{"id":78087,"date":"2025-01-16T10:14:48","date_gmt":"2025-01-16T09:14:48","guid":{"rendered":"https:\/\/www.lexxion.eu\/?post_type=dpi&p=78087"},"modified":"2025-01-16T10:14:48","modified_gmt":"2025-01-16T09:14:48","slug":"data-protection-insider-issue-125","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-125\/","title":{"rendered":"Data Protection Insider, Issue 125"},"content":{"rendered":"

-CJEU: High Number of Complaints Does Not Amount Automatically to \u2018Excessive Requests\u2019-<\/strong><\/a><\/h3>\n

On 9th<\/sup> January, the CJEU ruled that a data protection authority may not automatically designate complaints submitted to it as \u2018excessive requests\u2019 based purely on their huge number in \u00d6sterreichische Datenschutzbeh\u00f6rde v FR<\/em>. <\/a>As to the facts of the case, FR submitted approximately 77 similar complaints based on Article 15 GDPR within 20 months with the DSB (Austrian Data Protection Authority) and contacted the DSB by phone to inform it of additional facts and make further requests. The DSB refused to act upon the complaints submitted last, arguing that the amount of complaints was \u2018excessive\u2019. The dispute escalated to the CJEU and can be summarized under the following three questions: (1) does the concept of \u2018request(s)\u2019 in Article 57(4) GDPR cover also the concept of \u2018complaints\u2019 under Article 77(1) GDPR?; (2) does a high number of complaints automatically amount to \u2018excessive\u2019 requests under Article 57(4) GDPR?; and (3) in cases of \u2018excessive\u2019 and \u2018manifestly unfounded\u2019 requests, is a data protection authority free to choose between discarding the requests from the outset and<\/em> charging a reasonable fee? The CJEU answered as follows. First, it established that \u2018Article 57(4) of the GDPR must be interpreted as meaning that the concept of a \u2018request\u2019 in that provision covers the complaints referred to in Article 57(1)(f) and Article 77(1) of that regulation.\u2019 Second, it ruled that \u2018Article 57(4) of the GDPR must be interpreted as meaning that requests cannot be classified as \u2018excessive\u2019, within the meaning of that provision, solely on account of their number during a specific period, since the exercise of the option provided for in that provision is subject to the supervisory authority\u2019s demonstrating the existence of an abusive intention on the part of the person who submitted those requests\u2019. Third, the CJEU ruled that Article 57(4) GDPR leaves it open to the data protection authority to decide whether to charge a reasonable fee or whether to refuse to act upon excessive complaints, as long as the chosen measure is \u2018appropriate, necessary and proportionate, taking into account the relevant circumstances and avoiding unnecessary costs and excessive inconvenience to the data subject\u2019. It clarified, though, that data protection authorities might want to first charge a reasonable fee as this measure might have \u2018less of an adverse effect on the rights that data subjects derive from that regulation\u2019.<\/p>\n

-CJEU: Title and Gender Identity Data Not Always \u2018Necessary\u2019 for Issuing Tickets-<\/strong><\/a><\/h3>\n

On 9th<\/sup> December, the CJEU ruled that a transport company may not always collect gender data of its customers in Mousse v Commission nationale de l\u2019informatique et des libertes (CNIL), SCNF Connect<\/em>. <\/a>As to the facts of the case, Mousse is an association, which complained against SNCF Connect with the CNIL for collecting gender data of its customers in order to issue them with a ticket or a travel card for the purposes of personalising commercial communication. It argued that the collection of these data was not necessary under Article 6(1) GDPR, read in conjunction with Article 5(1)(c) GDPR (data minimisation). The CNIL rejected the complaint and the dispute escalated to the CJEU, which was asked to rule on whether the conditions for lawful processing in Article 6(1)(b) and (f) GDPR, read in light of the data minimisation principle, were satisfied. It was asked also to rule on the question of whether, in assessing the necessity for the processing of the disputed data, one should consider the existence of the right to object under Article 21 GDPR. The CJEU answered as follows. First, it ruled that the collection of the disputed data \u2018does not appear to be either objectively indispensable or essential to enable the proper performance of a contract (under Article 6(1)(b) GDPR) and, therefore, cannot be regarded as necessary for the performance of that contract\u2019. Second, it ruled that as regards the collection of the data under Article 6(1)(f) GDPR, read in light of the data minimisation principle, \u2018the processing of personal data relating to the title of the customers of a transport undertaking, the purpose of which is to personalise the commercial communication based on their gender identity, cannot be regarded as necessary for the purposes of the legitimate interests pursued by the controller or by a third party, where:<\/p>\n