Pending CJEU data protection cases

What are the data protection cases currently pending at the Court of Justice of the EU – CJEU (preliminary questions about GDPR, ePrivacy 2002/58/EC, LED Directive 2016/680)?

Powered by Digibeetle

The table below is only a limited view of what Digibeetle offers. Don’t miss the opportunity to save time on research and supercharge your decision-making process with Digibeetle. Unlock the full potential of our intuitive search, referenced and curated documents.

CaseStageCase lodge dateReferring courtOrigin countryPreliminary questions or pleas in lawAdvocate GeneralDate of A-G's opinionRelevant GDPR articlesHearing date
CJEU Scalable Capital [C-182/22 and C-189/22]C-182/22 and C-189/22Scalable Capital IJudgment scheduled2022-03-102024-06-20Amtsgericht MünchenGermany

First question

Is Article 82 GDPR to be interpreted as meaning that the right to compensation, including the determination of the amount of that compensation, does not have a punitive character, in particular, that it has no general or specific dissuasive function, but a purely compensatory function and, in some instances, a satisfaction function?

Second question

Sub question a

Is the right to compensation for non-material damage to be determined on the basis that it also has an individual satisfaction function - understood here to mean the private interest of the injured party in seeing the behaviour that caused the damage penalised - or does it have only a compensatory function - understood here to mean the function of compensating for the detrimental effects suffered?

Sub question b.1

If it is to be assumed that the right to compensation for non-material damage has both a compensatory and a satisfaction function: is it to be determined on the basis that the compensatory function has structural precedence over the satisfaction function or, at least, that the relationship between the two is that of the rule and the exception? Does that mean that it can have a satisfaction function only when the infringement is deliberate or a result of gross negligence?

Sub question b.2

If the right to compensation for non-material damage does not have a satisfaction function: when determining that compensation, is additional weight attributed only to deliberate or grossly negligent data protection infringements deemed to be contributory factors?

Third question

Is the compensation for non-material damage to be determined on the basis of a structural order of precedence or, at least, a rule-exception relationship, which attributes less weight to the detrimental effects of a data infringement than to the detrimental and painful effects associated with a physical injury?

Fourth question

Assuming that damage has been sustained, can a national court award only minimal compensation, which may be perceived by the injured party or generally as merely symbolic, in the light of the non-serious nature of the damage?

Fifth question

Are the consequences of the compensation for non-material damage to be assessed on the basis that identity theft within the meaning of recital 75 of the General Data Protection Regulation requires an offender to have actually assumed the identity of the person concerned, that is to say to have somehow impersonated that person, or does the mere fact that offenders have gained possession of data that identify the person concerned constitute such identity theft?

Collins2023-10-2682 GDPR, 82(1) GDPR, 82(2) GDPR, 82(3) GDPR, 82(4) GDPR, 82(5) GDPR, 82(6) GDPR
CJEU PS - Incorrect address [C-590/22]C-590/22PS (Incorrect address)Judgment scheduled2022-09-092024-06-20Amtsgericht WeselGermany

First question

Is it sufficient for the establishment of a claim for compensation under Article 82(1) GDPR that a provision GDPR serving to protect the claimant has been infringed or is it necessary that a further adverse effect on the claimant has occurred, beyond the infringement of the provision as such?

Second question

Under EU law, does the establishment of a claim for compensation for non-material damage under Article 82(1) GDPR require an adverse effect of a certain magnitude?

Third question

In particular, is it sufficient for the establishment of a claim for compensation for non-material damage under Article 82(1) GDPR that the claimant fears that his or her personal data have come into the hands of third parties as a result of infringements of provisions GDPR, even though that circumstance cannot be positively established?

Fourth question

Is it in conformity with EU law for the national court to apply mutatis mutandis the criteria of the second sentence of Article 83(2) GDPR - which, according to the wording, apply only to administrative fines - when assessing compensation for non-material damage under Article 82(1) GDPR?

Fifth question

Must the amount of a claim for compensation for non-material damage under Article 82(1) GDPR also be assessed by reference to the fact that the amount of the claim awarded serves to have a deterrent effect and/or to prevent the 'commercialisation' (calculated acceptance of administrative fines/compensation payments) of infringements?

Sixth question

Is it in conformity with EU law, when assessing the amount of a claim for compensation for non-material damage under Article 82(1) GDPR, to take into account simultaneous infringements of national provisions which have as their purpose the protection of personal data but which are not delegated or implementing acts adopted in accordance with that regulation or Member State laws which specify provisions of that regulation?

Campos Sánchez-Bordona82 GDPR, 82(1) GDPR, 83 GDPR, 83(2) GDPR
CJEU ILVA - Fine for infringement of the GDPR [C-383/23]C-383/23ILVAHearing scheduled2023-06-212024-06-19Vestre LandsretDenmark

First question

Must the term ‘undertaking’ in Article 83(4) to (6) GDPR be understood as an undertaking within the meaning of Articles 101 and 102 TFEU, in conjunction with recital 150 GDPR, and the case-law of the Court of Justice of the European Union concerning EU competition law, so that the term ‘undertaking’ covers any entity engaged in an economic activity, regardless of that entity’s legal status and the way in which it is financed?

Second question

If the answer to the Question 1 is in the affirmative, must Article 83(4) to (6) GDPR be interpreted as meaning that, when imposing a fine on an undertaking, regard must be had to the total worldwide annual turnover of the economic entity of which the undertaking forms part, or only the total worldwide annual turnover of the undertaking itself?

83 GDPR, 83(5)(a) GDPR, 83(5)(b) GDPR, 83(5)(e) GDPR, 83(5)(c) GDPR, 83(5)(d) GDPR, 83(4) GDPR, 83(4)(a) GDPR, 83(4)(b) GDPR, 83(4)(c) GDPR, 83(6) GDPR2024-06-19
CJEU Ministerstvo na vatreshnite raboti [Registration of biometric and genetic data II] [C-80/23]C-80/23Ministerstvo na vatreshnite raboti (Registration of biometric and genetic data II)A-G opinion scheduled2023-02-142024-06-13Sofiyski gradski sadBulgaria

First question

Is the requirement of assessing ‘strict necessity’ under Article 10 LED Directive 2016/680, as interpreted by the Court of Justice in paragraph 133 of the judgment of 26 January 2023, Ministerstvo na vatreshnite raboti, C-205/21, satisfied if it is carried out solely on the basis of the decision accusing the person and on the basis of her written refusal to have her biometric and genetic data collected, or is it necessary for the court to have before it all the material in the file which, under national law, is made available to it in the event of an application for authorisation to carry out investigative measures which infringe the legal sphere of natural persons, where that application is made in a criminal case?

Second question

If the Court of Justice answers the first question in the affirmative – after having been provided with the case file, may the court in the context of the assessment of ‘strict necessity’ pursuant to Article 10 LED Directive 2016/680 in conjunction with Article 6(a) LED Directive 2016/680 also consider whether there are reasonable grounds to suspect that the accused has committed the criminal offence referred to in the accusation?

Richard de la Tour2024-06-132024-03-20
CJEU HYA and Others II [C-229/23]C-229/23HYA and OthersJudgment scheduled2023-04-122024-06-13Sofiyski gradski sadBulgaria

Must Article 15(1) ePrivacy Directive 2002/58, read in conjunction with the second paragraph of Article 47 Charter of Fundamental Rights of the European Union, as interpreted by the Court of Justice of the European Union in the judgment of 16 February 2023 in Case C-349/21 and in the light of recital 11 of that directive, of Article 52(1) Charter and Article 53 Charter and of the principle of equivalence, be interpreted as requiring a national court:

  • to disapply provisions of national law (Article 121(4) of the [Konstitutsia na Republika Bulgaria (Constitution of the Republic of Bulgaria)], Article 174(4) of the [Nakazatelnoprotsesualen kodeks (Code of Criminal Procedure; ‘the NPK’)] and Article 15(2) of the [Zakon za spetsialnite razuznavatelni sredstva (Law on Special Investigative Methods; ‘the ZSRS’)]) and the interpretation of Article 8(2) European Convention on the Protection of Human Rights and Fundamental Freedoms (ECHR) adopted by the [European Court of Human Rights (ECtHR)] in the judgment in Case No 70078/12, according to which a judicial authorisation (to listen to, intercept and store telecommunications without the consent of the users concerned) must contain an express statement of written reasons, irrespective of the existence of a reasoned application on the basis of which the authorisation was issued, the reason for such disapplication being that a cross-reading of the application and the authorisation makes apparent
  1. the precise grounds on which the court, in the factual and legal circumstances of the particular case, arrived at the view that the legal requirements had been met, and
  2. the person and the means of communication that formed the subject of the judicial authorisation issued?
  • in the context of the examination as to whether the telecommunications at issue must be excluded as evidence, to disapply a provision of national law (Article 105(2) of the NPK), or to interpret it in conformity with EU law, in so far as it requires compliance with the national procedural rules (in this case, Article 174(4) of the NPK and Article 15(2) of the ZSRS), and to apply instead the rule laid down by the Court of Justice in the judgment of 16 February 2023 in Case C-349/21?
Kokott
CJEU Másdi [C-169/23]C-169/23MasdiA-G opinion scheduled2023-03-172024-06-06KúriaHungary

First question

Must Article 14(5)(c) GDPR, read in conjunction with Article 14(1) GDPR and recital 62 thereof, be interpreted as meaning that the exception laid down in Article 14(5)(c) GDPR does not refer to data generated by the controller in its own procedure but rather only to data which the controller has expressly obtained from another person?

Second question

If Article 14(5)(c) GDPR is also applicable to data generated by the controller in its own procedure, must the right to lodge a complaint with a supervisory authority, laid down in Article 77(1) GDPR, be interpreted as meaning that a natural person who alleges an infringement of the obligation to provide information is entitled, when exercising his or her right to lodge a complaint, to request an examination of whether Member State law provides appropriate measures to protect the data subject’s legitimate interests, in accordance with Article 14(5)(c) GDPR?

Third question

If the answer to the second question is in the affirmative, may Article 14(5)(c) GDPR be interpreted as meaning that the ‘appropriate measures’ referred to in that provision require the national legislature to transpose (by means of legislation) the measures relating to the security of data laid down in Article 32 GDPR?

Medina2024-06-0614 GDPR, 77 GDPR, 32(1) GDPR, 32(1)(a) GDPR, 32(1)(b) GDPR, 32(1)(c) GDPR, 32(1)(d) GDPR, 32(2) GDPR, 32(3) GDPR, 32(4) GDPR, 14(1) GDPR, 14(5)(c) GDPR, 32 GDPR, 77(1) GDPR
CJEU Deldits [C-247/23]C-247/23DelditsHearing scheduled2023-04-182024-06-03Fővárosi TörvényszékHungary

First question

Must Article 16 GDPR be interpreted as meaning that, in connection with the exercise of the rights of the data subject, the authority responsible for keeping registers under national law is required to rectify the personal data relating to the sex of that data subject recorded by that authority, where those data have changed after they were entered in the register and therefore do not comply with the principle of accuracy established in Article 5(1)(d) GDPR?

