Pending CJEU data protection cases
What are the data protection cases currently pending at the Court of Justice of the EU – CJEU (preliminary questions about GDPR, ePrivacy 2002/58/EC, LED Directive 2016/680)?
Powered by Digibeetle
The table below is only a limited view of what Digibeetle offers. Don’t miss the opportunity to save time on research and supercharge your decision-making process with Digibeetle. Unlock the full potential of our intuitive search, referenced and curated documents.
Case | Stage | Case lodge date | Referring court | Origin country | Preliminary questions or pleas in law | Advocate General | Date of A-G's opinion | Relevant GDPR articles | Hearing date | |||
---|---|---|---|---|---|---|---|---|---|---|---|---|
CJEU Inspektorat kam Visshia sadeben savet [C-313/23, C-316/23 and C-332/23] | C-313/23, C-316/23 and C-332/23 | Inspektorat kam Visshia sadeben savet | A-G opinion delivered | 2023-05-22 | 2024-10-04 | Sofiyski rayonen sad | Bulgaria | First questionMust the second subparagraph of Article 19(1) [TEU], read in conjunction with the second paragraph of Article 47 Charter, be interpreted as meaning that it is per se or under certain conditions an infringement of the obligation incumbent on Member States to provide effective remedies sufficient to ensure independent judicial review for the functions of an authority which can impose disciplinary penalties on judges and has powers to collect data relating to their assets and liabilities to be indefinitely extended after the constitutionally stipulated term of office of that body comes to an end? If such an extension is permissible, under what conditions is that the case? Second questionMust Article 2(2)(a) GDPR be interpreted as meaning that the disclosure of data covered by banking secrecy for the purposes of verifying assets and liabilities of judges and public prosecutors which are subsequently made public constitutes an activity which falls outside the scope of Union law? Is the answer different where that activity also includes the disclosure of data relating to family members of those judges and public prosecutors who are not judges or public prosecutors themselves? Third questionIf the answer to the second question is that Union law is applicable, must Article 4(7) GDPR be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of judges and public prosecutors and their family members determines the purposes or means of the processing of personal data and is therefore a ‘controller’ for the purposes of the processing of personal data? Fourth questionIf the answer to the second question is that Union law is applicable and the third question is answered in the negative, must Article 51 GDPR be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of judges and public prosecutors and their family members is responsible for monitoring [the application of] that regulation and must therefore be classified as a ‘supervisory authority’ in relation to those data? Fifth question
a judicial authority which allows another State authority to access data concerning the account balances of judges and public prosecutors and their families, is obliged, in the presence of data concerning a personal data breach committed in the past by the authority to which such access is to be granted, to obtain information on the data protection measures taken and to take into account the appropriateness of those measures in its decision to permit access? Sixth questionIf the answer to the second question is that Union law is applicable, and irrespective of the answers to the third and fourth questions, must Article 79(1) GDPR, read in conjunction with Article 47 Charter, to be interpreted as meaning that, where the national law of a Member State provides that certain categories of data may be disclosed only after permission to do so has been granted by a court, the court so competent must of its own motion grant legal protection to the persons whose data are to be disclosed, by requiring the authority which has applied for access to the data in question and which is known to have committed a personal data breach in the past to provide information on the measures taken pursuant to Article 33(3)(d) GDPR and their effective application? | Pikamäe | 2024-10-04 | 2 GDPR, 2(2)(a) GDPR, 4 GDPR, 4(7) GDPR, 32 GDPR, 32(1)(b) GDPR, 33 GDPR, 33(3)(d) GDPR, 51 GDPR, 51(1) GDPR, 51(2) GDPR, 51(3) GDPR, 51(4) GDPR, 57 GDPR, 57(1)(a) GDPR, 79 GDPR, 79(1) GDPR | |
CJEU Dun & Bradstreet Austria [C-203/22] | C-203/22 | Dun & Bradstreet Austria | A-G opinion delivered | 2022-03-16 | 2024-09-12 | Verwaltungsgericht Wien | Austria | First questionWhat requirements as to content does information provided need to satisfy in order to be regarded as sufficiently 'meaningful' within the meaning of Article 15(1)(h) GDPR? In the case of profiling, must the information essential for making the result of the automated decision transparent in each individual case also be disclosed by the controller - where necessary in compliance with an existing trade secret - as part of the disclosure of the 'logic involved' which includes, in particular,
In cases involving profiling, must the party entitled to access for the purpose of Article 15(1)(h) GDPR be provided, as a minimum, with the following information on the specific processing concerning him or her, even if a trade secret is involved, in order to enable him or her to protect his or her rights under Article 22(3) GDPR:
Second questionIs the right of access granted by Article 15(1)(h) GDPR related to the rights guaranteed by Article 22(3) GDPR to express one's point of view and to challenge an automated decision taken within the meaning of Article 22 GDPR in so far as the scope of the information to be provided on the basis of an access request within the meaning of Article 15(1)(h) GDPR is only sufficiently 'meaningful' if the party requesting access and the data subject for the purpose of Article 15(1)(h) GDPR is enabled to exercise the rights guaranteed by Article 22(3) GDPR to express his or her own point of view and to challenge the automated decision for the purpose of Article 22 GDPR concerning him or her in a real, profound and promising way? Third question
Can this tension between the right of access within the meaning of Article 15(1) GDPR and the data protection rights of third parties also be resolved by disclosing the data of third parties (which have also been subjected to the same profiling process) required for the accuracy check only to the authority or the court for the authority or the court to check independently whether the disclosed data of these third parties is accurate?
Fourth question
Can the tension between the right of access guaranteed by Article 15(1)(h) GDPR and the right to non-disclosure of a trade secret protected by the Trade Secrets and Know-How Directive be resolved by allowing the information to be disclosed as a trade secret within the meaning of Article 2(1) Trade Secrets and Know-How Directive 2016/943 be disclosed to the authority or the court only, so that the authority or the court must independently verify whether it must be assumed that a trade secret within the meaning of Article 2(1) Trade Secrets and Know-How Directive 2016/943 exists and whether the information provided by the controller within the meaning of Article 15(1) GDPR is accurate?
In this case of discrepancy between the information to be disclosed to the authority or the court and the information to be disclosed to the person entitled to access within the meaning of Article 15(1)(h) GDPR, in cases involving profiling, must the party entitled to access for the purpose of Article 15(1)(h) GDPR also be provided, as a minimum, with the following information on the specific processing concerning him or her in order to enable him or her to protect his or her rights under Article 22(3) GDPR in their entirety:
Fifth questionDoes the provision of Article 15(4) GDPR in any way limit the scope of the information to be provided pursuant to Article 15(1)(h) GDPR? If this question is answered in the affirmative, is this right of access limited by Article 15(4) GDPR, and how is the extent of the limitation to be determined in each individual case? Sixth questionIs the provision of Article 4(6) of the Law on Data protection, according to which 'the right of access of the data subject pursuant to Article 15 GDPR, as a rule, does not (exist) vis-à-vis the controller if the provision of such information would violate a business or trade secret of the controller or third parties' compatible with the requirements of Article 15(1) GDPR in conjunction with Article 22(3) GDPR? If the above question is answered in the affirmative, what are the conditions for such compatibility? | Richard de la Tour | 2024-09-12 | 15 GDPR, 15(1) GDPR, 15(1)(h) GDPR, 15(4) GDPR, 22 GDPR, 22(3) GDPR, 23 GDPR, 23(1) GDPR, 23(1)(i) GDPR | |
CJEU ILVA - Fine for infringement of the GDPR [C-383/23] | C-383/23 | ILVA | A-G opinion delivered | 2023-06-21 | 2024-09-12 | Vestre Landsret | Denmark | First questionMust the term ‘undertaking’ in Article 83(4) to (6) GDPR be understood as an undertaking within the meaning of Articles 101 and 102 TFEU, in conjunction with recital 150 GDPR, and the case-law of the Court of Justice of the European Union concerning EU competition law, so that the term ‘undertaking’ covers any entity engaged in an economic activity, regardless of that entity’s legal status and the way in which it is financed? Second questionIf the answer to the Question 1 is in the affirmative, must Article 83(4) to (6) GDPR be interpreted as meaning that, when imposing a fine on an undertaking, regard must be had to the total worldwide annual turnover of the economic entity of which the undertaking forms part, or only the total worldwide annual turnover of the undertaking itself? | Medina | 2024-09-12 | 83 GDPR, 83(5)(a) GDPR, 83(5)(b) GDPR, 83(5)(e) GDPR, 83(5)(c) GDPR, 83(5)(d) GDPR, 83(4) GDPR, 83(4)(a) GDPR, 83(4)(b) GDPR, 83(4)(c) GDPR, 83(6) GDPR | 2024-06-19 |
