Pending CJEU data protection cases

What are the data protection cases currently pending at the Court of Justice of the EU – CJEU (preliminary questions about GDPR, ePrivacy 2002/58/EC, LED Directive 2016/680)? Find out in the table below.


Case name (number) | Stage | Case lodge date | Referring court | Origin country | Preliminary questions or pleas in law | Advocate General | Date of A-G's opinion | Relevant GDPR articles | Hearing date

C-252/21 Meta Platforms v Bundeskartellamt | Judgment scheduled | 2021-04-22 | 2023-07-04 | Oberlandesgericht Düsseldorf | Germany

First question

  1. Is it compatible with Article 51 GDPR et seq. if a national competition authority - such as the German Federal Cartel Office - which is not a supervisory authority within the meaning of Article 51 GDPR et seq., of a Member State in which an undertaking established outside the European Union has an establishment that provides the main establishment of that undertaking - which is located in another Member State and has sole responsibility for processing personal data for the entire territory of the European Union - with advertising, communication and public relations support, finds, for the purposes of monitoring abuses of competition law, that the main establishment's contractual terms relating to data processing and their implementation breach the GDPR and issues an order to end that breach?
  2. If so: Is that compatible with Article 4(3) TEU if, at the same time, the lead supervisory authority in the Member State in which the main establishment, within the meaning of Article 56(1) GDPR, is located is investigating the undertaking's contractual terms relating to data processing?

Second question

If the answer to Question 1 is yes:

  1. If an internet user merely visits websites or apps to which the criteria of Article 9(1) GDPR relate, such as flirting apps, gay dating sites, political party websites or health-related websites, or also enters information into them, for example when registering or when placing orders, and another undertaking, such as Facebook Ireland, uses interfaces integrated into those websites and apps, such as 'Facebook Business Tools', or cookies or similar storage technologies placed on the internet user's computer or mobile device, to collect data about those visits to the websites and apps and the information entered by the user, and links those data with the data from the user's Facebook.com account and uses them, does this collection and/or linking and/or use involve the processing of sensitive data for the purpose of that provision?
  2. If so: Does visiting those websites or apps and/or entering information and/or clicking or tapping on the buttons integrated into them by a provider such as Facebook Ireland (social plugins such as 'Like', 'Share' or 'Facebook Login' or 'Account Kit') constitute manifestly making the data about the visits themselves and/or the information entered by the user public within the meaning of Article 9(2)(e) GDPR?

Third question

Can an undertaking, such as Facebook Ireland, which operates a digital social network funded by advertising and offers personalised content and advertising, network security, product improvement and continuous, seamless use of all of its group products in its terms of service, justify collecting data for these purposes from other group services and third-party websites and apps via integrated interfaces such as Facebook Business Tools, or via cookies or similar storage technologies placed on the internet user's computer or mobile device, linking those data with the user's Facebook.com account and using them, on the ground of necessity for the performance of the contract under Article 6(1)(b) GDPR or on the ground of the pursuit of legitimate interests under Article 6(1)(f) GDPR?

Fourth question

In those circumstances, can

  • the fact of users being underage, vis-à-vis the personalisation of content and advertising, product improvement, network security and non-marketing communications with the user;
  • the provision of measurements, analytics and other business services to enable advertisers, developers and other partners to evaluate and improve their services;
  • the provision of marketing communications to the user to enable the undertaking to improve its products and engage in direct marketing;
  • research and innovation for social good, to further the state of the art or the academic understanding of important social issues and to affect society and the world in a positive way;
  • the sharing of information with law enforcement agencies and responding to legal requests in order to prevent, detect and prosecute criminal offences, unlawful use, breaches of the terms of service and policies and other harmful behaviour;

also constitute legitimate interests within the meaning of Article 6(1)(f) GDPR if, for those purposes, the undertaking links data from other group services and from third-party websites and apps with the user's Facebook.com account via integrated interfaces such as Facebook Business Tools or via cookies or similar storage technologies placed on the internet user's computer or mobile device and uses those data?

Fifth question

In those circumstances, can collecting data from other group services and from third-party websites and apps via integrated interfaces such as Facebook Business Tools, or via cookies or similar storage technologies placed on the internet user's computer or mobile device, linking those data with the user's Facebook.com account and using them, or using data already collected and linked by other lawful means, also be justified under Article 6(1)(c) GDPR, 6(1)(d) GDPR and 6(1)(e) GDPR in individual cases, for example to respond to a legitimate request for certain data (point (c)), to combat harmful behaviour and promote security (point (d)), to research for social good and to promote safety, integrity and security (point (e))?

Sixth question

Can consent within the meaning of Article 6(1)(a) GDPR and Article 9(2)(a) GDPR be given effectively and, in accordance with Article 4(11) GDPR in particular, freely, to a dominant undertaking such as Facebook Ireland?

Seventh question

If the answer to Question 1 is no:

  1. Can the national competition authority of a Member State, such as the Federal Cartel Office, which is not a supervisory authority within the meaning of Article 51 GDPR et seq. and which examines a breach by a dominant undertaking of the competition-law prohibition on abuse that is not a breach of the GDPR by that undertaking's data processing terms and their implementation, determine, when assessing the balance of interests, whether those data processing terms and their implementation comply with the GDPR?
  2. If so: In the light of Article 4(3) TEU, does that also apply if the competent lead supervisory authority in accordance with Article 56(1) GDPR is investigating the undertaking's data processing terms at the same time?

If the answer to Question 7 is yes, Questions 3 to 5 must be answered in relation to data from the use of the group's Instagram service.

Rantos | 2022-09-20 | Article 4(11), Article 6(1)(b), Article 6(1)(c), Article 6(1)(d), Article 6(1)(e), Article 6(1)(f), Article 9(1), Article 9(2)(a), Article 9(2)(e), Article 51, Article 56(1), Article 52, Article 53, Article 54 | 2022-05-10

C-61/22 RL | A-G opinion scheduled | 2022-02-01 | 2023-06-29 | Verwaltungsgericht Wiesbaden | Germany

Does the obligation to take fingerprints and store them in identity cards in accordance with Article 3(5) of Regulation (EU) 2019/1157 infringe higher-ranking EU law, in particular

  1. Article 77(3) TFEU,
  2. Articles 7 Charter and 8 Charter,
  3. Article 35(10) GDPR,

and is it therefore invalid on one of those grounds?

Medina | 2023-06-29 | Article 35(10) | 2023-03-14

C-579/21 Pankki S | Judgment scheduled | 2021-09-22 | 2023-06-22 | Itä-Suomen hallinto-oikeus | Finland

First question

Is the data subject's right of access under Article 15(1) GDPR, considered in conjunction with the [concept of] 'personal data' within the meaning of Article 4(1) GDPR, to be interpreted as meaning that information collected by the controller which indicates who processed the data subject's personal data and when and for what purpose they were processed does not constitute information in respect of which the data subject has a right of access, in particular because it consists of data concerning the controller's employees?

Second question

If Question 1 is answered in the affirmative and the data subject does not have a right of access to the information referred to in that question on the basis of Article 15(1) GDPR because it does not constitute 'personal data' of the data subject within the meaning of Article 4(1) GDPR, it remains necessary in the present case to consider the information in respect of which the data subject does have a right of access in accordance with Article 15(1) GDPR [(a) to (h)]:

  1. How is the purpose of processing within the meaning of Article 15(1)(a) GDPR to be interpreted in relation to the scope of the data subject's right of access, that is to say, can the purpose of the processing give rise to a right of access to the user log data collected by the controller, such as information concerning personal data of the processors and the time and the purpose of the processing of the personal data?
  2. In that context, can the persons who processed J.M.'s customer data be regarded, under certain criteria, as recipients of the personal data within the meaning of Article 15(1)(c) GDPR, in respect of whom the data subject would be entitled to obtain information?

Third question

Is the fact that the bank at issue performs a regulated activity or that J.M. was both an employee and a customer of the bank at the same time relevant to the present case?

Fourth question

Is the fact that J.M.'s data were processed before the entry into force of the General Data Protection Regulation relevant to the examination of the questions set out above?

Campos Sánchez-Bordona | 2022-12-15 | Article 4(1), Article 15(1), Article 15(1)(a), Article 15(1)(b), Article 15(1)(c), Article 15(1)(d), Article 15(1)(e), Article 15(1)(f), Article 15(1)(g), Article 15(1)(h) | 2022-10-12

C-333/22 LDH | A-G opinion scheduled | 2022-05-20 | 2023-06-15 | Court of Appeals Belgium | Belgium

First question

Do Articles 47 Charter and 8(3) Charter require provision to be made for a judicial remedy against an independent supervisory authority such as the Supervisory Body for Police Information where it exercises the rights of the data subject vis-à-vis the controller?

Second question

Does Article 17 LED Directive 2016/680 comply with Articles 47 Charter and 8(3) Charter, as interpreted by the Court of Justice, in that it obliges the supervisory authority - which exercises the rights of the data subject vis-à-vis the controller - only to inform the data subject ‘that all necessary verifications or a review by the supervisory authority have taken place’ and ‘of his or her right to seek a judicial remedy’, when such information does not enable any a posteriori review to be conducted as regards the action taken and assessment made by the supervisory authority in the light of the data of the data subject and the obligations of the controller?

Medina | 2023-06-15 | 2023-03-29

C-118/22 NG | A-G opinion scheduled | 2022-02-17 | 2023-06-15 | Varhoven administrativen sad | Bulgaria

Does the interpretation of Article 5 LED Directive (EU) 2016/680 in conjunction with Article 13(2)(b) LED Directive (EU) 2016/680 and Article 13(3) LED Directive (EU) 2016/680 permit national legislative measures which lead to a virtually unrestricted right of competent authorities to process personal data for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and/or to the elimination of the data subject’s right to have the processing of his or her data restricted or to have them erased or destroyed?

Pikamäe | 2023-06-15 | 2023-02-07

C-231/22 Belgian State | A-G opinion scheduled | 2022-04-01 | 2023-06-08 | Cour d'appel de Bruxelles | Belgium

First question

Must Article 4(7) GDPR be interpreted as meaning that a Member State’s official gazette — vested with a public task of publishing and archiving official documents, which, under the applicable national legislation, is responsible for publishing official documents whose publication is ordered by third-party public bodies, as they stand when received from those bodies after the latter have themselves processed the personal data contained in those documents, without the national legislature having granted the official gazette any discretion over the content of the documents to be published or the purpose and means of publication — has the status of data controller?

Second question

If the answer to Question 1 is in the affirmative, must Article 5(2) GDPR be interpreted as meaning that only the official gazette in question need comply with the data controller’s responsibilities under that provision, to the exclusion of the third-party public bodies which have previously processed the data contained in the official documents whose publication they are requesting, or are those responsibilities incumbent cumulatively on each of the successive controllers?

