CJEU - C-169/23 - Másdi: Difference between revisions
mNo edit summary |
|||
Line 49: | Line 49: | ||
}} | }} | ||
Article 14(5)(c) GDPR includes data | The exception to the controller’s information obligation under [[Article 14 GDPR|Article 14(5)(c) GDPR]] includes data generated by the controller. If this exception is invoked, DPAs can verify whether the national law provides appropriate measures to protect the data subject's legitimate interests. | ||
==English Summary== | ==English Summary== | ||
Line 62: | Line 62: | ||
The data subject challenged the decision in court. The first instance court considered that the exception laid down in [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]] was not applicable because certain personal data produced in relation to the immunity certificates were not collected from another body by the controller, but were generated by that controller itself in the performance of its tasks. In that court’s view, only personal data obtained from another body could be covered by the exception laid down in [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]]. | The data subject challenged the decision in court. The first instance court considered that the exception laid down in [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]] was not applicable because certain personal data produced in relation to the immunity certificates were not collected from another body by the controller, but were generated by that controller itself in the performance of its tasks. In that court’s view, only personal data obtained from another body could be covered by the exception laid down in [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]]. | ||
This decision was appealed by the DPA. The court of appeals then stayed the proceedings and forwarded three questions to the CJEU for a preliminary ruling | This decision was appealed by the DPA. The court of appeals then stayed the proceedings and forwarded three questions to the CJEU for a preliminary ruling: | ||
# Does the exception laid down in Article 14(5)(c) also apply to data generated by the controller in the context of its own processes or only to data which the controller has specifically obtained from another person? | |||
# If so, must the right to lodge a complaint with a supervisory authority in Article 77(1) GDPR, be interpreted as meaning that a data subject is entitled, when lodging a complaint, to request an examination of whether Member State law provides appropriate measures to protect the data subject’s legitimate interests, in accordance with Article 14(5)(c) of the GDPR? | |||
# If so, does Article 14(5)(c) GDPR mean that the “appropriate measures” referred to in that provision require the national legislature to transpose (by means of legislation) the measures relating to the security of data laid down in Article 32 of the GDPR? | |||
=== Advocate General Opinion === | === Advocate General Opinion === | ||
Advocate General Medina concluded on the first question that the exception in [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]] applies to all data which the controller has not obtained from the data subject. It is not relevant, in that regard, whether the data are expressly obtained from another entity or if the data are generated by the controller in its own procedure. | Advocate General Medina concluded on the first question that the exception in [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]] applies to all data which the controller has not obtained from the data subject. It is not relevant, in that regard, whether the data are expressly obtained from another entity or if the data are generated by the controller in its own procedure. | ||
On the second question she concluded that the national supervisory authority has the power to examine all conditions in [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]], including whether the law, to which the controller is subject and lays down the processing, provides appropriate measures to protect the data subject’s legitimate interests. | On the second question she concluded that the national supervisory authority has the power to examine all conditions in [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]], including whether the law, to which the controller is subject and lays down the processing, provides appropriate measures to protect the data subject’s legitimate interests. | ||
=== Holding === | === Holding === | ||
First question: | '''First question:''' | ||
The CJEU first noted that the wording of [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]] differed between languages, referring to “information” in some languages, while referring to “data” in others, and some languages not referring to the subject matter of the obtaining or disclosure. Therefore, the provision must be interpreted in the light of the whole GDPR. Thus, the CJEU held that the provision refers to personal data as they are the key aspect of the regulatory framework. | The CJEU first noted that the wording of [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]] is differed between languages, referring to “information” in some languages, while referring to “data” in others, and some languages not referring to the subject matter of the obtaining or disclosure. Therefore, the provision must be interpreted in the light of the whole GDPR. Thus, the CJEU held that the provision refers to personal data as they are the key aspect of the regulatory framework. | ||
