Pending CJEU data protection cases

First question

Does the processing of personal data, by which their name, the sport practised, the anti-doping rule violation committed, the sanction and the start and end of the sanction are published on the publicly accessible part of the website of XXXX in the form of an entry in a table and in publicly accessible XXXX of XXXX under XXXX, fall within the scope of application of Union law within the meaning of the first sentence of Article 16(2), first sentence, TFEU, so that the GDPR applies to such processing of personal data?

Second question

If the answer to question 1 is in the affirmative:

Is the information that a particular person has committed a particular doping offence and is banned from participating in (national and international) competitions because of this offence a "health data" within the meaning of Article 9 GDPR?

Third question

Does the GDPR – in particular with regard to Article 6(3) GDPR second subparagraph – preclude a national provision which provides for the publication of the name of the persons affected by the decision of the Austrian Anti-Doping Legal Commission or the Independent Arbitration Commission, the duration of the ban and the reasons for it, without it being possible to draw conclusions about the health data of the person concerned? Does it matter that, according to the national legislation, publication of this information to the general public can only be avoided if the person concerned is a recreational athlete, a minor or a person who has contributed significantly to the discovery of potential anti-doping violations by disclosing information or other evidence?

Fourth question

Does the GDPR – in particular with regard to the principles of Article 5(1)(a) GDPR and 5(1)(c) GDPR – require, in any event, a balancing of interests before publication, on the one hand, between the personal interests of the data subject affected by publication and, on the other hand, the public interest in information about the anti-doping offence committed by an athlete?

Fifth question

Does the information that a particular person has committed a particular doping offence and is banned from participating in (national and international) competitions because of that offence constitute the processing of personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR?

Sixth question

If the answer to question 5 is in the affirmative:

Must the activities or decisions of a public authority to which the supervision of the processing of personal data relating to criminal convictions and offences or related security measures has been delegated in accordance with Article 10 GDPR be subject to judicial review?

Seventh question

Is a complaint under Article 77 GDPR regarding an alleged infringement under Article 17 GDPR, where at the time the complaint was lodged with the supervisory authority and the supervisory authority made its decision, no personal data of the data subject had yet been processed, but occurred in the course of the proceedings before the court of appeal, is it permissible or does it become permissible retrospectively if, at the time the complaint is lodged, there are specific indications that the controller is about to process personal data or will do so in the near future?

First question

Do the provisions of Article 92 of the Grundgesetz (Basic Law, ‘the GG’), Sections 138, 286, 355 et seq. of the Zivilprozessordnung (Code of Civil Procedure, ‘the ZPO’) in the case of an independent judicial processing activity falling under Article 6(1)(e) GDPR and 6(3) GDPR fulfil the requirement of certainty arising from Article 8(2), Article 52(1) Charter of Fundamental Rights of the European Union (‘the CFR’) and Article 5(1)(c) GDPR if the judicial processing activity involves interference with fundamental rights for a party or a third party? 

Second question

Sub-question (a)

When processing data – in particular personal data – can a national court rely on the fact that such processing is authorised under Article 17(3)(e) GDPR, or do Articles 6 GDPR and 9 GDPR constitute the exclusive basis for judicial processing activities? 

Sub-question (b) 

If Article 17(3)(e) GDPR can in principle form a legal basis for judicial processing activities: 

(aa) Does this also apply to cases in which the original collection of those data by a litigant or a third party was not lawful? 

(bb) Does the processing of originally unlawfully collected data under the generally applicable principle of good faith (Article 5(1)(a) GDPR) lead to a restriction of judicial processing under secondary law in the sense that Article 17(3)(e) GDPR is only applicable under certain conditions or within certain limits? 

(cc) Is the provision in Article 17(3)(e) GDPR to be understood in such a way that a prohibition on the judicial utilisation of originally unlawfully obtained data is always excluded – i.e. the court must always utilise those data – if the original data collection was not covert and was used to prove an intentional breach of duty?

Third question

Irrespective of whether the judicial data processing activity is subject to Article 17(3)(e) GDPR or Article 6(1)(c) GDPR or 6(1)(e) GDPR, 6(3) GDPR, Article 9 GDPR or other provisions of EU law:

Sub-question (a)

Do the principles of necessity and data minimisation under data protection law pursuant to Article 52(1) sentence 2 Charter, Article 5(1)(a) GDPR, in particular with regard to the processing of originally unlawfully collected or stored data, give rise to the need for a comprehensive proportionality test and balancing by the courts? 

Sub-question (b) 

What impact does Article 5(1)(e) GDPR, which stipulates that personal data may be kept for no longer than is necessary for the purposes for which such data are processed, have on subsequent judicial data processing activities, in particular in cases where 

• the original data collection served other purposes, or
• the original unlawful data collection took place a long time ago, or
• unlawful storage has been maintained for longer periods of time, or
• the unlawful data collection concerns data that were stored a long time ago – possibly unlawfully, or
• the data processing or collecting body or person has undertaken, either unilaterally or under individual contract or collective law, to erase the data within a certain period of time, but has not done so? 

Sub-question (c) 

Does it follow from EU law, in particular from Article 8 Charter, Article 6(1)(c) GDPR or 6(1)(e) GDPR, 6(3) GDPR, Article 9 GDPR, that the national court can utilise evidence that was obtained in violation of personal rights only if there is a recognisable interest of the party bearing the burden of proof that goes beyond the simple interest in evidence, or do no requirements follow from EU law in this respect, such that it is up to the national legal system to make provisions in that regard? 

Sub-question (d) 

Does it follow from Article 47(2) Charter, which guarantees the right to effective judicial protection and, in particular, to a fair trial, according to which the parties to civil proceedings must in principle be able sufficiently to substantiate and prove their legal protection objective, that the judicial processing of personal data of the applicant employee unlawfully collected by the employer can only be inappropriate and disproportionate in the narrower sense if the data collection under EU law would prove to be a serious infringement of Article 7 Charter and Article 8 Charter and other possible sanctions for the employer (e.g. compensation for damages under Article 82 GDPR and the imposition of fines under Article 83 GDPR) would be completely inadequate, or can inappropriateness and disproportionality be established even in the case of other, less serious breaches of data protection law during the original data collection? 

Sub-question (e) 

When deciding whether to utilise the data originally collected from a party or a third party as part of its judicial data processing activities, does the court have to take into account whether the data collector has complied with its information obligations under Article 13 GDPR? 

If so: Under what conditions and according to what standards must the court take this into account? 

Sub-question (f) 

Does the fact that the Court is bound by the GDPR and the Charter of Fundamental Rights of the European Union when processing personal data also include the personal data of third parties? 

In what way does a possible breach of data protection law in the original data collection have an effect on any subsequent judicial data processing in a dispute between two parties? Can a party rely on an offence committed not against it but against third parties, or is that not the case?

First question

Is Article 12 (5) second sentence GDPR to be interpreted as meaning that an excessive request for information by the data subject cannot be present at the first request to the controller?

Second question

Is Article 12(5) second sentence of the GDPR to be interpreted as meaning that the controller may refuse a data subject's request for information if the data subject intends to use the request for information to provoke claims for damages against the controller?

Third question

Is Article 12(5) second sentence GDPR to be interpreted as meaning that publicly accessible information about the data subject which allows the conclusion that the data subject, in a large number of cases of data protection infringements, asserts claims for damages against controllers, can justify the refusal to provide information?

Fourth question

Is Article 4(2) GDPR to be interpreted as meaning that a data subject's request for information to the controller under Article 15(1) GDPR and/or the controller's response to that request constitutes processing within the meaning of Article 4(2) GDPR?

Fifth question

Is Article 82(1) of the GDPR, in the light of recital 146, first sentence, 1 GDPR to be interpreted as meaning that only those damages that arise or have arisen for the data subject as a result of processing are eligible for compensation? Does this mean that, for a claim for damages under Article 82(1) of the GDPR, provided that the data subject has suffered causal damage, there must necessarily have been processing of the personal data of the data subject?

Sixth question

If the answer to question 5 is in the affirmative: does this mean that the data subject – assuming the existence of causal damage – has no right to compensation under Article 82(1) GDPR solely on the basis of a breach of his right of access under Article 15(1) GDPR?

Seventh question

Is Article 82(1) GDPR to be interpreted as meaning that the controller's objection of abuse of rights in relation to a data subject's request for information, having regard to EU law, cannot consist in the fact that the data subject has brought about the processing of his personal data solely or inter alia in order to assert claims for damages?

Eighth question

If the answers to questions 5 and 6 are in the negative: does the mere loss of control and/or uncertainty regarding the processing of the data subject's personal data, which is associated with a breach of Article 15(1) GDPR, constitute non-material damage to the data subject within the meaning of Article 82(1) GDPR, or is a further (objective or subjective) restriction and/or (appreciable) impairment of the data subject required?

