CJEU - C‑26/22 and C‑64/22 - SCHUFA Holding and Others (Discharge from remaining debts) (Joined Cases): Difference between revisions

From GDPRhub
No edit summary
Line 61: Line 61:
}}
}}


Lorem ipsum
The CJEU held (i) that Article 78(1) GDPR allows for full judicial review of DPA decisions and (ii) that credit information agencies are not allowed to process certain data in connection with insolvency proceedings beyond their availability in public databases.


==English Summary==
==English Summary==
Line 99: Line 99:


=== Advocate General Opinion ===
=== Advocate General Opinion ===
AG ''Pikamäe'' suggested to interpret [[Article 78(1) GDPR]] as meaning that under that provision a legally binding decision of a supervisory authority is subject to a full substantive judicial review. The AG emphasized that a complaint procedure under [[Article 77 GDPR]] cannot be viewed in the same way as a petition.
Regarding question 1, AG ''Pikamäe'' suggested to interpret [[Article 78(1) GDPR]] as meaning that under that provision a legally binding decision of a supervisory authority is subject to a full substantive judicial review. The AG emphasized that a complaint procedure under [[Article 77 GDPR]] cannot be viewed in the same way as a petition.


As for the questions 2 to 5, the AG suggested:
As for the questions 2 to 5, the AG suggested


(i) to interpret [[Article 6 GDPR|Article 6(1)(f) GDPR]] meaning that it precludes the storage by a private credit information agency of personal data from a public register on insolvency proceedings for a period beyond that for which the data are stored in the public register.
(i) to interpret [[Article 6 GDPR|Article 6(1)(f) GDPR]] meaning that it precludes the storage by a private credit information agency of personal data from a public register on insolvency proceedings for a period beyond that for which the data are stored in the public register.
Line 110: Line 110:


=== Holding ===
=== Holding ===
Lorem ipsum
The CJEU followed the AG's opinion almost entirely.
 
On question 1, the CJEU held that under [[Article 78 GDPR|Article 78(1) GDPR]] a court reviewing a DPA decision in a complaint procedure under [[Article 77 GDPR]] should exercise full jurisdiction, examine all questions of fact and law relevant to the dispute. For a judicial remedy to be effective, a <u>DPA decision must be subject to full judicial review.</u>
 
As the CJEU clarified, a compliant procedure under [[Article 77 GDPR]] is not similar to that of a petition but designed a mechanism capable of effectively safeguarding the rights and interests of data subjects. Hence, a DPA must deal with a complaint with all due diligence and is required to react appropriately in order to remedy GDPR violations.
 
The CJEU emphasized that the interpretation of the HBDI that a court could only assess a) whether the DPA has investigated a complaint to the extent appropriate and b) whether a complainant has been informed of outcome of the investigation would compromise the objectives of GDPR. The CJEU added that a DPA assessing a complaint has a margin of discretion as to the choice of appropriate and necessary means.
 
On questions 2 to 5, the CJEU first referred to its reasoning in [[CJEU - C-252/21 - Meta Platforms and Others v Bundeskartellamt|''Meta Platforms and Others (General terms of use of a social network)'', C‑252/21]] on the concept of legitimate interest under Article 6(1)(f) GDPR, emphasizing that said provision lays down three cumulative conditions for the processing of personal data to be lawful (first, the pursuit of a legitimate interest by the data controller or by a third party; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, that the interests or freedoms and fundamental rights of the person concerned by the data protection do not take precedence). The CJEU then held that it is for the referring VG Wiesbaden to ascertain whether the storage of the data at issue by SCHUFA in its own databases meets these requirements f<u>or the period during which the data are made available to the public.</u>
 
Regarding the <u>storing of decisions on debt discharges beyond their public availability</u>, the CJEU held that this processing constitutes a serious interference with the fundamental rights of the data subject, enshrined in Articles 7 and 8 of the Charter. The longer the data are stored with the credit information agency, the greater the requirements relating to the lawfulness of the storage of that information. The CJEU reasoned that the discharge from remaining debts in an insolvency proceeding is intended to allow the person who benefits from it to re-enter economic life. Hence, credit information agencies retaining data on such discharges beyond their public availability and considering it a negative factor when assessing  the persons creditworthiness jeopardize this intention.
 