Second question

If the answer to the first question referred is in the affirmative, must Article 16 GDPR be interpreted as meaning that it requires the person requesting rectification of the data relating to his or her sex to provide evidence in support of the request for rectification?

Third question

If the answer to the second question referred is in the affirmative, must Article 16 GDPR be interpreted as meaning that the person making the request is required to prove that he or she has undergone sex reassignment surgery?

5 GDPR, 5(1)(d) GDPR, 16 GDPR2024-06-03
CJEU Agentsia po vpisvaniyata [C-200/23]C-200/23Agentsia po vpisvaniyataA-G opinion scheduled2023-03-282024-05-30Varhoven administrativen sadBulgaria

First question

May Article 4(2) of Directive 2009/101/EC be interpreted as meaning that it imposes an obligation on the Member State to permit the disclosure of an instrument of memorandum and articles of association, which is subject to registration under Article 119 of the Targovski zakon (Commercial Code), in the case where that instrument contains not only the names of the members of the company, which are subject to compulsory disclosure under Article 2(2) of the Zakon za targovskia registar i registara na yuriditcheskite litsa s nestopanska tsel (Law on the Commercial Register and the Register of Not-for-Profit Legal Persons), but also other personal data?

When answering this question, it is important to take into account that the Registration Agency is a public-sector body against which the directly effective provisions of the aforementioned directive may be relied on, in accordance with the settled case-law of the Court of Justice (judgment of 7 September 2006, Vassallo, С-180/04, ECLI:EU:C:2006:518, paragraph 26 and the caselaw cited).

Second question

If the first question is answered in the affirmative, may it be assumed that, in the circumstances which gave rise to the dispute in the main proceedings, the processing of personal information by the Registration Agency is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, within the meaning of Article 6(1)(e) GDPR?

Third question

If the first two questions are answered in the affirmative, may a national provision such as that contained in Article 13(9) of the Zakon za targovskia registar i registara na yuriditcheskite litsa s nestopanska tsel (Law on the Commercial Register and the Register of Not-for-Profit Legal Persons), in accordance with which, in the event that personal data not required by law are contained in an application [for registration] or in the documents annexed thereto, it must be assumed that the persons who made those data available consented to the processing thereof by the Agency and to the provision of public access thereto, be regarded as permissible, notwithstanding recitals 32, 40, 42, 43 and 50 of the GDPR, as a clarification of the possibility of ‘voluntary disclosure’, within the meaning of Article 4(2) of Directive 2009/101/EC, even of personal data?

Fourth question

Is it permissible for provisions of national law intended to give effect to the obligation laid down in Article 3(7) of Directive 2009/101/EC, whereby Member States are to take the necessary measures to avoid any discrepancy between what is disclosed in accordance with paragraph 5 and what appears in the register or file, and to take into account the interests of third parties in being acquainted with the essential documents of the company and certain information concerning the company, as referred to in recital 3 of that directive, to prescribe a procedure (application forms, submission of copies of documents in which personal data have been redacted) for exercising the right of natural persons under Article 17 GDPR to obtain from the controller the erasure of personal data concerning him or her without undue delay, in the case where the personal data the erasure of which is sought are part of publicly disclosed (notified) documents which were made available to the controller, in accordance with a similar procedure, by another person who, in so doing, also determined the purpose of the processing initiated by him or her?

Fifth question

In the situation underlying the dispute in the main proceedings, does the Registration Agency act only as controller in relation to the personal data or is it also the recipient thereof, in the case where the purposes of processing those data were determined by another controller as part of the documents that were submitted for disclosure?

Sixth question

Does the handwritten signature of a natural person constitute information relating to an identified natural person, in the sense that it is covered by the term ‘personal data’ within the meaning of Article 4(1) GDPR?

Seventh question

Is the concept of ‘non-material damage’ in Article 82(1) GDPR to be interpreted as meaning that the assumption of non-material damage requires a noticeable disadvantage and an objectively comprehensible impairment of personal interests, or is the mere short-term loss of the data subject’s unfettered control over his or her data due to the publication of personal data in the commercial register, which did not have any noticeable or adverse consequences for the data subject, sufficient for that purpose?

Eigth question

May opinion No 01-116(20)/01.02.2021, issued by the national supervisory authority, the Komisia za zashtita na lichnite danni (Commission for the Protection of Personal Data), in accordance with Article 58(3)(b) GDPR, to the effect that the Registration Agency does not have the option or power in law to restrict of its own motion or at the request of the data subject the processing of data which have already been disclosed, permissibly be regarded as proof, for the purposes of Article 82(3) GDPR, that the Registration Agency is in no way responsible for the circumstance which gave rise to the damage suffered by the natural person?

Medina2024-05-304 GDPR, 4(1) GDPR, 6 GDPR, 6(1)(e) GDPR, 17(1) GDPR, 17(1)(a) GDPR, 17(1)(b) GDPR, 17(1)(c) GDPR, 17(1)(d) GDPR, 17(1)(e) GDPR, 17(1)(f) GDPR, 17(2) GDPR, 17(3) GDPR, 17(3)(a) GDPR, 17(3)(b) GDPR, 17(3)(c) GDPR, 17(3)(d) GDPR, 17(3)(e) GDPR, 17 GDPR, 58 GDPR, 58(3)(b) GDPR, 82 GDPR, 82(1) GDPR, 82(3) GDPR2024-03-07
CJEU AGCOM [C-345/24]C-345/24AGCOMProceedings initiated2024-05-102024-05-10Consiglio di StatoItaly

Machine translation (more info):

A) First question

If Regulation (EU) 2018/644 of the European Parliament and of the Council of 18 April 2018 relating to cross-border parcel delivery services, as regards the collection of information, applies as such only to delivery service providers cross-border or, in general, to all suppliers of parcel delivery services, except for specific exclusions relating to individual provisions.

B) Second question

If, if the answer is in the first direction, it can be recognized in Directive 97/67/EC, or in the so-called "implied powers", the legal basis that allows the National Regulatory Authorities to impose on delivery service providers even if they do not cross-border information obligations in general. 

C) Third question

If, if the answer under B) is negative, it is to be considered reasonable, non-discriminatory and compliant with articles. 14, 114 and 169 of the Treaty on the Functioning of the European Union, the fact that Regulation (EU) 2018/644 of the European Parliament and of the Council of 18 April 2018 does not apply to non-cross-border delivery providers.

D) Fourth question

Within what limits (also in terms of necessity and proportionality) can the National Regulatory Authority impose information obligations on parcel delivery service providers and, in particular, whether it is possible to impose symmetric information obligations that concern: 

(i) the conditions applied to different types of customers; 

(ii) the contracts that regulate the relationships between the individual company that provides the parcel delivery service and the companies that in various capacities, according to the paradigm of the supply chain, contribute to providing said service; 

(iii) the economic conditions and legal protections recognized to workers employed in various capacities in providing the service.

CJEU Mirin [C-4/23]C-4/23MirinA-G opinion delivered2024-01-032024-05-07Judecătoria Sectorului 6 BucureştiRomania

First question

Does the fact that Article 43(i) and Article 57 of Legea nr. 119/1996 privind actele de stare civilă (Law No 119/1996 on civil status documents) do not recognise changes in civil status made in another Member State by means of the procedure for legal recognition of gender to entries concerning gender and first name by a transgender man who has dual nationality (Romanian and of another Member State) and require a Romanian citizen to bring, from the outset, separate judicial proceedings in Romania against the local Public Service for Personal Records and Civil Status – proceedings which have been held to lack clarity and foreseeability by the European Court of Human Rights (X and Y v. Romania, nos. 2145/16 and 20607/16, 19 January 2021) and which may lead to a decision contrary to that taken by the other Member State – constitute an obstacle to the exercise of the right to European citizenship (Article 20 of the Treaty on the Functioning of the European Union) and/or the right of citizens of the Union to move and reside freely (Article 21 of the Treaty on the Functioning of the European Union and Article 45 of the Charter of Fundamental Rights of the European Union) in conditions of dignity, equality before the law and nondiscrimination (Article 2 of the Treaty on European Union; Article 18 of the Treaty on the Functioning of the European Union, and Articles 1, 20 and 21 of the Charter of Fundamental Rights of the European Union), respecting the right to private and family life (Article 7 of the Charter of Fundamental Rights of the European Union)?

Second question

Does the departure of the United Kingdom of Great Britain and Northern Ireland from the European Union affect the answer to the above question, in particular where 

(i) the procedure for changing civil status was commenced before Brexit and was completed during the transition period, and 

(ii) the impact of Brexit means that the person cannot benefit from rights attached to European citizenship, including the right to free movement and residence, except on the basis of Romanian identity or travel documents in which that person appears with a female gender and first name, contrary to the gender identity that has already been legally recognised?

Richard de la Tour2024-05-072024-01-23
CJEU Mousse [C-394/23]C-394/23MousseHearing held2023-06-282024-04-29Conseil d'ÉtatFrance

First question

In order to assess whether data collection is adequate, relevant and limited to what is necessary, within the meaning of Article 5(1)(c) GDPR and the need for processing in accordance with Article 6(1)(b) GDPR and 6(1)(f) GDPR, may account be taken of commonly accepted practices in civil, commercial and administrative communications, with the result that the collection of data relating to customers’ civil titles, which is limited to ‘Mr’ or ‘Ms’, may be regarded as necessary, without this being precluded by the principle of data minimisation?

Second question

In order to assess the need for the compulsory collection and processing of data relating to customers’ civil titles, even though some customers consider that they do not come under either of the two civil titles and that the collection of such data is not relevant in their case, should account be taken of the fact that those customers may, after having provided those data to the data controller in order to benefit from the service offered, exercise their right to object to the use and storage of those data by relying on their particular situation, in accordance with Article 21 GDPR?

5 GDPR, 5(1)(c) GDPR, 6 GDPR, 6(1)(b) GDPR, 6(1)(f) GDPR2024-04-29
CJEU Darashev [C-312/24]C-312/24DarashevProceedings initiated2024-04-292024-04-29Sofiyski rayonen sadBulgaria
CJEU Lindenapotheke [C-21/23]C-21/23LindenapothekeA-G opinion delivered2023-01-192024-04-25BundesgerichtshofGermany

First question

Do the rules in Chapter VIII GDPR preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the options for legal redress for data subjects – empower competitors to bring proceedings for infringements of the GDPR against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices?