First question

Does Regulation (EU) 2018/644 of the European Parliament and of the Council of 18 April 2018 on cross-border parcel delivery services, with regard to the collection of information, apply as such only to cross-border delivery service providers or, in general, to all parcel delivery service providers, subject to specific exclusions relating to individual provisions?

Second question

If the answer to Question 1 is that it applies only to cross-border delivery service providers, does Directive 97/67/EC, or do the so-called ‘implied powers’, provide the legal basis for the national regulatory authorities to impose, in any event, on delivery service providers, even non-cross-border ones, general obligations to provide information?

Third question

If the answer to Question 2 is no, must the fact that Regulation (EU) 2018/644 of the European Parliament and of the Council of 18 April 2018 does not apply to non-cross-border delivery providers be regarded as reasonable, nondiscriminatory and in accordance with Articles 14, 114 and 169 of the Treaty on the Functioning of the European Union?

Fourth question

To what extent (including from the perspective of necessity and proportionality) can the national regulatory authority impose obligations to provide information on parcel delivery service providers and, in particular, is it possible to impose, on all providers without distinction, obligations to provide information concerning:

(i) the conditions applied to different types of customers; 

(ii) the contracts which govern the relations between the individual undertaking that provides the parcel delivery service and the undertakings which in various ways, according to the specificities of the sector, contribute to providing that service; 

(iii) the economic conditions and the legal protection afforded to workers employed in various capacities in providing the service?

Is Article 2(1)GDPR to be interpreted as meaning that data processing includes activities within one and the same organisational structure, in which some of its directorates perform the duties of an employer while one other directorate has the function of an investigating authority in criminal proceedings against employees of the other directorates? 

If the answer is in the affirmative:

First question

Is the expression ‘processing of personal data’ in Article 4(2) GDPR to be interpreted as covering an activity in the context of which information concerning a particular employee which has been obtained by the employer, in its capacity as the investigating authority, through one of its directorates is added to that employee’s personal file?

Second question

Is the expression ‘filing system’ in Article 4(6) GDPR to be interpreted as covering the personal file of an employee or worker working in a directorate of the employer where the information has been collected by another directorate of the employer which has the status of an investigating authority?

Third question

Is Article 9(2)(b) GDPR to be interpreted as meaning that an organisational entity of an employer may gather and store data indicating that a particular employee was suspected of, charged with or put on trial for a criminal offence in criminal proceedings if that information was collected by another organisational entity of the employer which has the status of an investigating authority?

Fourth question

Is the ‘right to be forgotten’ within the meaning of Article 17(1)(a) GDPR to be interpreted as meaning that an employer is required to erase from the personal file of the employee any data which it has collected and stored through another of its directorates, which has the status of a public authority for the purposes of investigating its employees, and which indicate that the employee:

4.1. is suspected of, charged with or on trial for a criminal offence in pending criminal proceedings, or 

4.2. was suspected of, charged with or put on trial for a criminal offence for which criminal proceedings were stayed or abandoned?

Fifth question

5. Must personal data ‘unlawfully processed’ within the meaning of Article 17(1)(d) GDPR be interpreted as including data which the employer has received, collected and stored through another of its organisational entities which performs investigative functions in criminal proceedings against employees of other organisational entities of the employer, where those data are recorded in the personal file and relate to the fact that the employee has been suspected of, charged with or on trial for a criminal offence, that is to say:

5.1. is suspected of, charged with or on trial for a criminal offence in pending criminal proceedings, or

5.2. was suspected of, charged with or on trial for a criminal offence for which criminal proceedings were stayed or abandoned?

Sixth question

Are ‘personal data’ within the meaning of Article 3(1) LED, read in conjunction with Article 52 Charter of Fundamental Rights of the European Union, to be interpreted as meaning data which have been obtained, collected and stored by the employer through one of its organisational entities which performs the functions of an investigating authority in criminal proceedings against an employee serving in another organisational entity of the employer?

Seventh question

Is ‘processing’ within the meaning of Article 3(2) LED, read in conjunction with Article 52 Charter of Fundamental Rights of the European Union, to be interpreted as meaning that it encompasses an activity consisting in the employer storing in the employee’s personal file data which the employer has obtained, collected and stored through one of its organisational entities which performs the duties of an investigating authority in criminal proceedings against any of the employer’s employees serving in another of its organisational entities?

Eighth question

Is Article 9(1) LED, read in conjunction with Article 52 Charter of Fundamental Rights of the European Union, to be interpreted as meaning that it permits the employer to collect and store information on an employee who is suspected of, charged with or on trial for a criminal offence in cases where the employer collected that information through another of its organisational entities which has the status of an investigating authority in criminal proceedings against that employee?

Ninth question

Is Article 16(2) LED, read in conjunction with Article 52 Charter of Fundamental Rights of the European Union, to be interpreted as meaning that the employer must erase from the employee’s personal file any data which the employer has collected and stored through another of its organisational entities which has the status of an investigating authority in criminal proceedings against that employee and which relate to the fact that the employee: 

9.1. is suspected of, charged with or on trial for a criminal offence in pending criminal proceedings, or 

9.2. was suspected of, charged with or put on trial for a criminal offence for which criminal proceedings were stayed or abandoned?

Tenth question

Is Article 1 of Council Directive 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation to be interpreted as not permitting an employer, one of whose organisational entities undertakes investigative actions against an employee of another organisational entity, to deny an employee promotion on the sole ground that he: 

10.1. is suspected of, charged with or on trial for a criminal offence in pending criminal proceedings, or 

10.2. was suspected of, charged with or put on trial for a criminal offence for which criminal proceedings were stayed or abandoned?

Must Article 101 TFEU (prohibition on cartels), Article 102 TFEU (prohibition on abuse of a dominant position) and Article 56 TFEU (freedom to provide services) and also Article 6 GDPR be interpreted as precluding rules adopted by a world sporting association (in this case: FIFA), to which 211 national sports federations of the relevant sport (in this case: football) belong, and whose rules are therefore binding in any event on the majority of the actors active in the respective national professional leagues of the relevant sport (in this case: clubs (which also means football clubs organised as capital companies), players (who are club members) and players’ agents), and which have the following content:

(1) it is prohibited to agree on players’ agents’ remuneration, or pay them remuneration, in excess of a cap calculated as a percentage of the transfer fee or the annual remuneration of that player,

as provided for in Article 15(2) of the FIFA Football Agent Regulations (‘the FFAR’),

(2) it is prohibited for third parties to pay remuneration due under a representation agreement in respect of the players’ agent’s contracting partner,

as provided for in Article 14(2) and (3) of the FFAR,

(3) clubs are prohibited from paying more than 50% of the total remuneration due from the player and the club for the services of the players’ agent in cases where a players’ agent acts on behalf of the engaging club and the player,

as provided for in Article 14(10) of the FFAR,

(4) for the grant of a licence as a players’ agent, which is a condition for being allowed to provide players’ agent services, it is required that the applicant submit to the internal regulations of the world sporting association (in this case: the FFAR, the FIFA Statutes, the FIFA Disciplinary Code, the FIFA Code of Ethics, the FIFA Regulations on the Status and Transfer of Players as well as the statutes, regulations, guidelines and decisions of authorities and bodies) and also to its jurisdiction as an association and that of confederations and member associations,

as provided for in Article 4(2), Article 16(2)(b) and Article 20 of the FFAR, in conjunction with Article 8(3), Article 57(1) and Article 58(1) and (2) of the FIFA Statutes, Article 5(a), Article 49 and Article 53(3) of the FIFA Disciplinary Code, and Article 4(2) and Article 82(1) of the Code of Ethics,

(5) requirements are laid down for the grant of a licence as a players’ agent, under which the grant of a licence is permanently excluded in the case of convictions or settlements in criminal proceedings or a suspension of two years or more, licence suspension or withdrawal, or other disqualification by an authority or a sports governing body, without the possibility of the licence being granted at a later date,

as provided for in Article 5(1)(a)(ii) and (iii) of the FFAR,

(6) players’ agents are prohibited, in connection with the conclusion of a transfer agreement and/or a contract of employment, from providing players’ agent services or any other services to, and being remunerated for them, by:

1. the releasing club and the engaging club,
2. the releasing club and the player,
3. any parties involved (releasing club, engaging club and player),

as provided for respectively in Article 12(8) and (9) of the FFAR, and

(6a) players’ agents are prohibited, in connection with the conclusion of a transfer agreement and/or a contract of employment together with a connected players’ agent, from providing players’ agent services or any other services to, and being remunerated for them, by:

1. the releasing club and the engaging club,
2. the releasing club and the player,
3. any parties involved (releasing club, engaging club and player),

if the concept of connected players’ agent includes cooperation in accordance with the definition of ‘connected football agent’ laid down in the FFAR (fourth subparagraph on p. 6 of the FFAR),

as provided for in Article 12(10) of the FFAR, in conjunction with the definition of ‘connected football agent’ in the fourth subparagraph on p. 6 of the FFAR,

