise of the rights (i.e. directly against the controller) is the rule, whereas the indirect exercise of the rights via the supervisory authority should be only the exception and should constitute an ‘additional guarantee’, i.e. it should not be an alternative to direct access. Second, she noted that ‘Article 42 of the LPD establishes a regime of indirect exercise of rights which is incompatible with the manner in which the rights of data subjects are exercised as set out in Directive 2016/680.’ Third, she argued that when data protection supervisory authorities exercise indirect access, they do not act on a mandate given by the data subjects: ‘the EU legislature has, by contrast, granted the supervisory authority a leading and active role in the verification of the lawfulness of data processing which can be carried out solely by a public authority.’ When verifying the lawfulness of the data processing, the supervisory authorities dispose of certain enforcement powers under the LED and enjoy certain discretion in exercising them. The supervisory authority should examine in each individual case what information to disclose to the data subject about the processing of their data according to the principle of proportionality. The AG pointed out later that such an interpretation of the LED is also compatible with the fundamental right to judicial remedies under Article 47 Charter and with the requirement for independent supervisory authorities under Article 8 (3) Charter. Fourth, on the question of judicial remedies against the supervisory authority, the AG clarified that such remedies should be available ‘where that data subject exercises his or her rights through that authority in so far as that remedy concerns that supervisory authority’s task of checking the lawfulness of processing.’ Finally, the AG concluded that ‘Article 17 of Directive 2016/680 is compatible with Article 8(3) and Article 47 of the Charter in so far as (i) the supervisory authority may, depending on the circumstances, go beyond stating that all necessary verifications have been carried out and (ii) there is available to the data subject a judicial review of the action taken and the assessment made by the supervisory authority concerning that data subject in the light of the obligations of the controller.’

Learn more


– AG Clarifies the Right to Erasure under the LED 


On 15th June, AG Pikamäe delivered an Opinion on the right to erasure of personal data under the LED by the police in NG Administrative proceedings v Direktor na Glavna direktsia ‘Natsionalna politsia’ pri MVR – Sofia. As to the facts of the case, the applicant in the main proceedings – NG – was convicted of a criminal offence and served his sentence in 2018. After having served his sentence and having been rehabilitated, he requested the deletion of the police entry containing his personal data. The application was refused on the ground that under Bulgarian law, the serving of a sentence is not a ground for data erasure, thus effectively allowing the indefinite storage of personal data in police records. Whether this is compatible with the LED (Articles 4, 5, 8, 10 and 16 (2)), as read in light of the Charter, became the subject of the preliminary ruling questions sent to the CJEU. In his Opinion, AG Pikmäe provided the following clarifications. At the outset, the AG stated that ‘the national legislation at issue in the main proceedings entails undeniably serious interferences with the rights guaranteed in Articles 7 and 8 of the Charter, in so far, inter alia, as it seeks to introduce a means of continuous retention of sensitive data, which may cross the borders of the State concerned, of persons convicted of a criminal offence.’ Then, the AG continued his analysis by examining whether the interference is justified under Article 52 (1) Charter. He first concluded that the interference had a legal basis in Bulgarian law which is sufficiently clear and precise. Second, he concluded that the Bulgarian legislation does not infringe the essence of the two examined fundamental rights. In relation to Article 8 Charter, this is because ‘the national legislation at issue limits the purposes of the data processing and lays down an exhaustive list of the data retained and of the rules designed to ensure that they can be accessed, amended or erased.’ Third, the AG concluded that the interference meets a general objective of the Union (detecting and preventing crime) and it is appropriate for achieving that purpose. Fourth, the AG argued that the Bulgarian law is, however, not proportionate and not strictly necessary to achieve the stated purposes. In the words of the AG: ‘Articles 4, 5, 8, 10 and Article 16(2) (LED) must be interpreted as meaning that they preclude national legislation providing for the retention of personal data in a police record, including the biometric and genetic data, of any person convicted of an intentional offence, without further differentiation regarding the nature or seriousness of the offence, until that person’s death and without the possibility of reviewing the retention of the data contained in that record in the light of the time that has elapsed since it was created and, where appropriate, obtain the subsequent erasure of those data. The assessment of the proportionality of the period of the data retention to the purpose of the processing in the light of the convicted person’s situation may take account of any rehabilitation to which that person has been subject.’