2023-06-08 | Article 4(7), Article 5(2) | 2023-03-23

C-178/22 Unknown individuals | A-G opinion scheduled | 2022-03-08 | 2023-06-08 | Tribunale di Bolzano / Landesgericht Bozen - Italy | Italy

Does Article 15(1) ePrivacy Directive 2002/58/EC preclude a provision of national law such as that contained in Article 132 of Legislative Decree No 196 of 30 June 2003 (the Privacy Code), paragraph 3 of which was amended by Decree-Law No 132 of 30 September 2021, converted, with amendments, into Law No 178 of 23 November 2021 and, in its current version, provides:

3. Within the retention period laid down by law, if there is sufficient evidence of the commission of an offence for which the law prescribes the penalty of life imprisonment or a maximum term of imprisonment of at least three years, determined in accordance with Article 4 of the Code of Criminal Procedure, or of an offence of threatening and harassing or disturbing persons by means of the telephone, where the threat or disturbance is serious, the data may, if relevant to establishing the facts, be acquired with the prior authorisation of the court, by way of reasoned order, at the request of the Public Prosecutor or upon an application by the legal representative of the accused, of the person under investigation, of the injured party or of any other private party
Collins | 2023-06-08 | 2023-03-21

C-667/21 Krankenversicherung Nordrhein | A-G opinion delivered | 2021-11-08 | 2023-05-25 | Bundesarbeitsgericht | Germany

First question

Is Article 9(2)(h) GDPR to be interpreted as prohibiting a medical service of a health insurance fund from processing its employee's data concerning health which are a prerequisite for the assessment of that employee's working capacity?

Second question

If the Court answers Question 1 in the negative, with the consequence that an exception to the prohibition on the processing of data concerning health laid down in Article 9(1) GDPR is possible under Article 9(2)(h) GDPR: in a case such as the present one, are there further data protection requirements, beyond the conditions set out in Article 9(3) GDPR, that must be complied with, and, if so, which ones?

Third question

If the Court answers Question 1 in the negative, with the consequence that an exception to the prohibition on the processing of data concerning health laid down in Article 9(1) GDPR is possible under Article 9(2)(h) GDPR: does the permissibility or lawfulness of the processing of data concerning health depend on the fulfilment of at least one of the conditions set out in Article 6(1) GDPR?

Fourth question

Does Article 82(1) GDPR have a specific or general preventive character, and must that be taken into account in the assessment of the amount of non-material damage to be compensated at the expense of the controller or processor on the basis of Article 82(1) GDPR?

Fifth question

Is the degree of fault on the part of the controller or processor a decisive factor in the assessment of the amount of non-material damage to be compensated on the basis of Article 82(1) GDPR? In particular, can non-existent or minor fault on the part of the controller or processor be taken into account in their favour?

Campos Sánchez-Bordona | 2023-05-25 | Article 6(1), Article 9(1), Article 9(2)(h), Article 9(3), Article 82(1)

C-316/23 Inspektorat kam Visshia sadeben savet II | Proceedings initiated | 2023-05-23 | 2023-05-23 | Sofiyski rayonen sad | Bulgaria

C-312/23 Addiko Bank | Proceedings initiated | 2023-05-22 | 2023-05-22 | Upravni sud u Zagrebu | Croatia

C-313/23 Inspektorat kam Visshia sadeben savet I | Proceedings initiated | 2023-05-22 | 2023-05-22 | Sofiyski rayonen sad | Bulgaria

C-33/22 Datenschutzbehorde | A-G opinion delivered | 2022-01-14 | 2023-05-11 | Verwaltungsgerichtshof | Austria

First question

Do activities of a committee of inquiry set up by a Parliament of a Member State in the exercise of its right to scrutinise the executive fall within the scope of EU law within the meaning of the first sentence of Article 16(2) TFEU, irrespective of the subject matter of the inquiry, with the result that the GDPR is applicable to the processing of personal data by a parliamentary committee of inquiry of a Member State?

Second question

If Question 1 is answered in the affirmative:

Do activities of a committee of inquiry which has been set up by a Parliament of a Member State in the exercise of its right to scrutinise the executive and which has as the subject matter of its inquiry the activities of a police State-protection authority, that is to say, activities concerning the protection of national security within the meaning of recital 16 of the GDPR, come within the scope of the exception set out in Article 2(2)(a) GDPR?

Third question

If Question 2 is answered in the negative:

If - as in the present case - a Member State has established only one single supervisory authority in accordance with Article 51(1) GDPR, does the competence of that authority in respect of complaints within the meaning of Article 77(1) GDPR, in conjunction with Article 55(1) GDPR, already arise directly from the GDPR?

Szpunar | 2023-05-11 | Article 2(2)(a), Article 51(1), Article 55(1), Article 77(1) | 2023-03-06

C-683/21 NVSC | A-G opinion delivered | 2021-11-12 | 2023-05-04 | Vilniaus apygardos administracinis teismas | Lithuania

First question

Can the concept of 'controller' set out in Article 4(7) GDPR be interpreted as meaning that a person who is planning to acquire a data collection tool (mobile application) by way of public procurement, irrespective of the fact that a public procurement contract has not been concluded and that the created product (mobile application), for the acquisition of which a public procurement procedure had been used, has not been transferred, is also to be regarded as a controller?

Second question

Can the concept of 'controller' set out in Article 4(7) GDPR be interpreted as meaning that a contracting authority which has not acquired the right of ownership of the created IT product and has not taken possession of it, but where the final version of the created application provides links or interfaces to that public entity and/or the confidentiality policy, which was not officially approved or recognised by the public entity in question, specified that public entity itself as a controller, is also to be regarded as a controller?

Third question

Can the concept of 'controller' set out in Article 4(7) GDPR be interpreted as meaning that a person who has not performed any actual data processing operations as defined in Article 4(2) GDPR and/or has not provided clear permission/consent to the performance of such operations is also to be regarded as a controller?

Is the fact that the IT product used for the processing of personal data was created in accordance with the assignment formulated by the contracting authority significant for the interpretation of the concept of 'controller'?

Fourth question

If the determination of actual data processing operations is relevant for the interpretation of the concept of 'controller', is the definition of 'processing' of personal data under Article 4(2) GDPR to be interpreted as also covering situations in which copies of personal data have been used for the testing of IT systems in the process for the acquisition of a mobile application?

Fifth question

Can joint control of data in accordance with Article 4(7) GDPR and Article 26(1) GDPR be interpreted exclusively as involving deliberately coordinated actions in respect of the determination of the purpose and means of data processing, or can that concept also be interpreted as meaning that joint control also covers situations in which there is no clear 'arrangement' in respect of the purpose and means of data processing and/or actions are not coordinated between the entities?

Are the circumstance relating to the stage in the creation of the means of personal data processing (IT application) at which personal data were processed and the purpose of the creation of the application legally significant for the interpretation of the concept of joint control of data?

Can an 'arrangement' between joint controllers be understood exclusively as a clear and defined establishment of terms governing the joint control of data?

Sixth question

Is the provision in Article 83(1) GDPR to the effect that 'administrative fines ... shall ... be effective, proportionate and dissuasive' to be interpreted as also covering cases of imposition of liability on the 'controller' when, in the process of the creation of an IT product, the developer also performs personal data processing actions, and do the improper personal data processing actions carried out by the processor always give rise automatically to legal liability on the part of the controller?

Is that provision to be interpreted as also covering cases of no-fault liability on the part of the controller?

Emiliou | 2023-05-04 | Article 4(2), Article 4(7), Article 26(1), Article 83(1) | 2023-01-17

C-319/22 Gesamtverband Autoteile-Handel | A-G opinion delivered | 2022-05-11 | 2023-05-04 | Landgericht Köln | Germany

First question

Does the requirement in the second sentence of Article 61(1) of Regulation (EU) 2018/858, according to which

‘Information shall be presented in an easily accessible manner in the form of machine-readable and electronically processable datasets’,

cover all repair and maintenance information within the meaning of point 48 of Article 3 of that regulation, or is that requirement limited to ‘spare parts information’ (‘parts of the vehicle […] that can be replaced by spare parts’) pursuant to point 6.1 of Annex X to that regulation?

Second question

Must the second sentence of Article 61(1) of Regulation (EU) 2018/858, according to which information is to be presented

‘in an easily accessible manner in the form of machine-readable and electronically processable datasets’,

and the second subparagraph of Article 61(2), according to which, for independent operators other than repairers,

‘the information shall also be given in a machine-readable format that is capable of being electronically processed with commonly available information technology tools and software and which allows independent operators to carry out the task associated with their business in the aftermarket supply chain’,

be interpreted as meaning that the vehicle manufacturer fulfils its obligations in that regard only by

  1. making the information accessible via the internet by means of a machine-controlled query via a database interface, which provides the possibility to download the results, or is it sufficient that the vehicle manufacturer enables only a manual search by a human user on-screen on a website and limits the result of the query to the visible content of the pages displayed on-screen? and
  2. making it possible for all information in the database linked to the vehicle manufacturer’s vehicle identification numbers (VINs) to be searched for on the basis of those VINs, which are to be provided by it in a separate list, and, independently of that possibility,
  • also on the basis of other vehicle identification characteristics in accordance with the third subparagraph of point 6.1 of Annex X to the regulation
  • and on the basis of the terms that the vehicle manufacturer otherwise uses for categories (such as categories of components, spare parts, repair and maintenance instructions and technical illustrations) and other database entries in any combination

or is it sufficient that the manufacturer offers the search exclusively as an individual query based on the VIN of a single, specific vehicle without at the same time providing an up-to-date list of all its vehicles’ VINs? and

  3. providing those datasets in files in a format which is intended to make the datasets contained therein directly amenable to (further) electronic processing, the description of the dataset concerned being specified (in the case of texts and tables), or is the possibility to export mere screenshots in any conventional file format, such as a PDF file, sufficient for that purpose?

Third question

Does Article 61(1) of Regulation (EU) 2018/858 constitute, for vehicle manufacturers, a legal obligation within the meaning of Article 6(1)(c) GDPR which justifies the disclosure of VINs or information linked to VINs to independent operators as other controllers within the meaning of Article 4(7) GDPR?

Campos Sánchez-Bordona | 2023-05-04 | Article 4(7), Article 6(1)(c)

C-115/22 NADA and Others | Hearing held | 2022-02-17 | 2023-05-02 | Unabhängige Schiedskommission Wien | Austria

First question

Does the information that a certain person has committed a specific doping violation, as a result of which that person has been banned from taking part in (national and international) competitions, constitute 'data concerning health' within the meaning of Article 9 GDPR?

Second question

Does the General Data Protection Regulation - particularly in the light of the second subparagraph of Article 6(3) GDPR - preclude a national provision that provides for the disclosure of the name of the persons concerned by the decision of the Independent Arbitration Committee, the duration of the ban and the reasons for it, without it being possible to infer the health data of the person concerned?

Is it relevant that disclosure of that information to the general public can only be omitted under the national provision if the person concerned is a recreational athlete, a minor or a person who has contributed significantly to the detection of potential anti-doping violations by disclosing information or other indications?

Third question

Does the General Data Protection Regulation - particularly in the light of the principles in Article 5(1)(a) GDPR and 5(1)(c) GDPR - in any case prior to the disclosure, require a balancing of interests between the personal interests of the person concerned that will be affected by the disclosure, on the one hand, and the interest of the general public in being informed of the anti-doping violation committed by an athlete, on the other?