(7) players’ agents are prohibited from approaching or entering into a representation agreement with a club, player, or member association of the world sporting association or a legal person operating a single-entity league which is permitted to engage players’ agents and which have entered into an exclusive agreement with another players’ agent,

as provided for in Article 16(1)(b) and (c) of the FFAR,

(8) the names and details of all players’ agents, the names of the clients whom they represent, the players’ agent services which they provide to each individual client and/or the details of all transactions involving players’ agents, including the amount of remuneration payable to players’ agents, must be uploaded to a platform of the world sporting association and this information is made available in part to other clubs, players or players’ agents,

as provided for in Article 19 of the FFAR,

(9) it is prohibited to agree remuneration for players’ agent services on any other basis than the player’s remuneration or the transfer fee,

as provided for in Article 15(1) of the FFAR,

(10) it is presumed that other services provided by a players’ agent or a connected players’ agent in the 24 months prior to or following the provision of a players’ agent service to a client involved in the transaction for which player agency services were performed form part of the player agent’s services and, in so far that the presumption cannot be rebutted, remuneration for the other services is deemed to form part of the remuneration paid for the players’ agent service,

as provided for in Article 15(3) and (4) of the FFAR,

(11) the amount of the players’ agent’s remuneration to be calculated on a pro-rata basis is to be based solely on the salary actually received by the player,

as provided for in Article 14(7) and (12) of the FFAR,

(12) players’ agents are required to disclose the following information to the world sporting association:

1. within 14 days of conclusion: any agreement with a client other than a representation agreement, including but not limited to other services, and the information requested on the platform,
2. within 14 days of payment of remuneration: the information requested on the platform,
3. within 14 days of payment of any remuneration related to any agreement with a client other than a representation agreement: the information requested on the platform,
4. within 14 days of occurrence: any contractual or other arrangement between players’ agents to cooperate in the provision of any services or to share the revenue or profits of any part of their players’ agent services,
5. if they conduct their business affairs through an agency, within 14 days of the first transaction involving the agency: the number of players’ agents who use the same agency to conduct their business affairs and the name of all its employees,

as provided for in Article 16(2)(j)(ii) to (v) and (k)(ii) of the FFAR,

(13) clubs are prohibited from agreeing on remuneration or elements of remuneration with players’ agents for the future transfer of a player or from paying remuneration or elements of remuneration to players’ agents, the calculation basis for which is (also) dependent on future transfer compensation received by the club from a subsequent transfer of the player,

as provided for in Article 18ter(1), first alternative, of the FIFA Regulations on the Status and Transfer of Players (‘the FIFA RSTP’) and Article 16(3)(e) of the FFAR.

First question

Does Article 85(1) GDPR make it possible for the Member States to adopt legislative measures in addition to those which they must adopt under Article 85(2) GDPR relating to the processing of personal data for purposes other than journalistic ones or the purposes of academic, artistic or literary expression?

Second question

If the previous question is answered in the affirmative: 

Does Article 85(1) GDPR allow a reconciliation of the right to the protection of personal data pursuant to that regulation with the freedom of expression and of information which means that the only legal remedy available to a person whose personal data are processed by making criminal convictions involving that person available to the public on the internet in return for payment is the initiation of criminal proceedings for defamation or the claiming of damages for defamation?

Third question 

If the first question is answered in the negative or the second questionis answered in the negative: 

Can an activity which consists of making available to the public on the internet in return for payment, without any processing or editing, public documents in the form of criminal convictions constitute processing of personal data for the purposes set out in Article 85(2) GDPR?

Must Article 7 GDPR, read in conjunction with Articles 4 GDPR, 13 GDPR and 14 GDPR, together with Articles 2 ePrivacy Directive 2002/58/EC and 13 ePrivacy Directive 2002/58/EC, be interpreted as meaning that 

when an organisation, when collecting personal data from its customer-subscribers, obtains their consent so that these data may give rise to electronic commercial prospecting operations by it or its partners, the said organisation thus itself determining the purpose and the means of processing for which it must therefore be regarded as the controller, the informed nature of this consent is necessarily subject to prior information given to the persons concerned of the identity of the organization's partners, recipients of the data and likely to send them or have sent electronic commercial prospecting'

First question

Is Article 10 LED, read in conjunction with Article 4(1)(a) LED, 4(1)(b) LED and 4(1)(c) LED and Article 8(1) LED and 8(2) LED, to be interpreted as precluding national legislation, such as Article 55-1 of the French Code of Criminal Procedure, which provides for the systematic gathering of identification data (fingerprints and photographs) from persons who are suspected on one or more grounds of having committed or attempted to commit an offence?

Second question

Is Article 10 LED, read in conjunction with Article 4(1)(a) LED, 4(1)(b) LED and 4(1)(c) LED and Article 8(1) LED and 8(2) LED, to be interpreted as precluding national legislation, such as Article 55-1 of the French Code of Criminal Procedure, which does not impose on the competent authority an obligation to provide, in each individual case, a sufficient statement of reasons as to why it is strictly necessary to gather identification data?

Third question

Is Article 10 LED, read in conjunction with Article 4(1)(a) LED, 4(1)(b) LED and 4(1)(c) LED and Article 8(1) LED and 8(2) LED, to be interpreted as precluding national legislation, such as Article 55-1 of the French Code of Criminal Procedure, which allows the prosecution and conviction on a standalone basis of a person who has refused to consent to the gathering of identification data even though that person is not prosecuted for or convicted of the offence which formed the basis of the measure for gathering identification data?

First question

Is Article 82(1) of the GDPR to be interpreted as meaning that a national court must, in the event of an infringement of the GDPR, award compensation to a data subject who has merely demonstrated that a third party (and not the defendant data controller) has published the data subject's personal data on the internet? In other words: does the mere loss of control, even for a short time, over one's own data constitute non-material damage within the meaning of Article 82(1) of the GDPR?

Second question

If Question 1 is answered in the affirmative:

to what extent does the answer differ, or does it make any difference, if the data published consist only of certain personal data (including, at most, numerical user ID, name and gender) that the data subject himself or herself had already published on the internet, together with the data subject's telephone number, which a third party (who is not the defendant data controller) has linked to those personal data?

First question

Must Article 15(1) of Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 [on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC], and Article 3(2) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, be interpreted as meaning that the display, in the responses of an LLM-based chatbot, of a text partially identical to the content of web pages of press publishers, where the length of that text is such that it is already protected under Article 15 of Directive 2019/790, constitutes an instance of communication to the public? If the answer to that question is in the affirmative, does the fact that [the responses in question are] the result of a process in which the chatbot merely predicts the next word on the basis of observed patterns have any relevance?

Second question

Must Article 15(1) of Directive 2019/790 and Article 2 of Directive 2001/29 be interpreted as meaning that the process of training an LLM-based chatbot constitutes an instance of reproduction, where that LLM is built on the basis of the observation and matching of patterns, making it possible for the model to learn to recognise linguistic patterns?

Third question

If the answer to the second question referred is in the affirmative, does such reproduction of lawfully accessible works fall within the exception provided for in Article 4 of Directive 2019/790, which ensures free use for the purposes of text and data mining?

Fourth question

Must Article 15(1) of Directive 2019/790 and Article 2 of Directive 2001/29 be interpreted as meaning that, where a user gives an LLM-based chatbot an instruction which matches the text contained in a press publication, or which refers to that text, and the chatbot then generates its response based on the instruction given by the user, the fact that, in that response, part or all of the content of a press publication is displayed constitutes an instance of reproduction on the part of the chatbot service provider?

First question

In a case in which a publisher of online news publications providing information to the general public, which does not specialise in the field, regarding the legislative amendments issued each day in Romania, obtains the email address of a user when the latter creates a free user account entitling him or her:

1. to access, free of charge, an additional number of articles from the publication in question;
2. to receive, via email, a daily newsletter containing a summary of the new legislation discussed in articles within the publication and hyperlinks to those articles; and
3. to access, for a fee, additional and/or more extensive articles and analyses from the publication compared with those in the free daily newsletter:

1. is that email address obtained by the publisher of the online news publication ‘in the context of the sale of a product or a service’ within the meaning of Article 13(2) ePrivacy Directive 2000/31/EC?
2. is the transmission by the news publisher of a newsletter such as that described in the abovementioned point (ii) carried out ‘for direct marketing of its own similar products or services’ within the meaning of Article 13(2) ePrivacy Directive 2000/31/EC?

Second question

If the answers to Question 1(a) and (b) are in the affirmative, which of the conditions laid down in Article 6(1)(a) to 6(1)(f) GDPR must be interpreted as applying when the publisher uses the user’s email address for the purpose of sending a daily newsletter such as that described in Question 1(ii), in accordance with the requirements of Article 13(2) of Directive 2002/58/EC?