TBC


== Comment ==
== Comment ==

Revision as of 11:06, 12 December 2023

CJEU - Joined Cases C‑26/22 and C‑64/22 SCHUFA
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 6(1) GDPR
Article 17(1)(d) GDPR
Article 40 GDPR
Article 77(1) GDPR
Article 78(1) GDPR
Article 7 Charter of Fundamental Rights of the European Union
Article 8 Charter of Fundamental Rights of the European Union
§ 3 Verordnung zu öffentlichen Bekanntmachungen in Insolvenzverfahren im Internet (InsBekV)
§ 9(1) Insolvenzordnung
Decided: 07.12.2023
Parties: UF (data subject and claimant before national court)
AB (data subject and claimant before national court)
Land Hessen (respondent before national court)
Case Number/Name: Joined Cases C‑26/22 and C‑64/22 SCHUFA
European Case Law Identifier: ECLI:EU:C:2023:958
Reference from: VG Wiesbaden
6 K 441/21.WI
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: n/a


The CJEU held (i) that Article 78(1) GDPR allows for full judicial review of DPA decisions and (ii) that credit information agencies are not allowed to process certain data in connection with insolvency proceedings beyond their availability in public databases.

English Summary

Facts

The data subjects UF and AB underwent insolvency proceeding in Germany and were granted an early discharge from remaining debts by court decisions of 17 December 2020 and 23 March 2021 respectively. In accordance with § 9(1) Insolvenzordnung (Insolvency Code) and § 3(1)(2) InsBekV (Regulation on public notifications in insolvency proceedings on the internet), the official publication of these decisions on debt discharges was erased after 6 months.

SCHUFA Holding AG (SCHUFA), a German credit information agency had recorded these decisions on debt discharges in their own data bases and intended to store it for three years after registration, in accordance with a code of conduct under Article 40 GDPR approved by the competent DPA.

UF and AB requested SCHUFA to erase the (no longer public) decisions on the debt discharges. SCHUFA refused, UF and AB lodged complaints with the Hessian DPA (HBDI) under Article 77 GDPR. The HBDI dismissed the complaints, finding SCHUFA's processing lawful.

UF and AB each brought an action under Article 78 GDPR against the HBDI's decisions before the Verwaltungsgericht Wiesbaden (VG Wiesbaden), arguing that the HBDI was obliged to take measures in respect of SCHUFA to enforce deletion of the entries concerning them.

The HBDI requested the dismissal of the actions, arguing that Article 77(1) GDPR constitutes a mere "right of petition". Hence the VG Wiesbaden could only review whether the HBDI handled the complaints and informed the complainants of their progress and outcome but not review the substantive correctness of the decisions.

On UF's and AB's requests for erasure, the HBDI argued that SCHUFA could store the decisions on debt discharges for as long as is necessary for the purpose of processing (i.e. assessing the creditworthiness of UF and AB) and that the storage period of three years after entry in the file according to the codes of conduct should apply.

The VG Wiesbaden doubted the HBDI’s line of argument and referred the following questions to the CJEU under Article 267 TFEU:

(1) Is Article 77(1) of [the GDPR], read in conjunction with Article 78(1) thereof, to be understood as meaning that the outcome that the supervisory authority reaches and notifies to the data subject:

– has the character of a decision on a petition? This would mean that judicial review of a decision on a complaint taken by a supervisory authority in accordance with Article 78(1) of that regulation is, in principle, limited to the question of whether the authority has handled the complaint, investigated the subject matter of the complaint to the extent appropriate and informed the complainant of the outcome of the investigation,

or

– is to be understood as a decision on the merits taken by a public authority? This would mean that a decision on a complaint taken by a supervisory authority would be subject to a full substantive review by the court in accordance with Article 78(1) of that regulation, whereby, in individual cases – for example where discretion is reduced to zero – the supervisory authority may also be obliged by the court to take a specific measure within the meaning of Article 58 of that same regulation?