Fourth question

Does the disclosure of the information that a certain person has committed a specific doping violation, as a result of which that person has been banned from taking part in (national and international) competitions, constitute the processing of personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR?

Fifth question

If Question 4 is answered in the affirmative: Is the Independent Arbitration Committee established under Paragraph 8 of the 2021 ADBG an official authority within the meaning of Article 10 GDPR?

Article 5(1)(a), Article 5(1)(c), Article 6(3), Article 9, Article 10 | 2023-05-02

C-340/21 Natsionalna agentsia za prihodite | A-G opinion delivered | 2021-06-02 | 2023-04-27 | Varhoven administrativen sad | Bulgaria

First question

Are Articles 24 GDPR and 32 GDPR to be interpreted as meaning that unauthorised disclosure of, or access to, personal data within the meaning of Article 4(12) GDPR by persons who are not employees of the controller's administration and are not subject to its control is sufficient for the presumption that the technical and organisational measures implemented are not appropriate?

Second question

If the first question is answered in the negative, what should be the subject matter and scope of the judicial review of legality in the examination as to whether the technical and organisational measures implemented by the controller are appropriate pursuant to Article 32 GDPR?

Third question

If the first question is answered in the negative, is the principle of accountability under Article 5(2) GDPR and Article 24 GDPR, read in conjunction with recital 74 thereof, to be interpreted as meaning that, in legal proceedings under Article 82(1) GDPR, the controller bears the burden of proving that the technical and organisational measures implemented are appropriate pursuant to Article 32 GDPR?

Can the obtaining of an expert's report be regarded as a necessary and sufficient means of proof to establish whether the technical and organisational measures implemented by the controller were appropriate in a case such as the present one, where the unauthorised access to, and disclosure of, personal data are the result of a 'hacking attack'?

Fourth question

Is Article 82(3) GDPR to be interpreted as meaning that unauthorised disclosure of, or access to, personal data within the meaning of Article 4(12) GDPR by means of, as in the present case, a 'hacking attack' by persons who are not employees of the controller's administration and are not subject to its control constitutes an event for which the controller is not in any way responsible and which entitles it to exemption from liability?

Fifth question

Is Article 82(1) GDPR and 82(2) GDPR, read in conjunction with recitals 85 and 146, to be interpreted as meaning that, in a case such as the present one, involving a personal data breach consisting in unauthorised access to, and dissemination of, personal data by means of a 'hacking attack', the worries, fears and anxieties suffered by the data subject with regard to a possible misuse of personal data in the future fall per se within the concept of non-material damage, which is to be interpreted broadly, and entitle him or her to compensation for damage where such misuse has not been established and/or the data subject has not suffered any further harm?

Pitruzzella | 2023-04-27 | Article 4(12), Article 5(2), Article 24, Article 32, Article 82(1), Article 82(2), Article 82(3)

C-807/21 Deutsche Wohnen | A-G opinion delivered | 2021-12-21 | 2023-04-27 | Kammergericht Berlin | Germany

First question

Is Article 83(4) GDPR, 83(5) GDPR, 83(6) GDPR to be interpreted as incorporating into national law the functional concept of an undertaking and the principle of an economic entity, as defined in Articles 101 and 102 TFEU, as a result of which, by broadening the principle of a legal entity underpinning Paragraph 30 of the Gesetz über Ordnungswidrigkeiten (Law on administrative offences; 'the OWiG'), proceedings for an administrative fine may be brought against an undertaking directly and a fine imposed without requiring a finding that a natural and identified person committed an administrative offence, if necessary, in satisfaction of the objective and subjective elements of tortious liability?

Second question

If Question 1 is answered in the affirmative:

Is Article 83(4) GDPR, 83(5) GDPR, 83(6) GDPR to be interpreted as meaning that the undertaking must have intentionally or negligently committed the breach of an obligation vicariously through an employee (see Article 23 of Council Regulation (EC) No 1/2003), or is the objective fact of breach caused by it sufficient, in principle, for a fine to be imposed on that undertaking ('strict liability')?

Campos Sánchez-Bordona | 2023-04-27 | Article 83(4), Article 83(5), Article 83(6), Article 58(2)(i), Article 4(7) | 2023-01-17
C-548/21 | Bezirkshauptmannschaft Landeck | A-G opinion delivered | 2021-06-09 | 2023-04-20 | Landesverwaltungsgericht Tirol | Austria

First question

Is Article 15(1) ePrivacy Directive 2002/58/EC (possibly read in combination with Article 5 ePrivacy Directive 2002/58/EC), as amended by Directive 2009/136/EC, read in the light of Articles 7 Charter and 8 Charter, to be interpreted as meaning that public authorities' access to data stored on mobile telephones entails interference with fundamental rights enshrined in those articles of the Charter which is sufficiently serious to entail that access being limited, in areas of prevention, investigation, detection and prosecution of criminal offences, to the objective of fighting serious crime?

Second question

Is Article 15(1) ePrivacy Directive 2002/58/EC, as amended by Directive 2009/136, read in the light of Articles 7 Charter, 8 Charter and 11 Charter and Article 52(1) Charter, to be interpreted as meaning that it precludes a national rule, such as that enacted in Paragraph 18 of the Strafprozessordnung (Austrian Code of Criminal Procedure), read in combination with Paragraph 99(1) thereof, which allows security authorities to grant themselves full and uncontrolled access to all digital data stored on a mobile telephone in the course of a criminal investigation without the authorisation of a court or independent administrative body?

Third question

Is Article 47 Charter, possibly read in combination with Articles 41 Charter and 52 Charter, to be interpreted, from the point of view of equality of arms and from the point of view of an effective remedy, as meaning that it precludes a national rule, such as that enacted in Paragraph 18 of the Code of Criminal Procedure, read in combination with Paragraph 99(1) thereof, which allows data processing of a mobile telephone without advising the data subject before or, at the very least, after the measure is taken?

Campos Sánchez-Bordona | 2023-04-20 | 2023-01-16
C-307/22 | FT v DW | A-G opinion delivered | 2022-05-09 | 2023-04-20 | Bundesgerichtshof | Germany

First question

Must the first sentence of Article 15(3) GDPR, read in conjunction with Article 12(5) GDPR, be interpreted as meaning that the controller (in the present case: the doctor providing treatment) is not obliged to provide the data subject (in the present case: the patient), free of charge, with a first copy of his or her personal data processed by the controller where the data subject does not request the copy in order to pursue the purposes referred to in the first sentence of recital 63 of the GDPR, namely to become aware of the processing of his or her personal data and to be able to verify the lawfulness of that processing, but pursues a different purpose - one which is not related to data protection but is legitimate (in the present case: to verify the existence of claims under medical liability law)?

Second question

If Question 1 is answered in the negative:

  1. In accordance with Article 23(1)(i) GDPR, can a national provision of a Member State adopted prior to the entry into force of the GDPR also be regarded as a restriction of the right to be provided, free of charge, with a copy of the personal data processed by the controller, as provided for in the first sentence of Article 15(3) GDPR, read in conjunction with Article 12(5) GDPR?
  2. If Question 2(a) is answered in the affirmative: Must Article 23(1)(i) GDPR be interpreted as meaning that the rights and freedoms of others, as referred to therein, also include their interest in being relieved of the costs associated with the provision of a copy of data in accordance with the first sentence of Article 15(3) GDPR and other expenses incurred in making the copy available?
  3. If Question 2(b) is answered in the affirmative: In accordance with Article 23(1)(i) GDPR, can national legislation which, in the context of the doctor-patient relationship, provides that the doctor always has a claim for reimbursement of expenses against the patient, irrespective of the specific circumstances of the individual case, where the doctor provides the patient with a copy of the patient's personal data from the patient's medical records be regarded as a restriction of the obligations and rights arising from the first sentence of Article 15(3) GDPR, read in conjunction with Article 12(5) GDPR?

Third question

If Question 1 is answered in the negative and Question 2(a), 2(b) or 2(c) is answered in the negative:

In the context of the doctor-patient relationship, does the entitlement under the first sentence of Article 15(3) GDPR include entitlement to be provided with copies of all parts of the patient's medical records containing the patient's personal data, or does it extend only to the provision of a copy of the patient's personal data as such, with the doctor who processes the data deciding the manner in which he or she compiles the data for the patient concerned?

Emiliou | 2023-04-20 | Article 12(5), Article 15(3), Article 23(1)(i)
C-228/21, C-254/21, C-297/21, C-315/21 and C-328/21 | Ministero dell’Interno | A-G opinion delivered | 2021-04-08 | 2023-04-20 | Tribunale di Trieste (District Court, Trieste, Italy) | Italy

Questions of Case C‑228/21

  1. Should Article 4 of [the Dublin III Regulation] be interpreted as meaning that an action may be brought under Article 27 of [that regulation] against a transfer decision adopted by a Member State, using the mechanism provided for in Article 26 of [that regulation] and on the basis of the obligation to take back laid down in Article 18(1)(b) thereof, solely because of a failure to deliver the information leaflet required under Article 4(2) of [that] regulation by the Member State which adopted the transfer decision?
  2. Should Article 27 of [that regulation], read in conjunction with recitals 18 and 19 and Article 4 thereof, be interpreted as meaning that, where it has been determined that there has been a failure to fulfil the obligations laid down in Article 4 [of that regulation], an effective remedy requires that the court adopt a decision annulling the transfer decision?
  3. If the answer to Question 2 above is in the negative, should Article 27 of [that regulation], read in conjunction with recitals 18 and 19 and Article 4 thereof, be interpreted as meaning that, where it has been determined that there has been a failure to fulfil the obligations laid down in Article 4 [of that regulation], an effective remedy requires that the court verify the significance of that failure to fulfil obligations in the light of the circumstances alleged by the applicant and permits confirmation of the transfer decision in all cases where there are no grounds for adopting a transfer decision with different content?

Questions of Case C‑254/21

  1. Does the right to an effective remedy under Article 47 of the Charter require that Articles 4 and 19 of that charter, in the circumstances referred to in the main proceedings, also provide protection against the risk of indirect refoulement following a transfer to a Member State of the European Union which has no systemic flaws within the meaning of Article 3(2) of the Dublin Regulation (in the absence of other Member States responsible on the basis of the criteria set out in Chapters III and IV) and which has already examined and rejected the first application for international protection?
  2. Should the court of the Member State where the second application for international protection was lodged, hearing an appeal pursuant to Article 27 of the Dublin Regulation – and thus having jurisdiction to assess the transfer within the European Union but not to adjudicate on the application for protection – conclude that there is a risk of indirect refoulement to a third country, where the concept of “internal protection” within the meaning of Article 8 of Directive 2011/95 has been assessed differently by the Member State where the first application for international protection was lodged?
  3. Is the assessment of the risk of indirect refoulement, following the different interpretation by two Member States of the need for ‘internal protection’, compatible with the second part of Article 3(1) of the Dublin Regulation and with the general principle that third-country nationals may not decide in which Member State of the European Union the application for international protection is to be lodged?
  4. In the event that the previous questions are answered in the affirmative:
     1. Does the assessment of the existence of the risk of indirect refoulement, made by the court of the Member State in which the applicant lodged the second application for international protection following the rejection of the first application, require the application of the clause provided for in Article 17(1), defined by the Regulation as a ‘discretionary clause’?
     2. Which criteria must the court seised pursuant to Article 27 of the Regulation apply in order to assess the risk of indirect refoulement, other than those identified in Chapters III and IV, given that that risk has already been ruled out by the country that examined the first application for international protection?