CJEU Deldits [C-247/23] | C-247/23 | Deldits | A-G opinion delivered | 2023-04-18 | 2024-09-12 | Fővárosi Törvényszék | Hungary | First questionMust Article 16 GDPR be interpreted as meaning that, in connection with the exercise of the rights of the data subject, the authority responsible for keeping registers under national law is required to rectify the personal data relating to the sex of that data subject recorded by that authority, where those data have changed after they were entered in the register and therefore do not comply with the principle of accuracy established in Article 5(1)(d) GDPR? Second questionIf the answer to the first question referred is in the affirmative, must Article 16 GDPR be interpreted as meaning that it requires the person requesting rectification of the data relating to his or her sex to provide evidence in support of the request for rectification? Third questionIf the answer to the second question referred is in the affirmative, must Article 16 GDPR be interpreted as meaning that the person making the request is required to prove that he or she has undergone sex reassignment surgery? | Collins | 2024-09-12 | 5 GDPR, 5(1)(d) GDPR, 16 GDPR | 2024-06-03 |
CJEU Österreichische Datenschutzbehörde - Excessive requests [C-416/23] | C-416/23 | Österreichische Datenschutzbehörde (Excessive requests) | A-G opinion delivered | 2023-07-06 | 2024-09-05 | Verwaltungsgerichtshof | Austria | First questionMust the concept of ‘requests’ or ‘request’ in Article 57(4) GDPR be interpreted as meaning that it also covers ‘complaints’ under Article 77(1) of the GDPR? If Question 1 is answered in the affirmative: Second questionMust Article 57(4) GDPR be interpreted as meaning that, for requests to be ‘excessive’, it is sufficient that a data subject has merely addressed a certain number of requests (complaints under Article 77(1) GDPR) to a supervisory authority within a certain period of time, irrespective of whether the facts are different and/or whether the requests (complaints) concern different controllers, or is an abusive intention on the part of the data subject required in addition to the frequent repetition of requests (complaints)? Third questionMust Article 57(4) GDPR be interpreted as meaning that, in the case of a ‘manifestly unfounded’ or ‘excessive’ request (complaint), the supervisory authority is free to choose whether to charge a reasonable fee based on the administrative costs of processing it or refuse to process it from the outset? If not, which circumstances and criteria must the supervisory authority take into account? In particular, is the supervisory authority obliged to charge a reasonable fee primarily, as a less severe measure, and entitled to refuse to process manifestly unfounded or excessive requests (complaints) only in the event that charging a fee to prevent such requests is futile? | Richard de la Tour | 2024-09-05 | 57 GDPR, 57(4) GDPR, 77 GDPR, 77(1) GDPR | |
CJEU Your personal driver [C-534/24] | C-534/24 | Your personal dirver | Proceedings initiated | 2024-08-02 | 2024-08-02 | Giudice di pace di Roma | Italy | |||||
CJEU Brillen Rottler [C-526/24] | C-526/24 | Brillen Rottler | Questions or pleas published | 2024-07-31 | 2024-07-31 | Amtsgericht Arnsberg | Germany | First questionIs Article 12 (5) second sentence GDPR to be interpreted as meaning that an excessive request for information by the data subject cannot be present at the first request to the controller? Second questionIs Article 12(5) second sentence of the GDPR to be interpreted as meaning that the controller may refuse a data subject's request for information if the data subject intends to use the request for information to provoke claims for damages against the controller? Third questionIs Article 12(5) second sentence GDPR to be interpreted as meaning that publicly accessible information about the data subject which allows the conclusion that the data subject, in a large number of cases of data protection infringements, asserts claims for damages against controllers, can justify the refusal to provide information? Fourth questionIs Article 4(2) GDPR to be interpreted as meaning that a data subject's request for information to the controller under Article 15(1) GDPR and/or the controller's response to that request constitutes processing within the meaning of Article 4(2) GDPR? Fifth questionIs Article 82(1) of the GDPR, in the light of recital 146, first sentence, 1 GDPR to be interpreted as meaning that only those damages that arise or have arisen for the data subject as a result of processing are eligible for compensation? Does this mean that, for a claim for damages under Article 82(1) of the GDPR, provided that the data subject has suffered causal damage, there must necessarily have been processing of the personal data of the data subject? Sixth questionIf the answer to question 5 is in the affirmative: does this mean that the data subject – assuming the existence of causal damage – has no right to compensation under Article 82(1) GDPR solely on the basis of a breach of his right of access under Article 15(1) GDPR? Seventh questionIs Article 82(1) GDPR to be interpreted as meaning that the controller's objection of abuse of rights in relation to a data subject's request for information, having regard to EU law, cannot consist in the fact that the data subject has brought about the processing of his personal data solely or inter alia in order to assert claims for damages? Eighth questionIf the answers to questions 5 and 6 are in the negative: does the mere loss of control and/or uncertainty regarding the processing of the data subject's personal data, which is associated with a breach of Article 15(1) GDPR, constitute non-material damage to the data subject within the meaning of Article 82(1) GDPR, or is a further (objective or subjective) restriction and/or (appreciable) impairment of the data subject required? | 4(2) GDPR, 12 GDPR, 12(5) GDPR, 12(5)(a) GDPR, 12(5)(b) GDPR, 15 GDPR, 15(1) GDPR, 15(1)(a) GDPR, 15(1)(b) GDPR, 15(1)(c) GDPR, 15(1)(d) GDPR, 15(1)(e) GDPR, 15(1)(f) GDPR, 15(1)(g) GDPR, 15(1)(h) GDPR, 82 GDPR, 82(1) GDPR | |||
CJEU Mousse [C-394/23] | C-394/23 | Mousse | A-G opinion delivered | 2023-06-28 | 2024-07-11 | Conseil d'État | France | First questionIn order to assess whether data collection is adequate, relevant and limited to what is necessary, within the meaning of Article 5(1)(c) GDPR and the need for processing in accordance with Article 6(1)(b) GDPR and 6(1)(f) GDPR, may account be taken of commonly accepted practices in civil, commercial and administrative communications, with the result that the collection of data relating to customers’ civil titles, which is limited to ‘Mr’ or ‘Ms’, may be regarded as necessary, without this being precluded by the principle of data minimisation? Second questionIn order to assess the need for the compulsory collection and processing of data relating to customers’ civil titles, even though some customers consider that they do not come under either of the two civil titles and that the collection of such data is not relevant in their case, should account be taken of the fact that those customers may, after having provided those data to the data controller in order to benefit from the service offered, exercise their right to object to the use and storage of those data by relying on their particular situation, in accordance with Article 21 GDPR? | Szpunar | 2024-07-11 | 5 GDPR, 5(1)(c) GDPR, 6 GDPR, 6(1)(b) GDPR, 6(1)(f) GDPR, 21 GDPR, 21(1) GDPR | 2024-04-29 |
CJEU NTH Haustechnik [C-484/24] | C-484/24 | NTH Haustechnik | Questions or pleas published | 2024-07-10 | 2024-07-10 | Landesarbeitsgericht Niedersachsen | Germany | First questionDo the provisions of Article 92 of the Grundgesetz (Basic Law, ‘the GG’), Sections 138, 286, 355 et seq. of the Zivilprozessordnung (Code of Civil Procedure, ‘the ZPO’) in the case of an independent judicial processing activity falling under Article 6(1)(e) GDPR and 6(3) GDPR fulfil the requirement of certainty arising from Article 8(2), Article 52(1) Charter of Fundamental Rights of the European Union (‘the CFR’) and Article 5(1)(c) GDPR if the judicial processing activity involves interference with fundamental rights for a party or a third party? Second questionSub-question (a)When processing data – in particular personal data – can a national court rely on the fact that such processing is authorised under Article 17(3)(e) GDPR, or do Articles 6 GDPR and 9 GDPR constitute the exclusive basis for judicial processing activities? Sub-question (b)If Article 17(3)(e) GDPR can in principle form a legal basis for judicial processing activities: (aa) Does this also apply to cases in which the original collection of those data by a litigant or a third party was not lawful? (bb) Does the processing of originally unlawfully collected data under the generally applicable principle of good faith (Article 5(1)(a) GDPR) lead to a restriction of judicial processing under secondary law in the sense that Article 17(3)(e) GDPR is only applicable under certain conditions or within certain limits? (cc) Is the provision in Article 17(3)(e) GDPR to be understood in such a way that a prohibition on the judicial utilisation of originally unlawfully obtained data is always excluded – i.e. the court must always utilise those data – if the original data collection was not covert and was used to prove an intentional breach of duty? Third questionIrrespective of whether the judicial data processing activity is subject to Article 17(3)(e) GDPR or Article 6(1)(c) GDPR or 6(1)(e) GDPR, 6(3) GDPR, Article 9 GDPR or other provisions of EU law: Sub-question (a)Do the principles of necessity and data minimisation under data protection law pursuant to Article 52(1) sentence 2 Charter, Article 5(1)(a) GDPR, in particular with regard to the processing of originally unlawfully collected or stored data, give rise to the need for a comprehensive proportionality test and balancing by the courts? Sub-question (b)What impact does Article 5(1)(e) GDPR, which stipulates that personal data may be kept for no longer than is necessary for the purposes for which such data are processed, have on subsequent judicial data processing activities, in particular in cases where
