CJEU - C-180/21 - Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation): Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 56: Line 56:


=== Holding ===
=== Holding ===
Article 4(2) of LED 2016/680 authorises further processing of personal data for another purpose than that for which those data wereinitially collected, where that purpose is one of the ones set out in Article 1(1) of LED 2016/680 and that processing satisfies the two conditions laid down in Article 4(2)(a-b) of LED 2016/680: 1) the controller must be authorised to process such personal data for such a purpose in accordance with EU or Member State law; 2) processing must be necessary and proportionate to that other purpose.  
The Court addresses whther the GDPR applies to the processing of personal data by the public prosecutor's office for the purpose of exercising its rights of defendence in civil proceedings.  


After assessing the wording of Articles 1(1) and 4(2) of LED 2016/680, the CJEU found that it can be inferred from Article 1(1), read in conjunction with Article 4(2), that where personal data have been collected for the purposes of the 'detection' and 'investigation' of a crime and have subsequently been processed for the purposes of 'prosection' that collection and that processing serve different purposes.  
Firstly, the CJEU considered the conditions for the definition of '<nowiki/>''personal data''<nowiki/>' under 4(1) GDPR and '''processing''<nowiki/>' under Article 4(2) GDPR were met in this case, where a defendant, in civil proceedings, informs the competent court, even succinctly, of the opening of files concerning a natural person, in particular for the purposes of the ‘detection’ or ‘investigation’ of a criminal offence.  


Consequently, the CJEU held, that when a person had initially been considered to be a victim of a criminal offence, within the meaning of Article 6(c) of LED 2016/680, the controller should take into account that that processing reflects a change in that person’s category within the meaning of Article 6(a) of LED 2016/680, and make a clear distinction between data of different categories of persons.
With regard to the exception provided for in Article 2(2)(d) GDPR, which concerns the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, the CJEU held that the exception should be interpreted strictly. In this regard, it was also held that, the reason for that exception is that the processing of personal data by the competent authorities for the purposes set out in Article 2(2)(d) GDPR is governed by LED 2016/680.


Article 1(1) of LED 2016/680, read in conjunction with Article 4(2) and Article 6 thereof, means that (i) the processing of personal data serves a purpose other than that for which those data were collected, where such data were collected for detecting and investigating a crime, but that processing is carried out for the purpose of prosecuting a person following the conclusion of the criminal investigation at issue, irrespective of the fact that that person was considered to be a victim at the time of that collection, and that (ii) such processing is permitted pursuant to Article 4(2) of that directive, provided that it meets the conditions laid down in that provision.
As in the present case, the CJEU found that even where the bringing action for damages against the State from alleged misconduct by the public prosecutor’s office in the course of criminal proceedings, the aim of the State’s defence in such an action is not to perform, as such, tasks for the purposes set out in Article 1(1) of LED 2016/680. Furthermore, it was stated that the participation of a public authority in civil proceedings as a defendant in an action for damages against the State does not seek to safeguard national security or of an activity which can be classified in the same category, in the light of Article 2(2)(a) GDPR.  


'''Firstly, the Court concluded that Article 1(1) of LED 2016/680, read in conjunction with Article 4(2) and Article 6 thereof, means that (i) where''' personal data was initially collected for detecting and investigating a crime, but subsequent processing is carried out for prosecuting a person following the conclusion of the criminal investigation at issue, the processing serves a different purpose than that for which those data were initially collected, irrespective of the fact that that person was considered to be a victim at the time of the collection, and that (ii) Article 4(2) of LED 2016/680 permits such processing, provided that it meets the two (2) conditions laid down in that provision.
The public prosecutor’s office must be considered to be a ‘''controller''’, within the meaning not only of Article 4(7) GDPR, but also of Article 3(8) of LED 2016/680. The CJEU held that the GDPR is applicable to the processing of personal data by the public prosecutor’s office for the purpose of exercising its rights of defence in an action for damages against the State, where, first, it informs the competent court of the opening of files relating to a natural person who is a party to that action for the purposes set out in Article 1(1) of LED 2016/680 and, second, it transmits those files to that court.


The two conditions laid down in Article 4(2) of LED 2016/680 are that 1) the controller must be authorised to process such personal data for such a purpose in accordance with EU or Member State law; 2) processing must be necessary and proportionate to that other purpose.
With regard to the lawfulness of the processing, the CJEU considered first that it must be determined whther the processing, by the public prosecutor’s officef or the purpose of defending the State or a public body in an action for damages for harm caused by misconduct on the part of the State or a public body, is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in it, within the meaning of Article 6(1)(e) GDPR. Moreover, it cannot be ruled out that, where, for the purpose of defending the State in an action for damages, the public prosecutor’s office of transmits the personal data to the court at that court’s request, that transmission is also liable to come within the scope of Article 6(1)(c) GDPR where that public prosecutor’s office is required to comply with such a request pursuant to national law.