Questions of Case C‑297/21

  1. Must Article 17(1) of [the Dublin III Regulation] be interpreted, in accordance with Articles 19 and 47 of the Charter and Article 27 of [the Dublin III Regulation], as meaning that the court of the Member State, hearing an appeal against the decision of the Dublin Unit, may establish the responsibility of the Member State which would have to carry out the transfer under Article 18(1)(d), if it determines the existence, in the Member State responsible, of a risk of infringement of the principle of non-refoulement by returning the applicant to his country of origin, where the applicant’s life would be in danger and where he would be at risk of inhuman and degrading treatment?
  2. In the alternative, must Article 3(2) of [the Dublin III Regulation] be interpreted in accordance with Articles 19 and 47 of the Charter and Article 27 of [the Dublin III Regulation], as meaning that the court may establish the responsibility of the Member State required to carry out the transfer under Article 18(1)(d) of that regulation, where it is established that:
     1. there is a risk in the Member State responsible of infringing the principle of non-refoulement by returning the applicant to his country of origin, where his life would be in danger and where he would be at risk of inhuman or degrading treatment?
     2. it is impossible to carry out the transfer to another Member State designated on the basis of the criteria set out in Chapter III of [the Dublin III Regulation]?

Questions of Case C‑315/21

  1. Must Articles 4 and 5 of [the Dublin III Regulation] be interpreted as meaning that infringement thereof in itself renders unlawful a decision challenged under Article 27 of [the Dublin III Regulation], irrespective of the specific consequences of that infringement for the content of the decision and the identification of the Member State responsible?
  2. Must Article 27 of [the Dublin III Regulation], read in conjunction with Article 18(1)(a) or with Articles 18[(1)](b), (c) and (d) and with Article 20(5) of [the Dublin III Regulation], be interpreted as identifying different subjects of appeal, different complaints to be raised in judicial proceedings and different aspects of infringement of the obligations to provide information and conduct a personal interview under Articles 4 and 5 of [the Dublin III Regulation]?
  3. If the answer to question 2 is in the affirmative, must Articles 4 and 5 of [the Dublin III Regulation] be interpreted as meaning that the guarantees relating to information, provided for therein, are enjoyed only in the scenario set out in Article 18(1)(a) and not also in the take back procedure, or must they be interpreted as meaning that in that procedure the obligations to provide information are enjoyed at least in relation to the cessation of responsibilities referred to in Article 19 or the systemic flaws in the asylum procedure and in the reception conditions for applicants which result in a risk of inhuman or degrading treatment within the meaning of Article 4 of the Charter of Fundamental Rights of the European Union referred to in Article 3(2)?
  4. Must Article 3(2) be interpreted as meaning that “systemic flaws in the asylum procedure” includes any consequences of final decisions rejecting an application for international protection already adopted by the court of the Member State effecting the take back, where the court seised pursuant to Article 27 of [the Dublin III Regulation] considers that there is a real risk that the applicant could suffer inhuman and degrading treatment if he or she is returned to his or her country of origin by the Member State [referred to above], also having regard to the presumed existence of a general armed conflict within the meaning of Article 15(c) of Directive 2011/95?

Questions of Case C‑328/21

  1. What legal consequences are imposed by EU law in relation to take back transfer decisions under Chapter VI, Section III, of [the Dublin III Regulation], where the State has failed to provide the information required under Article 4 of [the Dublin III Regulation] and Article 29 of [the Eurodac Regulation]?
  2. If a full and effective remedy has been implemented against the transfer decision, the Court of Justice of the European Union is asked to clarify the following:

2.1 Must Article 27 of [the Dublin III Regulation] be interpreted:

  • as meaning that a failure to provide the information leaflet required under Article 4(2) and (3) of [the Dublin III Regulation] to a person who meets the conditions described in Article 23(1) of [the Dublin III Regulation] in itself renders the transfer decision irremediably invalid (and potentially also establishes the responsibility of the Member State to which the person has submitted the new application to take a decision on the application for international protection);
  • or as meaning that it is for the appellant to prove in court that the procedure would have had a different outcome if the leaflet had been provided to him or her?

2.2 Must Article 27 of [the Dublin III Regulation] be interpreted:

  • as meaning that a failure to provide the information leaflet required under Article 29 of [the Eurodac Regulation] to a person who meets the conditions described in Article 24(1) of [the Dublin III Regulation] in itself renders the transfer decision irremediably invalid (and potentially also results in the need to provide a possibility to submit a new application for international protection);
  • or as meaning that it is for the appellant to prove in court that the procedure would have had a different outcome if the leaflet had been provided to him or her?

Kokott | 2023-04-20 | 2022-06-08
C-247/23 | Deldits | Proceedings initiated | 2023-04-18 | 2023-04-18 | Fővárosi Törvényszék | Hungary
C-162/22 | AG | A-G opinion delivered | 2022-03-03 | 2023-03-30 | Lietuvos vyriausiasis administracinis teismas | Lithuania

Must Article 15(1) ePrivacy Directive 2002/58/EC, read in conjunction with Articles 7 Charter, 8 Charter, 11 Charter and 52(1) Charter, be interpreted as prohibiting the competent public authorities from using data retained by providers of electronic communications services which may provide information on the data of, and communications made by, a user of a means of electronic communications, in investigations into corruption-related misconduct in office, irrespective of whether access to those data has been granted, in the particular case, for the purposes of combating serious crime and preventing serious threats to public security?

Campos Sánchez-Bordona | 2023-03-30 | Article 6, Article 10 | 2023-02-02
C-200/23 | Agentsia po vpisvaniyata | Proceedings initiated | 2023-03-28 | 2023-03-28 | Varhoven administrativen sad | Bulgaria

First question

May Article 4(2) of Directive 2009/101/EC be interpreted as meaning that it imposes an obligation on the Member State to permit the disclosure of an instrument of memorandum and articles of association, which is subject to registration under Article 119 of the Targovski zakon (Commercial Code), in the case where that instrument contains not only the names of the members of the company, which are subject to compulsory disclosure under Article 2(2) of the Zakon za targovskia registar i registara na yuriditcheskite litsa s nestopanska tsel (Law on the Commercial Register and the Register of Not-for-Profit Legal Persons), but also other personal data?

When answering this question, it is important to take into account that the Registration Agency is a public-sector body against which the directly effective provisions of the aforementioned directive may be relied on, in accordance with the settled case-law of the Court of Justice (judgment of 7 September 2006, Vassallo, C-180/04, ECLI:EU:C:2006:518, paragraph 26 and the case-law cited).

Second question

If the first question is answered in the affirmative, may it be assumed that, in the circumstances which gave rise to the dispute in the main proceedings, the processing of personal information by the Registration Agency is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, within the meaning of Article 6(1)(e) GDPR?

Third question

If the first two questions are answered in the affirmative, may a national provision such as that contained in Article 13(9) of the Zakon za targovskia registar i registara na yuriditcheskite litsa s nestopanska tsel (Law on the Commercial Register and the Register of Not-for-Profit Legal Persons), in accordance with which, in the event that personal data not required by law are contained in an application [for registration] or in the documents annexed thereto, it must be assumed that the persons who made those data available consented to the processing thereof by the Agency and to the provision of public access thereto, be regarded as permissible, notwithstanding recitals 32, 40, 42, 43 and 50 of the GDPR, as a clarification of the possibility of ‘voluntary disclosure’, within the meaning of Article 4(2) of Directive 2009/101/EC, even of personal data?

Fourth question

Is it permissible for provisions of national law intended to give effect to the obligation laid down in Article 3(7) of Directive 2009/101/EC, whereby Member States are to take the necessary measures to avoid any discrepancy between what is disclosed in accordance with paragraph 5 and what appears in the register or file, and to take into account the interests of third parties in being acquainted with the essential documents of the company and certain information concerning the company, as referred to in recital 3 of that directive, to prescribe a procedure (application forms, submission of copies of documents in which personal data have been redacted) for exercising the right of natural persons under Article 17 GDPR to obtain from the controller the erasure of personal data concerning him or her without undue delay, in the case where the personal data the erasure of which is sought are part of publicly disclosed (notified) documents which were made available to the controller, in accordance with a similar procedure, by another person who, in so doing, also determined the purpose of the processing initiated by him or her?

Fifth question

In the situation underlying the dispute in the main proceedings, does the Registration Agency act only as controller in relation to the personal data or is it also the recipient thereof, in the case where the purposes of processing those data were determined by another controller as part of the documents that were submitted for disclosure?

Sixth question

Does the handwritten signature of a natural person constitute information relating to an identified natural person, in the sense that it is covered by the term ‘personal data’ within the meaning of Article 4(1) GDPR?

Seventh question

Is the concept of ‘non-material damage’ in Article 82(1) GDPR to be interpreted as meaning that the assumption of non-material damage requires a noticeable disadvantage and an objectively comprehensible impairment of personal interests, or is the mere short-term loss of the data subject’s unfettered control over his or her data due to the publication of personal data in the commercial register, which did not have any noticeable or adverse consequences for the data subject, sufficient for that purpose?

Eighth question

May opinion No 01-116(20)/01.02.2021, issued by the national supervisory authority, the Komisia za zashtita na lichnite danni (Commission for the Protection of Personal Data), in accordance with Article 58(3)(b) GDPR, to the effect that the Registration Agency does not have the option or power in law to restrict of its own motion or at the request of the data subject the processing of data which have already been disclosed, permissibly be regarded as proof, for the purposes of Article 82(3) GDPR, that the Registration Agency is in no way responsible for the circumstance which gave rise to the damage suffered by the natural person?

Article 4(1), Article 6(1)(e), Article 17, Article 58(3)(b), Article 82(1), Article 82(3)
Inteligo Media | Proceedings initiated | 2023-03-20 | 2023-03-20 | Bucharest Court of Appeal | Romania

Translation by EU data protection law specialist Andreea Lisievici

First question

Where a portal providing free information on legislative changes obtains the e-mail address of a user when the latter creates a free user account giving free access to the portal, a free daily newsletter with summaries of legislative news explained on the portal as well as paid access to additional articles and analyses:

  1. Is the e-mail address in question obtained by the publisher of the online press publication "in the context of the sale of a product or service" within the meaning of Article 13(2) ePrivacy Directive?
  2. Does the transmission of the newsletter constitute 'direct marketing of its own similar products or services' within the meaning of Article 13(2) ePrivacy Directive?

Second question

If the answers to sub-questions 1a and b are in the affirmative, which of the legal bases laid down in Article 6(1) GDPR are applicable when the publisher uses the user's e-mail address for the purpose of sending a daily newsletter, subject to the requirements set out in Article 13(2) ePrivacy Directive?