Sub-question (c)Does it follow from EU law, in particular from Article 8 Charter, Article 6(1)(c) GDPR or 6(1)(e) GDPR, 6(3) GDPR, Article 9 GDPR, that the national court can utilise evidence that was obtained in violation of personal rights only if there is a recognisable interest of the party bearing the burden of proof that goes beyond the simple interest in evidence, or do no requirements follow from EU law in this respect, such that it is up to the national legal system to make provisions in that regard? Sub-question (d)Does it follow from Article 47(2) Charter, which guarantees the right to effective judicial protection and, in particular, to a fair trial, according to which the parties to civil proceedings must in principle be able sufficiently to substantiate and prove their legal protection objective, that the judicial processing of personal data of the applicant employee unlawfully collected by the employer can only be inappropriate and disproportionate in the narrower sense if the data collection under EU law would prove to be a serious infringement of Article 7 Charter and Article 8 Charter and other possible sanctions for the employer (e.g. compensation for damages under Article 82 GDPR and the imposition of fines under Article 83 GDPR) would be completely inadequate, or can inappropriateness and disproportionality be established even in the case of other, less serious breaches of data protection law during the original data collection? Sub-question (e)When deciding whether to utilise the data originally collected from a party or a third party as part of its judicial data processing activities, does the court have to take into account whether the data collector has complied with its information obligations under Article 13 GDPR? If so: Under what conditions and according to what standards must the court take this into account? Sub-question (f)Does the fact that the Court is bound by the GDPR and the Charter of Fundamental Rights of the European Union when processing personal data also include the personal data of third parties? In what way does a possible breach of data protection law in the original data collection have an effect on any subsequent judicial data processing in a dispute between two parties? Can a party rely on an offence committed not against it but against third parties, or is that not the case? | 5 GDPR, 5(1) GDPR, 5(1)(a) GDPR, 5(1)(c) GDPR, 5(1)(e) GDPR, 6 GDPR, 6(1) GDPR, 6(1)(c) GDPR, 6(1)(e) GDPR, 6(3) GDPR, 9 GDPR, 9(1) GDPR, 9(2) GDPR, 9(2)(a) GDPR, 9(2)(b) GDPR, 9(2)(c) GDPR, 9(2)(d) GDPR, 9(2)(e) GDPR, 9(2)(f) GDPR, 9(2)(g) GDPR, 9(2)(h) GDPR, 9(2)(i) GDPR, 9(2)(j) GDPR, 9(3) GDPR, 9(4) GDPR, 13 GDPR, 13(1) GDPR, 13(1)(a) GDPR, 13(1)(b) GDPR, 13(1)(c) GDPR, 13(1)(d) GDPR, 13(1)(e) GDPR, 13(1)(f) GDPR, 13(2) GDPR, 13(2)(a) GDPR, 13(2)(b) GDPR, 13(2)(c) GDPR, 13(2)(d) GDPR, 13(2)(e) GDPR, 13(2)(f) GDPR, 13(3) GDPR, 17 GDPR, 17(3) GDPR, 17(3)(e) GDPR, 82 GDPR, 82(1) GDPR, 82(2) GDPR, 82(3) GDPR, 82(4) GDPR, 82(5) GDPR, 82(6) GDPR, 83 GDPR, 83(1) GDPR, 83(2) GDPR, 83(2)(a) GDPR, 83(2)(b) GDPR, 83(2)(c) GDPR, 83(2)(d) GDPR, 83(2)(e) GDPR, 83(2)(f) GDPR, 83(2)(g) GDPR, 83(2)(h) GDPR, 83(2)(i) GDPR, 83(2)(j) GDPR, 83(2)(k) GDPR, 83(3) GDPR, 83(4) GDPR, 83(4)(a) GDPR, 83(4)(b) GDPR, 83(4)(c) GDPR, 83(5) GDPR, 83(5)(a) GDPR, 83(5)(b) GDPR, 83(5)(c) GDPR, 83(5)(d) GDPR, 83(5)(e) GDPR, 83(6) GDPR, 83(7) GDPR, 83(8) GDPR, 83(9) GDPR | |||
CJEU Čiekuri-Shishki [C-480/24] | C-480/24 | Čiekuri-Shishki | Questions or pleas published | 2024-07-09 | 2024-07-09 | Augstākā tiesa (Senāts) | Latvia | First questionWhat circumstances indicate that the person concerned is a person within the meaning of Article 2 of Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of acts undermining or threatening the territorial integrity, sovereignty and independence of Ukraine ('Regulation No 269/2014')? Is a legal person whose shares are 50 % held by a legal person whose beneficial owner is on the list of natural persons listed in the Annex to Council Implementing Regulation (EU) 2022/336 of 28 February 2022 implementing Regulation (EU) No 269/2014 concerning restrictive measures concerning acts that undermine or threaten the territorial integrity, sovereignty and independence of Ukraine to be regarded as a related legal person? Second questionIf the answer to the second part of Question 1 is in the affirmative, is a legal person, within the meaning of Article 2 of Regulation (EU) No 269/2014, also a related legal person of which the legal person described in the second part of Question 1 has a 50 % shareholding? Third questionAre the persons, entities or bodies referred to in Article 11(1)(b) of Regulation No 269/2014 also to be regarded as connected legal persons within the meaning of Article 2 of Regulation No 269/2014? Fourth questionIn the determination of any claim, must the Court independently verify whether the parties to the claim are persons referred to in Article 2 or Article 11(1)(a) or (b) of Regulation No 269/2014? Fifth questionWhat are the legal consequences of Article 11(1) of Regulation No 269/2014 stating that claims brought by persons referred to in subparagraph 'a' or 'b' of that paragraph are 'unsatisfactory', and is it permissible to examine the merits of such claims if the court states in the operative part of the judgment that the judgment is not enforceable so long as those persons are included in the relevant lists? Sixth questionDoes Article 11(1) of Regulation No 269/2014 produce legal effects where the claimant is not the person referred to in subparagraph (a) or (b) but the respondent is the person referred to in subparagraph (a) or (b)? Seventh questionShould the data of the natural person subject to sanctions (name and surname) be disclosed in the grounds for the judicial decision and should those personal data be pseudonymised when the judicial decision is published? | 2 GDPR, 2(1) GDPR, 2(2) GDPR, 2(2)(a) GDPR, 2(2)(b) GDPR, 2(2)(c) GDPR, 2(2)(d) GDPR, 2(3) GDPR, 2(4) GDPR, 4(5) GDPR | |||
CJEU NADA Austria and Others II [C-474/24] | C-474/24 | NADA and Others II | Questions or pleas published | 2024-07-04 | 2024-07-04 | Bundesverwaltungsgericht | Austria | First questionDoes the processing of personal data, by which their name, the sport practised, the anti-doping rule violation committed, the sanction and the start and end of the sanction are published on the publicly accessible part of the website of XXXX in the form of an entry in a table and in publicly accessible XXXX of XXXX under XXXX, fall within the scope of application of Union law within the meaning of the first sentence of Article 16(2), first sentence, TFEU, so that the GDPR applies to such processing of personal data? Second questionIf the answer to question 1 is in the affirmative: Is the information that a particular person has committed a particular doping offence and is banned from participating in (national and international) competitions because of this offence a "health data" within the meaning of Article 9 GDPR? Third questionDoes the GDPR – in particular with regard to Article 6(3) GDPR second subparagraph – preclude a national provision which provides for the publication of the name of the persons affected by the decision of the Austrian Anti-Doping Legal Commission or the Independent Arbitration Commission, the duration of the ban and the reasons for it, without it being possible to draw conclusions about the health data of the person concerned? Does it matter that, according to the national legislation, publication of this information to the general public can only be avoided if the person concerned is a recreational athlete, a minor or a person who has contributed significantly to the discovery of potential anti-doping violations by disclosing information or other evidence? Fourth questionDoes the GDPR – in particular with regard to the principles of Article 5(1)(a) GDPR and 5(1)(c) GDPR – require, in any event, a balancing of interests before publication, on the one hand, between the personal interests of the data subject affected by publication and, on the other hand, the public interest in information about the anti-doping offence committed by an athlete? Fifth questionDoes the information that a particular person has committed a particular doping offence and is banned from participating in (national and international) competitions because of that offence constitute the processing of personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR? Sixth questionIf the answer to question 5 is in the affirmative: Must the activities or decisions of a public authority to which the supervision of the processing of personal data relating to criminal convictions and offences or related security measures has been delegated in accordance with Article 10 GDPR be subject to judicial review?