Third question

Must Article 13(1) ePrivacy Directive 2002/58/EC and 13(2) ePrivacy Directive 2002/58/EC be interpreted as precluding national legislation which uses the concept of ‘commercial communication’ laid down in Article 2(f) E-Commerce Directive 2002/58/EC instead of the concept of ‘direct marketing’ laid down in Directive 2002/58/EC? If not, does a newsletter such as that described in Question 1(ii) constitute a ‘commercial communication’ within the meaning of Article 2(f) ePrivacy Directive 2000/31/EC?

Fourth question

If the answers to Question 1(a) and (b) are in the negative:

1. does the transmission via email of a daily newsletter such as that described in Question 1(ii) constitute ‘use […] of electronic mail for the purposes of direct marketing’ within the meaning of Article 13(1) of Directive 2002/58/EC?
2. must Article 95 GDPR, in conjunction with Article 15(2) of Directive 2002/58/EC, be interpreted as meaning that failure to comply with the conditions for obtaining valid consent from the user pursuant to Article 13(1) of Directive 2002/58/EC will be penalised in accordance with Article 83 GDPR or in accordance with the provisions of national law contained in the act transposing Directive 2002/58/EC, which contains specific penalties?

Fifth question

Must Article 83(2) GDPR be interpreted as meaning that a supervisory authority which decides whether to impose an administrative fine and decides on the amount of the administrative fine in each individual case is obliged to analyse and explain in the administrative act imposing the fine the effect of each of the criteria laid down in points (a) to (k) on the decision to impose a fine and, respectively, on the decision regarding the amount of the fine imposed?

First question

Whether Article 2(2)(d) GDPR and Article 2(1) GDPR in conjunction with Article 1 LED must be interpreted as meaning that the processing of personal data which may be carried out by an FIU may constitute the processing of personal data by a competent authority for the purposes of the prevention, investigation, detection or prosecution authority within the meaning of the Code of Criminal Procedure? 

Second question

Are Article 23(2)(h) GDPR and Article 15(3) LED to be interpreted as meaning that a data subject may also be refused disclosure, in administrative or judicial proceedings, of the act on the basis of which he was refused access to his personal data? In order to prevent the fact of the processing of his personal data from being confirmed or disproved where the data subject is unaware of its occurrence or nonoccurrence, and whether, in such a case, the data subject may also be refused disclosure of information as to whether he has the possibility of availing himself of the remedy provided for in Article 17(1) LED? 

Third question

Must Article 15 LED or Article 23 GDPR be interpreted as meaning that a provision of national law which confers on the head of the FIU the power to restrict the rights of the data subject and in which the purpose, conditions and temporal and spatial scope of the restriction of the data subject's rights are manifested in conjunction with other provisions, including subordinate provisions, is compatible with those provisions?

Fourth question

Must Article 15 LED or Article 23 GDPR be interpreted as meaning that a national provision which restricts the exercise of the right under Article 14 LED or Article 15 GDPR in its entirety until the data have been destroyed, without the data subject ever having access to them, is compatible with those provisions?

First question

1. Must Article 17 GDPR be interpreted as meaning that a data subject whose personal data have been unlawfully disclosed by the controller through onward transfer has the right to obtain a prohibitory injunction against the controller prohibiting further unlawful onward transfer of those data if the data subject does not request the controller to erase the data?
2. Can such a right to obtain a prohibitory injunction (also) arise from Article 18 GDPR or any another provision thereof?

Second question

If the answers to Questions 1(a) and/or 1(b) are in the affirmative:

1. Does the right to obtain a prohibitory injunction under EU law exist only if a risk of further infringements of the data subject’s rights under the GDPR is to be apprehended in the future (risk of recurrence)?
2. Is the existence of the risk of recurrence presumed, where applicable, by reason of the existing infringement of the GDPR?

Third question

If the answers to Questions 1(a) and 1(b) are in the negative:

Must Article 84 of the GDPR, in conjunction with Article 79 thereof, be interpreted as permitting the national court to confer on the data subject whose personal data were unlawfully disclosed by the controller through onward transfer, in addition to the right to obtain compensation for material or non-material damage pursuant to Article 82 GDPR and the rights arising from Articles 17 GDPR and 18 GDPR, a right to obtain a prohibitory injunction against the controller prohibiting further unlawful onward transfer of those data in accordance with the provisions of national law?

Fourth question

Must Article 82(1) GDPR be interpreted as meaning that mere negative feelings such as annoyance, displeasure, dissatisfaction, worry and fear, which are in themselves part of the general risk of life and often part of everyday experience, are sufficient for the assumption of non-material damage within the meaning of that provision?

Or is a disadvantage to the natural person concerned which goes beyond those feelings necessary for the assumption of damage?

Fifth question

Must Article 82(1) GDPR to be interpreted as meaning that the degree of fault of the controller or processor or its employees constitutes a relevant criterion in assessing the amount of non-material damage to be compensated?

Sixth question

If the answers to Questions 1(a), 1(b) or 3 are in the affirmative:

Must Article 82(1) GDPR be interpreted as meaning that, in assessing the amount of non-material damage to be compensated, the fact that the data subject concerned has a right to obtain a prohibitory injunction in addition to the right to compensation can be taken into account as reducing the claim?

Must European Union law – in particular, Article 5[(4)] TEU, as well as Articles 5(1)(b) GDPR, 5(1)(c) GDPR and 5(1)(e) GDPR and 6 GDPR – be interpreted as precluding (or not precluding) legislation relating to the collection and processing of passenger data of the kind contained in Article 11 of legge 15 gennaio 1992, n.° 21 (Law No 21 of 15 January 1992), as amended by legge 11 febbraio 2019, n.° 12 (Law No 12 of 11 February 2019)?

First question 

Is Article 15 GDPR, read in conjunction with Article 4(7) GDPR, to be interpreted as meaning that a supervisory authority, as defined in Article 4(21) GDPR and acting in the context of a complaint procedure initiated by a data subject pursuant to Article 77 GDPR, is at the same time a ‘controller’ within the meaning of Article 15 GDPR, read in conjunction with Article 4(7) GDPR, and is therefore required to grant the data subject access to information on the basis of Article 15 GDPR? 

Second question

If Question 1 is answered in the affirmative: 

Is EU law, in particular Article 23 GDPR, to be interpreted as precluding national legislation – such as Article 20(2) of the Bayerisches Datenschutzgesetz (Bavarian Law on Data Protection), the provision at issue in the main proceedings – which excludes, in a blanket manner, rights of access or inspection with respect to files and records of supervisory authorities as defined in Article 4(21) GDPR?

First question

Is Article 4(7) GDPR of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (‘the GDPR’), to be interpreted as meaning that natural persons, who, in the exercise of their duties, process personal data by means of the tools made available and prescribed to them, not in their own personal interest but as the head of an organisation (an institution or other entity without legal personality), but which is backed by a legal entity, are ‘controllers’ who can be held liable in court?

Second question

Point a

Is Article 15(1)(g) of the GDPR to be interpreted as meaning that, in a case in which the processed data consists of a factual statement about or an evaluative assessment of the data subject in an email, ‘all available information on the origin of the data’ refers only to the author of the email, or does it also include the group of persons with whom the author has discussed the data subject?

Point b

In the event that names of the parties to the conversation that have not been stored constitute ‘available information on the origin of the data’ for purposes of Article 15(1)(g) of the GDPR: when weighing up the interests of the data subject against the interests of such a party to the conversation, is the fact that it was not foreseeable for the party that their statements would be made the subject of data processing relevant?

Third question

Is Article 82(2) of the GDPR to be interpreted as meaning that negative consequences for the data subject resulting from an infringement of that Regulation, which occurred after the processing of the personal data and is solely an infringement of the obligation to provide information pursuant to Article 15(1) of the GDPR, constitute damage caused by ‘processing which infringes this Regulation’ and leads to the obligation of the controller to pay compensation?

Fourth question

If Question 1 or 3 is answered in the affirmative: does Article 82 of the GDPR preclude national provisions according to which a claim for the compensation for damage caused to an injured party by a body of a legal entity in the sovereign execution of the law cannot be asserted against the body itself?

First question

What degree of distinction between individual data subjects is required by Article 4(1)(c) LED Directive 2016/680 or Article 6 LED Directive 2016/680 in conjunction with Article 10 LED Directive 2016/680?

Is it compliant with the obligation to minimise personal data processing, and with the obligation to distinguish between various categories of data subjects, for national law to permit the collection of genetic data in respect of all persons suspected or accused of having committed an intentional criminal offence?

Second question

Is it in accordance with Article 4(1)(e) LED Directive 2016/680 if the necessity of continued retention of a DNA profile is assessed, with a reference to the general prevention, investigation, and detection of criminal activity, by Police authorities on the basis of their internal regulations, which frequently means in practice that sensitive personal data is retained for an unspecified period without a maximum limit for the duration of the retention of that personal data being set?