Secondly, the Court addresses whther the GDPR applies to the processing of personal data by the public prosecutor's office for the purpose of exercising its rights of defendence in civil proceedings.
It is for the referring court to verify whether, in accordance with Article 6(3) GDPR, the national law lays down, 1) the basis for such processing and, 2) the purposes of that processing or, as regards Article 6(1)(e) GDPR, whether that processing is necessary for the public prosecutor’s office’s performance of its task carried out in the public interest. Furthermore the CJEU emphazised that the processing of personal data must also copmly with all the applicable requirements provided for by the GDPR.
 
''By its second question, the referring court asks, in essence, first, whether Article 3(8) and Article 9(1) and (2) of Directive 2016/680 and Article 2(1) and (2) of the GDPR must be interpreted as meaning that that '''<u>regulation is applicable to the processing of personal data by the public prosecutor’s office of a Member State for the purpose of exercising its rights of defence in an action for damages against the State,</u>''' where it informs the court having jurisdiction of the existence of files concerning a natural person who is a party to that action, opened for the purposes set out in Article 1(1) of that directive, and transmits those files to that court and, second, if that question were to be answered in the affirmative, whether point (f) of the first subparagraph of Article 6(1) of that regulation must be interpreted as meaning that such processing of personal data may be regarded as lawful for the purposes of the legitimate interests pursued by the controller, within the meaning of that provision.''
 
The CJEU considered the conditions for the definition of personal data under 4(2) GDPR to have been met.
 
When a defendant, in civil proceedings, informs the competent court, even succinctly, of the opening of files concerning a natural person, in particular for the purposes of the ‘detection’ or ‘investigation’ of a criminal offence, means that that defendant ‘''consulted''’, ‘''used''’ and ‘''transmitted''’ or ‘''disclosed''’ ‘''personal data''’ for the purposes of Article 4(1) and (2) GDPR. Thus, that information is linked to a particular person, who is identifiable. Moreover, when a defendant, at the request of the competent court, produces files relating to procedures concerning anatural person involves, at the very least, the ‘''use''’ and ‘''disclosure by transmission''’ of ‘''personal data''’ within the meaning of Article 4(1) and (2) GDPR.
 
With regard to the exception provided for in Article 2(2)(d) GDPR, which concerns the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, the CJEU held that the exception should be interpreted strictly.  In this regard, the Court also held that, the reason for that exception is that the processing of personal data by the competent authorities for the purposes set out in Article 2(2)(d)  GDPR is governed by LED 2016/680.
 
In that regard, Article 9(1) of Directive 2016/680 provides, first, that such processing of personal data cannot, in principle, be carried out, unless it is authorised by EU or Member State law and, second, that the GDPR is to apply to that processing, unless the processing is carried out in an activity which falls outside the scope of EU law. Furthermore, under Article 9(2) of that directive, unless the processing is carried out in such an activity, the GDPR is to apply to the processing by the competent authorities in the performance of their tasks other than those performed for the purposes set out in Article 1(1) of that directive.
 
 
 
[to be updated]


''This decision represents an important milestone case for data protection in the context of law enforcement.''
''This decision represents an important milestone case for data protection in the context of law enforcement.''


== Further Resources ==
== Comment ==
''Share blogs or news articles here!''

Revision as of 12:26, 23 June 2023

CJEU - C-180/21 Inspektor v Inspektorata kam Visshia sadeben savet
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 6(1)(f) GDPR
Article 1 Directive 2016/680
Decided:
Parties: VS
Inspektor v Inspektorata kam Visshia sadeben savet
Case Number/Name: C-180/21 Inspektor v Inspektorata kam Visshia sadeben savet
European Case Law Identifier:
Reference from: Administrative Court - Blagoevgrad
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a


See Holding for questions referred.

English Summary

[to be updated]

Facts

In 2013, the District Public Prosecutor’s Office in Petrich (Bulgaria) opened pre-trial proceedings (No 252/2013) against an unknown person for the commission of a crime. The applicant in the case in question (VS) took part in those proceedings as a victim.

In 2016, the District Public Prosecutor’s Office in Petrich, compiled a number of criminal files containing information relating to VS, [after receiving a number of complaints concerning, inter alia, VS]. However, the Public Prosecutor's Office did not open any pre-trial proceedings in the absence of evidence.