| 5 GDPR, 5(1)(a) GDPR, 5(1)(c) GDPR, 6 GDPR, 6(3) GDPR, 9 GDPR, 9(1) GDPR, 9(2) GDPR, 9(2)(a) GDPR, 9(2)(b) GDPR, 9(2)(c) GDPR, 9(2)(d) GDPR, 9(2)(e) GDPR, 9(2)(f) GDPR, 9(2)(g) GDPR, 9(2)(h) GDPR, 9(2)(i) GDPR, 9(2)(j) GDPR, 9(3) GDPR, 9(4) GDPR, 10 GDPR, 17 GDPR, 17(1) GDPR, 17(1)(a) GDPR, 17(1)(b) GDPR, 17(1)(c) GDPR, 17(1)(d) GDPR, 17(1)(e) GDPR, 17(1)(f) GDPR, 17(2) GDPR, 17(3) GDPR, 17(3)(a) GDPR, 17(3)(b) GDPR, 17(3)(c) GDPR, 17(3)(d) GDPR, 17(3)(e) GDPR, 77 GDPR, 77(1) GDPR, 77(2) GDPR | |||
CJEU Netz Niederösterreich [C-468/24] | C-468/24 | Netz Niederösterreich | Questions or pleas published | 2024-07-03 | 2024-07-03 | Landesgericht St. Pölten | Austria | First questionMust Article 22 of Directive (EU) 2019/944 of the European Parliament and of the Council of 5 June 2019 on common rules for the internal market for electricity and amending Directive 2012/27/EU ('the Electricity Directive 2019/944'), read in conjunction with Annex II of that directive, be interpreted as meaning that a system operator is required to [take into consideration] a final customer's wish not to receive a smart meter, and has an obligation in such a case to provide the final customer with a conventional meter instead of a smart meter? Second questionMust Article 2(1) of Directive 2014/32/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of measuring instruments, which defines in more detail a 'measuring instrument' within the meaning of the instrument-specific Annexes III to XII (active electrical energy meters [MI-003]), read in conjunction with Article 20(b) and (c) and Article 23(3) of the Electricity Directive 2019/44, be interpreted in such a way that it runs counter to a provision of national law (point 31 of Paragraph 7(1) of the Elektrizitätswirtschafts- und organisationsgesetz 2010 (Law on the organisation of the electricity sector 2010) in the version in BGBl I No. 17/2021, 'the ElWOG'), which does not lay down any specific data protection requirements in relation to meters? Third questionMust Article 20(b) and (c), Article 21(1)(a) and Article 23(3) of the Electricity Directive 2019/44 also take into consideration Article 6(1) of Directive 1999/34/EC of the European Parliament and of the Council of 10 May 1999 amending Council Directive 85/37/EEC on the approximation of the laws, resolutions and administrative provisions of the Member States concerning liability for defective products? Fourth questionMust Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector ('Directive on privacy and electronic communication'), be interpreted as meaning that the term 'electronic communications network' is also applicable to an electricity system via which data (consumption data, metadata, personal identity) are transmitted for the purposes of Article 20(b) and (c), Article 21(1)(a) and Article 23(3) of the Electricity Directive 2019/944? Fifth questionMust Articles 5(1)(f) GDPR, Article 13 GDPR and Article 32(2) GDPR and Article 7, Article 8(1) and (2) of the Charter of Fundamental Rights of the European Union ('the Charter') be interpreted as contradicting a national provision (Paragraph 1(6) of the Intelligente Messgeräte-Einführungsverordnung (Ordinance on the introduction of smart meters), BGBl II No. 138/2012 in the version in BGBl II No. 9/2022 of 13 January 2022, 'the IME-VO'), according to which only the respective configuration of the reading interval must be visible for the final customer, but not whether the system operator recognised a 'justified individual case' (Paragraph 84a(1) of the ElWOG) and has retrieved data of the final customer before the set interval? Sixth questionHaving regard to Article 52(3) of the Charter, the fifth recital thereof and the explanations relating to Article 7 of the Charter, must the case-law of the European Court of Human Rights on Article 8 of the European Convention on Human Rights taken into account for the purpose of interpreting Article 20(b) and (c), Article 21(1)(a) and Article 23(3) of the Electricity Directive? | 13 GDPR, 13(1) GDPR, 13(1)(a) GDPR, 13(1)(b) GDPR, 13(1)(c) GDPR, 13(1)(d) GDPR, 13(1)(e) GDPR, 13(1)(f) GDPR, 13(2) GDPR, 13(2)(a) GDPR, 13(2)(b) GDPR, 13(2)(c) GDPR, 13(2)(d) GDPR, 13(2)(e) GDPR, 13(2)(f) GDPR, 13(3) GDPR, 13(4) GDPR, 5 GDPR, 5(1) GDPR, 5(1)(f) GDPR, 32 GDPR, 32(2) GDPR | |||
CJEU Russmedia Digital and Inform Media Press [C-492/23] | C-492/23 | Russmedia Digital and Inform Media Press | Hearing held | 2023-08-03 | 2024-07-02 | Curtea de Apel Cluj | Romania | First questionDo Articles 12 to 14 eCommerce Directive 2000/31/EC also apply to a storage and hosting information service provider that makes available to users a website on which free or paid advertisements may be published, which claims that its role in publishing users’ advertisements is purely technical (making the platform available), but which, through the general terms and conditions of use of the website, indicates that it does not claim ownership over the content that is provided, published, uploaded or transmitted, yet retains the right to use the content, including by means of copying it, distributing it, transmitting it, publishing it, reproducing it, modifying it, translating it, transferring it to partners and removing it at any time, without the need for any reason for doing so? Second questionMust Article 2(4) GDPR, Article 4(7) GDPR and 4(11) GDPR, Article 5(1)(f) GDPR, Article 6(1)(a) GDPR, Articles 7 GDPR, 24 GDPR and 25 GDPR and Article 15 eCommerce Directive 2000/31/EC be interpreted as requiring such a storage and hosting information service provider, which is the personal data controller, to verify before publishing an advertisement whether the person publishing the advertisement and the owner of the personal data referred to in the advertisement are the same person? Third questionMust Article 2(4) GDPR, Article 4(7) GDPR and 4(11) GDPR, Article 5(1)(f) GDPR, Article 6(1)(a) GDPR, Articles 7 GDPR, 24 GDPR and 25 GDPR and Article 15 eCommerce Directive 2000/31/EC be interpreted as requiring such a storage and hosting information service provider, which is the personal data controller, to verify in advance the content of advertisements published by users, in order to exclude advertisements which are potentially unlawful in nature or likely to infringe a person’s private and family life? Fourth questionMust Article 5(1)(b) GDPR and 5(1)(f) GDPR, Articles 24 GDPR and 25 GDPR and Article 15 eCommerce Directive 2000/31/EC be interpreted as requiring such a storage and hosting information service provider, which is the personal data controller, to apply safeguards which prevent or limit the reproduction and redistribution of the content of the advertisements published through it? | 2 GDPR, 2(4) GDPR, 4 GDPR, 4(7) GDPR, 4(11) GDPR, 5 GDPR, 5(1)(f) GDPR, 6 GDPR, 6(1)(a) GDPR, 7 GDPR, 7(1) GDPR, 7(2) GDPR, 7(3) GDPR, 7(4) GDPR, 24 GDPR, 24(1) GDPR, 24(2) GDPR, 24(3) GDPR, 25 GDPR, 25(1) GDPR, 25(2) GDPR, 25(3) GDPR | 2024-07-02 | ||
CJEU Imagens Médicas Integradas [C-258/23 to C-260/23] | C-258/23 to C-260/23 | Imagens Médicas Integradas | A-G opinion delivered | 2023-06-24 | 2024-06-20 | Tribunal da Concorrência, Regulação e Supervisão | Portugal | Medina | 2024-06-20 | |||
CJEU Multan [C-431/24] | C-431/24 | Multan | Questions or pleas published | 2024-06-20 | 2024-06-20 | Rechtbank Den Haag, zittingsplaats Roermond - Netherlands | Netherlands | First questionShould Article 23(1) of Directive 2013/32, read in conjunction with Article 46(1) of Directive 2013/32, and having regard to Articles 4 and 47 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that the (access to the) information in the applicant's file on the basis of which a decision has been or will be made also includes (access to) information on the manner in which that information was gathered and obtained? Second questionDoes Article 5 of Directive 2008/115, read in conjunction with Article 13(1) of Directive 2008/115, and having regard to Articles 4, 19(2) and 47 of the Charter of Fundamental Rights of the European Union, require the judicial authority reviewing the lawfulness of a return decision to ascertain how the information referred to in Article 23(1) of Directive 2013/32 was gathered and obtained? | ||||
CJEU Storstockholms Lokaltrafik [C-422/24] | C-422/24 | AB Storstockholms Lokaltrafik | Questions or pleas published | 2024-06-17 | 2024-06-17 | Högsta förvaltningsdomstolen | Sweden | Which of Articles 13 and 14 of the GDPR applies where personal data are obtained by a body camera? | 13 GDPR, 13(1) GDPR, 13(1)(a) GDPR, 13(1)(b) GDPR, 13(1)(c) GDPR, 13(1)(d) GDPR, 13(1)(e) GDPR, 13(1)(f) GDPR, 13(2) GDPR, 13(2)(a) GDPR, 13(2)(b) GDPR, 13(2)(c) GDPR, 13(2)(d) GDPR, 13(2)(e) GDPR, 13(2)(f) GDPR, 13(3) GDPR, 13(4) GDPR, 14 GDPR, 14(1) GDPR, 14(1)(a) GDPR, 14(1)(b) GDPR, 14(1)(c) GDPR, 14(1)(d) GDPR, 14(1)(e) GDPR, 14(1)(f) GDPR, 14(2) GDPR, 14(2)(a) GDPR, 14(2)(b) GDPR, 14(2)(c) GDPR, 14(2)(d) GDPR, 14(2)(e) GDPR, 14(2)(f) GDPR, 14(2)(g) GDPR, 14(3) GDPR, 14(3)(a) GDPR, 14(3)(b) GDPR, 14(3)(c) GDPR, 14(4) GDPR, 14(5) GDPR, 14(5)(a) GDPR, 14(5)(b) GDPR, 14(5)(c) GDPR, 14(5)(d) GDPR | |||
CJEU Ministerstvo na vatreshnite raboti [Registration of biometric and genetic data II] [C-80/23] | C-80/23 | Ministerstvo na vatreshnite raboti (Registration of biometric and genetic data II) | A-G opinion delivered | 2023-02-14 | 2024-06-13 | Sofiyski gradski sad | Bulgaria | First questionIs the requirement of assessing ‘strict necessity’ under Article 10 LED Directive 2016/680, as interpreted by the Court of Justice in paragraph 133 of the judgment of 26 January 2023, Ministerstvo na vatreshnite raboti, C-205/21, satisfied if it is carried out solely on the basis of the decision accusing the person and on the basis of her written refusal to have her biometric and genetic data collected, or is it necessary for the court to have before it all the material in the file which, under national law, is made available to it in the event of an application for authorisation to carry out investigative measures which infringe the legal sphere of natural persons, where that application is made in a criminal case? Second questionIf the Court of Justice answers the first question in the affirmative – after having been provided with the case file, may the court in the context of the assessment of ‘strict necessity’ pursuant to Article 10 LED Directive 2016/680 in conjunction with Article 6(a) LED Directive 2016/680 also consider whether there are reasonable grounds to suspect that the accused has committed the criminal offence referred to in the accusation? | Richard de la Tour | 2024-06-13 | 2024-03-20 | |
CJEU DocFinder and Others [C-414/24] | C-414/24 | DocFinder and Others | Questions or pleas published | 2024-06-13 | 2024-06-13 | Verwaltungsgerichtshof | Austria | First questionAre Articles 77 GDPR and 79 GDPR applicable in light of the ECJ's statements in the judgments of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C-132/21, EU:C:2023:2 and of 7 December 2023, SCHUFA Holding and Others (Release of outstanding debt), C-26/22 and C-64/22, EU:C:2023:958, to the effect that