Second question

Do the data that the customers of a pharmacist who acts as a seller on an online sales platform enter when ordering pharmacy-only but not prescription-only medicines on the sales platform (customer’s name, delivery address and information required for individualising the pharmacyonly medicine ordered) constitute data concerning health within the meaning of Article 9(1) GDPR and of Article 8(1) Data Protection Directive 95/46/EC

Szpunar2024-04-259 GDPR, 9(1) GDPR, 77 GDPR, 77(1) GDPR, 77(2) GDPR, 78 GDPR, 78(1) GDPR, 78(2) GDPR, 78(3) GDPR, 78(4) GDPR, 79 GDPR, 79(1) GDPR, 79(2) GDPR, 80 GDPR, 80(1) GDPR, 80(2) GDPR, 81 GDPR, 81(1) GDPR, 81(2) GDPR, 81(3) GDPR, 82 GDPR, 82(1) GDPR, 82(2) GDPR, 82(3) GDPR, 82(4) GDPR, 82(5) GDPR, 82(6) GDPR, 83 GDPR, 83(1) GDPR, 83(2) GDPR, 83(2)(a) GDPR, 83(2)(b) GDPR, 83(2)(c) GDPR, 83(2)(d) GDPR, 83(2)(e) GDPR, 83(2)(f) GDPR, 83(2)(g) GDPR, 83(2)(h) GDPR, 83(2)(i) GDPR, 83(2)(j) GDPR, 83(2)(k) GDPR, 83(3) GDPR, 83(4) GDPR, 83(4)(a) GDPR, 83(4)(b) GDPR, 83(4)(c) GDPR, 83(5) GDPR, 83(5)(a) GDPR, 83(5)(b) GDPR, 83(5)(c) GDPR, 83(5)(d) GDPR, 83(5)(e) GDPR, 83(6) GDPR, 83(7) GDPR, 83(8) GDPR, 83(9) GDPR, 84 GDPR, 84(1) GDPR, 84(2) GDPR2024-01-09
CJEU Schrems - Communication of data to the general public [C-446/21]C-446/21Facebook and Schrems (Communication of data to the general public)A-G opinion delivered2021-07-202024-04-25Oberster GerichtshofAustria

First question

Are the provisions of Article 6(1)(a) GDPR and 6(1)(b) to be interpreted as meaning that the lawfulness of contractual provisions in general terms of service for platform agreements such as that in the main proceedings (in particular, contractual provisions such as: 'Instead of paying ... by using the Facebook Products covered by these Terms you agree that we can show you ads ... We use your personal data ... to show you ads that are more relevant to you.') which provide for the processing of personal data with a view to aggregating and analysing it for the purposes of personalised advertising must be assessed in accordance with the requirements of Article 6(1)(a) GDPR, read in conjunction with Article 7 GDPR, which cannot be replaced by invoking Article 6(1)(b) GDPR?

Second question

Is Article 5(1)(c) GDPR (data minimisation) to be interpreted as meaning that all personal data held by a platform such as that in the main proceedings (by way of, in particular, the data subject or third parties on and outside the platform) may be aggregated, analysed and processed for the purposes of targeted advertising without restriction as to time or type of data?

Third question

Is Article 9(1) GDPR to be interpreted as applying to the processing of data that permits the targeted filtering of special categories of personal data such as political opinions or sexual orientation (for advertising, for example), even if the controller does not differentiate between those types of data?

Fourth question

Is Article 5(1)(b) GDPR, read in conjunction with Article 9(2)(e) GDPR, to be interpreted as meaning that a statement made by a person about his or her own sexual orientation for the purposes of a panel discussion permits the processing of other data concerning sexual orientation with a view to aggregating and analysing the data for the purposes of personalised advertising?

Rantos2024-04-255 GDPR, 5(1)(b) GDPR, 5(1)(c) GDPR, 6 GDPR, 6(1)(a) GDPR, 6(1)(b) GDPR, 7 GDPR, 7(1) GDPR, 7(2) GDPR, 7(3) GDPR, 7(4) GDPR, 9 GDPR, 9(1) GDPR, 9(2)(e) GDPR2024-02-08
CJEU Land Hessen (Obligation of the data protection authority to act) [C-768/21]C-768/21Land HessenA-G opinion delivered2021-12-142024-04-11Verwaltungsgericht WiesbadenGermany

Are Article 57(1)(a) GDPR and 57(1)(f) GDPR and Article 58(2)(a) GDPR, 58(2)(b) GDPR, 58(2)(c) GDPR, 58(2)(d) GDPR, 58(2)(e) GDPR, 58(2)(f) GDPR, 58(2)(g) GDPR, 58(2)(h) GDPR, 58(2)(i) GDPR, 58(2)(j) GDPR, read in combination with Article 77(1) GDPR,

to be understood as meaning that, where the supervisory authority finds that data processing has infringed the data subject’s rights, the supervisory authority must always take action in accordance with Article 58(2) GDPR?

Pikamäe2024-04-1157 GDPR, 57(1)(a) GDPR, 57(1)(f) GDPR, 58 GDPR, 58(2) GDPR, 58(2)(a) GDPR, 58(2)(b) GDPR, 58(2)(c) GDPR, 58(2)(d) GDPR, 58(2)(e) GDPR, 58(2)(f) GDPR, 58(2)(g) GDPR, 58(2)(h) GDPR, 58(2)(i) GDPR, 58(2)(j) GDPR, 77 GDPR, 77(1) GDPR
CJEU Garrapatica [C-199/24]C-199/24GarrapaticaProceedings initiated2024-03-132024-03-13Attunda tingsrättSweden

Unofficial machine translation:

First question

Does Article 85(1) GDPR allow Member States to adopt legislative  measures in addition to those imposed on Member States by Article 85(2) GDPR and with regard to the processing of personal data for purposes  other than journalistic purposes or academic, artistic or literary creation?

Second question

In the event that the previous question is answered in the affirmative, does Article 85(1) GDPR permit a combination of the right to privacy underthe Regulation with the freedom of expression and information whereby theperson whose personal data is processed, by making criminal convictionsrelating to that person available to the public against payment on the internet, may, as a remedy, only bring criminal proceedings for defamation or claim damages for defamation?

Third question

In the event that the first question is answered in the negative or the secondquestion is answered in the negative, can an activity consisting in makingavailable to the public, without any processing or editing, public documents in the form of criminal convictions against payment on the internet be regarded asprocessing of personal data for the purposes set out in Article 85(2) GDPR?

85 GDPR, 85(1) GDPR, 85(2) GDPR, 85(3) GDPR
CJEU HTB Neunte Immobilien Portfolio Ökorenta Neue Energien Ökostabil IV [C-17/22 and C-18/22]C-17/22 and C-18/22HTB Neunte Immobilien Portfolio Ökorenta Neue Energien Ökostabil IVHearing held2022-01-062024-02-29Amtsgericht MünchenGermany

First question

  1. Is Article 6(1)(b) GDPR and 6(1)(f) GDPR to be interpreted as meaning that, in the case of a partnership comprised of many members of the public, a limited partner with negligible liability has a 'legitimate interest' in obtaining information relating to all partners with shares held indirectly through a trustee, together with their contact details and the number of their shares in such a partnership, and a contractual obligation to that effect must be inferred from the partnership agreement?
  2. Or is a legitimate interest restricted under such circumstances to obtaining from the partnership information on limited partners with shares held indirectly and, rather than bearing negligible liability, hold shares above a minimum threshold that may, at least potentially, allow them to influence the future of the partnership?

Second question

  1. Does the intention to make contact for the purpose of becoming better acquainted, exchanging views or negotiating the purchase of shares in the partnership suffice in order not to exceed the limits to prevent abuse of rights inherent in such an unrestricted right (1a) or to make an exception to the restriction applicable to a restricted right to information (1b)?
  2. Or is an interest in information potentially relevant only where its disclosure is requested with the express intention of contacting other partners in order to invite them to coordinate on specifically designated matters on which a consensus is needed for the purpose of partners' resolutions?
6 GDPR, 6(1)(b) GDPR, 6(1)(f) GDPR2024-02-29
CJEU Belgian Association of Tax Lawyers and Others [C-623/22]C-623/22Belgian Association of Tax Lawyers and OthersA-G opinion delivered2022-09-292024-02-29Belgium

First question

Does Council Directive (EU) 2018/822 of 25 May 2018 amending Directive 2011/16/EU as regards mandatory automatic exchange of information in the field of taxation in relation to reportable cross-border arrangements infringe Article 6(3) TFEU and Articles 20 Charter and 21 Charter of Fundamental Rights of the European Union and, more specifically, the principles of equality and non-discrimination as guaranteed by those provisions, in that Directive (EU) 2018/822 does not limit the reporting obligation in respect of cross-border arrangements to corporation tax, but makes it applicable to all taxes falling within the scope of Council Directive 2011/16/EU of 15 February 2011 on administrative cooperation in the field of taxation and repealing Directive 77/799/EEC, which include under Belgian law not only corporation tax, but also direct taxes other than corporation tax and indirect taxes, such as registration fees?

Second question

Does Directive (EU) 2018/822 infringe the principle of legality in criminal matters as guaranteed by Article 49(1) Charter of Fundamental Rights of the European Union and by Article 7(1) of the European Convention on Human Rights, the general principle of legal certainty and the right to respect for private life as guaranteed by Article 7 Charter of Fundamental Rights of the European Union and by Article 8 of the European Convention on Human Rights, in that the concepts of ‘arrangement’ (and therefore the concepts of ‘cross-border arrangement’, ‘marketable arrangement’ and ‘bespoke arrangement’), ‘intermediary’, ‘participant’, ‘associated enterprise’, the terms ‘cross-border’, the different ‘hallmarks’ and the ‘main benefit test’ that Directive (EU) 2018/822 uses to determine the scope of the reporting obligation in respect of cross-border arrangements, are not sufficiently clear and precise?

Third question

Does Directive (EU) 2018/822, in particular in so far as it inserts Article 8ab(1) and (7) into Directive 2011/16/EU, infringe the principle of legality in criminal matters as guaranteed by Article 49(1) Charter of Fundamental Rights of the European Union and by Article 7(1) of the European Convention on Human Rights, and infringe the right to respect for private life as guaranteed by Article 7 Charter of Fundamental Rights of the European Union and by Article 8 of the European Convention on Human Rights, in that the starting point of the 30-day period during which the intermediary or relevant taxpayer must fulfil its reporting obligation in respect of a cross-border arrangement is not fixed in a sufficiently clear and precise manner?

Fourth question

Does Article 1(2) of Directive (EU) 2018/822 infringe the right to respect for private life as guaranteed by Article 7 Charter of Fundamental Rights of the European Union and by Article 8 of the European Convention on Human Rights, in that the new Article 8ab(5) which it inserted in Directive 2011/16/EU, provides that, where a Member State takes the necessary measures to give intermediaries the right to a waiver from filing information on a reportable cross-border arrangement where the reporting obligation would breach legal professional privilege under the national law of that Member State, that Member State is obliged to require the intermediaries to notify, without delay, any other intermediary or, if there is no such intermediary, the relevant taxpayer, of their reporting obligations, in so far as the effect of that obligation is to oblige an intermediary bound by legal professional privilege subject to criminal sanctions under the national law of that Member State to share with another intermediary, not being his client, information which he obtains in the course of the essential activities of his profession?

Fifth question

Does Directive (EU) 2018/822 infringe the right to respect for private life as guaranteed by Article 7 Charter of Fundamental Rights of the European Union and by Article 8 of the European Convention on Human Rights, in that the reporting obligation in respect of cross-border arrangements interferes with the right to respect for the private life of intermediaries and relevant taxpayers which is not reasonably justified or proportionate in the light of the objectives pursued and which is not relevant to the objective of ensuring the proper functioning of the internal market?