Third question

Does Article 13(1) and 13(2) ePrivacy Directive preclude national legislation from using the term 'commercial communication' as defined in Article 2(f) e-Commerce Directive 2000/31/EC instead of the term 'direct marketing' as defined in the ePrivacy Directive? If the answer is negative, is a newsletter as described above a 'commercial communication' within the meaning of Article 2(2) e-Commerce Directive?

Fourth question

If the answers to sub-questions 1a and b are negative: 

  1. Is the transmission by email of daily newsletters as described above "use [...] of electronic mail for direct marketing purposes" within the meaning of Article 13(1) ePrivacy Directive?
  2. Must Article 95 GDPR in conjunction with Article 15(2) ePrivacy Directive be interpreted to mean that the failure to satisfy the conditions for obtaining valid user consent under Article 13(2) of the ePrivacy Directive is to be sanctioned in accordance with Article 83 GDPR, or in accordance with the provisions of national law in transposing the ePrivacy Directive?

Fifth question

Must Article 83(2) GDPR be interpreted as meaning that a supervisory authority deciding that an administrative fine is to be imposed and setting the amount of the administrative fine, is required to analyse and explain in the administrative act of sanction the impact of each of the criteria set out in points (a) to (k) on the decision to impose a fine, respectively on the decision concerning the amount of the fine imposed?

Article 6(1), Article 83, Article 83(1), Article 83(2), Article 95
C-169/23 | Masdi | Proceedings initiated | 2023-03-17 | 2023-03-17 | Kúria | Hungary

First question

Must Article 14(5)(c) GDPR, read in conjunction with Article 14(1) GDPR and recital 62 thereof, be interpreted as meaning that the exception laid down in Article 14(5)(c) GDPR does not refer to data generated by the controller in its own procedure but rather only to data which the controller has expressly obtained from another person?

Second question

If Article 14(5)(c) GDPR is also applicable to data generated by the controller in its own procedure, must the right to lodge a complaint with a supervisory authority, laid down in Article 77(1) GDPR, be interpreted as meaning that a natural person who alleges an infringement of the obligation to provide information is entitled, when exercising his or her right to lodge a complaint, to request an examination of whether Member State law provides appropriate measures to protect the data subject’s legitimate interests, in accordance with Article 14(5)(c) GDPR?

Third question

If the answer to the second question is in the affirmative, may Article 14(5)(c) GDPR be interpreted as meaning that the ‘appropriate measures’ referred to in that provision require the national legislature to transpose (by means of legislation) the measures relating to the security of data laid down in Article 32 GDPR?

Article 14(1), Article 14(5)(c), Article 32, Article 77(1)
C-634/21 | SCHUFA I | A-G opinion delivered | 2021-10-15 | 2023-03-16 | Verwaltungsgericht Wiesbaden | Germany

First question

Is Article 22(1) GDPR to be interpreted as meaning that the automated establishment of a probability value concerning the ability of a data subject to service a loan in the future already constitutes a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her, where that value, determined by means of personal data of the data subject, is transmitted by the controller to a third-party controller and the latter draws strongly on that value for its decision on the establishment, implementation or termination of a contractual relationship with the data subject?

Second question

If Question 1 is answered in the negative, are Articles 6(1) GDPR and 22 GDPR to be interpreted as precluding national legislation under which the use of a probability value - in casu, in relation to a natural person's ability and willingness to pay, in the case where information about claims against that person is taken into account - regarding specific future behaviour of a natural person for the purpose of deciding on the establishment, implementation or termination of a contractual relationship with that person (scoring) is permissible only if certain further conditions, which are set out in more detail in the grounds of the request for a preliminary ruling, are met?

Pikamäe | 2023-03-16 | Article 6(1), Article 22, Article 22(1) | 2023-01-26
C-26/22 and C-64/22 | SCHUFA II | A-G opinion delivered | 2022-01-01 | 2023-03-16 | Verwaltungsgericht Wiesbaden | Germany

First question

Is Article 77(1) GDPR, read in conjunction with Article 78(1) GDPR, to be understood as meaning that the outcome that the supervisory authority reaches and notifies to the data subject

  1. has the character of a decision on a petition? This would mean that judicial review of a decision on a complaint taken by a supervisory authority in accordance with Article 78(1) GDPR is, in principle, limited to the question of whether the authority has handled the complaint, investigated the subject matter of the complaint to the extent appropriate and informed the complainant of the outcome of the investigation, or
  2. is to be understood as a decision on the merits taken by a public authority? This would mean that a decision on a complaint taken by a supervisory authority would be subject to a full substantive review by the court in accordance with Article 78(1) GDPR, whereby, in individual cases - for example where discretion is reduced to zero - the supervisory authority may also be obliged by the court to take a specific measure within the meaning of Article 58 GDPR.

Second question

Is the storage of data at a private credit information agency, where personal data from a public register, such as the 'national databases' within the meaning of Article 79(4) and 79(5) Recast Insolvency Regulation 2015/848, are stored without a specific reason in order to be able to provide information in the event of a request, compatible with Articles 7 Charter and 8 Charter?

Third question

  1. Are private databases (in particular databases of a credit information agency) which exist in parallel with, and are set up in addition to, the State databases and in which the data from the latter (in casu, insolvency announcements) are stored for longer than the period provided for within the narrow framework of Recast Insolvency Regulation 2015/848, read in conjunction with the national law, permissible in principle?
  2. If Question 3a is answered in the affirmative, does it follow from the 'right to be forgotten' under Article 17(1)(d) GDPR that such data must be deleted where the processing period provided for in respect of the public register has expired?

Fourth question

In so far as Article 6(1)(f) GDPR enters into consideration as the sole legal basis for the storage of data at private credit information agencies with regard to data also stored in public registers, is a credit information agency already to be regarded as pursuing a legitimate interest in the case where it imports data from the public register without a specific reason so that those data are then available in the event of a request?

Fifth question

Is it permissible for codes of conduct which have been approved by the supervisory authorities in accordance with Article 40 GDPR, and which provide for time limits for review and erasure that exceed the retention periods for public registers, to suspend the balancing of interests prescribed under Article 6(1)(f) GDPR?

Pikamäe | 2023-03-16 | Article 6(1)(f), Article 17(1)(d), Article 40, Article 58, Article 77(1), Article 78(1) | 2023-01-26
C-80/23 | V.S. | Proceedings initiated | 2023-02-14 | 2023-02-14 | Sofiyski gradski sad | Bulgaria

First question

Is the requirement of assessing ‘strict necessity’ under Article 10 LED Directive 2016/680, as interpreted by the Court of Justice in paragraph 133 of [the judgment of 26 January 2023, Ministerstvo na vatreshnite raboti, C-205/21], satisfied if it is carried out solely on the basis of the decision accusing the person and on the basis of her written refusal to have her biometric and genetic data collected, or is it necessary for the court to have before it all the material in the file which, under national law, is made available to it in the event of an application for authorisation to carry out investigative measures which infringe the legal sphere of natural persons, where that application is made in a criminal case?

Second question

If the Court of Justice answers the first question in the affirmative – after having been provided with the case file, may the court in the context of the assessment of ‘strict necessity’ pursuant to Article 10 LED Directive 2016/680 in conjunction with Article 6(a) LED Directive 2016/680 also consider whether there are reasonable grounds to suspect that the accused has committed the criminal offence referred to in the accusation?

C-65/23 | K GmbH | Proceedings initiated | 2023-02-08 | 2023-02-08 | Bundesarbeitsgericht | Germany

First question

Is a national legal provision that has been adopted pursuant to Article 88(1) GDPR - such as Paragraph 26(4) of the Bundesdatenschutzgesetz (German Federal Law on data protection, ‘the BDSG’) - and which provides that the processing of personal data, including special categories of personal data, of employees for the purposes of the employment relationship is permissible on the basis of collective agreements subject to compliance with Article 88(2) GDPR, to be interpreted as meaning that the other requirements of the GDPR - such as Article 5 GDPR, Article 6(1) GDPR and Article 9(1) GDPR and 9(2) GDPR - must always also be complied with?

Second question

If the answer to Question 1 is in the affirmative:

May a national legal provision adopted pursuant to Article 88(1) GDPR - such as Paragraph 26(4) of the BDSG - be interpreted as meaning that the parties to a collective agreement (in this case, the parties to a works agreement) are entitled to a margin of discretion in assessing the necessity of data processing within the meaning of Article 5 GDPR, Article 6(1) GDPR and Article 9(1) GDPR and 9(2) GDPR that is subject to only limited judicial review?

Third question

If the answer to Question 2 is in the affirmative:

In such a case, to what is the judicial review to be limited?

Fourth question

Is Article 82(1) GDPR to be interpreted as meaning that a person is entitled to compensation for non-material damage when his or her personal data have been processed contrary to the requirements of Regulation 2016/679, or does the right to compensation for non-material damage additionally require that the data subject demonstrate non-material damage - of some weight - suffered by him or her?

Fifth question

Does Article 82(1) GDPR have a specific or general preventive character, and must that be taken into account in the assessment of the amount of non-material damage to be compensated at the expense of the controller or processor on the basis of Article 82(1) GDPR?

Sixth question

Is the degree of fault on the part of the controller or processor a decisive factor in the assessment of the amount of non-material damage to be compensated on the basis of Article 82(1) GDPR?

In particular, can non-existent or minor fault on the part of the controller or processor be taken into account in their favour?

Article 5, Article 6(1), Article 9(1), Article 9(2), Article 82(1), Article 88(1), Article 88(2)
C-57/23 | Policejní prezidium | Proceedings initiated | 2023-02-02 | 2023-02-02 | Nejvyšší správní soud | Czech Republic

First question

What degree of distinction between individual data subjects is required by Article 4(1)(c) LED Directive 2016/680 or Article 6 LED Directive 2016/680 in conjunction with Article 10 LED Directive 2016/680?

Is it compliant with the obligation to minimise personal data processing, and with the obligation to distinguish between various categories of data subjects, for national law to permit the collection of genetic data in respect of all persons suspected or accused of having committed an intentional criminal offence?

Second question

Is it in accordance with Article 4(1)(e) LED Directive 2016/680 if the necessity of continued retention of a DNA profile is assessed, with a reference to the general prevention, investigation, and detection of criminal activity, by Police authorities on the basis of their internal regulations, which frequently means in practice that sensitive personal data is retained for an unspecified period without a maximum limit for the duration of the retention of that personal data being set?

If not, by what criteria should the proportionality of the period of the retention of the personal data collected and retained for that purpose be assessed?

Third question

In the case of particularly sensitive personal data falling under Article 10 LED Directive 2016/680, what is the minimal scope of the substantive or procedural conditions for obtaining, retaining, and deleting such data that must be regulated by a 'provision of general application' in the law of a Member State? Can judicial case-law qualify as 'Member State law' within the meaning of Article 8(2) LED Directive 2016/680 in conjunction with Article 10 LED Directive 2016/680?