Second questionand if the first question is answered in the negative,
| 77 GDPR, 77(1) GDPR, 77(2) GDPR, 79 GDPR, 79(1) GDPR, 79(2) GDPR | |||
CJEU Másdi [C-169/23] | C-169/23 | Masdi | A-G opinion delivered | 2023-03-17 | 2024-06-06 | Kúria | Hungary | First questionMust Article 14(5)(c) GDPR, read in conjunction with Article 14(1) GDPR and recital 62 thereof, be interpreted as meaning that the exception laid down in Article 14(5)(c) GDPR does not refer to data generated by the controller in its own procedure but rather only to data which the controller has expressly obtained from another person? Second questionIf Article 14(5)(c) GDPR is also applicable to data generated by the controller in its own procedure, must the right to lodge a complaint with a supervisory authority, laid down in Article 77(1) GDPR, be interpreted as meaning that a natural person who alleges an infringement of the obligation to provide information is entitled, when exercising his or her right to lodge a complaint, to request an examination of whether Member State law provides appropriate measures to protect the data subject’s legitimate interests, in accordance with Article 14(5)(c) GDPR? Third questionIf the answer to the second question is in the affirmative, may Article 14(5)(c) GDPR be interpreted as meaning that the ‘appropriate measures’ referred to in that provision require the national legislature to transpose (by means of legislation) the measures relating to the security of data laid down in Article 32 GDPR? | Medina | 2024-06-06 | 14 GDPR, 77 GDPR, 32(1) GDPR, 32(1)(a) GDPR, 32(1)(b) GDPR, 32(1)(c) GDPR, 32(1)(d) GDPR, 32(2) GDPR, 32(3) GDPR, 32(4) GDPR, 14(1) GDPR, 14(5)(c) GDPR, 32 GDPR, 77(1) GDPR | |
CJEU Comdribus [C-371/24] | C-371/24 | Comdribus | Questions or pleas published | 2024-05-24 | 2024-05-24 | Cour d'appel de Paris | France | First questionIs Article 10 LED, read in conjunction with Article 4(1)(a) LED, 4(1)(b) LED and 4(1)(c) LED and Article 8(1) LED and 8(2) LED, to be interpreted as precluding national legislation, such as Article 55-1 of the French Code of Criminal Procedure, which provides for the systematic gathering of identification data (fingerprints and photographs) from persons who are suspected on one or more grounds of having committed or attempted to commit an offence? Second questionIs Article 10 LED, read in conjunction with Article 4(1)(a) LED, 4(1)(b) LED and 4(1)(c) LED and Article 8(1) LED and 8(2) LED, to be interpreted as precluding national legislation, such as Article 55-1 of the French Code of Criminal Procedure, which does not impose on the competent authority an obligation to provide, in each individual case, a sufficient statement of reasons as to why it is strictly necessary to gather identification data? Third questionIs Article 10 LED, read in conjunction with Article 4(1)(a) LED, 4(1)(b) LED and 4(1)(c) LED and Article 8(1) LED and 8(2) LED, to be interpreted as precluding national legislation, such as Article 55-1 of the French Code of Criminal Procedure, which allows the prosecution and conviction on a standalone basis of a person who has refused to consent to the gathering of identification data even though that person is not prosecuted for or convicted of the offence which formed the basis of the measure for gathering identification data? | ||||
CJEU AGCOM [C-345/24] | C-345/24 | AGCOM | Questions or pleas published | 2024-05-10 | 2024-05-10 | Consiglio di Stato | Italy | First questionDoes Regulation (EU) 2018/644 of the European Parliament and of the Council of 18 April 2018 on cross-border parcel delivery services, with regard to the collection of information, apply as such only to cross-border delivery service providers or, in general, to all parcel delivery service providers, subject to specific exclusions relating to individual provisions? Second questionIf the answer to Question 1 is that it applies only to cross-border delivery service providers, does Directive 97/67/EC, or do the so-called ‘implied powers’, provide the legal basis for the national regulatory authorities to impose, in any event, on delivery service providers, even non-cross-border ones, general obligations to provide information? Third questionIf the answer to Question 2 is no, must the fact that Regulation (EU) 2018/644 of the European Parliament and of the Council of 18 April 2018 does not apply to non-cross-border delivery providers be regarded as reasonable, nondiscriminatory and in accordance with Articles 14, 114 and 169 of the Treaty on the Functioning of the European Union? Fourth questionTo what extent (including from the perspective of necessity and proportionality) can the national regulatory authority impose obligations to provide information on parcel delivery service providers and, in particular, is it possible to impose, on all providers without distinction, obligations to provide information concerning:
(i) the conditions applied to different types of customers; (ii) the contracts which govern the relations between the individual undertaking that provides the parcel delivery service and the undertakings which in various ways, according to the specificities of the sector, contribute to providing that service; (iii) the economic conditions and the legal protection afforded to workers employed in various capacities in providing the service? | ||||
CJEU Darashev [C-312/24] | C-312/24 | Darashev | Questions or pleas published | 2024-04-29 | 2024-04-29 | Sofiyski rayonen sad | Bulgaria | Is Article 2(1)GDPR to be interpreted as meaning that data processing includes activities within one and the same organisational structure, in which some of its directorates perform the duties of an employer while one other directorate has the function of an investigating authority in criminal proceedings against employees of the other directorates? If the answer is in the affirmative: First questionIs the expression ‘processing of personal data’ in Article 4(2) GDPR to be interpreted as covering an activity in the context of which information concerning a particular employee which has been obtained by the employer, in its capacity as the investigating authority, through one of its directorates is added to that employee’s personal file? Second questionIs the expression ‘filing system’ in Article 4(6) GDPR to be interpreted as covering the personal file of an employee or worker working in a directorate of the employer where the information has been collected by another directorate of the employer which has the status of an investigating authority? Third questionIs Article 9(2)(b) GDPR to be interpreted as meaning that an organisational entity of an employer may gather and store data indicating that a particular employee was suspected of, charged with or put on trial for a criminal offence in criminal proceedings if that information was collected by another organisational entity of the employer which has the status of an investigating authority? Fourth questionIs the ‘right to be forgotten’ within the meaning of Article 17(1)(a) GDPR to be interpreted as meaning that an employer is required to erase from the personal file of the employee any data which it has collected and stored through another of its directorates, which has the status of a public authority for the purposes of investigating its employees, and which indicate that the employee: 4.1. is suspected of, charged with or on trial for a criminal offence in pending criminal proceedings, or 4.2. was suspected of, charged with or put on trial for a criminal offence for which criminal proceedings were stayed or abandoned? Fifth question5. Must personal data ‘unlawfully processed’ within the meaning of Article 17(1)(d) GDPR be interpreted as including data which the employer has received, collected and stored through another of its organisational entities which performs investigative functions in criminal proceedings against employees of other organisational entities of the employer, where those data are recorded in the personal file and relate to the fact that the employee has been suspected of, charged with or on trial for a criminal offence, that is to say: 5.1. is suspected of, charged with or on trial for a criminal offence in pending criminal proceedings, or 5.2. was suspected of, charged with or on trial for a criminal offence for which criminal proceedings were stayed or abandoned? Sixth questionAre ‘personal data’ within the meaning of Article 3(1) LED, read in conjunction with Article 52 Charter of Fundamental Rights of the European Union, to be interpreted as meaning data which have been obtained, collected and stored by the employer through one of its organisational entities which performs the functions of an investigating authority in criminal proceedings against an employee serving in another organisational entity of the employer? Seventh questionIs ‘processing’ within the meaning of Article 3(2) LED, read in conjunction with Article 52 Charter of Fundamental Rights of the European Union, to be interpreted as meaning that it encompasses an activity consisting in the employer storing in the employee’s personal file data which the employer has obtained, collected and stored through one of its organisational entities which performs the duties of an investigating authority in criminal proceedings against any of the employer’s employees serving in another of its organisational entities? Eighth questionIs Article 9(1) LED, read in conjunction with Article 52 Charter of Fundamental Rights of the European Union, to be interpreted as meaning that it permits the employer to collect and store information on an employee who is suspected of, charged with or on trial for a criminal offence in cases where the employer collected that information through another of its organisational entities which has the status of an investigating authority in criminal proceedings against that employee? Ninth questionIs Article 16(2) LED, read in conjunction with Article 52 Charter of Fundamental Rights of the European Union, to be interpreted as meaning that the employer must erase from the employee’s personal file any data which the employer has collected and stored through another of its organisational entities which has the status of an investigating authority in criminal proceedings against that employee and which relate to the fact that the employee: 9.1. is suspected of, charged with or on trial for a criminal offence in pending criminal proceedings, or 9.2. was suspected of, charged with or put on trial for a criminal offence for which criminal proceedings were stayed or abandoned? Tenth questionIs Article 1 of Council Directive 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation to be interpreted as not permitting an employer, one of whose organisational entities undertakes investigative actions against an employee of another organisational entity, to deny an employee promotion on the sole ground that he: 10.1. is suspected of, charged with or on trial for a criminal offence in pending criminal proceedings, or 10.2. was suspected of, charged with or put on trial for a criminal offence for which criminal proceedings were stayed or abandoned? | 2 GDPR, 2(1) GDPR, 4 GDPR, 4(2) GDPR, 4(6) GDPR, 9 GDPR, 9(2)(b) GDPR, 17 GDPR, 17(1)(a) GDPR, 17(1)(d) GDPR | |||