Emiliou2024-02-292023-11-30
CJEU I - Sale of a database [C-693/22]C-693/22I (Sale of a database)A-G opinion delivered2022-11-102024-02-22Sąd Rejonowy dla m.st. Warszawy w WarszawiePoland

First question

Should Article 5(1)(a) GDPR, in conjunction with Article 6(1)(a) GDPR, 6(1)(c) GDPR and 6(1)(e) GDPR, as well as Article 6(3) GDPR, be interpreted as precluding a provision of national law that permits the sale, in enforcement proceedings, of a database, within the meaning of Article 1(2) Database Directive 96/9/EC, which contains personal data, if the data subject did not consent to such a sale?

Pikamäe2024-02-225 GDPR, 5(1)(a) GDPR, 6 GDPR, 6(1)(a) GDPR, 6(1)(c) GDPR, 6(1)(e) GDPR, 6(3) GDPR2023-11-16
CJEU Meta Platforms Ireland - Representative action [C-757/22]C-757/22Meta Platforms Ireland (Representative action)A-G opinion delivered2022-12-152024-01-25BundesgerichtshofGermany

Is an infringement of rights ‘as a result of the processing’ within the meaning of Article 80(2) GDPR asserted when a consumer protection association invokes, in support of its action, infringement of a data subject’s rights on the ground of non-compliance with the information obligations laid down in the first sentence of Article 12(1) GDPR, read in conjunction with Article 13(1)(c) GDPR and 13(1)(e) GDPR, relating to the purpose of the data processing and the recipient of the personal data?

Richard de la Tour2024-01-2512 GDPR, 12(1) GDPR, 13 GDPR, 13(1)(c) GDPR, 13(1)(e) GDPR, 80 GDPR, 80(2) GDPR2023-11-23
CJEU Ministerstvo zdravotnictví II [C-710/23]C-710/23Ministerstvo zdravotnictví IIQuestions or pleas published2023-11-222023-11-22Nejvyšší správní soudCzech Republic

First question

Does the disclosure of the first name, surname, signature and contact information of a natural person as the director or responsible representative of a legal person, made exclusively for the purpose of identification of the (person authorised to represent a certain) legal person still constitute processing of ‘personal data’ of the natural person concerned, pursuant to Article 4(1) GDPR, and thus fall within the scope of GDPR?

Second question

Can national law, including settled case-law, render the application by an administrative authority of a directly applicable EU regulation, namely Article 6(1)(c) GDPR or 6(1)(e) GDPR, conditional on compliance with other conditions that do not follow from the text of the regulation itself but which, nevertheless, essentially extend the level of protection of personal data subjects, namely the obligation of a public authority to inform the data subject in advance of the submission of a request for the provision of his or her personal data to a third party?

4 GDPR, 4(1) GDPR, 6 GDPR, 6(1)(a) GDPR, 6(1)(c) GDPR, 6(1)(e) GDPR
CJEU Encarna [C-683/23]C-683/23EncarnaQuestions or pleas published2023-11-142023-11-14Juzgado de Primera Instancia No 19 de BarcelonaSpain

First question

Does the handing over by the court of the personal data of the parties and of children and teenagers to the parenting coordinator and authorisation to access the processed personal data of those persons in third-party (including healthcare) archives, without any statutory or regulatory provision, infringe Article 6(4) GDPR?

Second question

In the event that the court is entitled to hand over the personal data of the parties and of children and teenagers, does the handing over of that data by the court to the parenting coordinator infringe Article 16 TFEU and [Article] 7 CFREU (respect for private and family life), [Article] 8 CFREU (protection of personal data) and [Article] 52 CFREU (scope and interpretation of rights and principles)?

Third question

Is the handing over of data to the parenting coordinator without first hearing the child’s views on this matter and without considering the child’s best interests compatible with Article 6(4) GDPR in conjunction with Article 24 CFREU?

Fourth question

Does the handing over of the child’s data to the parenting coordinator so that he or she may take decisions concerning the exercise of parental responsibility and/or custody and/or contact arrangements, in cases involving violence, infringe Article 48(1) of the Istanbul Convention, which prohibits the use of mandatory alternative dispute resolution processes, in conjunction with Articles 7 and 24 of the CFREU?

Fifth question

In the event that the court is entitled to hand over the parties’ personal data and, as a consequence of the handing over of that data, the parenting coordinator’s fees must be covered by the parties because that has been ordered by the court, even though the parties have been granted legal aid, does this infringe Article 47 CFREU (right to effective judicial protection)?

6 GDPR, 6(4) GDPR, 6(4)(a) GDPR, 6(4)(b) GDPR, 6(4)(c) GDPR, 6(4)(d) GDPR, 6(4)(e) GDPR
CJEU Quirin Privatbank [C-655/23]C-655/23Quirin PrivatbankQuestions or pleas published2023-11-072023-11-07BundesgerichtshofGermany

First question

  1. Must Article 17 GDPR be interpreted as meaning that a data subject whose personal data have been unlawfully disclosed by the controller through onward transfer has the right to obtain a prohibitory injunction against the controller prohibiting further unlawful onward transfer of those data if the data subject does not request the controller to erase the data?
  2. Can such a right to obtain a prohibitory injunction (also) arise from Article 18 GDPR or any another provision thereof?

Second question

If the answers to Questions 1(a) and/or 1(b) are in the affirmative:

  1. Does the right to obtain a prohibitory injunction under EU law exist only if a risk of further infringements of the data subject’s rights under the GDPR is to be apprehended in the future (risk of recurrence)?
  2. Is the existence of the risk of recurrence presumed, where applicable, by reason of the existing infringement of the GDPR?

Third question

If the answers to Questions 1(a) and 1(b) are in the negative:

Must Article 84 of the GDPR, in conjunction with Article 79 thereof, be interpreted as permitting the national court to confer on the data subject whose personal data were unlawfully disclosed by the controller through onward transfer, in addition to the right to obtain compensation for material or non-material damage pursuant to Article 82 GDPR and the rights arising from Articles 17 GDPR and 18 GDPR, a right to obtain a prohibitory injunction against the controller prohibiting further unlawful onward transfer of those data in accordance with the provisions of national law?

Fourth question

Must Article 82(1) GDPR be interpreted as meaning that mere negative feelings such as annoyance, displeasure, dissatisfaction, worry and fear, which are in themselves part of the general risk of life and often part of everyday experience, are sufficient for the assumption of non-material damage within the meaning of that provision?

Or is a disadvantage to the natural person concerned which goes beyond those feelings necessary for the assumption of damage?

Fifth question

Must Article 82(1) GDPR to be interpreted as meaning that the degree of fault of the controller or processor or its employees constitutes a relevant criterion in assessing the amount of non-material damage to be compensated?

Sixth question

If the answers to Questions 1(a), 1(b) or 3 are in the affirmative:

Must Article 82(1) GDPR be interpreted as meaning that, in assessing the amount of non-material damage to be compensated, the fact that the data subject concerned has a right to obtain a prohibitory injunction in addition to the right to compensation can be taken into account as reducing the claim?

17 GDPR, 17(1) GDPR, 17(1)(a) GDPR, 17(1)(b) GDPR, 17(1)(c) GDPR, 17(1)(d) GDPR, 17(1)(e) GDPR, 17(1)(f) GDPR, 17(2) GDPR, 17(3) GDPR, 17(3)(a) GDPR, 17(3)(b) GDPR, 17(3)(c) GDPR, 17(3)(d) GDPR, 17(3)(e) GDPR, 18 GDPR, 18(1) GDPR, 18(1)(a) GDPR, 18(1)(b) GDPR, 18(1)(c) GDPR, 18(1)(d) GDPR, 18(2) GDPR, 18(3) GDPR, 79 GDPR, 79(1) GDPR, 79(2) GDPR, 82 GDPR, 82(1) GDPR, 84 GDPR, 84(1) GDPR, 84(2) GDPR
CJEU Inteligo Media [C-654/23]C-654/23Inteligo MediaQuestions or pleas published2023-11-022023-11-02Curtea de Apel BucureştiRomania

First question

In a case in which a publisher of online news publications providing information to the general public, which does not specialise in the field, regarding the legislative amendments issued each day in Romania, obtains the email address of a user when the latter creates a free user account entitling him or her:

  1. to access, free of charge, an additional number of articles from the publication in question;
  2. to receive, via email, a daily newsletter containing a summary of the new legislation discussed in articles within the publication and hyperlinks to those articles; and
  3. to access, for a fee, additional and/or more extensive articles and analyses from the publication compared with those in the free daily newsletter:
  1. is that email address obtained by the publisher of the online news publication ‘in the context of the sale of a product or a service’ within the meaning of Article 13(2) ePrivacy Directive 2000/31/EC?
  2. is the transmission by the news publisher of a newsletter such as that described in the abovementioned point (ii) carried out ‘for direct marketing of its own similar products or services’ within the meaning of Article 13(2) ePrivacy Directive 2000/31/EC?

Second question

If the answers to Question 1(a) and (b) are in the affirmative, which of the conditions laid down in Article 6(1)(a) to 6(1)(f) GDPR must be interpreted as applying when the publisher uses the user’s email address for the purpose of sending a daily newsletter such as that described in Question 1(ii), in accordance with the requirements of Article 13(2) of Directive 2002/58/EC?

Third question

Must Article 13(1) ePrivacy Directive 2002/58/EC and 13(2) ePrivacy Directive 2002/58/EC be interpreted as precluding national legislation which uses the concept of ‘commercial communication’ laid down in Article 2(f) E-Commerce Directive 2002/58/EC instead of the concept of ‘direct marketing’ laid down in Directive 2002/58/EC? If not, does a newsletter such as that described in Question 1(ii) constitute a ‘commercial communication’ within the meaning of Article 2(f) ePrivacy Directive 2000/31/EC?

Fourth question

If the answers to Question 1(a) and (b) are in the negative:

  1. does the transmission via email of a daily newsletter such as that described in Question 1(ii) constitute ‘use […] of electronic mail for the purposes of direct marketing’ within the meaning of Article 13(1) of Directive 2002/58/EC?
  2. must Article 95 GDPR, in conjunction with Article 15(2) of Directive 2002/58/EC, be interpreted as meaning that failure to comply with the conditions for obtaining valid consent from the user pursuant to Article 13(1) of Directive 2002/58/EC will be penalised in accordance with Article 83 GDPR or in accordance with the provisions of national law contained in the act transposing Directive 2002/58/EC, which contains specific penalties?

Fifth question

Must Article 83(2) GDPR be interpreted as meaning that a supervisory authority which decides whether to impose an administrative fine and decides on the amount of the administrative fine in each individual case is obliged to analyse and explain in the administrative act imposing the fine the effect of each of the criteria laid down in points (a) to (k) on the decision to impose a fine and, respectively, on the decision regarding the amount of the fine imposed?