If not, by what criteria should the proportionality of the period of the retention of the personal data collected and retained for that purpose be assessed?

Third question

In the case of particularly sensitive personal data falling under Article 10 LED Directive 2016/680, what is the minimal scope of the substantive or procedural conditions for obtaining, retaining, and deleting such data that must be regulated by a 'provision of general application' in the law of a Member State? Can judicial case-law qualify as 'Member State law' within the meaning of Article 8(2) LED Directive 2016/680 in conjunction with Article 10 LED Directive 2016/680?

Question

In the light of Article 2 and the second subparagraph of Article 19(1) of the Treaty on European Union, read in conjunction with Articles 20 and 47 of the Charter of Fundamental Rights of the European Union and recital 61 of the AI Act, does an ordinary court of last instance of a Member State whose composition includes a judge of that court designated by a random number generator to hear the case on the basis of the draw report and a prior decision of the college of the court constitute an independent and impartial tribunal previously established by law that ensures cases are heard without undue delay in a non-discriminatory manner and guarantees effective judicial protection in circumstances where:

1. a court administrative body such as the Kolegium Sądu Okręgowego (college of the regional court) arbitrarily released the previously assigned judge from the obligation to hear the cases already assigned to her, contrary to the provisions of national law on the assignment of cases, despite the fact that the national statutory criteria for releasing her from that obligation were not met, and did so in breach of the principle that a change in the composition of the court may only occur where it is impossible for the court to hear the case in its existing composition or where there is a lasting obstacle to it hearing the case in its existing composition;
2. a new judge was assigned using the SLPS random case allocation generator developed by a member of the executive branch of government, namely the Minister Sprawiedliwości (Minister for Justice), under the rules for the randomised assignment of cases in courts established by way of a regulation issued by that Minister (paragraphs 43–76 of the Rozporządzenie Ministra Sprawiedliwości z 18.6.2019 r. – Regulamin urzędowania sądówpowszechnych [Regulation of the Minister for Justice of 18 June 2019 laying down rules on the operation of the ordinary courts]) and in a manner that infringes the right to an independent and impartial tribunal and the right to a tribunal established by law;
3. a new judge was assigned using the SLPS random case allocation generator without knowledge of the source code or the ability to verify the operation of the SLPS algorithm for random case allocation to judges, where information on that system was published only on the Biuletyn Informacji Publicznej [Public Information Bulletin] website, or the ability to ascertain the vulnerability of the random case allocation tool to errors and manipulation, in a manner that infringes the parties' right to a fair trial;
4. a new judge was assigned using the SLPS random case allocation generator developed by a member of the executive branch of government, namely the Minister Sprawiedliwości (Minister for Justice), under the rules for the randomised assignment of cases in courts established by way of a regulation issued by that Minister (paragraphs 43–76 of the Rozporządzenie Ministra Sprawiedliwości z 18.6.2019 r. – Regulamin urzędowania sądów powszechnych [Regulation of the Minister of Justice of 18 June 2019 laying down rules on the operation of the ordinary courts]) and in a manner that infringes the parties' right to have their cases heard without undue delay through a failure to guarantee an even workload for judges as a result of the operation of the SLPS, in a manner that discriminates against the parties and infringes the principle of equality before the law;
5. this results in the judge hearing the case in proceedings that are invalid on account of the composition of the court being contrary to the provisions of law and the parties not being afforded effective judicial protection;
6. there is no effective remedy in national law available to the judge against a written decision of the court administrative body regarding the allocation of the case, the assignment of judges and the composition of the court, as there is no judicial remedy enabling the judge to challenge such a written decision before an impartial and independent tribunal in proceedings that meet the requirements arising from Articles 47 of the Charter of Fundamental Rights?

First question

Do Articles 12 to 14 eCommerce Directive 2000/31/EC also apply to a storage and hosting information service provider that makes available to users a website on which free or paid advertisements may be published, which claims that its role in publishing users’ advertisements is purely technical (making the platform available), but which, through the general terms and conditions of use of the website, indicates that it does not claim ownership over the content that is provided, published, uploaded or transmitted, yet retains the right to use the content, including by means of copying it, distributing it, transmitting it, publishing it, reproducing it, modifying it, translating it, transferring it to partners and removing it at any time, without the need for any reason for doing so?

Second question

Must Article 2(4) GDPR, Article 4(7) GDPR and 4(11) GDPR, Article 5(1)(f) GDPR, Article 6(1)(a) GDPR, Articles 7 GDPR, 24 GDPR and 25 GDPR and Article 15 eCommerce Directive 2000/31/EC be interpreted as requiring such a storage and hosting information service provider, which is the personal data controller, to verify before publishing an advertisement whether the person publishing the advertisement and the owner of the personal data referred to in the advertisement are the same person?

Third question

Must Article 2(4) GDPR, Article 4(7) GDPR and 4(11) GDPR, Article 5(1)(f) GDPR, Article 6(1)(a) GDPR, Articles 7 GDPR, 24 GDPR and 25 GDPR and Article 15 eCommerce Directive 2000/31/EC be interpreted as requiring such a storage and hosting information service provider, which is the personal data controller, to verify in advance the content of advertisements published by users, in order to exclude advertisements which are potentially unlawful in nature or likely to infringe a person’s private and family life?

Fourth question

Must Article 5(1)(b) GDPR and 5(1)(f) GDPR, Articles 24 GDPR and 25 GDPR and Article 15 eCommerce Directive 2000/31/EC be interpreted as requiring such a storage and hosting information service provider, which is the personal data controller, to apply safeguards which prevent or limit the reproduction and redistribution of the content of the advertisements published through it?

First question

In the light of Article 2 and the second subparagraph of Article 19(1) of the Treaty on European Union, read in conjunction with Article 47 of the Charter of Fundamental Rights, where an ordinary court of last instance in a Member State (court of appeal) is composed of a single judge assigned to hear a case on the basis of a written decision of a court administrative body, is that court an independent and impartial tribunal that is previously established by law and that ensures effective legal protection where the decision in question:

1. was issued in breach of the principle that the composition of a court must remain constant;
2. was issued in flagrant infringement of the provisions of national law on the allocation of cases, assignment of judges, and changes to the composition of a court;
3. was issued in the absence of a judge's consent to be included in the composition of the court due to the fact that the written decision of the court administrative body on the allocation of the case, assignment of judges, and change to the composition of the court was issued in flagrant infringement of the provisions of national law;
4. would result in a judge hearing the case in proceedings that are invalid due to the composition of the court being contrary to the provisions of law and due to the failure to ensure effective legal protection for the parties;
5. was issued in the absence of an effective remedy available to the judge under national law against a written decision of the court administrative body on the allocation of the case, assignment of judges, and change to the composition of the court, namely:
   1. the absence of a judicial remedy enabling the judge to appeal such a written decision to an impartial and independent tribunal in proceedings that meet the requirements arising from Articles 47 and 48 of the Charter of Fundamental Rights;
   2. the absence of an effective remedy with respect to external administrative supervision by the Minister Sprawiedliwości (Minister of Justice);
   3. the absence of an effective remedy with respect to internal administrative supervision by the President of the Court;
6. involved the use of trawling activities against the judge by the President and Vice-President of the Court in order to create a chilling effect with the intention of forcing the judge selected by a random number generator to hear the case in a situation where the composition of the court is contrary to the provisions of law and the proceedings are invalid, including:
   1. by subjecting the judge to administrative supervision measures that encroach on the domain of judicial independence;
   2. by subjecting the judge to internal administrative supervision measures that are not provided for by statute;
   3. by subjecting the judge to internal administrative supervision measures provided for by statute in a situation where the judge is not at fault;
   4. by discriminating against the judge in his or her employment by subjecting him or her to internal administrative supervision measures while applying no such supervision measures (either provided for or not provided for by statute) against other judges of that court who bear full responsibility for flagrant infringements of the provisions of national law on the allocation of cases, assignment of judges, and changes to the composition of a court?

Second question

If the answer to that question is in the negative:

In the light of Article 2 and the second subparagraph of Article 19(1) of the Treaty on European Union, read in conjunction with Article 47 of the Charter of Fundamental Rights, where an ordinary court of last instance in a Member State (court of appeal) is composed of a single judge assigned to hear a case on the basis of a written decision of a court administrative body in the circumstances described in points 1 to 6 above, who, guided by the principle of the rule of law, has subsequently given his express consent to be included in the composition of the court in the absence of objections from both parties to the case or with their consent, is that court an independent and impartial tribunal that is previously established by law and that ensures effective legal protection?

First question

Is Article 17 1 GDPR, read in conjunction with the right to the protection of personal data as guaranteed by Article 8 of the Charter of Fundamental Rights of the European Union (‘the Charter’), the freedom of thought conscience and religion as guaranteed by Article 10 of the Charter and Article 9 [of the Convention for the Protection of Human Rights and Fundamental Freedoms] and the principle of separation of Church and State as enshrined in Articles 19 and 21 of the Belgian Constitution, to be interpreted as meaning that a person who was baptised as a minor and who, as an adult, wishes to dissociate himself or herself from the Roman Catholic Church, has or does not have the right to have his or her personal data erased from the baptismal register?