CJEU Criminal Injuries Compensation Tribunal and Others [C-284/24] | C-284/24 | Criminal Injuries Compensation Tribunal and Others | Questions or pleas published | 2024-04-23 | 2024-04-23 | High Court | Ireland | First question (a)Does the obligation imposed on Member States by Article 12(2) of Directive 2004/80/EC (“the Compensation Directive”) to provide “fair and appropriate compensation” to victims of violent intentional crimes, require that a victim be compensated for both material and non-material loss within the meaning of Presidenza del Consiglio dei Ministri v BV (“BV”) (Case C-129/19,EU:C:2020:566)? Second question (b)If the answer to Question (a) is yes, what forms of loss fall within the scope of “non-material loss”? Third question (c)In particular, does a victim’s ‘pain and suffering’ fall within the scope of “non-material loss?” Fourth question (d)If the answer to a) and c) is yes, bearing in mind that [M]ember [S]tates are required to ensure that their schemes are financially viable, what relationshipshould the “fair and appropriate compensation” awarded to a victim pursuant tothe Compensation Directive bear to the damages in tort that would be awarded to that victim as against the relevant perpetrator as tort-feasor. Fifth question (e)Can the compensation established for victims of violent intentional crimes under the ‘Scheme of Compensation for Personal Injuries Criminally Inflicted’ (the “Scheme”) be regarded as “fair and appropriate compensation to victims” within the meaning of Article 12(2) of the Compensation Directive if a victim is awarded the sum of €645.65 as compensation for a serious eye injury resulting inpermanent sight impairment? | ||||
CJEU Garrapatica [C-199/24] | C-199/24 | Garrapatica | Questions or pleas published | 2024-03-13 | 2024-03-13 | Attunda tingsrätt | Sweden | First questionDoes Article 85(1) GDPR make it possible for the Member States to adopt legislative measures in addition to those which they must adopt under Article 85(2) GDPR relating to the processing of personal data for purposes other than journalistic ones or the purposes of academic, artistic or literary expression? Second questionIf the previous question is answered in the affirmative: Does Article 85(1) GDPR allow a reconciliation of the right to the protection of personal data pursuant to that regulation with the freedom of expression and of information which means that the only legal remedy available to a person whose personal data are processed by making criminal convictions involving that person available to the public on the internet in return for payment is the initiation of criminal proceedings for defamation or the claiming of damages for defamation? Third questionIf the first question is answered in the negative or the second questionis answered in the negative: Can an activity which consists of making available to the public on the internet in return for payment, without any processing or editing, public documents in the form of criminal convictions constitute processing of personal data for the purposes set out in Article 85(2) GDPR? | 85 GDPR, 85(1) GDPR, 85(2) GDPR, 85(3) GDPR | |||
CJEU Ministerstvo zdravotnictví II [C-710/23] | C-710/23 | Ministerstvo zdravotnictví II | Questions or pleas published | 2023-11-22 | 2023-11-22 | Nejvyšší správní soud | Czech Republic | First questionDoes the disclosure of the first name, surname, signature and contact information of a natural person as the director or responsible representative of a legal person, made exclusively for the purpose of identification of the (person authorised to represent a certain) legal person still constitute processing of ‘personal data’ of the natural person concerned, pursuant to Article 4(1) GDPR, and thus fall within the scope of GDPR? Second questionCan national law, including settled case-law, render the application by an administrative authority of a directly applicable EU regulation, namely Article 6(1)(c) GDPR or 6(1)(e) GDPR, conditional on compliance with other conditions that do not follow from the text of the regulation itself but which, nevertheless, essentially extend the level of protection of personal data subjects, namely the obligation of a public authority to inform the data subject in advance of the submission of a request for the provision of his or her personal data to a third party? | 4 GDPR, 4(1) GDPR, 6 GDPR, 6(1)(a) GDPR, 6(1)(c) GDPR, 6(1)(e) GDPR | |||
CJEU Quirin Privatbank [C-655/23] | C-655/23 | Quirin Privatbank | Questions or pleas published | 2023-11-07 | 2023-11-07 | Bundesgerichtshof | Germany | First question
Second questionIf the answers to Questions 1(a) and/or 1(b) are in the affirmative:
Third questionIf the answers to Questions 1(a) and 1(b) are in the negative: Must Article 84 of the GDPR, in conjunction with Article 79 thereof, be interpreted as permitting the national court to confer on the data subject whose personal data were unlawfully disclosed by the controller through onward transfer, in addition to the right to obtain compensation for material or non-material damage pursuant to Article 82 GDPR and the rights arising from Articles 17 GDPR and 18 GDPR, a right to obtain a prohibitory injunction against the controller prohibiting further unlawful onward transfer of those data in accordance with the provisions of national law? Fourth questionMust Article 82(1) GDPR be interpreted as meaning that mere negative feelings such as annoyance, displeasure, dissatisfaction, worry and fear, which are in themselves part of the general risk of life and often part of everyday experience, are sufficient for the assumption of non-material damage within the meaning of that provision? Or is a disadvantage to the natural person concerned which goes beyond those feelings necessary for the assumption of damage? Fifth questionMust Article 82(1) GDPR to be interpreted as meaning that the degree of fault of the controller or processor or its employees constitutes a relevant criterion in assessing the amount of non-material damage to be compensated? Sixth questionIf the answers to Questions 1(a), 1(b) or 3 are in the affirmative: Must Article 82(1) GDPR be interpreted as meaning that, in assessing the amount of non-material damage to be compensated, the fact that the data subject concerned has a right to obtain a prohibitory injunction in addition to the right to compensation can be taken into account as reducing the claim? | 17 GDPR, 17(1) GDPR, 17(1)(a) GDPR, 17(1)(b) GDPR, 17(1)(c) GDPR, 17(1)(d) GDPR, 17(1)(e) GDPR, 17(1)(f) GDPR, 17(2) GDPR, 17(3) GDPR, 17(3)(a) GDPR, 17(3)(b) GDPR, 17(3)(c) GDPR, 17(3)(d) GDPR, 17(3)(e) GDPR, 18 GDPR, 18(1) GDPR, 18(1)(a) GDPR, 18(1)(b) GDPR, 18(1)(c) GDPR, 18(1)(d) GDPR, 18(2) GDPR, 18(3) GDPR, 79 GDPR, 79(1) GDPR, 79(2) GDPR, 82 GDPR, 82(1) GDPR, 84 GDPR, 84(1) GDPR, 84(2) GDPR | |||
CJEU Inteligo Media [C-654/23] | C-654/23 | Inteligo Media | Questions or pleas published | 2023-11-02 | 2023-11-02 | Curtea de Apel Bucureşti | Romania | First questionIn a case in which a publisher of online news publications providing information to the general public, which does not specialise in the field, regarding the legislative amendments issued each day in Romania, obtains the email address of a user when the latter creates a free user account entitling him or her:
Second questionIf the answers to Question 1(a) and (b) are in the affirmative, which of the conditions laid down in Article 6(1)(a) to 6(1)(f) GDPR must be interpreted as applying when the publisher uses the user’s email address for the purpose of sending a daily newsletter such as that described in Question 1(ii), in accordance with the requirements of Article 13(2) of Directive 2002/58/EC? Third questionMust Article 13(1) ePrivacy Directive 2002/58/EC and 13(2) ePrivacy Directive 2002/58/EC be interpreted as precluding national legislation which uses the concept of ‘commercial communication’ laid down in Article 2(f) E-Commerce Directive 2002/58/EC instead of the concept of ‘direct marketing’ laid down in Directive 2002/58/EC? If not, does a newsletter such as that described in Question 1(ii) constitute a ‘commercial communication’ within the meaning of Article 2(f) ePrivacy Directive 2000/31/EC? Fourth questionIf the answers to Question 1(a) and (b) are in the negative:
Fifth questionMust Article 83(2) GDPR be interpreted as meaning that a supervisory authority which decides whether to impose an administrative fine and decides on the amount of the administrative fine in each individual case is obliged to analyse and explain in the administrative act imposing the fine the effect of each of the criteria laid down in points (a) to (k) on the decision to impose a fine and, respectively, on the decision regarding the amount of the fine imposed? | 6 GDPR, 6(1) GDPR, 6(1)(a) GDPR, 6(1)(b) GDPR, 6(1)(c) GDPR, 6(1)(d) GDPR, 6(1)(e) GDPR, 6(1)(f) GDPR, 83 GDPR, 83(2) GDPR, 83(2)(a) GDPR, 83(2)(b) GDPR, 83(2)(c) GDPR, 83(2)(d) GDPR, 83(2)(e) GDPR, 83(2)(f) GDPR, 83(2)(g) GDPR, 83(2)(h) GDPR, 83(2)(i) GDPR, 83(2)(j) GDPR, 83(2)(k) GDPR, 95 GDPR | |||
CJEU Amt der Tiroler Landesregierung [C-638/23] | C-638/23 | Amt der Tiroler Landesregierung | Questions or pleas published | 2023-10-24 | 2023-10-24 | Verwaltungsgerichtshof | Austria | Is Article 4(7) GDPR, to be interpreted as precluding application of a provision of national law (such as, in the present case, Paragraph 2(1) of the Tiroler Datenverarbeitungsgesetz (Tyrol Law on data processing)) in which a particular controller is provided for within the meaning of the second part of Article 4(7) GDPR but
| 4 GDPR, 4(7) GDPR | |||