6 GDPR, 6(1) GDPR, 6(1)(a) GDPR, 6(1)(b) GDPR, 6(1)(c) GDPR, 6(1)(d) GDPR, 6(1)(e) GDPR, 6(1)(f) GDPR, 83 GDPR, 83(2) GDPR, 83(2)(a) GDPR, 83(2)(b) GDPR, 83(2)(c) GDPR, 83(2)(d) GDPR, 83(2)(e) GDPR, 83(2)(f) GDPR, 83(2)(g) GDPR, 83(2)(h) GDPR, 83(2)(i) GDPR, 83(2)(j) GDPR, 83(2)(k) GDPR, 95 GDPR
CJEU Amt der Tiroler Landesregierung [C-638/23]C-638/23Amt der Tiroler LandesregierungQuestions or pleas published2023-10-242023-10-24VerwaltungsgerichtshofAustria

Is Article 4(7) GDPR, to be interpreted as precluding application of a provision of national law (such as, in the present case, Paragraph 2(1) of the Tiroler Datenverarbeitungsgesetz (Tyrol Law on data processing)) in which a particular controller is provided for within the meaning of the second part of Article 4(7) GDPR but

  • this is merely a service (such as, in the present case, the Amt der Tiroler Landesregierung (Office of the Provincial Government of Tyrol)) which, although established by law, is not a natural or legal person nor, in the present case, an authority, but functions merely as an auxiliary apparatus for such an authority and has no full or partial legal capacity of its own;
  • is nominated without reference to specific processing of personal data, with the result that the purposes and means of specific processing of personal data are not determined by Member State law either;
  • neither alone nor jointly with others determined the purposes and means of the processing of personal data at issue in the present case?
4 GDPR, 4(7) GDPR
CJEU Obshtina Burgas and Others [C-599/23]C-599/23Obshtina Burgas and OthersProceedings initiated2023-09-282023-09-28Rayonen sad AytosBulgaria
CJEU Natsionalna agentsia za prihodite II [C-563/23]C-563/23Natsionalna agentsia za prihoditeQuestions or pleas published2023-09-122023-09-12Sofiyski rayonen sadBulgaria

First question

Must Article 4(7) GDPR be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of taxable persons determines the purposes or means of the processing of personal data and is therefore a ‘controller’ for the purposes of the processing of personal data?

Second question

If the first question is answered in the negative, must Article 51 GDPR be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of taxable persons is responsible for monitoring [the application of] that regulation and must therefore be classified as a ‘supervisory authority’ in relation to those data?

Third question

If either of the above questions is answered in the affirmative, must Article 32(1)(b) GDPR and Article 57(1)(a) GDPR be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of taxable persons is obliged, in the presence of data concerning a personal data breach committed in the past by the body to which such access is to be granted, to obtain information on the data protection measures taken and to assess the appropriateness of those measures in its decision to permit access?

Fourth question

Irrespective of the answers to the [second] and [third] questions, must Article 79(1) GDPR, read in conjunction with Article 47 Charter of Fundamental Rights of the European Union, be interpreted as meaning that, where the national law of a Member State provides that certain categories of data may be disclosed only after permission to do so has been granted by a court, the court so competent must of its own motion grant legal protection to the persons whose data are to be disclosed, by requiring the authority which has applied for access to the data in question, and which is known to have received binding instructions from the authority under Article 51(1) GDPR following a personal data breach, to provide information on the implementation of the measures imposed on it by administrative decision pursuant to Article 58(2)(d) GDPR?

4 GDPR, 4(7) GDPR, 32 GDPR, 32(1)(b) GDPR, 51 GDPR, 51(1) GDPR, 51(2) GDPR, 51(3) GDPR, 51(4) GDPR, 57 GDPR, 57(1)(a) GDPR, 58 GDPR, 58(2)(d) GDPR, 79 GDPR, 79(1) GDPR
CJEU Patērētāju tiesību aizsardzības centrs [C-507/23]C-507/23Patērētāju tiesību aizsardzības centrsQuestions or pleas published2023-08-082023-08-08Augstākā tiesa (Senāts)Latvia

First question

Must Article 82(1) GDPR be interpreted as meaning that the unlawful processing of personal data, in so far as it is an infringement of that regulation, may, in itself, constitute unjustified interference with a person’s subjective right to the protection of his or her data and damage caused to that person?

Second question

Must Article 82(1) GDPR be interpreted as meaning that, where there is no possibility of restoring the situation that existed before the damage was caused, it permits the imposition of the obligation to apologise as the sole form of compensation for non-material damage?

Third question

Must Article 82(1) GDPR be interpreted as meaning that it permits a smaller amount of compensation for the damage caused to be set on the basis of circumstances that are indicative of the attitude and motivation of the person processing the data (for example, the need to perform a task carried out in the public interest, the lack of intent to cause damage to the person concerned or difficulties in understanding the legal framework)?

82 GDPR, 82(1) GDPR
CJEU Russmedia Digital and Inform Media Press [C-492/23]C-492/23Russmedia Digital and Inform Media PressQuestions or pleas published2023-08-032023-08-03Curtea de Apel ClujRomania

First question

Do Articles 12 to 14 eCommerce Directive 2000/31/EC also apply to a storage and hosting information service provider that makes available to users a website on which free or paid advertisements may be published, which claims that its role in publishing users’ advertisements is purely technical (making the platform available), but which, through the general terms and conditions of use of the website, indicates that it does not claim ownership over the content that is provided, published, uploaded or transmitted, yet retains the right to use the content, including by means of copying it, distributing it, transmitting it, publishing it, reproducing it, modifying it, translating it, transferring it to partners and removing it at any time, without the need for any reason for doing so?

Second question

Must Article 2(4) GDPR, Article 4(7) GDPR and 4(11) GDPR, Article 5(1)(f) GDPR, Article 6(1)(a) GDPR, Articles 7 GDPR, 24 GDPR and 25 GDPR and Article 15 eCommerce Directive 2000/31/EC be interpreted as requiring such a storage and hosting information service provider, which is the personal data controller, to verify before publishing an advertisement whether the person publishing the advertisement and the owner of the personal data referred to in the advertisement are the same person?

Third question

Must Article 2(4) GDPR, Article 4(7) GDPR and 4(11) GDPR, Article 5(1)(f) GDPR, Article 6(1)(a) GDPR, Articles 7 GDPR, 24 GDPR and 25 GDPR and Article 15 eCommerce Directive 2000/31/EC be interpreted as requiring such a storage and hosting information service provider, which is the personal data controller, to verify in advance the content of advertisements published by users, in order to exclude advertisements which are potentially unlawful in nature or likely to infringe a person’s private and family life?

Fourth question

Must Article 5(1)(b) GDPR and 5(1)(f) GDPR, Articles 24 GDPR and 25 GDPR and Article 15 eCommerce Directive 2000/31/EC be interpreted as requiring such a storage and hosting information service provider, which is the personal data controller, to apply safeguards which prevent or limit the reproduction and redistribution of the content of the advertisements published through it?

2 GDPR, 2(4) GDPR, 4 GDPR, 4(7) GDPR, 4(11) GDPR, 5 GDPR, 5(1)(f) GDPR, 6 GDPR, 6(1)(a) GDPR, 7 GDPR, 7(1) GDPR, 7(2) GDPR, 7(3) GDPR, 7(4) GDPR, 24 GDPR, 24(1) GDPR, 24(2) GDPR, 24(3) GDPR, 25 GDPR, 25(1) GDPR, 25(2) GDPR, 25(3) GDPR
CJEU Österreichische Datenschutzbehörde - Excessive demands [C-416/23]C-416/23Österreichische Datenschutzbehörde (Excessive demands)Questions or pleas published2023-07-062023-07-06VerwaltungsgerichtshofAustria

First question

Must the concept of ‘requests’ or ‘request’ in Article 57(4) GDPR be interpreted as meaning that it also covers ‘complaints’ under Article 77(1) of the GDPR?

If Question 1 is answered in the affirmative:

Second question

Must Article 57(4) GDPR be interpreted as meaning that, for requests to be ‘excessive’, it is sufficient that a data subject has merely addressed a certain number of requests (complaints under Article 77(1) GDPR) to a supervisory authority within a certain period of time, irrespective of whether the facts are different and/or whether the requests (complaints) concern different controllers, or is an abusive intention on the part of the data subject required in addition to the frequent repetition of requests (complaints)?

Third question

Must Article 57(4) GDPR be interpreted as meaning that, in the case of a ‘manifestly unfounded’ or ‘excessive’ request (complaint), the supervisory authority is free to choose whether to charge a reasonable fee based on the administrative costs of processing it or refuse to process it from the outset?

If not, which circumstances and criteria must the supervisory authority take into account? In particular, is the supervisory authority obliged to charge a reasonable fee primarily, as a less severe measure, and entitled to refuse to process manifestly unfounded or excessive requests (complaints) only in the event that charging a fee to prevent such requests is futile?

57 GDPR, 57(4) GDPR, 77 GDPR, 77(1) GDPR
CJEU HP - Hrvatska pošta [C-336/23]C-336/23HP - Hrvatska poštaQuestions or pleas published2023-05-262023-05-26Visoki upravni sud Republike HrvatskeCroatia

First question

Is the term ‘re-use of information’ for the purposes of Article 2(11) Open Data Directive 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information ([OJ 2019] L 172, [p. 56]) (‘the Directive’) to be understood as meaning access to any information which a public sector body/public undertaking has produced or holds, and which a user (natural or legal person) requests from a public sector body for the first time?

Second question

Can a request for information which a public sector body/public undertaking has produced or which it holds, and which was generated within the scope of its activities or in connection with its organisation and work, be regarded as a request for information to which the provisions of the Directive apply, that is to say, do the provisions of that directive apply to all requests for information held by public sector bodies?

Third question

Are the entities obliged to provide information, listed in Article 2 Open Data Directive 2019/1024, only those public sector bodies to which requests for re-use of information are made, or do the new definitions concern all public sector bodies and all information held by those bodies, that is to say, are the entities listed in Article 2 Open Data Directive 2019/1024 obliged to provide information they have produced or hold, or are the entities listed in Article 2 of the Directive considered to be obliged to provide information only where the information is re-used?

Fourth question

Can the exceptions to the obligation to make information available under Article 1(2) Open Data Directive 2019/1024 be regarded as exceptions by virtue of which public sector bodies may refuse to provide information produced or held by them, or are they exceptions which apply only where requests have been made to the public sector bodies for re-use of the information?

CJEU Addiko Bank [C-312/23]C-312/23Addiko BankProceedings initiated2023-05-222023-05-22Upravni sud u ZagrebuCroatiaQuestions unknown. Join the conversation.
CJEU Inspektorat kam Visshia sadeben savet [C-313/23, C-316/23 and C-332/23]C-313/23, C-316/23 and C-332/23Inspektorat kam Visshia sadeben savetQuestions or pleas published2023-05-222023-05-22Sofiyski rayonen sadBulgaria

First question

Must the second subparagraph of Article 19(1) [TEU], read in conjunction with the second paragraph of Article 47 Charter, be interpreted as meaning that

it is per se or under certain conditions an infringement of the obligation incumbent on Member States to provide effective remedies sufficient to ensure independent judicial review for the functions of an authority which can impose disciplinary penalties on judges and has powers to collect data relating to their assets and liabilities to be indefinitely extended after the constitutionally stipulated term of office of that body comes to an end? If such an extension is permissible, under what conditions is that the case?

Second question

Must Article 2(2)(a) GDPR be interpreted as meaning that

the disclosure of data covered by banking secrecy for the purposes of verifying assets and liabilities of judges and public prosecutors which are subsequently made public constitutes an activity which falls outside the scope of Union law? Is the answer different where that activity also includes the disclosure of data relating to family members of those judges and public prosecutors who are not judges or public prosecutors themselves?

Third question

If the answer to the second question is that Union law is applicable, must Article 4(7) GDPR be interpreted as meaning that

a judicial authority which allows another State authority to access data concerning the account balances of judges and public prosecutors and their family members determines the purposes or means of the processing of personal data and is therefore a ‘controller’ for the purposes of the processing of personal data?

Fourth question

If the answer to the second question is that Union law is applicable and the third question is answered in the negative, must Article 51 GDPR be interpreted as meaning that

a judicial authority which allows another State authority to access data concerning the account balances of judges and public prosecutors and their family members is responsible for monitoring [the application of] that regulation and must therefore be classified as a ‘supervisory authority’ in relation to those data?

Fifth question

If the answer to the second question is that Union law is applicable and either the third or the fourth questions are answered in the affirmativeIf the second question is answered to the effect that European Union law applies and if one of the questions is answered in the affirmative, must Article 32(1)(b) GDPR and Article 57(1)(a) GDPR be interpreted as meaning that

a judicial authority which allows another State authority to access data concerning the account balances of judges and public prosecutors and their families, is obliged, in the presence of data concerning a personal data breach committed in the past by the authority to which such access is to be granted, to obtain information on the data protection measures taken and to take into account the appropriateness of those measures in its decision to permit access?

Sixth question

If the answer to the second question is that Union law is applicable, and irrespective of the answers to the third and fourth questions, must Article 79(1) GDPR, read in conjunction with Article 47 Charter, to be interpreted as meaning that,

where the national law of a Member State provides that certain categories of data may be disclosed only after permission to do so has been granted by a court, the court so competent must of its own motion grant legal protection to the persons whose data are to be disclosed, by requiring the authority which has applied for access to the data in question and which is known to have committed a personal data breach in the past to provide information on the measures taken pursuant to Article 33(3)(d) GDPR and their effective application?

2 GDPR, 2(2)(a) GDPR, 4 GDPR, 4(7) GDPR, 32 GDPR, 32(1)(b) GDPR, 33 GDPR, 33(3)(d) GDPR, 51 GDPR, 51(1) GDPR, 51(2) GDPR, 51(3) GDPR, 51(4) GDPR, 57 GDPR, 57(1)(a) GDPR, 79 GDPR, 79(1) GDPR
CJEU Bezirkshauptmannschaft Landeck [C-548/21]C-548/21Bezirkshauptmannschaft LandeckA-G opinion delivered2021-06-092023-04-20Landesverwaltungsgericht TirolAustria

First question

Is Article 15(1) ePrivacy Directive 2002/58/EC (possibly read in combination with Article 5 ePrivacy Directive 2002/58/EC), as amended by Directive 2009/136/EC, read in the light of Articles 7 Charter and 8 Charter, to be interpreted as meaning that public authorities' access to data stored on mobile telephones entails interference with fundamental rights enshrined in those articles of the Charter which is sufficiently serious to entail that access being limited, in areas of prevention, investigation, detection and prosecution of criminal offences, to the objective of fighting serious crime?

Second question

Is Article 15(1) ePrivacy Directive 2002/58/EC, as amended by Directive 2009/136, read in the light of Articles 7 Charter, 8 Charter and 11 Charter and Article 52(1) Charter, to be interpreted as meaning that it precludes a national rule, such as that enacted in Paragraph 18 of the Strafprozessordnung (Austrian Code of Criminal Procedure), read in combination with Paragraph 99(1) thereof, which allows security authorities to grant themselves full and uncontrolled access to all digital data stored on a mobile telephone in the course of a criminal investigation without the authorisation of a court or independent administrative body?

Third question

Is Article 47 Charter, possibly read in combination with Articles 41 Charter and 52 Charter, to be interpreted, from the point of view of equality of arms and from the point of view of an effective remedy, as meaning that it precludes a national rule, such as that enacted in Paragraph 18 of the Code of Criminal Procedure, read in combination with Paragraph 99(1) thereof, which allows data processing of a mobile telephone without advising the data subject before or, at the very least, after the measure is taken?

Campos Sánchez-Bordona2023-04-202023-01-16
CJEU RRC Sports [C-209/23]C-209/23RRC SportsQuestions or pleas published2023-03-312023-03-31Landgericht MainzGermany

Must Article 101 TFEU (prohibition on cartels), Article 102 TFEU (prohibition on abuse of a dominant position) and Article 56 TFEU (freedom to provide services) and also Article 6 GDPR be interpreted as precluding rules adopted by a world sporting association (in this case: FIFA), to which 211 national sports federations of the relevant sport (in this case: football) belong, and whose rules are therefore binding in any event on the majority of the actors active in the respective national professional leagues of the relevant sport (in this case: clubs (which also means football clubs organised as capital companies), players (who are club members) and players’ agents), and which have the following content:

(1) it is prohibited to agree on players’ agents’ remuneration, or pay them remuneration, in excess of a cap calculated as a percentage of the transfer fee or the annual remuneration of that player,

as provided for in Article 15(2) of the FIFA Football Agent Regulations (‘the FFAR’),

(2) it is prohibited for third parties to pay remuneration due under a representation agreement in respect of the players’ agent’s contracting partner,

as provided for in Article 14(2) and (3) of the FFAR,

(3) clubs are prohibited from paying more than 50% of the total remuneration due from the player and the club for the services of the players’ agent in cases where a players’ agent acts on behalf of the engaging club and the player,

as provided for in Article 14(10) of the FFAR,

(4) for the grant of a licence as a players’ agent, which is a condition for being allowed to provide players’ agent services, it is required that the applicant submit to the internal regulations of the world sporting association (in this case: the FFAR, the FIFA Statutes, the FIFA Disciplinary Code, the FIFA Code of Ethics, the FIFA Regulations on the Status and Transfer of Players as well as the statutes, regulations, guidelines and decisions of authorities and bodies) and also to its jurisdiction as an association and that of confederations and member associations,

as provided for in Article 4(2), Article 16(2)(b) and Article 20 of the FFAR, in conjunction with Article 8(3), Article 57(1) and Article 58(1) and (2) of the FIFA Statutes, Article 5(a), Article 49 and Article 53(3) of the FIFA Disciplinary Code, and Article 4(2) and Article 82(1) of the Code of Ethics,

(5) requirements are laid down for the grant of a licence as a players’ agent, under which the grant of a licence is permanently excluded in the case of convictions or settlements in criminal proceedings or a suspension of two years or more, licence suspension or withdrawal, or other disqualification by an authority or a sports governing body, without the possibility of the licence being granted at a later date,

as provided for in Article 5(1)(a)(ii) and (iii) of the FFAR,

(6) players’ agents are prohibited, in connection with the conclusion of a transfer agreement and/or a contract of employment, from providing players’ agent services or any other services to, and being remunerated for them, by:

  1. the releasing club and the engaging club,
  2. the releasing club and the player,
  3. any parties involved (releasing club, engaging club and player),

as provided for respectively in Article 12(8) and (9) of the FFAR, and

(6a) players’ agents are prohibited, in connection with the conclusion of a transfer agreement and/or a contract of employment together with a connected players’ agent, from providing players’ agent services or any other services to, and being remunerated for them, by:

  1. the releasing club and the engaging club,
  2. the releasing club and the player,
  3. any parties involved (releasing club, engaging club and player),

if the concept of connected players’ agent includes cooperation in accordance with the definition of ‘connected football agent’ laid down in the FFAR (fourth subparagraph on p. 6 of the FFAR),

as provided for in Article 12(10) of the FFAR, in conjunction with the definition of ‘connected football agent’ in the fourth subparagraph on p. 6 of the FFAR,

(7) players’ agents are prohibited from approaching or entering into a representation agreement with a club, player, or member association of the world sporting association or a legal person operating a single-entity league which is permitted to engage players’ agents and which have entered into an exclusive agreement with another players’ agent,

as provided for in Article 16(1)(b) and (c) of the FFAR,

(8) the names and details of all players’ agents, the names of the clients whom they represent, the players’ agent services which they provide to each individual client and/or the details of all transactions involving players’ agents, including the amount of remuneration payable to players’ agents, must be uploaded to a platform of the world sporting association and this information is made available in part to other clubs, players or players’ agents,

as provided for in Article 19 of the FFAR,

(9) it is prohibited to agree remuneration for players’ agent services on any other basis than the player’s remuneration or the transfer fee,

as provided for in Article 15(1) of the FFAR,

(10) it is presumed that other services provided by a players’ agent or a connected players’ agent in the 24 months prior to or following the provision of a players’ agent service to a client involved in the transaction for which player agency services were performed form part of the player agent’s services and, in so far that the presumption cannot be rebutted, remuneration for the other services is deemed to form part of the remuneration paid for the players’ agent service,

as provided for in Article 15(3) and (4) of the FFAR,

(11) the amount of the players’ agent’s remuneration to be calculated on a pro-rata basis is to be based solely on the salary actually received by the player,

as provided for in Article 14(7) and (12) of the FFAR,

(12) players’ agents are required to disclose the following information to the world sporting association:

  1. within 14 days of conclusion: any agreement with a client other than a representation agreement, including but not limited to other services, and the information requested on the platform,
  2. within 14 days of payment of remuneration: the information requested on the platform,
  3. within 14 days of payment of any remuneration related to any agreement with a client other than a representation agreement: the information requested on the platform,
  4. within 14 days of occurrence: any contractual or other arrangement between players’ agents to cooperate in the provision of any services or to share the revenue or profits of any part of their players’ agent services,
  5. if they conduct their business affairs through an agency, within 14 days of the first transaction involving the agency: the number of players’ agents who use the same agency to conduct their business affairs and the name of all its employees,

as provided for in Article 16(2)(j)(ii) to (v) and (k)(ii) of the FFAR,

(13) clubs are prohibited from agreeing on remuneration or elements of remuneration with players’ agents for the future transfer of a player or from paying remuneration or elements of remuneration to players’ agents, the calculation basis for which is (also) dependent on future transfer compensation received by the club from a subsequent transfer of the player,

as provided for in Article 18ter(1), first alternative, of the FIFA Regulations on the Status and Transfer of Players (‘the FIFA RSTP’) and Article 16(3)(e) of the FFAR.