Second question

In that regard, does it make any difference for the purposes of Article 17(1)(c) GDPR that, according to the controller, the entry in the baptismal register affects the aforementioned fundamental rights (freedom of religion) of the controller and the Roman Catholic Church community it represents?

Third question

Does it make a difference in that respect that this baptismal register is not digital, but a unique material carrier in the form of book with recto-verso pages in which details of other data subjects are also given on the back?

Fourth question

Does it make a difference that the book itself is an historical artefact and that the baptismal register is a unique record of historical facts that are not recorded anywhere else, as a result of which the data processing also occurs for archiving in the public interest, scientific or historical research or statistical purposes within the meaning of Article 17(3)(d) GDPR?

Fifth question

To the extent that there might be a right to data erasure within the meaning of Article 17(1) GDPR and in so far as there might not be an exception to this right within the meaning of Article 17(3) GDPR, is the right to data erasure by analogy satisfied by the annotation that a person has left the church in the margin of the baptismal register?

First Question

Must Article 86(1) AI Act be interpreted as meaning that the consumer has the right, within the meaning of Directives 2011/83/EU and 93/13/EEC, to know from the service provider how and with the aid of what elements [and] parameters automated decisions (invoices) were generated on the basis of data which the trader collected automatically in the context of a contract for the provision of mobile telecommunications services?

Must Article 86(1) AI Act, read in conjunction with Article 38 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that the consumer has the right to know from the service provider what algorithm calculates the automatically generated invoices […] and what elements and parameters are fed into it?

Must Article 86(1) AI Act be interpreted as applying to consumer contracts?

Second Question

Must Articles 6(1) and 7(1) of Directive 93/13/EEC be interpreted meaning that they are applicable in respect of an activity based on artificial intelligence [or] automated decisions within the meaning of Article 86 AI Act?

Third Question

Must Article 3(1) of Directive 2011/83/EU be interpreted as meaning that the protection of consumer rights is applicable in respect of systems which use artificial intelligence and generate automated decisions within the meaning of the AI Act?

Fourth Question

Must Article 86(1) AI Act, read in conjunction with Article 47 of the Charter of Fundamental Rights of the European Union, read in conjunction with Article 38 of the Charter, and with the principle of effectiveness reflected in Articles 6(1) and 7(1) of Directive 93/13/EEC and in Article 5 of Directive 2011/83/EU, be interpreted as permitting the court to demand from the trader the black box data, the source code and the algorithm relating to the way in which automated decisions are made under the consumer contract?

Fifth Question

Must Article 86(1) AI Act, read in conjunction with Article 47 of the Charter of Fundamental Rights of the European Union, read in conjunction with Article 38 of the Charter, and with Directive 2011/83/EU, be interpreted as meaning that an automated decision generated by a trader under a contract with a consumer for mobile telecommunications services permits that automated decision to be reviewed by a human being, a judge, during real judicial proceedings? Must those provisions be interpreted as meaning that automated decisions […] are subject to human review by a judge in real judicial proceedings?

Sixth Question

Must recitals 7 and 8 and Article 95(2)(a) AI Act and Directive 2011/83/EU […] be interpreted as meaning that, where an automated decision-making system is operated and used […] in the consumer contract, lawyers or senior judicial officers […] with high moral and ethical standards must be involved in order to guarantee a transparent, effective and human-centric information system which takes account of fundamental rights?

Seventh Question

Must Article 3(1) of Directive 93/13/EEC and point 1(e) of the Annex to that directive be interpreted precluding a trader from invoicing compensation for termination of contract where the contract was terminated on the grounds of nonpayment by the consumer […] but will be reinstated, and mobile telecommunications services resumed, upon subsequent payment […]?

Eighth Question

Must the expression 'fails to fulfil his obligation' within the meaning of point 1(e) of the Annex to Directive 93/13/EEC be interpreted as meaning nonpayment by the consumer of amounts which were generated by an automated system and represent automated decision-making (ADM), where the consumer was not informed of the way in which the amounts were calculated?

Ninth Question

Must Article 5(1)(a) and (c) of Directive 2011/83/EU and Article 5(1) of Directive 93/13/EEC be interpreted as meaning that the requirement regarding 'plain, intelligible' or 'clear and comprehensible' language also applies to subsequent contracts, annexes and invoices arising from a consumer contract and generated by means of artificial intelligence or another automated system without human intervention (ADM)?

Tenth Question

Must Article 5(1) of Directive 93/13/EEC and Article 86(1) AI Act be interpreted as meaning that the automatically generated invoices arising from a consumer contract […] must be written in plain, intelligible language and the consumer has the right to demand an explanation from the trader as to how and by what algorithm the decision was made?

Eleventh Question

Must Article 5(1)(c) of Directive 2011/83/EU ('the Consumer Rights Directive') and Article 3(1) of Directive 93/13/EEC be interpreted as not precluding the trader from calculating a sum in compensation for termination of a contract (on the grounds of non-payment under the contract) on the basis of the standard monthly subscription fee and not on the basis of the promotional subscription fee, even though the parties agreed on payment of the promotional subscription fee until the end of the contract and the trader itself did not want to conclude a contract with a standard subscription fee?

Twelfth Question

Must [the expression] 'a disproportionately high sum in compensation' within the meaning of point 1(e) of the Annex to Directive 93/13/EEC be interpreted as representing the difference between the promotional subscription fee and the standard monthly subscription fee in a contract, calculated for the number of months remaining until the end of the [originally agreed] term of the terminated contract?

Thirteenth Question

Must Article 3(1) of Directive 93/13/EEC be interpreted as not permitting a trader to calculate amounts for fractions of the accounting periods where the parties contractually agreed amounts for whole accounting periods?

Fourteenth Question

Must Articles 6(1) and 7(1) of Directive 93/13/EEC and the principle of effectiveness […] be interpreted as precluding national legislation under which a consumer may be ordered to bear part of the costs of the proceedings where […] the trader did not explain to the consumer in a clear [and] comprehensible manner how and by what algorithm the automated decision is made and the trader only provided that explanation […] in the course of the judicial proceedings brought against the consumer […] on the grounds of non-payment of amounts due under the contract?

Fifteenth Question

Must Article 5(1)(a) and (c) of Directive 2011/83/EU be interpreted as precluding a mobile telecommunications operator from claiming a sum in compensation […] for a contract terminated early on the grounds of non-payment by the consumer […] which is based on the standard monthly subscription fee even though the trader and the consumer agreed a (lower) promotional monthly subscription fee for the term of the contract?

Sixteenth Question

Must Article 5(1)(a) and (c) of Directive 2011/83/EU be interpreted as precluding a mobile telecommunications operator from claiming a sum in compensation […] for a contract terminated early on the grounds of non-payment by the consumer […] which includes the difference between the standard monthly subscription fee and the promotional monthly subscription fee […] for the time from termination [of the contract until the end of the agreed term]?

Seventeenth Question

Must Article 5(1)(a) and (c) of Directive 2011/83/EU be interpreted as precluding a mobile telecommunications operator from claiming a sum in compensation for [single] days even though the parties agreed a monthly subscription fee by way of compensation? Is the trader permitted to claim a sum in compensation based on a monthly subscription fee for [single] days and not for a month?

First question

Is the term 'national law' in Article 14(d) Company Law Directive 2017/1132 'persons participating in the management, supervision or control of a company' means be interpreted as referring to any shareholder in a public limited liability company and, consequently, that a Member State is obliged to provide information on every shareholder of a company by making it publicly available in a register pursuant to Article 16(3) of Directive 2017/1132?

Second question

If the answer to the first question is in the affirmative, does Article 14(d)(ii) of Directive 2017/1132, in so far as it provides the disclosure of the particulars of each shareholder of a public limited liability company, is valid, having regard to the right to private and family life guaranteed by Article 7 Charter and the right to the protection of personal data guaranteed by Article 8 Charter?

Third question

Is Article 5(1)(b) GDPR to be interpreted as meaning that the purpose of processing the personal data of shareholders of public limited liability companies may the purpose of ensuring, first, an open business environment and, third the protection of the interests of third parties, secondly, the protection of the the prevention of the financing of money laundering, terrorism and proliferation, and the enforcement of national, international and European Union sanctions the provision of information necessary for the enforcement of sanctions?

Fourth question

Do the principles set out in Article 5(1) GDPR Member State's legal framework to provide for the above-mentioned purposes, under which the personal data of any shareholder in a public limited liability company may be obtained by any person and does not have to prove a legitimate interest in obtaining such data?