CJEU Natsionalna agentsia za prihodite II [C-563/23] | C-563/23 | Natsionalna agentsia za prihodite | Questions or pleas published | 2023-09-12 | 2023-09-12 | Sofiyski rayonen sad | Bulgaria | First questionMust Article 4(7) GDPR be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of taxable persons determines the purposes or means of the processing of personal data and is therefore a ‘controller’ for the purposes of the processing of personal data? Second questionIf the first question is answered in the negative, must Article 51 GDPR be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of taxable persons is responsible for monitoring [the application of] that regulation and must therefore be classified as a ‘supervisory authority’ in relation to those data? Third questionIf either of the above questions is answered in the affirmative, must Article 32(1)(b) GDPR and Article 57(1)(a) GDPR be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of taxable persons is obliged, in the presence of data concerning a personal data breach committed in the past by the body to which such access is to be granted, to obtain information on the data protection measures taken and to assess the appropriateness of those measures in its decision to permit access? Fourth questionIrrespective of the answers to the [second] and [third] questions, must Article 79(1) GDPR, read in conjunction with Article 47 Charter of Fundamental Rights of the European Union, be interpreted as meaning that, where the national law of a Member State provides that certain categories of data may be disclosed only after permission to do so has been granted by a court, the court so competent must of its own motion grant legal protection to the persons whose data are to be disclosed, by requiring the authority which has applied for access to the data in question, and which is known to have received binding instructions from the authority under Article 51(1) GDPR following a personal data breach, to provide information on the implementation of the measures imposed on it by administrative decision pursuant to Article 58(2)(d) GDPR? | 4 GDPR, 4(7) GDPR, 32 GDPR, 32(1)(b) GDPR, 51 GDPR, 51(1) GDPR, 51(2) GDPR, 51(3) GDPR, 51(4) GDPR, 57 GDPR, 57(1)(a) GDPR, 58 GDPR, 58(2)(d) GDPR, 79 GDPR, 79(1) GDPR | |||
CJEU HP - Hrvatska pošta [C-336/23] | C-336/23 | HP - Hrvatska pošta | Questions or pleas published | 2023-05-26 | 2023-05-26 | Visoki upravni sud Republike Hrvatske | Croatia | First questionIs the term ‘re-use of information’ for the purposes of Article 2(11) Open Data Directive 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information ([OJ 2019] L 172, [p. 56]) (‘the Directive’) to be understood as meaning access to any information which a public sector body/public undertaking has produced or holds, and which a user (natural or legal person) requests from a public sector body for the first time? Second questionCan a request for information which a public sector body/public undertaking has produced or which it holds, and which was generated within the scope of its activities or in connection with its organisation and work, be regarded as a request for information to which the provisions of the Directive apply, that is to say, do the provisions of that directive apply to all requests for information held by public sector bodies? Third questionAre the entities obliged to provide information, listed in Article 2 Open Data Directive 2019/1024, only those public sector bodies to which requests for re-use of information are made, or do the new definitions concern all public sector bodies and all information held by those bodies, that is to say, are the entities listed in Article 2 Open Data Directive 2019/1024 obliged to provide information they have produced or hold, or are the entities listed in Article 2 of the Directive considered to be obliged to provide information only where the information is re-used? Fourth questionCan the exceptions to the obligation to make information available under Article 1(2) Open Data Directive 2019/1024 be regarded as exceptions by virtue of which public sector bodies may refuse to provide information produced or held by them, or are they exceptions which apply only where requests have been made to the public sector bodies for re-use of the information? | ||||
CJEU RRC Sports [C-209/23] | C-209/23 | RRC Sports | Questions or pleas published | 2023-03-31 | 2023-03-31 | Landgericht Mainz | Germany | Must Article 101 TFEU (prohibition on cartels), Article 102 TFEU (prohibition on abuse of a dominant position) and Article 56 TFEU (freedom to provide services) and also Article 6 GDPR be interpreted as precluding rules adopted by a world sporting association (in this case: FIFA), to which 211 national sports federations of the relevant sport (in this case: football) belong, and whose rules are therefore binding in any event on the majority of the actors active in the respective national professional leagues of the relevant sport (in this case: clubs (which also means football clubs organised as capital companies), players (who are club members) and players’ agents), and which have the following content: (1) it is prohibited to agree on players’ agents’ remuneration, or pay them remuneration, in excess of a cap calculated as a percentage of the transfer fee or the annual remuneration of that player, as provided for in Article 15(2) of the FIFA Football Agent Regulations (‘the FFAR’), (2) it is prohibited for third parties to pay remuneration due under a representation agreement in respect of the players’ agent’s contracting partner, as provided for in Article 14(2) and (3) of the FFAR, (3) clubs are prohibited from paying more than 50% of the total remuneration due from the player and the club for the services of the players’ agent in cases where a players’ agent acts on behalf of the engaging club and the player, as provided for in Article 14(10) of the FFAR, (4) for the grant of a licence as a players’ agent, which is a condition for being allowed to provide players’ agent services, it is required that the applicant submit to the internal regulations of the world sporting association (in this case: the FFAR, the FIFA Statutes, the FIFA Disciplinary Code, the FIFA Code of Ethics, the FIFA Regulations on the Status and Transfer of Players as well as the statutes, regulations, guidelines and decisions of authorities and bodies) and also to its jurisdiction as an association and that of confederations and member associations, as provided for in Article 4(2), Article 16(2)(b) and Article 20 of the FFAR, in conjunction with Article 8(3), Article 57(1) and Article 58(1) and (2) of the FIFA Statutes, Article 5(a), Article 49 and Article 53(3) of the FIFA Disciplinary Code, and Article 4(2) and Article 82(1) of the Code of Ethics, (5) requirements are laid down for the grant of a licence as a players’ agent, under which the grant of a licence is permanently excluded in the case of convictions or settlements in criminal proceedings or a suspension of two years or more, licence suspension or withdrawal, or other disqualification by an authority or a sports governing body, without the possibility of the licence being granted at a later date, as provided for in Article 5(1)(a)(ii) and (iii) of the FFAR, (6) players’ agents are prohibited, in connection with the conclusion of a transfer agreement and/or a contract of employment, from providing players’ agent services or any other services to, and being remunerated for them, by:
as provided for respectively in Article 12(8) and (9) of the FFAR, and (6a) players’ agents are prohibited, in connection with the conclusion of a transfer agreement and/or a contract of employment together with a connected players’ agent, from providing players’ agent services or any other services to, and being remunerated for them, by:
if the concept of connected players’ agent includes cooperation in accordance with the definition of ‘connected football agent’ laid down in the FFAR (fourth subparagraph on p. 6 of the FFAR), as provided for in Article 12(10) of the FFAR, in conjunction with the definition of ‘connected football agent’ in the fourth subparagraph on p. 6 of the FFAR, (7) players’ agents are prohibited from approaching or entering into a representation agreement with a club, player, or member association of the world sporting association or a legal person operating a single-entity league which is permitted to engage players’ agents and which have entered into an exclusive agreement with another players’ agent, as provided for in Article 16(1)(b) and (c) of the FFAR, (8) the names and details of all players’ agents, the names of the clients whom they represent, the players’ agent services which they provide to each individual client and/or the details of all transactions involving players’ agents, including the amount of remuneration payable to players’ agents, must be uploaded to a platform of the world sporting association and this information is made available in part to other clubs, players or players’ agents, as provided for in Article 19 of the FFAR, (9) it is prohibited to agree remuneration for players’ agent services on any other basis than the player’s remuneration or the transfer fee, as provided for in Article 15(1) of the FFAR, (10) it is presumed that other services provided by a players’ agent or a connected players’ agent in the 24 months prior to or following the provision of a players’ agent service to a client involved in the transaction for which player agency services were performed form part of the player agent’s services and, in so far that the presumption cannot be rebutted, remuneration for the other services is deemed to form part of the remuneration paid for the players’ agent service, as provided for in Article 15(3) and (4) of the FFAR, (11) the amount of the players’ agent’s remuneration to be calculated on a pro-rata basis is to be based solely on the salary actually received by the player, as provided for in Article 14(7) and (12) of the FFAR, (12) players’ agents are required to disclose the following information to the world sporting association:
as provided for in Article 16(2)(j)(ii) to (v) and (k)(ii) of the FFAR, (13) clubs are prohibited from agreeing on remuneration or elements of remuneration with players’ agents for the future transfer of a player or from paying remuneration or elements of remuneration to players’ agents, the calculation basis for which is (also) dependent on future transfer compensation received by the club from a subsequent transfer of the player, as provided for in Article 18ter(1), first alternative, of the FIFA Regulations on the Status and Transfer of Players (‘the FIFA RSTP’) and Article 16(3)(e) of the FFAR. | 6 GDPR, 6(1) GDPR, 6(1)(f) GDPR | |||