Learn more


– AG Opinion on Concept of Controller in the Context of Official Journals – 


On 8th June 2023, AG Media delivered their Opinion in the case of État belge v Autorité de protection des données. The case concerns the publication, in an official Belgian Journal, of certain information on a company. This information mistakenly included certain personal data. When this mistake was identified, the organisation which had produced the original text requested its removal, and replacement with an alternative text. This request was refused. Following this, a complaint was filed before the DPA regarding the removal of the problematic text. The DPA upheld the complaint and ‘and, in essence, ordered the deletion of the passage at issue’. The Belgian State, however, appealed the decision of the DPA. In the appeal proceedings, there was considerable confusion as to the correct allocation of controller responsibilities amongst the parties. Against this background, the national court referred the following two questions to the CJEU.


  1. Does Article 4(7) GDPR mean a Member State’s official journal ‘– vested with a public task of publishing and archiving official documents…whose publication is ordered by third-party public bodies, as they stand when received from those bodies after the latter have themselves processed the personal data contained in those documents, without the national legislature having granted the’ journal ‘any discretion over the content of the documents to be published or the purpose and means of publication – has the status of data controller?’
  2. In the case the answer to the first question is positive: Does Article 5(2) GDPR mean that only the journal ‘need comply with the data controller’s responsibilities under that provision, to the exclusion of the third-party…bodies which…previously processed the data contained in the official documents whose publication they are requesting, or are those responsibilities incumbent cumulatively on each of the successive controllers?’


In response the AG concluded:


  1. Article 4(7) GDPR means an official journal ‘which is vested, under the applicable national legislation, with the task of publishing and archiving official documents, for the purposes of ensuring an effective and complete protection of data subjects, can be considered to be a controller within the meaning of Article 4(7)…in circumstances where the publication of those documents, as they stand, is ordered by third-party entities since the national legislature has granted that journal the power to determine the means of the digital transformation, publication, dissemination and storage of the documents at issue and has set wide publication and dissemination purposes. However, as to the absence of the designation of the controller with respect to the withdrawal or erasure of data…the national court’ must define the responsible party.
  2. Article 5(2) means the official journal must ‘comply with the data controller’s responsibilities under that provision for the operations it has carried out. The processing at issue does not give rise to joint controllership’.


Whilst the subject matter of the case is rather specific, we highlight the AG’s Opinion nevertheless contains much on the concept of the data controller, and thus has relevance beyond the specifics of the case.

Learn more


– European Parliament Agrees Position on AI – 


On 14th June 2023, ‘the European Parliament adopted its negotiating position on the Artificial Intelligence (AI) Act with 499 votes in favour, 28 against and 93 abstentions’. The Parliament’s press release asserts that the adopted rules should ‘ensure that AI developed and used in Europe is fully in line with EU rights and values including human oversight, safety, privacy, transparency, non-discrimination and social and environmental wellbeing’. Amongst other changes, the Parliament voted to extend the list of prohibited AI practices. This extended list also includes, for example: ‘“Real-time” remote biometric identification systems in publicly accessible spaces; “Post” remote biometric identification systems, with the only exception of law enforcement for the prosecution of serious crimes and only after judicial authorization; biometric categorisation systems using sensitive characteristics (e.g. gender, race, ethnicity, citizenship status, religion, political orientation)’ and ‘predictive policing systems (based on profiling, location or past criminal behaviour)’. In terms of next steps, the press release suggests that negotiations with the Council, prior to adopting a final version of the law, have already begun.

Learn more


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply