CJEU - C-169/23 - Másdi: Difference between revisions
(ManTechnologist moved page CJEU - C-169/23 - Másdi to AG - C-169/23 - Másdi) Tag: New redirect |
(Removed redirect to AG - C-169/23 - Másdi) Tags: Removed redirect submission [1.0] |
{{CJEUdecisionBOX
|Case_Number_Name=C-169/23 Másdi
|ECLI=ECLI:EU:C:2024:988
|Opinion_Link=https://curia.europa.eu/juris/document/document.jsf?docid=286855&doclang=en
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=292739&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=10542020
|Date_Decided=28.11.2024
|Year=2024
|GDPR_Article_1=Article 6(1)(e) GDPR
|GDPR_Article_Link_1=Article 6 GDPR#1e
|GDPR_Article_2=Article 9(2)(i) GDPR
|GDPR_Article_Link_2=Article 9 GDPR#2i
|GDPR_Article_3=Article 14(5)(c) GDPR
|GDPR_Article_Link_3=Article 14 GDPR#5c
|National_Law_Name_1=Government Decree No 60/2021
|National_Law_Link_1=https://njt.hu/jogszabaly/en/2021-60-20-22
|Party_Name_1=Nemzeti Adatvédelmi és Információszabadság Hatóság
|Party_Link_1=https://www.naih.hu/
|Party_Name_2=UC
|Reference_Body=Kúria
|Initial_Contributor=la
}}
Revision as of 16:26, 3 December 2024
CJEU - C-169/23 Másdi | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 6(1)(e) GDPR; Article 9(2)(i) GDPR; Article 14(5)(c) GDPR; Government Decree No 60/2021 |
Decided: | 28.11.2024 |
Parties: | Nemzeti Adatvédelmi és Információszabadság Hatóság; UC |
Case Number/Name: | C-169/23 Másdi |
European Case Law Identifier: | ECLI:EU:C:2024:988 |
Reference from: | Kúria |
Language: | 24 EU Languages |
Original Source: | AG Opinion; Judgement |
Initial Contributor: | la |
Article 14(5)(c) GDPR also covers data that have been generated by the controller. The DPA has the competence to review whether the respective Member State law provides appropriate measures for the protection of the data subject’s legitimate interests.
English Summary
Facts
The data subject had obtained an immunity certificate confirming the vaccination against COVID-19, issued by the respective authority (the controller). This certificate included data that was generated by the controller itself, especially an ID number and a QR code. In April 2021, the data subject filed a complaint with the Hungarian DPA alleging that the controller had not published any data protection statement concerning the issuing of vaccination certificates.
During the subsequent procedure the controller declared that Article 6(1)(e) GDPR and Article 9(2)(i) GDPR were the respective legal bases for the processing. Furthermore, it stated that it had obtained the personal data that it processed from another body, in accordance with the provisions of Decree No 60/2021. On that basis, it asserted that, pursuant to Article 14(5)(c) of the GDPR, it was not required to provide information on the processing of those data. It nonetheless drew up the requested statement concerning the protection of personal data and published it on its website.
The Hungarian DPA dismissed the complaint and found that the processing fell under Article 14(5)(c) GDPR and that the domestic law included appropriate safeguards for the legitimate interests of the data subject.
The data subject challenged the decision in court. The first instance court considered that the exception laid down in Article 14(5)(c) GDPR was not applicable because certain personal data produced in relation to the immunity certificates were not collected from another body by the controller, but were generated by that controller itself in the performance of its tasks. In that court’s view, only personal data obtained from another body could be covered by the exception laid down in Article 14(5)(c) GDPR.
This decision was appealed by the DPA. The court of appeals then stayed the proceedings and forwarded three questions to the CJEU for a preliminary ruling.
Advocate General Opinion
Advocate General Medina concluded on the first question that the exception in Article 14(5)(c) GDPR applies to all data which the controller has not obtained from the data subject. It is not relevant, in that regard, whether the data are expressly obtained from another entity or are generated by the controller in its own procedure.
On the second question she concluded that the national supervisory authority has the power to examine all conditions in Article 14(5)(c) GDPR, including whether the law to which the controller is subject, and which lays down the processing, provides appropriate measures to protect the data subject’s legitimate interests.
Holding
First question:
The CJEU first noted that the wording of Article 14(5)(c) GDPR differed between language versions: some refer to “information”, others to “data”, and some do not refer to the subject matter of the obtaining or disclosure at all. Therefore, the provision must be interpreted in the light of the whole GDPR. Thus, the CJEU held that the provision refers to personal data, as they are the key aspect of the regulatory framework.
The ratio legis of the exception laid down in Article 14(5)(c) GDPR was that information does not have to be provided to the data subject under this very provision if Member State law itself laid down a sufficient obligation to provide the data subject with information.
The CJEU also found that the wording of the provision did not limit the application to data obtained from a person other than the data subject themselves. Also, the scope of Article 14 GDPR was defined by a negative reference to Article 13 GDPR. By comparing the headings of both provisions, one could see that Article 14 GDPR was about data not collected from the data subject, which included data generated by the controller itself.
The CJEU also held that in order to be fully consistent with the objective pursued by the GDPR, the application of Article 14(5)(c) GDPR was subject to strict compliance with the requirements provided in this provision, especially a level of protection of the data subject at least equivalent to that guaranteed by Article 14(1) to (4) GDPR.
Second and third question:
The CJEU held that, in order to ensure and enforce the GDPR’s application, the DPAs had the right to examine whether the requirements of Article 14(5)(c) GDPR are met, especially whether the respective Member State law provides for appropriate measures to protect the data subject’s legitimate interests.
Therefore, a complaint under Article 77(1) GDPR may be based on an infringement of the controller’s obligation to provide information, alleging non-compliance with the conditions for the application of the exception laid down in Article 14(5)(c) GDPR.
This meant that the DPA had the competence to ensure that the Member State law guaranteed a level of protection of the data subject with regard to the processing of his or her personal data which is at least equivalent to that provided for in Article 14(1) to (4) GDPR. Thus, those provisions must be such as to put the data subject in a position to enable him or her to exercise control over his or her personal data and to exercise the rights conferred on him or her by the GDPR.