First question

Do the requirements imposed by Article 80(1) GDPR on an advocacy organisation as referred to in that paragraph preclude Member States from including in their national legislation further admissibility requirements for advocacy organisations seeking to bring actions on behalf of data subjects as referred to in Articles 77 GDPR, 78 GDPR, 79 GDPR and 82 GDPR?
 

Second question

Are the admissibility requirements in the WAMCA, which implements the EU Directive 2020/1828 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC, to interest representatives who wish to bring a collective redress action on behalf of data subjects against a controller or processor on account of violations of the GDPR permissible in the light of Article 80(1) GDPR?
 

Third question

Does the concept of mandate in Article 80(1) GDPR and/or the provisions of Article 80(2) GDPR preclude national legislation pursuant to which an interest group, which meets the requirements of Article 80(1) GDPR , may bring a collective action for damages on behalf of data subjects against a data controller or processor on account of violations of the GDPR, when that interest group does not (yet) have an explicit mandate from data subjects?

Fourth question

To what extent is it relevant in this context that under those national regulations (the WAMCA), the data subject can choose in writing at two points in time not to make use of the interest representation by the interest representative, namely (i) within a period to be determined by the court counting from the moment the interest representative is appointed by the court as (exclusive) interest representative (art. 1018f paragraph 1 Code of Civil Procedure - Rv) and (ii) within a period to be determined by the court after the parties have concluded a settlement agreement (art. 1018h paragraph 5 Rv).

First question 

Is Article 31(4) AML5 Directive 2015/849 as amended by Directive 2018/843, in so far as it allows access to information on the beneficial ownership of a trust or similar legal arrangement, is compatible with the rules of the Charter of Fundamental Rights (Article 7 Charter 'Respect for private and family life' and Article 8 Charter 'Protection of personal data') and the European Convention on Human Rights (Article Article 8 of the European Convention on Human Rights), in so far as it allows access in any event to any natural or legal person 'who can demonstrate a legitimate interest' without specifying and delimiting the very concept of 'legitimate interest', leaving its definition to the full discretion of the Member States, thus giving rise to the risk of excessively broad delimitation of the subjective scope of the right of access, which could potentially undermine the fundamental rights of the individual concerned. 

Second question 

Do the safeguards provided for in Article 31(7a) AML5 Directive 2015/849, as amended by Directive 2018/843, relating to the right to an administrative appeal against a decision derogating (in exceptional circumstances established by national law) from the access referred to in paragraph 4, (access permitted, in any event, to information on the ownership of a trust or related legal arrangement), having regard to the protections afforded by Article 47 Charter ('right to an effective remedy and a fair trial') and Article 6 of the ECHR are compatible with Articles 6 to 7 of Decree No 55 of the Ministry of the Economy and Finance No 55 of 11 March 2022 in so far as they confer on a non-jurisdictional administrative body such as the territorial chamber of commerce the power to give an opinion determining the irreversible effect of the disclosure of the data, providing only at a later stage for the right to a judicial remedy available to the beneficial owner.

First question

Must Article 15(1) ePrivacy Directive 2002/58/EC, read in conjunction with Articles 7 Charter, 8 Charter and 52(1) Charter of Fundamental Rights of the European Union, be interpreted as: 

1. precluding national legislation which lays down an obligation for operators of electronic communications services to retain and process the traffic data referred to in that legislation in the context of the provision of that network or service for a period of 4 or 12 months, as the case may be, for the purposes of taking appropriate, proportionate, preventive and remedial measures in order to prevent fraud and misuse of their networks and to prevent end users suffering harm or inconvenience, as well as to establish fraud or malicious use of the network or service or enable the perpetrators or origin thereof to be identified;
2. precluding national legislation which allows those operators to retain and process the traffic data concerned beyond the abovementioned time limits, in the case of identified specific fraud or identified specific malicious use of the network, for the time required for its analysis and resolution or the time necessary to process that malicious use;
3. precluding national legislation which, without laying down an obligation to request a prior opinion or to notify an independent authority, allows those operators to retain and process data other than those referred to in the law, with a view to making it possible to establish fraud or malicious use of the network or service, or to identify its perpetrator and origin;
4. precluding national legislation which, without laying down an obligation to request a prior opinion or to notify an independent authority, allows those operators to retain and process for a period of 12 months the traffic data which they consider necessary to ensure the security and proper functioning of their electronic communications networks and services, and in particular for the detection and analysis of a potential or actual breach of that security, including identifying the origin of that breach and, in the event of a specific breach of network security, for the period necessary to process it?

Second question

Must Article 15(1) ePrivacy Directive 2002/58/EC, read in conjunction with Articles 7 Charter, 8 Charter and 52(1) Charter of Fundamental Rights, be interpreted as: 

1. precluding national legislation which allows mobile network operators to retain and process location data, without the legislation describing precisely which data are covered, in the context of the provision of that network or service, for a period of 4 or 12 months, as the case may be, where necessary for the proper functioning and security of the network or service, or to detect or analyse fraud or malicious use of the network;
2. precluding national legislation which allows those operators to retain and process location data beyond the abovementioned time limits, in the event of a specific breach and in the case of specific fraud or specific malicious use?

Third question

If, on the basis of the answers to the first or the second question, the Constitutional Court should conclude that certain provisions of the Law of 20 July 2022 ‘on the collection and retention of identification data and metadata in the electronic communications sector and the provision of such data to the authorities’ infringe one or more of the obligations arising from the provisions referred to in those questions, may it maintain on a temporary basis the effects of the abovementioned provisions of the Law of 20 July 2022 in order to avoid legal uncertainty and to enable the data previously collected and retained to continue to be used for the objectives pursued by the law?

First question

Can a public body which operates a database whose obtaining, verification or presentation of its contents evidences a substantial investment, qualitatively or quantitatively, be regarded as a maker within the meaning of Article 7(1) Database Directive 96/6/EC, if the database is created and operated by that public body in the performance of a statutory task and with financing from public funds, to the extent that the costs cannot be financed from income from the products and services of that public body?

Second question

Does making an extract from the set of documents managed by a public body available in unaltered form (one-to-one) to a third party on a commercial basis by an applicant for this extract fall under ‘re-use’ within the meaning of Article 2(11)(a) Open Data Directive 2019/1024/EU? 

In particular, does it or does it not include use by the applicant ‘for commercial or non-commercial purposes other than the original purpose within the public task for which the information was produced’, given that the public body performs a statutory task and the applicant has a commercial purpose? 

If this one-to-one use falls within the scope of the concept of ‘re-use’, is a prohibition of such re-use, which is made by invoking a database right, objective, proportionate and non-discriminatory as referred to in Article 8 of that directive, if that public body thereby seeks to prevent the marketing of obsolete extracts from its set of documents (principle of legal certainty) and to deprive it of revenue due to the existence of shadow registries from which, for a lower amount, these extracts are traded (principle of profit)?

First question

Is Article 2(3) of Open Data Directive 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the reuse of public sector information to be interpreted as meaning that the term public undertaking includes an undertaking in which several public sector bodies may jointly exercise a dominant influence by virtue of their ownership, their financial participation therein, or the rules which govern it? 

Second question

If the first question is answered in the affirmative, is a dominant influence, as defined in the above-mentioned article of Open Data Directive 2019/1024, to be assumed, even where several public sector bodies jointly hold the majority of an undertaking’s subscribed capital, control the majority of the votes attaching to shares issued by the undertaking, or can appoint more than half of the undertaking’s administrative, management or supervisory body, or is it necessary to examine whether those public sector bodies actually act in concert and have common interests?

First question

What circumstances indicate that the person concerned is a person within the meaning of Article 2 of Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of acts undermining or threatening the territorial integrity, sovereignty and independence of Ukraine ('Regulation No 269/2014')?

Is a legal person whose shares are 50 % held by a legal person whose beneficial owner is on the list of natural persons listed in the Annex to Council Implementing Regulation (EU) 2022/336 of 28 February 2022 implementing Regulation (EU) No 269/2014 concerning restrictive measures concerning acts that undermine or threaten the territorial integrity, sovereignty and independence of Ukraine to be regarded as a related legal person? 

Second question

If the answer to the second part of Question 1 is in the affirmative, is a legal person, within the meaning of Article 2 of Regulation (EU) No 269/2014, also a related legal person of which the legal person described in the second part of Question 1 has a 50 % shareholding? 

Third question

Are the persons, entities or bodies referred to in Article 11(1)(b) of Regulation No 269/2014 also to be regarded as connected legal persons within the meaning of Article 2 of Regulation No 269/2014?

Fourth question

In the determination of any claim, must the Court independently verify whether the parties to the claim are persons referred to in Article 2 or Article 11(1)(a) or (b) of Regulation No 269/2014? 

Fifth question

What are the legal consequences of Article 11(1) of Regulation No 269/2014 stating that claims brought by persons referred to in subparagraph 'a' or 'b' of that paragraph are 'unsatisfactory', and is it permissible to examine the merits of such claims if the court states in the operative part of the judgment that the judgment is not enforceable so long as those persons are included in the relevant lists?