The ratio legis of the exception laid down in [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]] was that information do not have to be provided to the data subject under this very provision if Member State law provided a sufficient obligation to provide the data subject with information itself. | The ratio legis of the exception laid down in [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]] was that information do not have to be provided to the data subject under this very provision if Member State law provided a sufficient obligation to provide the data subject with information itself. | ||
The CJEU also | The CJEU also held that in order to be fully consistent with the objective pursued by the GDPR, the application of [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]] was subject to strict compliance with the requirements provided in this provision, especially a level of protection of the data subject at least equivalent to that guaranteed by Article 14(1) to (4) GDPR. | ||
The CJEU also | The CJEU also found that the wording of the provision did not limit the application to data obtained from a person other than the data subject themselves. Also, the scope of [[Article 14 GDPR]] was defined by a negative reference to [[Article 13 GDPR]]. By comparing the headings of both provisions one could see that [[Article 14 GDPR]] was about data not collected from the data subject which included data generated by the controller themselves. Therefore, Article [[Article 14 GDPR|14(5)(c) GDPR]] must be interpreted as meaning that this exception to the controller’s obligation to provide information to the data subject, covers all personal data that have not been collected by the controller directly from the data subject, whether those data have been obtained by the controller from a person other than the data subject or whether they have been generated by the controller itself. | ||
Second and third question: | '''Second and third question:''' | ||
The CJEU held that in order to ensure and enforce the GDPR’s application the DPAs had the right to examine if the requirements of [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]] are met, especially if the respective Member State law provides for appropriate measures to protect the data subject’s legitimate interests. | The CJEU held that in order to ensure and enforce the GDPR’s application the DPAs had the right to examine if the requirements of [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]] are met, especially if the respective Member State law provides for appropriate measures to protect the data subject’s legitimate interests. | ||
Line 85: | Line 90: | ||
Therefore, a complaint under [[Article 77 GDPR#1|Article 77(1) GDPR]] may be based on an infringement of the controller’s obligation to provide information, alleging non-compliance with the conditions for the application of the exception laid down in [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]]. | Therefore, a complaint under [[Article 77 GDPR#1|Article 77(1) GDPR]] may be based on an infringement of the controller’s obligation to provide information, alleging non-compliance with the conditions for the application of the exception laid down in [[Article 14 GDPR#5c|Article 14(5)(c) GDPR]]. | ||
This meant that the DPA had the competence to | This meant that the DPA had the competence to verify that the Member State law guaranteed a level of protection of the data subject with regard to the processing of his or her personal data which is at least equivalent to that provided for in [[Article 14 GDPR|Article 14(1) to (4) GDPR]]. Thus, those provisions must be such as to put the data subject in a position to enable him or her to exercise control over his or her personal data and to exercise the rights conferred on him or her by the GDPR. However, the DPA's verification do not cover the appropriateness of the measures which the controller is required to implement, under [[Article 32 GDPR]], in order to guarantee the security of processing of personal data. | ||
== Comment == | == Comment == |
Revision as of 10:10, 4 December 2024
CJEU - C-169/23 Másdi | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 6(1)(e) GDPR Article 9(2)(i) GDPR Article 14(5)(c) GDPR Government Decree No 60/2021 |
Decided: | 28.11.2024 |
Parties: | Nemzeti Adatvédelmi és Információszabadság Hatóság UC |
Case Number/Name: | C-169/23 Másdi |
European Case Law Identifier: | ECLI:EU:C:2024:988 |
Reference from: | Supreme Court (Hungary) |
Language: | 24 EU Languages |
Original Source: | AG Opinion Judgement |
Initial Contributor: | la |
The exception to the controller’s information obligation under Article 14(5)(c) GDPR includes data generated by the controller. If this exception is invoked, DPAs can verify whether the national law provides appropriate measures to protect the data subject's legitimate interests.
English Summary
Facts
The data subject had obtained an immunity certificate confirming the vaccination against COVID-19, issued by the respective authority (the controller). This certificate included data that was generated by the controller itself, especially an ID number and a QR code. In April 2021, the data subject filed a complaint with the Hungarian DPA alleging that the controller had not published any data protection statement concerning the issuing of vaccination certificates.
During the subsequent procedure the controller declared that Article 6(1)(e) GDPR and Article 9(2)(i) GDPR were the respective legal bases for the processing. Furthermore, they stated that they obtained the personal data that it processed from another body, in accordance with the provisions of Decree No 60/2021. On that basis, it asserted that, pursuant to Article 14(5)(c) of the GDPR, it was not required to provide information on the processing of those data. It nonetheless drew up the requested statement concerning the protection of personal data and published it on its website.
