CJEU - C-180/21 - Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation): Difference between revisions

From GDPRhub
No edit summary
(url+common name)
 
(9 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{CJEUdecisionBOX
{{CJEUdecisionBOX


|Case_Number_Name=C-180/21 Inspektor v Inspektorata kam Visshia sadeben savet
|Case_Number_Name=C-180/21 Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation)
|ECLI=
|ECLI=


|Opinion_Link=
|Opinion_Link=
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=241816&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=10583803
|Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?docid=241816&doclang=en


|Date_Decided=
|Date_Decided=
Line 33: Line 33:
|Initial_Contributor=n/a
|Initial_Contributor=n/a
|
|
}}
}}The CJEU held that the provisions of the GDPR apply to the processing of personal data by the public prosecutor's office for the purpose of exercising its rights of defendence in civil proceedings.
 
See Holding for questions referred.


==English Summary==
==English Summary==
[to be updated]
=== Facts ===
=== Facts ===
In 2013, the District Public Prosecutor’s Office in Petrich (Bulgaria) opened pre-trial proceedings (No 252/2013) against an unknown person for the commission of a crime. The applicant in the case in question (VS) took part in those proceedings as a victim.
In 2013, the District Public Prosecutor’s Office in Petrich (Bulgaria) opened pre-trial proceedings (No 252/2013) against an unknown person for the commission of a crime. The applicant in the case in question (VS) took part in those proceedings as a victim.
Line 56: Line 52:


=== Holding ===
=== Holding ===
After assessing the wording of Articles 1(1) and 4(2) of LED 2016/680, the CJEU found that it can be inferred from Article 1(1), read in conjunction with Article 4(2), that where personal data have been collected for the purposes of the 'detection' and 'investigation' of a criminal offence and have subsequently been processed for the purposes of 'prosection' that collection and that processing serve different purposes.  
Within this particular case, the CJEU addressed whether the provisions of the GDPR apply to the processing of personal data by the public prosecutor's office for the purpose of exercising its rights of defendence in civil proceedings.  


Consequently, the CJEU held, that when a person had initially been considered to be a victim of a criminal offence, within the meaning of Article 6(c) of LED 2016/680, the controller should take into account that that processing reflects a change in that person’s category within the meaning of Article 6(a) of LED 2016/680, and to make a clear distinction between data of different categories of persons.
Firstly, the CJEU considered the conditions for the definition of '<nowiki/>''personal data''<nowiki/>' under 4(1) GDPR and '''processing''<nowiki/>' under Article 4(2) GDPR were met in this case, where a defendant, in civil proceedings, informs the competent court, even succinctly, of the opening of files concerning a natural person, in particular for the purposes of the ‘detection’ or ‘investigation’ of a criminal offence.


[to be updated]
With regard to the exception provided for in Article 2(2)(d) GDPR, which concerns the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, the CJEU held that the exception should be interpreted strictly. In this regard, it was also held that, the reason for that exception is that the processing of personal data by the competent authorities for the purposes set out in Article 2(2)(d) GDPR is governed by LED 2016/680.


'''Questions referred:'''
As in the present case, the CJEU found that even where the bringing action for damages against the State from alleged misconduct by the public prosecutor’s office in the course of criminal proceedings, the aim of the State’s defence in such an action is not to perform, as such, tasks for the purposes set out in Article 1(1) of LED 2016/680. Furthermore, it was stated that the participation of a public authority in civil proceedings as a defendant in an action for damages against the State does not seek to safeguard national security or of an activity which can be classified in the same category, in the light of Article 2(2)(a) GDPR.


'''1.''' Is Article 1(1) of Directive 2016/680 to be interpreted as meaning that, when stating the objectives of that directive, the terms ‘prevention, investigation, detection or prosecution of criminal offences’ are listed as aspects of a general objective?
The public prosecutor’s office must be considered to be a ‘''controller''’, within the meaning not only of Article 4(7) GDPR, but also of Article 3(8) of LED 2016/680. The CJEU held that the GDPR is applicable to the processing of personal data by the public prosecutor’s office for the purpose of exercising its rights of defence in an action for damages against the State, where, first, it informs the competent court of the opening of files relating to a natural person who is a party to that action for the purposes set out in Article 1(1) of LED 2016/680 and, second, it transmits those files to that court.


'''2.''' Are the provisions of Regulation 2016/679 applicable to the Public Prosecutor’s Office of the Republic of Bulgaria in view of the fact that information concerning a person, which was collected by the Public Prosecutor’s Office, in its capacity as ‘controller’ pursuant to point 8 of Article 3 of Directive 2016/680, in an investigation file opened in relation to that person with a view to verifying indications of a criminal offence, was used in the context of the judicial defence of the Public Prosecutor’s Office as a party to civil proceedings – by virtue of the fact that the circumstance of that file having been opened was revealed or that the contents of the file were presented?
With regard to the lawfulness of the processing, the CJEU considered first that it must be determined whther the processing, by the public prosecutor’s officef or the purpose of defending the State or a public body in an action for damages for harm caused by misconduct on the part of the State or a public body, is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in it, within the meaning of Article 6(1)(e) GDPR. Moreover, it cannot be ruled out that, where, for the purpose of defending the State in an action for damages, the public prosecutor’s office of transmits the personal data to the court at that court’s request, that transmission is also liable to come within the scope of Article 6(1)(c) GDPR where that public prosecutor’s office is required to comply with such a request pursuant to national law.


'''2.1''' If that question is answered in the affirmative:
It is for the referring court to verify whether, in accordance with Article 6(3) GDPR, the national law lays down, 1) the basis for such processing and, 2) the purposes of that processing or, as regards Article 6(1)(e) GDPR, whether that processing is necessary for the public prosecutor’s office’s performance of its task carried out in the public interest. Furthermore the CJEU emphazised that the processing of personal data must also copmly with all the applicable requirements provided for by the GDPR.


Is the expression ‘legitimate interests’ in Article 6(1)(f) of Regulation 2016/679 to be interpreted as including the disclosure, in whole or in part, of information concerning a person which has been collected in a public prosecution investigation file opened in relation to that person for the purposes of the prevention, investigation, detection or prosecution of criminal offences, in the case where that disclosure is carried out for the purposes of the defence of the controller as a party to civil proceedings, and does that expression exclude the consent of the data subject?
''This decision represents an important milestone case for data protection in the context of law enforcement.''


== Comment ==
== Comment ==
''This decision represents an important milestone case for data protection in the context of law enforcement.''
== Further Resources ==
''Share blogs or news articles here!''

Latest revision as of 13:26, 17 October 2024

CJEU - C-180/21 Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation)
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 6(1)(f) GDPR
Article 1 Directive 2016/680
Decided:
Parties: VS
Inspektor v Inspektorata kam Visshia sadeben savet
Case Number/Name: C-180/21 Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation)
European Case Law Identifier:
Reference from: Administrative Court - Blagoevgrad
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a

The CJEU held that the provisions of the GDPR apply to the processing of personal data by the public prosecutor's office for the purpose of exercising its rights of defendence in civil proceedings.

English Summary

Facts

In 2013, the District Public Prosecutor’s Office in Petrich (Bulgaria) opened pre-trial proceedings (No 252/2013) against an unknown person for the commission of a crime. The applicant in the case in question (VS) took part in those proceedings as a victim.

In 2016, the District Public Prosecutor’s Office in Petrich, compiled a number of criminal files containing information relating to VS, [after receiving a number of complaints concerning, inter alia, VS]. However, the Public Prosecutor's Office did not open any pre-trial proceedings in the absence of evidence.

In 2018, the public prosecutor made formal accusations in respect of all the persons who took part in the incident at issue in the pre-trial proceedings (No 252/2013), including VS.

VS brought an action before the Regional Court in Blagoevgrad (Bulgaria) against the Public Prosecutor’s Office of the Republic of Bulgaria seeking damages for the harm allegedly resulting from the excessive duration of the pre-trial proceedings (No 252/2013). At the hearing, the Public Prosecutor's Office requested that the files opened in 2016, concerning VS, be produced for the purposes of defending the public prosecutor's office against claims made by VS. The Regional Court ordered that public prosecutor's office to produce certified copies of the documents in the files in question.

In March 2020, VS lodged a complaint with the Supreme Judicial Council, Bulgaria (‘the IVSS’), claiming that the District Public Prosecutor’s Office in Petrich, had infringed the data protection legislation. VS claimed, firstly, that that public prosecutor’s office had unlawfully used his personal data collected when he was considered to be a victim of a crime, in order to prosecute him in the same proceedings. Secondly, VS alleged that the public prosecutor’s office acted unlawfully as regards the processing of personal data that were collected in the files, in 2016, in the context of his action for damages against the Public Prosecutor’s Office of the Republic of Bulgaria. The IVSS rejected that complaint.

In July 2020, VS brought an action before the Administrative Court in Blagoevgrad (Bulgaria) against that decision, claiming, first, that the processing of his personal data in the course of pre-trial proceedings (No 252/2013) is contrary to, inter alia, the principles of the Law Enforcement Directive 2016/680 ("LED 2016/680"), and second, that the processing of the data collected in the files, in 2016, after the Public Prosecutor’s Office had refused to initiate pre-trial proceedings, infringes the principles of the GDPR.

The Administrative Court decided to stay the proceedings and to refer to the CJEU for a preliminary ruling.

Holding

Within this particular case, the CJEU addressed whether the provisions of the GDPR apply to the processing of personal data by the public prosecutor's office for the purpose of exercising its rights of defendence in civil proceedings.

Firstly, the CJEU considered the conditions for the definition of 'personal data' under 4(1) GDPR and 'processing' under Article 4(2) GDPR were met in this case, where a defendant, in civil proceedings, informs the competent court, even succinctly, of the opening of files concerning a natural person, in particular for the purposes of the ‘detection’ or ‘investigation’ of a criminal offence.

With regard to the exception provided for in Article 2(2)(d) GDPR, which concerns the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, the CJEU held that the exception should be interpreted strictly. In this regard, it was also held that, the reason for that exception is that the processing of personal data by the competent authorities for the purposes set out in Article 2(2)(d) GDPR is governed by LED 2016/680.

As in the present case, the CJEU found that even where the bringing action for damages against the State from alleged misconduct by the public prosecutor’s office in the course of criminal proceedings, the aim of the State’s defence in such an action is not to perform, as such, tasks for the purposes set out in Article 1(1) of LED 2016/680. Furthermore, it was stated that the participation of a public authority in civil proceedings as a defendant in an action for damages against the State does not seek to safeguard national security or of an activity which can be classified in the same category, in the light of Article 2(2)(a) GDPR.

The public prosecutor’s office must be considered to be a ‘controller’, within the meaning not only of Article 4(7) GDPR, but also of Article 3(8) of LED 2016/680. The CJEU held that the GDPR is applicable to the processing of personal data by the public prosecutor’s office for the purpose of exercising its rights of defence in an action for damages against the State, where, first, it informs the competent court of the opening of files relating to a natural person who is a party to that action for the purposes set out in Article 1(1) of LED 2016/680 and, second, it transmits those files to that court.

With regard to the lawfulness of the processing, the CJEU considered first that it must be determined whther the processing, by the public prosecutor’s officef or the purpose of defending the State or a public body in an action for damages for harm caused by misconduct on the part of the State or a public body, is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in it, within the meaning of Article 6(1)(e) GDPR. Moreover, it cannot be ruled out that, where, for the purpose of defending the State in an action for damages, the public prosecutor’s office of transmits the personal data to the court at that court’s request, that transmission is also liable to come within the scope of Article 6(1)(c) GDPR where that public prosecutor’s office is required to comply with such a request pursuant to national law.

It is for the referring court to verify whether, in accordance with Article 6(3) GDPR, the national law lays down, 1) the basis for such processing and, 2) the purposes of that processing or, as regards Article 6(1)(e) GDPR, whether that processing is necessary for the public prosecutor’s office’s performance of its task carried out in the public interest. Furthermore the CJEU emphazised that the processing of personal data must also copmly with all the applicable requirements provided for by the GDPR.

This decision represents an important milestone case for data protection in the context of law enforcement.

Comment