6 GDPR, 6(1) GDPR, 6(1)(f) GDPR
CJEU K GmbH [C-65/23]C-65/23K GmbHQuestions or pleas published2023-02-082023-02-08BundesarbeitsgerichtGermany

First question

Is a national legal provision that has been adopted pursuant to Article 88(1) GDPR - such as Paragraph 26(4) of the Bundesdatenschutzgesetz (German Federal Law on data protection, ‘the BDSG’) - and which provides that the processing of personal data, including special categories of personal data, of employees for the purposes of the employment relationship is permissible on the basis of collective agreements subject to compliance with Article 88(2) GDPR, to be interpreted as meaning that the other requirements of the GDPR - such as Article 5 GDPR, Article 6(1) GDPR and Article 9(1) GDPR and 9(2) GDPR - must always also be complied with?

Second question

If the answer to Question 1 is in the affirmative:

May a national legal provision adopted pursuant to Article 88(1) GDPR - such as Paragraph 26(4) of the BDSG - be interpreted as meaning that the parties to a collective agreement (in this case, the parties to a works agreement) are entitled to a margin of discretion in assessing the necessity of data processing within the meaning of Article 5 GDPR, Article 6(1) GDPR and Article 9(1) GDPR and 9(2) GDPR that is subject to only limited judicial review?

Third question

If the answer to Question 2 is in the affirmative:

In such a case, to what is the judicial review to be limited?

Fourth question

Is Article 82(1) GDPR to be interpreted as meaning that a person is entitled to compensation for non-material damage when his or her personal data have been processed contrary to the requirements of Regulation 2016/679, or does the right to compensation for non-material damage additionally require that the data subject demonstrate non-material damage - of some weight - suffered by him or her?

Fifth question

Does Article 82(1) GDPR have a specific or general preventive character, and must that be taken into account in the assessment of the amount of non-material damage to be compensated at the expense of the controller or processor on the basis of Article 82(1) GDPR?

Sixth question

Is the degree of fault on the part of the controller or processor a decisive factor in the assessment of the amount of non-material damage to be compensated on the basis of Article 82(1) GDPR?

In particular, can non-existent or minor fault on the part of the controller or processor be taken into account in their favour?

5 GDPR, 5(1) GDPR, 5(1)(a) GDPR, 5(1)(b) GDPR, 5(1)(c) GDPR, 5(1)(d) GDPR, 5(1)(e) GDPR, 5(1)(f) GDPR, 5(2) GDPR, 6 GDPR, 6(1) GDPR, 9 GDPR, 9(1) GDPR, 9(2) GDPR, 82 GDPR, 82(1) GDPR, 88 GDPR, 88(1) GDPR, 88(2) GDPR
CJEU Policejní prezidium [C-57/23]C-57/23Policejní prezidiumQuestions or pleas published2023-02-022023-02-02Nejvyšší správní soudCzech Republic

First question

What degree of distinction between individual data subjects is required by Article 4(1)(c) LED Directive 2016/680 or Article 6 LED Directive 2016/680 in conjunction with Article 10 LED Directive 2016/680?

Is it compliant with the obligation to minimise personal data processing, and with the obligation to distinguish between various categories of data subjects, for national law to permit the collection of genetic data in respect of all persons suspected or accused of having committed an intentional criminal offence?

Second question

Is it in accordance with Article 4(1)(e) LED Directive 2016/680 if the necessity of continued retention of a DNA profile is assessed, with a reference to the general prevention, investigation, and detection of criminal activity, by Police authorities on the basis of their internal regulations, which frequently means in practice that sensitive personal data is retained for an unspecified period without a maximum limit for the duration of the retention of that personal data being set?

If not, by what criteria should the proportionality of the period of the retention of the personal data collected and retained for that purpose be assessed?

Third question

In the case of particularly sensitive personal data falling under Article 10 LED Directive 2016/680, what is the minimal scope of the substantive or procedural conditions for obtaining, retaining, and deleting such data that must be regulated by a 'provision of general application' in the law of a Member State? Can judicial case-law qualify as 'Member State law' within the meaning of Article 8(2) LED Directive 2016/680 in conjunction with Article 10 LED Directive 2016/680?

CJEU KNLTB [C-621/22]C-621/22KNLTBQuestions or pleas published2022-09-292022-09-29Rechtbank AmsterdamNetherlands

First question

How should the District Court interpret the term 'legitimate interest'?

Second question

Should the term be interpreted as the respondent interprets it?

Are these interests which exclusively pertain to the law, constitute law, are enshrined in a law? Or;

Third question

Can any interest be a legitimate interest, provided that interest is not in breach of the law?

More specifically: should a purely commercial interest, such as the interest at issue here, the provision of personal data in return for payment without the consent of the data subject concerned, be regarded as a legitimate interest under certain circumstances? If so, what circumstances determine whether a purely commercial interest is a legitimate interest?

6 GDPR, 6(1)(f) GDPR
CJEU MK - Professional curator [C-461/22]C-461/22MKQuestions or pleas published2022-07-122022-07-12Landgericht HannoverGermany

Is a legally appointed curator who performs that activity in a professional capacity a controller within the meaning of Article 4(7) GDPR?

Is he or she required to provide information in accordance with Article 15 GDPR?

4 GDPR, 4(7) GDPR, 15 GDPR, 15(1) GDPR, 15(1)(a) GDPR, 15(1)(b) GDPR, 15(1)(c) GDPR, 15(1)(d) GDPR, 15(1)(e) GDPR, 15(1)(f) GDPR, 15(1)(g) GDPR, 15(1)(h) GDPR, 15(2) GDPR, 15(3) GDPR, 15(4) GDPR
CJEU Kinderrechtencoalitie Vlaanderen [C-280/22]C-280/22Kinderrechtencoalitie VlaanderenQuestions or pleas published2022-04-252022-04-25Raad van State (Belgium)Belgium

Are Article 3(5) and (6) and Article 14 of Regulation (EU) 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement, read in conjunction with Commission Implementing Decision C(2018) 7767 of 30 November 2018 laying down the technical specifications for the uniform format for residence permits for third country nationals and repealing Decision C(2002)3069,

valid and compatible with Article 16 TFEU and - as regards Article 3(5) and (6) - with Article 21 TFEU, as well as with Articles 7 Charter, 8 Charer and 52 Charter, in conjunction with:

  • Articles 1 GDPR, 2 GDPR, 3 GDPR, 4 GDPR, 5 GDPR, 6 GDPR, 9 GDPR, 25 GDPR, 32 GDPR, 35 GDPR and 36 GDPR,
  • Articles 1 LED Directive 2016/680, 2 LED Directive 2016/680, 3 LED Directive 2016/680, 4 LED Directive 2016/680, 8 LED Directive 2016/680, 9 LED Directive 2016/680, 10 LED Directive 2016/680, 27 LED Directive 2016/680 and 28 LED Directive 2016/680,
  • Articles 1, 2, 3, 4, 5, 10, 28 and 42 Regulation 2018/1725 (EUDPR),

in so far as Article 3(5) and (6) of Regulation (EU) 2019/1157 requires two fingerprints of the holder of the card to be stored in interoperable digital formats on a storage medium included on the identity card,

and in so far as Article 3(5) and (6) and Article 14 of Regulation (EU) 2019/1157, read in conjunction with Annex III to the aforementioned Commission Implementing Decision C(2018) 7767 of 30 November 2018, require the fingerprint data on the identity cards and residence documents referred to in points (a) and (c) of Article 2 of that regulation to be stored in the form of a digital image of the fingerprints on an electronic microprocessor chip which uses RFID and can be read wirelessly/in contactless form?

1 GDPR, 1(1) GDPR, 1(2) GDPR, 1(3) GDPR, 2 GDPR, 2(1) GDPR, 2(2) GDPR, 2(2)(a) GDPR, 2(2)(b) GDPR, 2(2)(c) GDPR, 2(2)(d) GDPR, 2(3) GDPR, 2(4) GDPR, 3 GDPR, 3(1) GDPR, 3(2) GDPR, 3(2)(a) GDPR, 3(2)(b) GDPR, 3(3) GDPR, 4 GDPR, 5 GDPR, 5(1) GDPR, 5(1)(a) GDPR, 5(1)(b) GDPR, 5(1)(c) GDPR, 5(1)(d) GDPR, 5(1)(e) GDPR, 5(1)(f) GDPR, 5(2) GDPR, 6 GDPR, 6(1) GDPR, 6(1)(a) GDPR, 6(1)(b) GDPR, 6(1)(c) GDPR, 6(1)(d) GDPR, 6(1)(e) GDPR, 6(1)(f) GDPR, 6(2) GDPR, 6(3) GDPR, 6(3)(a) GDPR, 6(3)(b) GDPR, 6(4) GDPR, 6(4)(a) GDPR, 6(4)(b) GDPR, 6(4)(c) GDPR, 6(4)(d) GDPR, 6(4)(e) GDPR, 9 GDPR, 9(1) GDPR, 9(2) GDPR, 9(2)(a) GDPR, 9(2)(b) GDPR, 9(2)(c) GDPR, 9(2)(d) GDPR, 9(2)(e) GDPR, 9(2)(f) GDPR, 9(2)(g) GDPR, 9(2)(h) GDPR, 9(2)(i) GDPR, 9(2)(j) GDPR, 9(3) GDPR, 9(4) GDPR, 25 GDPR, 25(1) GDPR, 25(2) GDPR, 25(3) GDPR, 32 GDPR, 32(1) GDPR, 32(1)(a) GDPR, 32(1)(b) GDPR, 32(1)(c) GDPR, 32(1)(d) GDPR, 32(2) GDPR, 32(3) GDPR, 32(4) GDPR, 35 GDPR, 35(1) GDPR, 35(2) GDPR, 35(3) GDPR, 35(3)(a) GDPR, 35(3)(b) GDPR, 35(3)(c) GDPR, 35(4) GDPR, 35(5) GDPR, 35(6) GDPR, 35(7) GDPR, 35(7)(a) GDPR, 35(7)(b) GDPR, 35(7)(c) GDPR, 35(7)(d) GDPR, 35(8) GDPR, 35(9) GDPR, 35(10) GDPR, 35(11) GDPR, 36 GDPR, 36(1) GDPR, 36(2) GDPR, 36(3) GDPR, 36(3)(a) GDPR, 36(3)(b) GDPR, 36(3)(c) GDPR, 36(3)(d) GDPR, 36(3)(e) GDPR, 36(3)(f) GDPR, 36(4) GDPR, 36(5) GDPR
CJEU DX - Access to data held by suppliers for contractual purposes [C-241/22]C-241/22DX (Access to data held by suppliers for contractual purposes)Questions or pleas published2022-04-062022-04-06Hoge Raad der NederlandenNetherlands

First question

Do legislative measures which relate to granting public authorities access to traffic and location data (including identification data) in connection with the prevention, investigation, detection and prosecution of criminal offences fall within the scope of ePrivacy Directive 2002/58/EC if they concern the granting of access to data which are not retained on the grounds of legislative measures within the meaning of Article 15(1) ePrivacy Directive 2002/58/EC, but which are retained by the provider on some other ground?