CJEU K GmbH - Processing of employees' personal data [C-65/23] | C-65/23 | K GmbH (Processing of employees' personal data) | Questions or pleas published | 2023-02-08 | 2023-02-08 | Bundesarbeitsgericht | Germany | First questionIs a national legal provision that has been adopted pursuant to Article 88(1) GDPR - such as Paragraph 26(4) of the Bundesdatenschutzgesetz (German Federal Law on data protection, ‘the BDSG’) - and which provides that the processing of personal data, including special categories of personal data, of employees for the purposes of the employment relationship is permissible on the basis of collective agreements subject to compliance with Article 88(2) GDPR, to be interpreted as meaning that the other requirements of the GDPR - such as Article 5 GDPR, Article 6(1) GDPR and Article 9(1) GDPR and 9(2) GDPR - must always also be complied with? Second questionIf the answer to Question 1 is in the affirmative: May a national legal provision adopted pursuant to Article 88(1) GDPR - such as Paragraph 26(4) of the BDSG - be interpreted as meaning that the parties to a collective agreement (in this case, the parties to a works agreement) are entitled to a margin of discretion in assessing the necessity of data processing within the meaning of Article 5 GDPR, Article 6(1) GDPR and Article 9(1) GDPR and 9(2) GDPR that is subject to only limited judicial review? Third questionIf the answer to Question 2 is in the affirmative: In such a case, to what is the judicial review to be limited? Fourth questionIs Article 82(1) GDPR to be interpreted as meaning that a person is entitled to compensation for non-material damage when his or her personal data have been processed contrary to the requirements of Regulation 2016/679, or does the right to compensation for non-material damage additionally require that the data subject demonstrate non-material damage - of some weight - suffered by him or her? Fifth questionDoes Article 82(1) GDPR have a specific or general preventive character, and must that be taken into account in the assessment of the amount of non-material damage to be compensated at the expense of the controller or processor on the basis of Article 82(1) GDPR? Sixth questionIs the degree of fault on the part of the controller or processor a decisive factor in the assessment of the amount of non-material damage to be compensated on the basis of Article 82(1) GDPR? In particular, can non-existent or minor fault on the part of the controller or processor be taken into account in their favour? | 5 GDPR, 5(1) GDPR, 5(1)(a) GDPR, 5(1)(b) GDPR, 5(1)(c) GDPR, 5(1)(d) GDPR, 5(1)(e) GDPR, 5(1)(f) GDPR, 5(2) GDPR, 6 GDPR, 6(1) GDPR, 9 GDPR, 9(1) GDPR, 9(2) GDPR, 82 GDPR, 82(1) GDPR, 88 GDPR, 88(1) GDPR, 88(2) GDPR | |||
CJEU Policejní prezidium [C-57/23] | C-57/23 | Policejní prezidium | Questions or pleas published | 2023-02-02 | 2023-02-02 | Nejvyšší správní soud | Czech Republic | First questionWhat degree of distinction between individual data subjects is required by Article 4(1)(c) LED Directive 2016/680 or Article 6 LED Directive 2016/680 in conjunction with Article 10 LED Directive 2016/680? Is it compliant with the obligation to minimise personal data processing, and with the obligation to distinguish between various categories of data subjects, for national law to permit the collection of genetic data in respect of all persons suspected or accused of having committed an intentional criminal offence? Second questionIs it in accordance with Article 4(1)(e) LED Directive 2016/680 if the necessity of continued retention of a DNA profile is assessed, with a reference to the general prevention, investigation, and detection of criminal activity, by Police authorities on the basis of their internal regulations, which frequently means in practice that sensitive personal data is retained for an unspecified period without a maximum limit for the duration of the retention of that personal data being set? If not, by what criteria should the proportionality of the period of the retention of the personal data collected and retained for that purpose be assessed? Third questionIn the case of particularly sensitive personal data falling under Article 10 LED Directive 2016/680, what is the minimal scope of the substantive or procedural conditions for obtaining, retaining, and deleting such data that must be regulated by a 'provision of general application' in the law of a Member State? Can judicial case-law qualify as 'Member State law' within the meaning of Article 8(2) LED Directive 2016/680 in conjunction with Article 10 LED Directive 2016/680? | ||||
CJEU Kinderrechtencoalitie Vlaanderen [C-280/22] | C-280/22 | Kinderrechtencoalitie Vlaanderen | Questions or pleas published | 2022-04-25 | 2022-04-25 | Raad van State (Belgium) | Belgium | Are Article 3(5) and (6) and Article 14 of Regulation (EU) 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement, read in conjunction with Commission Implementing Decision C(2018) 7767 of 30 November 2018 laying down the technical specifications for the uniform format for residence permits for third country nationals and repealing Decision C(2002)3069, valid and compatible with Article 16 TFEU and - as regards Article 3(5) and (6) - with Article 21 TFEU, as well as with Articles 7 Charter, 8 Charer and 52 Charter, in conjunction with:
in so far as Article 3(5) and (6) of Regulation (EU) 2019/1157 requires two fingerprints of the holder of the card to be stored in interoperable digital formats on a storage medium included on the identity card, and in so far as Article 3(5) and (6) and Article 14 of Regulation (EU) 2019/1157, read in conjunction with Annex III to the aforementioned Commission Implementing Decision C(2018) 7767 of 30 November 2018, require the fingerprint data on the identity cards and residence documents referred to in points (a) and (c) of Article 2 of that regulation to be stored in the form of a digital image of the fingerprints on an electronic microprocessor chip which uses RFID and can be read wirelessly/in contactless form? | 1 GDPR, 1(1) GDPR, 1(2) GDPR, 1(3) GDPR, 2 GDPR, 2(1) GDPR, 2(2) GDPR, 2(2)(a) GDPR, 2(2)(b) GDPR, 2(2)(c) GDPR, 2(2)(d) GDPR, 2(3) GDPR, 2(4) GDPR, 3 GDPR, 3(1) GDPR, 3(2) GDPR, 3(2)(a) GDPR, 3(2)(b) GDPR, 3(3) GDPR, 4 GDPR, 5 GDPR, 5(1) GDPR, 5(1)(a) GDPR, 5(1)(b) GDPR, 5(1)(c) GDPR, 5(1)(d) GDPR, 5(1)(e) GDPR, 5(1)(f) GDPR, 5(2) GDPR, 6 GDPR, 6(1) GDPR, 6(1)(a) GDPR, 6(1)(b) GDPR, 6(1)(c) GDPR, 6(1)(d) GDPR, 6(1)(e) GDPR, 6(1)(f) GDPR, 6(2) GDPR, 6(3) GDPR, 6(3)(a) GDPR, 6(3)(b) GDPR, 6(4) GDPR, 6(4)(a) GDPR, 6(4)(b) GDPR, 6(4)(c) GDPR, 6(4)(d) GDPR, 6(4)(e) GDPR, 9 GDPR, 9(1) GDPR, 9(2) GDPR, 9(2)(a) GDPR, 9(2)(b) GDPR, 9(2)(c) GDPR, 9(2)(d) GDPR, 9(2)(e) GDPR, 9(2)(f) GDPR, 9(2)(g) GDPR, 9(2)(h) GDPR, 9(2)(i) GDPR, 9(2)(j) GDPR, 9(3) GDPR, 9(4) GDPR, 25 GDPR, 25(1) GDPR, 25(2) GDPR, 25(3) GDPR, 32 GDPR, 32(1) GDPR, 32(1)(a) GDPR, 32(1)(b) GDPR, 32(1)(c) GDPR, 32(1)(d) GDPR, 32(2) GDPR, 32(3) GDPR, 32(4) GDPR, 35 GDPR, 35(1) GDPR, 35(2) GDPR, 35(3) GDPR, 35(3)(a) GDPR, 35(3)(b) GDPR, 35(3)(c) GDPR, 35(4) GDPR, 35(5) GDPR, 35(6) GDPR, 35(7) GDPR, 35(7)(a) GDPR, 35(7)(b) GDPR, 35(7)(c) GDPR, 35(7)(d) GDPR, 35(8) GDPR, 35(9) GDPR, 35(10) GDPR, 35(11) GDPR, 36 GDPR, 36(1) GDPR, 36(2) GDPR, 36(3) GDPR, 36(3)(a) GDPR, 36(3)(b) GDPR, 36(3)(c) GDPR, 36(3)(d) GDPR, 36(3)(e) GDPR, 36(3)(f) GDPR, 36(4) GDPR, 36(5) GDPR | |||
CJEU DX - Access to data held by suppliers for contractual purposes [C-241/22] | C-241/22 | DX (Access to data held by suppliers for contractual purposes) | Questions or pleas published | 2022-04-06 | 2022-04-06 | Hoge Raad der Nederlanden | Netherlands | First questionDo legislative measures which relate to granting public authorities access to traffic and location data (including identification data) in connection with the prevention, investigation, detection and prosecution of criminal offences fall within the scope of ePrivacy Directive 2002/58/EC if they concern the granting of access to data which are not retained on the grounds of legislative measures within the meaning of Article 15(1) ePrivacy Directive 2002/58/EC, but which are retained by the provider on some other ground? Second question
Third questionCan granting public authorities access to traffic and location data (other than mere identification data) for the purpose of the prevention, investigation, detection and prosecution of criminal offences be permissible under Directive 2002/58/EC if no serious criminal offences or serious crime are involved, that is to say, if in the specific case the granting of access to such data - in so far as may be assumed - causes only a minor interference with, in particular, the right to the protection of the private life of the user as referred to in Article 2(b) ePrivacy Directive 2002/58/EC? | ||||
CJEU Scalable Capital II [C-189/22] | C-189/22 | Scalable Capital II | Questions or pleas published | 2022-03-11 | 2022-03-11 | Amtsgericht München | Germany | First questionIs Article 82 GDPR to be interpreted as meaning that the right to compensation, including the determination of the amount of that compensation, does not have a punitive character, in particular, that it has no general or specific dissuasive function, but a purely compensatory function and, in some instances, a satisfaction function? Second questionSub question a Is the right to compensation for non-material damage to be determined on the basis that it also has an individual satisfaction function - understood here to mean the private interest of the injured party in seeing the behaviour that caused the damage penalised - or does it have only a compensatory function - understood here to mean the function of compensating for the detrimental effects suffered? Sub question b.1 If it is to be assumed that the right to compensation for non-material damage has both a compensatory and a satisfaction function: is it to be determined on the basis that the compensatory function has structural precedence over the satisfaction function or, at least, that the relationship between the two is that of the rule and the exception? Does that mean that it can have a satisfaction function only when the infringement is deliberate or a result of gross negligence? Sub question b.2 If the right to compensation for non-material damage does not have a satisfaction function: when determining that compensation, is additional weight attributed only to deliberate or grossly negligent data protection infringements deemed to be contributory factors? Third questionIs the compensation for non-material damage to be determined on the basis of a structural order of precedence or, at least, a rule-exception relationship, which attributes less weight to the detrimental effects of a data infringement than to the detrimental and painful effects associated with a physical injury? Fourth questionAssuming that damage has been sustained, can a national court award only minimal compensation, which may be perceived by the injured party or generally as merely symbolic, in the light of the non-serious nature of the damage? Fifth questionAre the consequences of the compensation for non-material damage to be assessed on the basis that identity theft within the meaning of recital 75 of the General Data Protection Regulation requires an offender to have actually assumed the identity of the person concerned, that is to say to have somehow impersonated that person, or does the mere fact that offenders have gained possession of data that identify the person concerned constitute such identity theft? | 82 GDPR, 82(1) GDPR, 82(2) GDPR, 82(3) GDPR, 82(4) GDPR, 82(5) GDPR, 82(6) GDPR | |||
CJEU Ökorenta [C-18/22] | C-18/22 | Oekorenta | Questions or pleas published | 2022-01-07 | 2022-01-07 | Amtsgericht München | Germany | First question
Second question
|
The CJEU pending cases newsletter
Join our exclusive monthly newsletter dedicated to the latest pending cases at the Court of Justice of the European Union (CJEU).
Already subscribed? Follow us on LinkedIn