C-46/23 | Újpesti Polgármesteri Hivatal | Proceedings initiated | 2023-01-31 | 2023-01-31 | Fővárosi Törvényszék | Hungary

First question

Must Article 58(2) GDPR, in particular subparagraphs 58(2)(c) GDPR, 58(2)(d) GDPR and 58(2)(g) GDPR, be interpreted as meaning that the national supervisory authority, in exercise of its corrective powers, may order the data controller or processor to erase unlawfully processed personal data even in the absence of an express request by the data subject under Article 17(1) GDPR?

Second question

In the event that the answer to the first question is that the supervisory authority may order the data controller or processor to erase unlawfully processed personal data even in the absence of a request by the data subject, is that so irrespective of whether or not the personal data were obtained from the data subject?

Article 17(1), Article 58(2), Article 58(2)(c), Article 58(2)(d), Article 58(2)(g)
C-21/23 | Lindenapotheke | Proceedings initiated | 2023-01-19 | 2023-01-19 | Bundesgerichtshof | Germany

First question

Do the rules in Chapter VIII GDPR preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the options for legal redress for data subjects – empower competitors to bring proceedings for infringements of the GDPR against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices?

Second question

Do the data that the customers of a pharmacist who acts as a seller on an online sales platform enter when ordering pharmacy-only but not prescription-only medicines on the sales platform (customer’s name, delivery address and information required for individualising the pharmacy-only medicine ordered) constitute data concerning health within the meaning of Article 9(1) GDPR and of Article 8(1) Data Protection Directive 95/46/EC?

Article 9(1), Article 77, Article 78, Article 79, Article 80, Article 81, Article 82, Article 83, Article 84, CHAPTER VIII
C-757/22 | Meta Platforms Ireland I | Proceedings initiated | 2022-12-15 | 2022-12-15 | Bundesgerichtshof | Germany

Is an infringement of rights ‘as a result of the processing’ within the meaning of Article 80(2) GDPR asserted when a consumer protection association invokes, in support of its action, infringement of a data subject’s rights on the ground of non-compliance with the information obligations laid down in the first sentence of Article 12(1) GDPR, read in conjunction with Article 13(1)(c) GDPR and 13(1)(e) GDPR, relating to the purpose of the data processing and the recipient of the personal data?

Article 12(1), Article 13(1)(c), Article 13(1)(e), Article 80(2)
C-740/22 | Endemol Shine Finland | Proceedings initiated | 2022-12-02 | 2022-12-02 | Itä-Suomen hovioikeus | Finland

First question

Does an oral transfer of personal data constitute processing of personal data within the meaning of Article 2(1) GDPR and Article 4(2) GDPR?

Second question

Can public access to official documents be reconciled with the right to protection of personal data pursuant to the General Data Protection Regulation, in the manner referred to by Article 86 GDPR, by allowing information on criminal convictions or offences of a natural person to be obtained from a court’s register of persons without restriction where a request is made to transfer the information orally to the applicant?

Third question

Is it relevant for the answer to Question 2 whether the applicant is a company or a private individual?

Article 4(2), Article 2(1), Article 86
C-693/22 | I | Proceedings initiated | 2022-11-10 | 2022-11-10 | Sąd Rejonowy dla m.st. Warszawy w Warszawie | Poland

First question

Should Article 5(1)(a) GDPR, in conjunction with Article 6(1)(a) GDPR, 6(1)(c) GDPR and 6(1)(e) GDPR, as well as Article 6(3) GDPR, be interpreted as precluding a provision of national law that permits the sale, in enforcement proceedings, of a database, within the meaning of Article 1(2) Database Directive 96/9/EC, which contains personal data, if the data subject did not consent to such a sale?

Article 5(1)(a), Article 6(1)(a), Article 6(1)(c), Article 6(1)(e), Article 6(3)
C-470/21 | LQDN and Others | Hearing held | 2021-07-30 | 2022-10-22 | Conseil d'État | France

First question

Are the civil identity data corresponding to an IP address included among the traffic and location data to which, in principle, the requirement for prior review by a court or an independent administrative entity with binding power applies?

Second question

If the first question is answered in the affirmative, and having regard to the fact that the data relating to the civil identity of users, including their contact details, are not particularly sensitive data, is ePrivacy Directive 2002/58/EC, read in the light of the Charter of Fundamental Rights of the European Union, to be interpreted as precluding national legislation which provides for the collection of those data, corresponding to the IP addresses of users, by an administrative authority, without prior review by a court or an independent administrative entity with binding power?

Third question

If the second question is answered in the affirmative, and having regard to the fact that the data relating to civil identity are not particularly sensitive data, that only those data may be collected and they may be collected solely for the purposes of preventing failures to fulfil obligations which have been defined precisely, exhaustively and restrictively by national law, and that the systematic review of access to the data of each user by a court or a third-party administrative entity with binding power would be liable to jeopardise the fulfilment of the public service task entrusted to the administrative authority which collects those data, which is itself independent, does the directive preclude the review from being performed in an adapted fashion, for example as an automated review, as the case may be under the supervision of a department within the body which offers guarantees of independence and impartiality in relation to the officials who have the task of collecting the data?

Szpunar | 2022-10-22 | 2023-05-16
C-659/22 | Ministerstvo zdravotnictví | Proceedings initiated | 2022-10-20 | 2022-10-20 | Nejvyšší správní soud | Czech Republic

Does the verification, using the national ‘čTečka’ application, of the validity of interoperable Covid-19 vaccination, test, or recovery certificates, issued pursuant to Regulation (EU) 2021/953 of the European Parliament and of the Council of 14 June 2021 on a framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID-19 pandemic, which are used by the Czech Republic for national purposes, amount to automated processing of personal data pursuant to Article 4(2) GDPR, and hence, is the material scope of the GDPR thus established, pursuant to Article 2(1) GDPR?

Article 2(1), Article 4(2)
C-621/22 | KNLTB | Proceedings initiated | 2022-09-29 | 2022-09-29 | Rechtbank Amsterdam | Netherlands

First question

How should the District Court interpret the term 'legitimate interest'?

Second question

Should the term be interpreted as the respondent interprets it?

Are these interests which exclusively pertain to the law, constitute law, are enshrined in a law? Or;

Third question

Can any interest be a legitimate interest, provided that interest is not in breach of the law?

More specifically: should a purely commercial interest, such as the interest at issue here, the provision of personal data in return for payment without the consent of the data subject concerned, be regarded as a legitimate interest under certain circumstances? If so, what circumstances determine whether a purely commercial interest is a legitimate interest?

Article 6(1)(f)
C-604/22 | IAB Europe | Proceedings initiated | 2022-09-19 | 2022-09-19 | Hof van beroep te Brussel (Brussels Market Court) | Belgium

First question

  (a) Must Article 4(1) GDPR, read in combination with Articles 7 Charter and 8 Charter, be interpreted as meaning that a character string that captures the preferences of an Internet user in connection with the processing of his or her personal data in a structured and machine-readable manner constitutes personal data within the meaning of the said provision in respect of (1) a sectoral organisation which makes available to its members a standard whereby it prescribes to them how that string should be generated, stored and/or distributed practically and technically, and (2) the parties that have implemented that standard on their websites or in their apps and thus have access to that string?
  (b) Does it make a difference in that regard if the implementation of the standard means that this string is available together with an IP address?
  (c) Does the answer to questions 1(a) and 1(b) lead to a different conclusion if this standard-setting sectoral organisation does not itself have legal access to the personal data that are processed within this standard by its members?

Second question

  (a) Must Articles 4(7) GDPR and 24(1) GDPR, read in combination with Articles 7 Charter and 8 Charter, be interpreted as meaning that a standard-setting sectoral organisation must be classified as a controller if it offers its members a standard for managing consent which contains, in addition to a binding technical framework, rules setting out in detail how those consent data - which constitute personal data - must be stored and disseminated?
  (b) Does the answer to question 2(a) lead to a different conclusion if this sectoral organisation does not itself have legal access to the personal data that are processed within this standard by its members?
  (c) If the standard-setting sectoral organisation must be designated as a controller or a joint controller for the processing of Internet users' preferences, does that (joint) responsibility of the standard-setting sectoral organisation therefore automatically extend to the subsequent processing by third parties for which the Internet users' preferences were obtained, such as targeted online advertising by publishers and vendors?

Article 4(1), Article 4(7), Article 24(1)
C-590/22 | PS | Proceedings initiated | 2022-09-09 | 2022-09-09 | Amtsgericht Wesel | Germany

First question

Is it sufficient for the establishment of a claim for compensation under Article 82(1) GDPR that a provision of the GDPR serving to protect the claimant has been infringed or is it necessary that a further adverse effect on the claimant has occurred, beyond the infringement of the provision as such?

Second question

Under EU law, does the establishment of a claim for compensation for non-material damage under Article 82(1) GDPR require an adverse effect of a certain magnitude?

Third question

In particular, is it sufficient for the establishment of a claim for compensation for non-material damage under Article 82(1) GDPR that the claimant fears that his or her personal data have come into the hands of third parties as a result of infringements of provisions of the GDPR, even though that circumstance cannot be positively established?

Fourth question

Is it in conformity with EU law for the national court to apply mutatis mutandis the criteria of the second sentence of Article 83(2) GDPR - which, according to the wording, apply only to administrative fines - when assessing compensation for non-material damage under Article 82(1) GDPR?

Fifth question

Must the amount of a claim for compensation for non-material damage under Article 82(1) GDPR also be assessed by reference to the fact that the amount of the claim awarded serves to have a deterrent effect and/or to prevent the 'commercialisation' (calculated acceptance of administrative fines/compensation payments) of infringements?

Sixth question

Is it in conformity with EU law, when assessing the amount of a claim for compensation for non-material damage under Article 82(1) GDPR, to take into account simultaneous infringements of national provisions which have as their purpose the protection of personal data but which are not delegated or implementing acts adopted in accordance with that regulation or Member State laws which specify provisions of that regulation?

Article 82(1), Article 83(2)
C-461/22 | MK | Proceedings initiated | 2022-07-12 | 2022-07-12 | Landgericht Hannover | Germany

Is a legally appointed curator who performs that activity in a professional capacity a controller within the meaning of Article 4(7) GDPR?

Is he or she required to provide information in accordance with Article 15 GDPR?

Article 4(7), Article 15
C-456/22 | Gemeinde Ummendorf | Proceedings initiated | 2022-07-08 | 2022-07-08 | Landgericht Ravensburg | Germany

Is the concept of non-material damage in Article 82(1) GDPR to be interpreted as meaning that the assumption of non-material damage requires a noticeable disadvantage and an objectively comprehensible impairment of personal interests, or is the mere short-term loss of the data subject’s unfettered control over his or her data due to the publication of personal data on the internet for a period of a few days, which did not have any noticeable or adverse consequences for the data subject, sufficient for that purpose?