The Hungarian DPA dismissed the complaint and found that the processing fell under Article 14(5)(c) GDPR and the domestic law included appropriate safeguards for the legitimate interests of the data subject.
The data subject challenged the decision in court. The first instance court considered that the exception laid down in Article 14(5)(c) GDPR was not applicable because certain personal data produced in relation to the immunity certificates were not collected from another body by the controller, but were generated by that controller itself in the performance of its tasks. In that court’s view, only personal data obtained from another body could be covered by the exception laid down in Article 14(5)(c) GDPR.
This decision was appealed by the DPA. The court of appeals then stayed the proceedings and forwarded three questions to the CJEU for a preliminary ruling:
- Does the exception laid down in Article 14(5)(c) also apply to data generated by the controller in the context of its own processes or only to data which the controller has specifically obtained from another person?
- If so, must the right to lodge a complaint with a supervisory authority in Article 77(1) GDPR, be interpreted as meaning that a data subject is entitled, when lodging a complaint, to request an examination of whether Member State law provides appropriate measures to protect the data subject’s legitimate interests, in accordance with Article 14(5)(c) of the GDPR?
- If so, does Article 14(5)(c) GDPR mean that the “appropriate measures” referred to in that provision require the national legislature to transpose (by means of legislation) the measures relating to the security of data laid down in Article 32 of the GDPR?
Advocate General Opinion
Advocate General Medina concluded on the first question that the exception in Article 14(5)(c) GDPR applies to all data which the controller has not obtained from the data subject. It is not relevant, in that regard, whether the data are expressly obtained from another entity or if the data are generated by the controller in its own procedure.
On the second question she concluded that the national supervisory authority has the power to examine all conditions in Article 14(5)(c) GDPR, including whether the law, to which the controller is subject and lays down the processing, provides appropriate measures to protect the data subject’s legitimate interests.
Holding
First question:
The CJEU first noted that the wording of Article 14(5)(c) GDPR is differed between languages, referring to “information” in some languages, while referring to “data” in others, and some languages not referring to the subject matter of the obtaining or disclosure. Therefore, the provision must be interpreted in the light of the whole GDPR. Thus, the CJEU held that the provision refers to personal data as they are the key aspect of the regulatory framework.
The ratio legis of the exception laid down in Article 14(5)(c) GDPR was that information do not have to be provided to the data subject under this very provision if Member State law provided a sufficient obligation to provide the data subject with information itself.
The CJEU also held that in order to be fully consistent with the objective pursued by the GDPR, the application of Article 14(5)(c) GDPR was subject to strict compliance with the requirements provided in this provision, especially a level of protection of the data subject at least equivalent to that guaranteed by Article 14(1) to (4) GDPR.
The CJEU also found that the wording of the provision did not limit the application to data obtained from a person other than the data subject themselves. Also, the scope of Article 14 GDPR was defined by a negative reference to Article 13 GDPR. By comparing the headings of both provisions one could see that Article 14 GDPR was about data not collected from the data subject which included data generated by the controller themselves. Therefore, Article 14(5)(c) GDPR must be interpreted as meaning that this exception to the controller’s obligation to provide information to the data subject, covers all personal data that have not been collected by the controller directly from the data subject, whether those data have been obtained by the controller from a person other than the data subject or whether they have been generated by the controller itself.
Second and third question:
The CJEU held that in order to ensure and enforce the GDPR’s application the DPAs had the right to examine if the requirements of Article 14(5)(c) GDPR are met, especially if the respective Member State law provides for appropriate measures to protect the data subject’s legitimate interests.
Therefore, a complaint under Article 77(1) GDPR may be based on an infringement of the controller’s obligation to provide information, alleging non-compliance with the conditions for the application of the exception laid down in Article 14(5)(c) GDPR.
This meant that the DPA had the competence to verify that the Member State law guaranteed a level of protection of the data subject with regard to the processing of his or her personal data which is at least equivalent to that provided for in Article 14(1) to (4) GDPR. Thus, those provisions must be such as to put the data subject in a position to enable him or her to exercise control over his or her personal data and to exercise the rights conferred on him or her by the GDPR. However, the DPA's verification do not cover the appropriateness of the measures which the controller is required to implement, under Article 32 GDPR, in order to guarantee the security of processing of personal data.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!