Sixth question

Does Article 11(1) of Regulation No 269/2014 produce legal effects where the claimant is not the person referred to in subparagraph (a) or (b) but the respondent is the person referred to in subparagraph (a) or (b)?

Seventh question

Should the data of the natural person subject to sanctions (name and surname) be disclosed in the grounds for the judicial decision and should those personal data be pseudonymised when the judicial decision is published?

First question

Must Article 22 of Directive (EU) 2019/944 of the European Parliament and of the Council of 5 June 2019 on common rules for the internal market for electricity and amending Directive 2012/27/EU ('the Electricity Directive 2019/944'), read in conjunction with Annex II of that directive, be interpreted as meaning that a system operator is required to [take into consideration] a final customer's wish not to receive a smart meter, and has an obligation in such a case to provide the final customer with a conventional meter instead of a smart meter?

Second question

Must Article 2(1) of Directive 2014/32/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of measuring instruments, which defines in more detail a 'measuring instrument' within the meaning of the instrument-specific Annexes III to XII (active electrical energy meters [MI-003]), read in conjunction with Article 20(b) and (c) and Article 23(3) of the Electricity Directive 2019/44, be interpreted in such a way that it runs counter to a provision of national law (point 31 of Paragraph 7(1) of the Elektrizitätswirtschafts- und organisationsgesetz 2010 (Law on the organisation of the electricity sector 2010) in the version in BGBl I No. 17/2021, 'the ElWOG'), which does not lay down any specific data protection requirements in relation to meters?

Third question

Must Article 20(b) and (c), Article 21(1)(a) and Article 23(3) of the Electricity Directive 2019/44 also take into consideration Article 6(1) of Directive 1999/34/EC of the European Parliament and of the Council of 10 May 1999 amending Council Directive 85/37/EEC on the approximation of the laws, resolutions and administrative provisions of the Member States concerning liability for defective products?

Fourth question

Must Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector ('Directive on privacy and electronic communication'), be interpreted as meaning that the term 'electronic communications network' is also applicable to an electricity system via which data (consumption data, metadata, personal identity) are transmitted for the purposes of Article 20(b) and (c), Article 21(1)(a) and Article 23(3) of the Electricity Directive 2019/944?

Fifth question

Must Articles 5(1)(f) GDPR, Article 13 GDPR and Article 32(2) GDPR and Article 7, Article 8(1) and (2) of the Charter of Fundamental Rights of the European Union ('the Charter') be interpreted as contradicting a national provision (Paragraph 1(6) of the Intelligente Messgeräte-Einführungsverordnung (Ordinance on the introduction of smart meters), BGBl II No. 138/2012 in the version in BGBl II No. 9/2022 of 13 January 2022, 'the IME-VO'), according to which only the respective configuration of the reading interval must be visible for the final customer, but not whether the system operator recognised a 'justified individual case' (Paragraph 84a(1) of the ElWOG) and has retrieved data of the final customer before the set interval?

Sixth question

Having regard to Article 52(3) of the Charter, the fifth recital thereof and the explanations relating to Article 7 of the Charter, must the case-law of the European Court of Human Rights on Article 8 of the European Convention on Human Rights taken into account for the purpose of interpreting Article 20(b) and (c), Article 21(1)(a) and Article 23(3) of the Electricity Directive?

First question

Should Article 23(1) of Directive 2013/32, read in conjunction with Article 46(1) of Directive 2013/32, and having regard to Articles 4 and 47 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that the (access to the) information in the applicant's file on the basis of which a decision has been or will be made also includes (access to) information on the manner in which that information was gathered and obtained?

Second question

Does Article 5 of Directive 2008/115, read in conjunction with Article 13(1) of Directive 2008/115, and having regard to Articles 4, 19(2) and 47 of the Charter of Fundamental Rights of the European Union, require the judicial authority reviewing the lawfulness of a return decision to ascertain how the information referred to in Article 23(1) of Directive 2013/32 was gathered and obtained?

First question

Are Articles 77 GDPR and 79 GDPR applicable in light of the ECJ's statements in the judgments of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C-132/21, EU:C:2023:2 and of 7 December 2023, SCHUFA Holding and Others (Release of outstanding debt), C-26/22 and C-64/22, EU:C:2023:958, to the effect that
 

• that the nationally provided possibility of rejecting a complaint to a supervisory authority under Article 77 GDPR on the basis of the prior lodging of a judicial remedy under Article 79 GDPR in the same case and the fact that this remedy is pending before the court constitutes a permissible modality for regulating the interaction of these remedies (within the meaning of the aforementioned case-law of the CJEU),

Second question

and if the first question is answered in the negative,
 

• that the domestic possibility of rejecting a complaint to a supervisory authority under Article 77 GDPR on the basis of the fact that a substantive decision (albeit not yet final) has already been issued in the proceedings pending in the same case on the judicial remedy under Article 79 GDPR constitutes a permissible modality for regulating the interaction of these remedies (within the meaning of the aforementioned case-law of the CJEU)?

First question (a)

Does the obligation imposed on Member States by Article 12(2) of Directive 2004/80/EC (“the Compensation Directive”) to provide “fair and appropriate compensation” to victims of violent intentional crimes, require that a victim be compensated for both material and non-material loss within the meaning of Presidenza del Consiglio dei Ministri v BV (“BV”) (Case C-129/19,EU:C:2020:566)?

Second question (b)

If the answer to Question (a) is yes, what forms of loss fall within the scope of “non-material loss”?

Third question (c)

In particular, does a victim’s ‘pain and suffering’ fall within the scope of “non-material loss?”

Fourth question (d)

If the answer to a) and c) is yes, bearing in mind that [M]ember [S]tates are required to ensure that their schemes are financially viable, what relationshipshould the “fair and appropriate compensation” awarded to a victim pursuant tothe Compensation Directive bear to the damages in tort that would be awarded to that victim as against the relevant perpetrator as tort-feasor.

Fifth question (e)

Can the compensation established for victims of violent intentional crimes under the ‘Scheme of Compensation for Personal Injuries Criminally Inflicted’ (the “Scheme”) be regarded as “fair and appropriate compensation to victims” within the meaning of Article 12(2) of the Compensation Directive if a victim is awarded the sum of €645.65 as compensation for a serious eye injury resulting inpermanent sight impairment?

First question

Must Article 4(7) GDPR be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of taxable persons determines the purposes or means of the processing of personal data and is therefore a ‘controller’ for the purposes of the processing of personal data?

Second question

If the first question is answered in the negative, must Article 51 GDPR be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of taxable persons is responsible for monitoring [the application of] that regulation and must therefore be classified as a ‘supervisory authority’ in relation to those data?

Third question

If either of the above questions is answered in the affirmative, must Article 32(1)(b) GDPR and Article 57(1)(a) GDPR be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of taxable persons is obliged, in the presence of data concerning a personal data breach committed in the past by the body to which such access is to be granted, to obtain information on the data protection measures taken and to assess the appropriateness of those measures in its decision to permit access?

Fourth question

Irrespective of the answers to the [second] and [third] questions, must Article 79(1) GDPR, read in conjunction with Article 47 Charter of Fundamental Rights of the European Union, be interpreted as meaning that, where the national law of a Member State provides that certain categories of data may be disclosed only after permission to do so has been granted by a court, the court so competent must of its own motion grant legal protection to the persons whose data are to be disclosed, by requiring the authority which has applied for access to the data in question, and which is known to have received binding instructions from the authority under Article 51(1) GDPR following a personal data breach, to provide information on the implementation of the measures imposed on it by administrative decision pursuant to Article 58(2)(d) GDPR?

First question

Do legislative measures which relate to granting public authorities access to traffic and location data (including identification data) in connection with the prevention, investigation, detection and prosecution of criminal offences fall within the scope of ePrivacy Directive 2002/58/EC if they concern the granting of access to data which are not retained on the grounds of legislative measures within the meaning of Article 15(1) ePrivacy Directive 2002/58/EC, but which are retained by the provider on some other ground?

Second question

1. Do the ... terms 'serious criminal offences' and 'serious crime' ... [used in the judgments of the Court of Justice cited in the order for reference] constitute autonomous concepts of European Union law, or is it incumbent on the competent authorities of the Member States themselves to give substance to those terms?
2. If these are indeed autonomous concepts of European Union law, in what way should it be established whether what is involved is a 'serious criminal offence' or 'serious crime'?

Third question

Can granting public authorities access to traffic and location data (other than mere identification data) for the purpose of the prevention, investigation, detection and prosecution of criminal offences be permissible under Directive 2002/58/EC if no serious criminal offences or serious crime are involved, that is to say, if in the specific case the granting of access to such data - in so far as may be assumed - causes only a minor interference with, in particular, the right to the protection of the private life of the user as referred to in Article 2(b) ePrivacy Directive 2002/58/EC?