Article 82(1)
C-280/22 | Kinderrechtencoalitie Vlaanderen | Proceedings initiated | 2022-04-25 | 2022-04-25 | Raad van State (Belgium) | Belgium

Are Article 3(5) and (6) and Article 14 of Regulation (EU) 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement, read in conjunction with Commission Implementing Decision C(2018) 7767 of 30 November 2018 laying down the technical specifications for the uniform format for residence permits for third country nationals and repealing Decision C(2002)3069,

valid and compatible with Article 16 TFEU and - as regards Article 3(5) and (6) - with Article 21 TFEU, as well as with Articles 7 Charter, 8 Charter and 52 Charter, in conjunction with:

  • Articles 1 GDPR, 2 GDPR, 3 GDPR, 4 GDPR, 5 GDPR, 6 GDPR, 9 GDPR, 25 GDPR, 32 GDPR, 35 GDPR and 36 GDPR,
  • Articles 1 LED Directive 2016/680, 2 LED Directive 2016/680, 3 LED Directive 2016/680, 4 LED Directive 2016/680, 8 LED Directive 2016/680, 9 LED Directive 2016/680, 10 LED Directive 2016/680, 27 LED Directive 2016/680 and 28 LED Directive 2016/680,
  • Articles 1, 2, 3, 4, 5, 10, 28 and 42 Regulation 2018/1725 (EUDPR),

in so far as Article 3(5) and (6) of Regulation (EU) 2019/1157 requires two fingerprints of the holder of the card to be stored in interoperable digital formats on a storage medium included on the identity card,

and in so far as Article 3(5) and (6) and Article 14 of Regulation (EU) 2019/1157, read in conjunction with Annex III to the aforementioned Commission Implementing Decision C(2018) 7767 of 30 November 2018, require the fingerprint data on the identity cards and residence documents referred to in points (a) and (c) of Article 2 of that regulation to be stored in the form of a digital image of the fingerprints on an electronic microprocessor chip which uses RFID and can be read wirelessly/in contactless form?

Article 1, Article 2, Article 3, Article 4, Article 5, Article 6, Article 9, Article 25, Article 32, Article 35, Article 36
C-241/22 | DX | Proceedings initiated | 2022-04-06 | 2022-04-06 | Hoge Raad der Nederlanden | Netherlands

First question

Do legislative measures which relate to granting public authorities access to traffic and location data (including identification data) in connection with the prevention, investigation, detection and prosecution of criminal offences fall within the scope of ePrivacy Directive 2002/58/EC if they concern the granting of access to data which are not retained on the grounds of legislative measures within the meaning of Article 15(1) ePrivacy Directive 2002/58/EC, but which are retained by the provider on some other ground?

Second question

  1. Do the ... terms 'serious criminal offences' and 'serious crime' ... [used in the judgments of the Court of Justice cited in the order for reference] constitute autonomous concepts of European Union law, or is it incumbent on the competent authorities of the Member States themselves to give substance to those terms?
  2. If these are indeed autonomous concepts of European Union law, in what way should it be established whether what is involved is a 'serious criminal offence' or 'serious crime'?

Third question

Can granting public authorities access to traffic and location data (other than mere identification data) for the purpose of the prevention, investigation, detection and prosecution of criminal offences be permissible under Directive 2002/58/EC if no serious criminal offences or serious crime are involved, that is to say, if in the specific case the granting of access to such data - in so far as may be assumed - causes only a minor interference with, in particular, the right to the protection of the private life of the user as referred to in Article 2(b) ePrivacy Directive 2002/58/EC?

C-203/22 | CK | Proceedings initiated | 2022-03-16 | 2022-03-16 | Verwaltungsgericht Wien | Austria

First question

What requirements as to content does information provided need to satisfy in order to be regarded as sufficiently 'meaningful' within the meaning of Article 15(1)(h) GDPR?

In the case of profiling, must the information essential for making the result of the automated decision transparent in each individual case also be disclosed by the controller - where necessary in compliance with an existing trade secret - as part of the disclosure of the 'logic involved' which includes, in particular,

  1. the disclosure of the data subject's processed data,
  2. the disclosure of the parts of the algorithm on which the profiling is based that are necessary to provide transparency, and
  3. the information relevant to establishing the connection between the processed information and the rating arrived at?

In cases involving profiling, must the party entitled to access for the purpose of Article 15(1)(h) GDPR be provided, as a minimum, with the following information on the specific processing concerning him or her, even if a trade secret is involved, in order to enable him or her to protect his or her rights under Article 22(3) GDPR:

  • communication of all potentially pseudo-anonymised information, in particular on the manner in which the data subject's data is being processed, which allows the data subject to check compliance with the GDPR,
  • making available the input data used for profiling,
  • the parameters and input variables used in the determination of the rating,
  • the influence of these parameters and input variables on the calculated rating,
  • information on the origin of the parameters or input variables,
  • an explanation as to why the party entitled to access for the purpose of Article 15(1)(h) GDPR has been assigned a specific rating and clarification of the implications of such rating,
  • listing the profile categories and providing an explanation as to what rating implication is associated with each of the profile categories?

Second question

Is the right of access granted by Article 15(1)(h) GDPR related to the rights guaranteed by Article 22(3) GDPR to express one's point of view and to challenge an automated decision taken within the meaning of Article 22 GDPR in so far as the scope of the information to be provided on the basis of an access request within the meaning of Article 15(1)(h) GDPR is only sufficiently 'meaningful' if the party requesting access and the data subject for the purpose of Article 15(1)(h) GDPR is enabled to exercise the rights guaranteed by Article 22(3) GDPR to express his or her own point of view and to challenge the automated decision for the purpose of Article 22 GDPR concerning him or her in a real, profound and promising way?

Third question

  (a) Must Article 15(1)(h) GDPR be interpreted as meaning that information constitutes 'meaningful information' for the purposes of this provision only if it is so broad that the party entitled to access for the purpose of Article 15(1)(h) GDPR is able to determine whether this information is accurate, i.e. whether the automatic decision specifically requested was actually based on the information provided?
  (b) If the above question is answered in the affirmative: what is the procedure if the accuracy of the information provided by a controller can only be verified if third-party data protected by the GDPR must also be brought to the attention of the party entitled to access for the purpose of Article 15(1)(h) GDPR (black box)?

Can this tension between the right of access within the meaning of Article 15(1) GDPR and the data protection rights of third parties also be resolved by disclosing the data of third parties (which have also been subjected to the same profiling process) required for the accuracy check only to the authority or the court for the authority or the court to check independently whether the disclosed data of these third parties is accurate?

  (c) If the above question is answered in the affirmative: which rights must be granted to the party entitled to access for the purpose of Article 15(1)(h) GDPR in the event that it is necessary to ensure the protection of third party rights within the meaning of Article 15(4) GDPR by creating the black box referred to in point (3b)? Must the data of other persons to be disclosed by the controller for the purpose of Article 15(1) GDPR to the party entitled to access for the purpose of Article 15(1)(h) GDPR be disclosed in pseudo-anonymised form in order to ensure that the accuracy can be verified?

Fourth question

  (a) What is the procedure if the information to be provided in accordance with Article 15(1)(h) GDPR also meets the requirements of a trade secret within the meaning of Article 2(1) Trade Secrets and Know-How Directive 2016/943?

Can the tension between the right of access guaranteed by Article 15(1)(h) GDPR and the right to non-disclosure of a trade secret protected by the Trade Secrets and Know-How Directive be resolved by allowing the information to be disclosed as a trade secret within the meaning of Article 2(1) Trade Secrets and Know-How Directive 2016/943 to be disclosed to the authority or the court only, so that the authority or the court must independently verify whether it must be assumed that a trade secret within the meaning of Article 2(1) Trade Secrets and Know-How Directive 2016/943 exists and whether the information provided by the controller within the meaning of Article 15(1) GDPR is accurate?

  (b) If the above question is answered in the affirmative: which rights must be granted to the party entitled to access for the purpose of Article 15(1)(h) GDPR in the event that it is necessary to ensure the protection of third party rights within the meaning of Article 15(4) GDPR by creating the black box referred to in point (4a)?

In this case of discrepancy between the information to be disclosed to the authority or the court and the information to be disclosed to the person entitled to access within the meaning of Article 15(1)(h) GDPR, in cases involving profiling, must the party entitled to access for the purpose of Article 15(1)(h) GDPR also be provided, as a minimum, with the following information on the specific processing concerning him or her in order to enable him or her to protect his or her rights under Article 22(3) GDPR in their entirety:

  • communication of all potentially pseudo-anonymised information, in particular on the manner in which the data subject's data is being processed, which allows the data subject to check compliance with the GDPR,
  • making available the input data used for profiling,
  • the parameters and input variables used in the determination of the rating,
  • the influence of these parameters and input variables on the calculated rating,
  • information on the origin of the parameters or input variables,
  • an explanation as to why the party entitled to access for the purpose of Article 15(1)(h) GDPR has been assigned a specific rating and clarification of the implications of such rating,
  • listing the profile categories and providing an explanation as to what rating implication is associated with each of the profile categories?

Fifth question

Does the provision of Article 15(4) GDPR in any way limit the scope of the information to be provided pursuant to Article 15(1)(h) GDPR?

If this question is answered in the affirmative, is this right of access limited by Article 15(4) GDPR, and how is the extent of the limitation to be determined in each individual case?

Sixth question

Is the provision of Article 4(6) of the Law on Data protection, according to which 'the right of access of the data subject pursuant to Article 15 GDPR, as a rule, does not (exist) vis-à-vis the controller if the provision of such information would violate a business or trade secret of the controller or third parties' compatible with the requirements of Article 15(1) GDPR in conjunction with Article 22(3) GDPR?

If the above question is answered in the affirmative, what are the conditions for such compatibility?

Article 15(1), Article 15(1)(h), Article 15(4), Article 22, Article 22(3)
C-189/22 | Scalable Capital II | Proceedings initiated | 2022-03-11 | 2022-03-11 | Amtsgericht München | Germany

First question

Is Article 82 GDPR to be interpreted as meaning that the right to compensation, including the determination of the amount of that compensation, does not have a punitive character, in particular, that it has no general or specific dissuasive function, but a purely compensatory function and, in some instances, a satisfaction function?

Second question

Sub question a

Is the right to compensation for non-material damage to be determined on the basis that it also has an individual satisfaction function - understood here to mean the private interest of the injured party in seeing the behaviour that caused the damage penalised - or does it have only a compensatory function - understood here to mean the function of compensating for the detrimental effects suffered?

Sub question b.1

If it is to be assumed that the right to compensation for non-material damage has both a compensatory and a satisfaction function: is it to be determined on the basis that the compensatory function has structural precedence over the satisfaction function or, at least, that the relationship between the two is that of the rule and the exception? Does that mean that it can have a satisfaction function only when the infringement is deliberate or a result of gross negligence?

Sub question b.2

If the right to compensation for non-material damage does not have a satisfaction function: when determining that compensation, is additional weight attributed only to deliberate or grossly negligent data protection infringements deemed to be contributory factors?

Third question

Is the compensation for non-material damage to be determined on the basis of a structural order of precedence or, at least, a rule-exception relationship, which attributes less weight to the detrimental effects of a data infringement than to the detrimental and painful effects associated with a physical injury?

Fourth question

Assuming that damage has been sustained, can a national court award only minimal compensation, which may be perceived by the injured party or generally as merely symbolic, in the light of the non-serious nature of the damage?