In 2018, the public prosecutor made formal accusations in respect of all the persons who took part in the incident at issue in the pre-trial proceedings (No 252/2013), including VS.

VS brought an action before the Regional Court in Blagoevgrad (Bulgaria) against the Public Prosecutor’s Office of the Republic of Bulgaria seeking damages for the harm allegedly resulting from the excessive duration of the pre-trial proceedings (No 252/2013). At the hearing, the Public Prosecutor's Office requested that the files opened in 2016, concerning VS, be produced for the purposes of defending the public prosecutor's office against claims made by VS. The Regional Court ordered that public prosecutor's office to produce certified copies of the documents in the files in question.

In March 2020, VS lodged a complaint with the Supreme Judicial Council, Bulgaria (‘the IVSS’), claiming that the District Public Prosecutor’s Office in Petrich, had infringed the data protection legislation. VS claimed, firstly, that that public prosecutor’s office had unlawfully used his personal data collected when he was considered to be a victim of a crime, in order to prosecute him in the same proceedings. Secondly, VS alleged that the public prosecutor’s office acted unlawfully as regards the processing of personal data that were collected in the files, in 2016, in the context of his action for damages against the Public Prosecutor’s Office of the Republic of Bulgaria. The IVSS rejected that complaint.

In July 2020, VS brought an action before the Administrative Court in Blagoevgrad (Bulgaria) against that decision, claiming, first, that the processing of his personal data in the course of pre-trial proceedings (No 252/2013) is contrary to, inter alia, the principles of the Law Enforcement Directive 2016/680 ("LED 2016/680"), and second, that the processing of the data collected in the files, in 2016, after the Public Prosecutor’s Office had refused to initiate pre-trial proceedings, infringes the principles of the GDPR.

The Administrative Court decided to stay the proceedings and to refer to the CJEU for a preliminary ruling.

Holding

The Court addresses whther the GDPR applies to the processing of personal data by the public prosecutor's office for the purpose of exercising its rights of defendence in civil proceedings.

Firstly, the CJEU considered the conditions for the definition of 'personal data' under 4(1) GDPR and 'processing' under Article 4(2) GDPR were met in this case, where a defendant, in civil proceedings, informs the competent court, even succinctly, of the opening of files concerning a natural person, in particular for the purposes of the ‘detection’ or ‘investigation’ of a criminal offence.

With regard to the exception provided for in Article 2(2)(d) GDPR, which concerns the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, the CJEU held that the exception should be interpreted strictly. In this regard, it was also held that, the reason for that exception is that the processing of personal data by the competent authorities for the purposes set out in Article 2(2)(d) GDPR is governed by LED 2016/680.

As in the present case, the CJEU found that even where the bringing action for damages against the State from alleged misconduct by the public prosecutor’s office in the course of criminal proceedings, the aim of the State’s defence in such an action is not to perform, as such, tasks for the purposes set out in Article 1(1) of LED 2016/680. Furthermore, it was stated that the participation of a public authority in civil proceedings as a defendant in an action for damages against the State does not seek to safeguard national security or of an activity which can be classified in the same category, in the light of Article 2(2)(a) GDPR.

The public prosecutor’s office must be considered to be a ‘controller’, within the meaning not only of Article 4(7) GDPR, but also of Article 3(8) of LED 2016/680. The CJEU held that the GDPR is applicable to the processing of personal data by the public prosecutor’s office for the purpose of exercising its rights of defence in an action for damages against the State, where, first, it informs the competent court of the opening of files relating to a natural person who is a party to that action for the purposes set out in Article 1(1) of LED 2016/680 and, second, it transmits those files to that court.

With regard to the lawfulness of the processing, the CJEU considered first that it must be determined whther the processing, by the public prosecutor’s officef or the purpose of defending the State or a public body in an action for damages for harm caused by misconduct on the part of the State or a public body, is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in it, within the meaning of Article 6(1)(e) GDPR. Moreover, it cannot be ruled out that, where, for the purpose of defending the State in an action for damages, the public prosecutor’s office of transmits the personal data to the court at that court’s request, that transmission is also liable to come within the scope of Article 6(1)(c) GDPR where that public prosecutor’s office is required to comply with such a request pursuant to national law.

It is for the referring court to verify whether, in accordance with Article 6(3) GDPR, the national law lays down, 1) the basis for such processing and, 2) the purposes of that processing or, as regards Article 6(1)(e) GDPR, whether that processing is necessary for the public prosecutor’s office’s performance of its task carried out in the public interest. Furthermore the CJEU emphazised that the processing of personal data must also copmly with all the applicable requirements provided for by the GDPR.

This decision represents an important milestone case for data protection in the context of law enforcement.

Comment