Second question

  1. Do the ... terms 'serious criminal offences' and 'serious crime' ... [used in the judgments of the Court of Justice cited in the order for reference] constitute autonomous concepts of European Union law, or is it incumbent on the competent authorities of the Member States themselves to give substance to those terms?
  2. If these are indeed autonomous concepts of European Union law, in what way should it be established whether what is involved is a 'serious criminal offence' or 'serious crime'?

Third question

Can granting public authorities access to traffic and location data (other than mere identification data) for the purpose of the prevention, investigation, detection and prosecution of criminal offences be permissible under Directive 2002/58/EC if no serious criminal offences or serious crime are involved, that is to say, if in the specific case the granting of access to such data - in so far as may be assumed - causes only a minor interference with, in particular, the right to the protection of the private life of the user as referred to in Article 2(b) ePrivacy Directive 2002/58/EC?

CJEU Dun & Bradstreet Austria [C-203/22]C-203/22CKQuestions or pleas published2022-03-162022-03-16Verwaltungsgericht WienAustria

First question

What requirements as to content does information provided need to satisfy in order to be regarded as sufficiently 'meaningful' within the meaning of Article 15(1)(h) GDPR?

In the case of profiling, must the information essential for making the result of the automated decision transparent in each individual case also be disclosed by the controller - where necessary in compliance with an existing trade secret - as part of the disclosure of the 'logic involved' which includes, in particular,

  1. the disclosure of the data subject's processed data,
  2. the disclosure of the parts of the algorithm on which the profiling is based that are necessary to provide transparency, and
  3. the information relevant to establishing the connection between the processed information and the rating arrived at?

In cases involving profiling, must the party entitled to access for the purpose of Article 15(1)(h) GDPR be provided, as a minimum, with the following information on the specific processing concerning him or her, even if a trade secret is involved, in order to enable him or her to protect his or her rights under Article 22(3) GDPR:

  • communication of all potentially pseudo-anonymised information, in particular on the manner in which the data subject's data is being processed, which allows the data subject to check compliance with the GDPR,
  • making available the input data used for profiling,
  • the parameters and input variables used in the determination of the rating,
  • the influence of these parameters and input variables on the calculated rating,
  • information on the origin of the parameters or input variables,
  • an explanation as to why the party entitled to access for the purpose of Article 15(1)(h) GDPR has been assigned a specific rating and clarification of the implications of such rating,
  • listing the profile categories and providing an explanation as to what rating implication is associated with each of the profile categories?

Second question

Is the right of access granted by Article 15(1)(h) GDPR related to the rights guaranteed by Article 22(3) GDPR to express one's point of view and to challenge an automated decision taken within the meaning of Article 22 GDPR in so far as the scope of the information to be provided on the basis of an access request within the meaning of Article 15(1)(h) GDPR is only sufficiently 'meaningful' if the party requesting access and the data subject for the purpose of Article 15(1)(h) GDPR is enabled to exercise the rights guaranteed by Article 22(3) GDPR to express his or her own point of view and to challenge the automated decision for the purpose of Article 22 GDPR concerning him or her in a real, profound and promising way?

Third question

  1. Must Article 15(1)(h) GDPR be interpreted as meaning that information constitutes 'meaningful information' for the purposes of this provision only if it is so broad that the party entitled to access for the purpose of Article 15(1)(h) GDPR is able to determine whether this information is accurate, i.e. whether the automatic decision specifically requested was actually based on the information provided?
  2. If the above question is answered in the affirmative: what is the procedure if the accuracy of the information provided by a controller can only be verified if third-party data protected by the GDPR must also be brought to the attention of the party entitled to access for the purpose of Article 15(1)(h) GDPR (black box)?

Can this tension between the right of access within the meaning of Article 15(1) GDPR and the data protection rights of third parties also be resolved by disclosing the data of third parties (which have also been subjected to the same profiling process) required for the accuracy check only to the authority or the court for the authority or the court to check independently whether the disclosed data of these third parties is accurate?

  1. If the above question is answered in the affirmative: which rights must be granted to the party entitled to access for the purpose of Article 15(1)(h) GDPR in the event that it is necessary to ensure the protection of third party rights within the meaning of Article 15(4) GDPR by creating the black box referred to in point (3b)? Must the data of other persons to be disclosed by the controller for the purpose of Article 15(1) GDPR to the party entitled to access for the purpose of Article 15(1)(h) GDPR be disclosed in pseudo-anonymised form in order to ensure that the accuracy can be verified?

Fourth question

  1. What is the procedure if the information to be provided in accordance with Article 15(1)(h) GDPR also meets the requirements of a trade secret within the meaning of Article 2(1) Trade Secrets and Know-How Directive 2016/943?

Can the tension between the right of access guaranteed by Article 15(1)(h) GDPR and the right to non-disclosure of a trade secret protected by the Trade Secrets and Know-How Directive be resolved by allowing the information to be disclosed as a trade secret within the meaning of Article 2(1) Trade Secrets and Know-How Directive 2016/943 be disclosed to the authority or the court only, so that the authority or the court must independently verify whether it must be assumed that a trade secret within the meaning of Article 2(1) Trade Secrets and Know-How Directive 2016/943 exists and whether the information provided by the controller within the meaning of Article 15(1) GDPR is accurate?

  1. If the above question is answered in the affirmative: which rights must be granted to the party entitled to access for the purpose of Article 15(1)(h) GDPR in the event that it is necessary to ensure the protection of third party rights within the meaning of Article 15(4) GDPR by creating the black box referred to in point (4a)?

In this case of discrepancy between the information to be disclosed to the authority or the court and the information to be disclosed to the person entitled to access within the meaning of Article 15(1)(h) GDPR, in cases involving profiling, must the party entitled to access for the purpose of Article 15(1)(h) GDPR also be provided, as a minimum, with the following information on the specific processing concerning him or her in order to enable him or her to protect his or her rights under Article 22(3) GDPR in their entirety:

  • communication of all potentially pseudo-anonymised information, in particular on the manner in which the data subject's data is being processed, which allows the data subject to check compliance with the GDPR,
  • making available the input data used for profiling,
  • the parameters and input variables used in the determination of the rating,
  • the influence of these parameters and input variables on the calculated rating,
  • information on the origin of the parameters or input variables,
  • an explanation as to why the party entitled to access for the purpose of Article 15(1)(h) GDPR has been assigned a specific rating and clarification of the implications of such rating,
  • listing the profile categories and providing an explanation as to what rating implication is associated with each of the profile categories?

Fifth question

Does the provision of Article 15(4) GDPR in any way limit the scope of the information to be provided pursuant to Article 15(1)(h) GDPR?

If this question is answered in the affirmative, is this right of access limited by Article 15(4) GDPR, and how is the extent of the limitation to be determined in each individual case?

Sixth question

Is the provision of Article 4(6) of the Law on Data protection, according to which 'the right of access of the data subject pursuant to Article 15 GDPR, as a rule, does not (exist) vis-à-vis the controller if the provision of such information would violate a business or trade secret of the controller or third parties' compatible with the requirements of Article 15(1) GDPR in conjunction with Article 22(3) GDPR?

If the above question is answered in the affirmative, what are the conditions for such compatibility?

15 GDPR, 15(1) GDPR, 15(1)(h) GDPR, 15(4) GDPR, 22 GDPR, 22(3) GDPR
CJEU Scalable Capital II [C-189/22]C-189/22Scalable Capital IIQuestions or pleas published2022-03-112022-03-11Amtsgericht MünchenGermany

First question

Is Article 82 GDPR to be interpreted as meaning that the right to compensation, including the determination of the amount of that compensation, does not have a punitive character, in particular, that it has no general or specific dissuasive function, but a purely compensatory function and, in some instances, a satisfaction function?

Second question

Sub question a

Is the right to compensation for non-material damage to be determined on the basis that it also has an individual satisfaction function - understood here to mean the private interest of the injured party in seeing the behaviour that caused the damage penalised - or does it have only a compensatory function - understood here to mean the function of compensating for the detrimental effects suffered?

Sub question b.1

If it is to be assumed that the right to compensation for non-material damage has both a compensatory and a satisfaction function: is it to be determined on the basis that the compensatory function has structural precedence over the satisfaction function or, at least, that the relationship between the two is that of the rule and the exception? Does that mean that it can have a satisfaction function only when the infringement is deliberate or a result of gross negligence?

Sub question b.2

If the right to compensation for non-material damage does not have a satisfaction function: when determining that compensation, is additional weight attributed only to deliberate or grossly negligent data protection infringements deemed to be contributory factors?

Third question

Is the compensation for non-material damage to be determined on the basis of a structural order of precedence or, at least, a rule-exception relationship, which attributes less weight to the detrimental effects of a data infringement than to the detrimental and painful effects associated with a physical injury?

Fourth question

Assuming that damage has been sustained, can a national court award only minimal compensation, which may be perceived by the injured party or generally as merely symbolic, in the light of the non-serious nature of the damage?

Fifth question

Are the consequences of the compensation for non-material damage to be assessed on the basis that identity theft within the meaning of recital 75 of the General Data Protection Regulation requires an offender to have actually assumed the identity of the person concerned, that is to say to have somehow impersonated that person, or does the mere fact that offenders have gained possession of data that identify the person concerned constitute such identity theft?

82 GDPR, 82(1) GDPR, 82(2) GDPR, 82(3) GDPR, 82(4) GDPR, 82(5) GDPR, 82(6) GDPR
CJEU Ökorenta [C-18/22]C-18/22OekorentaQuestions or pleas published2022-01-072022-01-07Amtsgericht MünchenGermany

First question

  1. Is Article 6(1)(b) GDPR and 6(1)(f) GDPR to be interpreted as meaning that, in the case of a partnership comprised of many members of the public, a limited partner with negligible liability has a 'legitimate interest' in obtaining information relating to all partners with shares held indirectly through a trustee, together with their contact details and the number of their shares in such a partnership, and a contractual obligation to that effect must be inferred from the partnership agreement?
  2. Or is a legitimate interest restricted under such circumstances to obtaining from the partnership information on limited partners with shares held indirectly and, rather than bearing negligible liability, hold shares above a minimum threshold that may, at least potentially, allow them to influence the future of the partnership?

Second question

  1. Does the intention to make contact for the purpose of becoming better acquainted, exchanging views or negotiating the purchase of shares in the partnership suffice in order not to exceed the limits to prevent abuse of rights inherent in such an unrestricted right (1a) or to make an exception to the restriction applicable to a restricted right to information (1b)?
  2. Or is an interest in information potentially relevant only where its disclosure is requested with the express intention of contacting other partners in order to invite them to coordinate on specifically designated matters on which a consensus is needed for the purpose of partner' resolutions?
6 GDPR, 6(1)(b) GDPR, 6(1)(f) GDPR

The CJEU pending cases newsletter

Join our exclusive monthly newsletter dedicated to the latest pending cases at the Court of Justice of the European Union (CJEU).