Fifth question

Are the consequences of the compensation for non-material damage to be assessed on the basis that identity theft within the meaning of recital 75 of the General Data Protection Regulation requires an offender to have actually assumed the identity of the person concerned, that is to say to have somehow impersonated that person, or does the mere fact that offenders have gained possession of data that identify the person concerned constitute such identity theft?

Relevant GDPR articles: Article 82

C-182/22 | Scalable Capital I | Proceedings initiated | 2022-03-10 | 2022-03-10 | Amtsgericht München | Germany

First question

Is Article 82 GDPR to be interpreted as meaning that the right to compensation, including the determination of the amount of that compensation, does not have a punitive character, in particular, that it has no general or specific dissuasive function, but a purely compensatory function and, in some instances, a satisfaction function?

Second question

Sub question a

Is the right to compensation for non-material damage to be determined on the basis that it also has an individual satisfaction function - understood here to mean the private interest of the injured party in seeing the behaviour that caused the damage penalised - or does it have only a compensatory function - understood here to mean the function of compensating for the detrimental effects suffered?

Sub question b.1

If it is to be assumed that the right to compensation for non-material damage has both a compensatory and a satisfaction function: is it to be determined on the basis that the compensatory function has structural precedence over the satisfaction function or, at least, that the relationship between the two is that of the rule and the exception? Does that mean that it can have a satisfaction function only when the infringement is deliberate or a result of gross negligence?

Sub question b.2

If the right to compensation for non-material damage does not have a satisfaction function: when determining that compensation, is additional weight attributed only to deliberate or grossly negligent data protection infringements deemed to be contributory factors?

Third question

Is the compensation for non-material damage to be determined on the basis of a structural order of precedence or, at least, a rule-exception relationship, which attributes less weight to the detrimental effects of a data infringement than to the detrimental and painful effects associated with a physical injury?

Fourth question

Assuming that damage has been sustained, can a national court award only minimal compensation, which may be perceived by the injured party or generally as merely symbolic, in the light of the non-serious nature of the damage?

Fifth question

Are the consequences of the compensation for non-material damage to be assessed on the basis that identity theft within the meaning of recital 75 of the General Data Protection Regulation requires an offender to have actually assumed the identity of the person concerned, that is to say to have somehow impersonated that person, or does the mere fact that offenders have gained possession of data that identify the person concerned constitute such identity theft?

Relevant GDPR articles: Article 82

C-18/22 | Oekorenta | Proceedings initiated | 2022-01-07 | 2022-01-07 | Amtsgericht München | Germany

First question

  1. Is Article 6(1)(b) GDPR and 6(1)(f) GDPR to be interpreted as meaning that, in the case of a partnership comprised of many members of the public, a limited partner with negligible liability has a 'legitimate interest' in obtaining information relating to all partners with shares held indirectly through a trustee, together with their contact details and the number of their shares in such a partnership, and a contractual obligation to that effect must be inferred from the partnership agreement?
  2. Or is a legitimate interest restricted under such circumstances to obtaining from the partnership information on limited partners with shares held indirectly and, rather than bearing negligible liability, hold shares above a minimum threshold that may, at least potentially, allow them to influence the future of the partnership?

Second question

  1. Does the intention to make contact for the purpose of becoming better acquainted, exchanging views or negotiating the purchase of shares in the partnership suffice in order not to exceed the limits to prevent abuse of rights inherent in such an unrestricted right (1a) or to make an exception to the restriction applicable to a restricted right to information (1b)?
  2. Or is an interest in information potentially relevant only where its disclosure is requested with the express intention of contacting other partners in order to invite them to coordinate on specifically designated matters on which a consensus is needed for the purpose of partners' resolutions?

Relevant GDPR articles: Article 6(1)(b), Article 6(1)(f)

C-17/22 | HTB Neunte Immobilien Portfolio | Proceedings initiated | 2022-01-06 | 2022-01-06 | Amtsgericht München | Germany

First question

  1. Is Article 6(1)(b) GDPR and 6(1)(f) GDPR to be interpreted as meaning that, in the case of a partnership comprised of many members of the public, a limited partner with negligible liability has a 'legitimate interest' in obtaining information relating to all partners with shares held indirectly through a trustee, together with their contact details and the number of their shares in such a partnership, and a contractual obligation to that effect must be inferred from the partnership agreement?
  2. Or is a legitimate interest restricted under such circumstances to obtaining from the partnership information on limited partners with shares held indirectly and, rather than bearing negligible liability, hold shares above a minimum threshold that may, at least potentially, allow them to influence the future of the partnership?

Second question

  1. Does the intention to make contact for the purpose of becoming better acquainted, exchanging views or negotiating the purchase of shares in the partnership suffice in order not to exceed the limits to prevent abuse of rights inherent in such an unrestricted right (1a) or to make an exception to the restriction applicable to a restricted right to information (1b)?
  2. Or is an interest in information potentially relevant only where its disclosure is requested with the express intention of contacting other partners in order to invite them to coordinate on specifically designated matters on which a consensus is needed for the purpose of partners' resolutions?

Relevant GDPR articles: Article 6(1)(b), Article 6(1)(f)

C-768/21 | TR | Proceedings initiated | 2021-12-14 | 2021-12-14 | Verwaltungsgericht Wiesbaden | Germany

Are Article 57(1)(a) GDPR and 57(1)(f) GDPR and Article 58(2)(a) GDPR, 58(2)(b) GDPR, 58(2)(c) GDPR, 58(2)(d) GDPR, 58(2)(e) GDPR, 58(2)(f) GDPR, 58(2)(g) GDPR, 58(2)(h) GDPR, 58(2)(i) GDPR, 58(2)(j) GDPR, read in combination with Article 77(1) GDPR, to be understood as meaning that, where the supervisory authority finds that data processing has infringed the data subject's rights, the supervisory authority must always take action in accordance with Article 58(2) GDPR?

Relevant GDPR articles: Article 57(1)(f), Article 58(2), Article 58(2)(a), Article 58(2)(b), Article 58(2)(c), Article 58(2)(d), Article 58(2)(e), Article 58(2)(f), Article 58(2)(g), Article 58(2)(h), Article 58(2)(i), Article 58(2)(j), Article 77(1), Article 57(1)(a)

C-741/21 | juris | Proceedings initiated | 2021-12-01 | 2021-12-01 | Landgericht Saarbrücken | Germany

First question

In the light of recital 85 and the third sentence of recital 146 of the GDPR, is the concept of 'non-material damage' in Article 82(1) GDPR to be understood as covering any impairment of the protected legal position, irrespective of the other effects and materiality of that impairment?

Second question

Is liability for compensation under Article 82(3) GDPR excluded by the fact that the infringement is attributed to human error in the individual case on the part of a person acting under the authority of the processor or controller within the meaning of Article 29 GDPR?

Third question

Is it permissible or necessary to base the assessment of compensation for non-material damage on the criteria for determining fines set out in Article 83 GDPR, in particular in Article 83(2) GDPR and 83(5) GDPR?

Fourth question

Must the compensation be determined for each individual infringement, or are several infringements - or at least several infringements of the same nature - penalised by means of an overall amount of compensation, which is not determined by adding up individual amounts but is based on an evaluative overall assessment?

Relevant GDPR articles: Article 29, Article 82(1), Article 82(3), Article 83, Article 83(2), Article 83(5)

C-687/21 | Saturn Electro | Proceedings initiated | 2021-11-16 | 2021-11-16 | Amtsgericht Hagen | Germany

First question

As no automatic legal effects are specified, is the compensation rule enacted in Article 82 GDPR invalid in the case of non-material damage?

Second question

Is it necessary, for the purposes of the right to compensation, to establish the occurrence of non-material damage, to be demonstrated by the claimant, in addition to the unauthorised disclosure of the protected data to an unauthorised third party?

Third question

Does the accidental disclosure of the personal data of the data subject (name, address, occupation, income, employer) to a third party in a paper document (printout), as the result of a mistake by employees of the processing undertaking, suffice in order to establish infringement of the General Data Protection Regulation?

Fourth question

Where the undertaking accidentally discloses, through its employees, data entered in an automated data processing system to an unauthorised third party in the form of a printout, does that accidental disclosure to a third party qualify as unlawful further processing (Article 2(1) GDPR, Article 5(1)(f) GDPR, Article 6(1) GDPR and Article 24 GDPR)?

Fifth question

Is non-material damage within the meaning of Article 82 GDPR incurred even where the third party who received the document containing the personal data did not read the data before returning the document containing the information, or does the discomfort of the person whose personal data were unlawfully disclosed suffice for the purpose of establishing non-material damage within the meaning of Article 82 GDPR, given that every unauthorised disclosure of personal data entails the risk, which cannot be eliminated, that the data might nevertheless have been passed on to any number of people or even misused?

Sixth question

Where accidental disclosure to third parties is preventable through better supervision of the undertaking's helpers and/or better data security arrangements, for example by handling collections separately from contract documentation (especially financing documentation) under separate collection notes or by sending the documentation internally to the collection counter without giving the customer the printed documents and collection note, how serious should the infringement be considered to be (Article 32(1)(b) GDPR and 32(2) GDPR and Article 4(7) GDPR)?

Seventh question

Is compensation for non-material damage to be regarded as the award of a penalty similar to a contract penalty?

Relevant GDPR articles: Article 2(1), Article 4(7), Article 5(1)(f), Article 6(1), Article 24, Article 32(1)(b), Article 32(2), Article 82

C-446/21 | Facebook and Schrems | Proceedings initiated | 2021-07-20 | 2021-07-20 | Oberster Gerichtshof | Austria

First question

Are the provisions of Article 6(1)(a) GDPR and 6(1)(b) to be interpreted as meaning that the lawfulness of contractual provisions in general terms of service for platform agreements such as that in the main proceedings (in particular, contractual provisions such as: 'Instead of paying ... by using the Facebook Products covered by these Terms you agree that we can show you ads ... We use your personal data ... to show you ads that are more relevant to you.') which provide for the processing of personal data with a view to aggregating and analysing it for the purposes of personalised advertising must be assessed in accordance with the requirements of Article 6(1)(a) GDPR, read in conjunction with Article 7 GDPR, which cannot be replaced by invoking Article 6(1)(b) GDPR?

Second question

Is Article 5(1)(c) GDPR (data minimisation) to be interpreted as meaning that all personal data held by a platform such as that in the main proceedings (by way of, in particular, the data subject or third parties on and outside the platform) may be aggregated, analysed and processed for the purposes of targeted advertising without restriction as to time or type of data?

Third question

Is Article 9(1) GDPR to be interpreted as applying to the processing of data that permits the targeted filtering of special categories of personal data such as political opinions or sexual orientation (for advertising, for example), even if the controller does not differentiate between those types of data?

Fourth question

Is Article 5(1)(b) GDPR, read in conjunction with Article 9(2)(e) GDPR, to be interpreted as meaning that a statement made by a person about his or her own sexual orientation for the purposes of a panel discussion permits the processing of other data concerning sexual orientation with a view to aggregating and analysing the data for the purposes of personalised advertising?

Relevant GDPR articles: Article 5(1)(b), Article 5(1)(c), Article 6(1)(a), Article 6(1)(b), Article 7, Article 9(1), Article 9(2)(e)