(2) Is the storage of data at a private credit information agency, where personal data from a public register, such as the “national databases” within the meaning of Article 79(4) and (5) of Regulation [2015/848] are stored without a specific reason in order to be able to provide information in the event of a request, compatible with Articles 7 and 8 of the [Charter]?

(3) (a) Are private databases (in particular databases of a credit information agency) which exist in parallel with, and are set up in addition to, the State databases and in which the data from the latter (in casu, insolvency announcements) are stored for longer than the period provided for within the narrow framework of Regulation 2015/848, read in conjunction with the national law, permissible in principle?

(b) If Question 3a is answered in the affirmative, does it follow from the “right to be forgotten” under Article 17(1)(d) of [the GDPR] that such data must be deleted where the processing period provided for in respect of the public register has expired?

(4) In so far as point (f) of [the first subparagraph of] Article 6(1) of [the GDPR] enters into consideration as the sole legal basis for the storage of data at private credit information agencies with regard to data also stored in public registers, is a credit information agency already to be regarded as pursuing a legitimate interest in the case where it imports data from the public register without a specific reason so that those data are then available in the event of a request?

(5) Is it permissible for codes of conduct which have been approved by the supervisory authorities in accordance with Article 40 of [the GDPR], and which provide for time limits for review and erasure that exceed the retention periods for public registers, to suspend the balancing of interests prescribed under point (f) of [the first subparagraph of] Article 6(1) of that regulation?

Advocate General Opinion

Regarding question 1, AG Pikamäe suggested to interpret Article 78(1) GDPR as meaning that under that provision a legally binding decision of a supervisory authority is subject to a full substantive judicial review. The AG emphasized that a complaint procedure under Article 77 GDPR cannot be viewed in the same way as a petition.

As for the questions 2 to 5, the AG suggested

(i) to interpret Article 6(1)(f) GDPR meaning that it precludes the storage by a private credit information agency of personal data from a public register on insolvency proceedings for a period beyond that for which the data are stored in the public register.

(ii) to interpret Article 17(1)(d) GDPR as meaning that the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where those data have been unlawfully processed in accordance with Article 6(1) GDPR

(iii) to interpret Article 17(1)(c) GDPR as meaning that the data subject has, in principle, the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where he or she objects to the processing pursuant to Article 21(1) GDPR. It is for the referring court to examine if, exceptionally, there are overriding legitimate grounds for the processing.

Holding

The CJEU followed the AG's opinion almost entirely.

On question 1, the CJEU held that under Article 78(1) GDPR a court reviewing a DPA decision in a complaint procedure under Article 77 GDPR should exercise full jurisdiction, examine all questions of fact and law relevant to the dispute. For a judicial remedy to be effective, a DPA decision must be subject to full judicial review.

As the CJEU clarified, a compliant procedure under Article 77 GDPR is not similar to that of a petition but designed a mechanism capable of effectively safeguarding the rights and interests of data subjects. Hence, a DPA must deal with a complaint with all due diligence and is required to react appropriately in order to remedy GDPR violations.

The CJEU emphasized that the interpretation of the HBDI that a court could only assess a) whether the DPA has investigated a complaint to the extent appropriate and b) whether a complainant has been informed of outcome of the investigation would compromise the objectives of GDPR. The CJEU added that a DPA assessing a complaint has a margin of discretion as to the choice of appropriate and necessary means.

On questions 2 to 5, the CJEU first referred to its reasoning in Meta Platforms and Others (General terms of use of a social network), C‑252/21 on the concept of legitimate interest under Article 6(1)(f) GDPR, emphasizing that said provision lays down three cumulative conditions for the processing of personal data to be lawful (first, the pursuit of a legitimate interest by the data controller or by a third party; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, that the interests or freedoms and fundamental rights of the person concerned by the data protection do not take precedence). The CJEU then held that it is for the referring VG Wiesbaden to ascertain whether the storage of the data at issue by SCHUFA in its own databases meets these requirements for the period during which the data are made available to the public.

Regarding the storing of decisions on debt discharges beyond their public availability, the CJEU held that this processing constitutes a serious interference with the fundamental rights of the data subject, enshrined in Articles 7 and 8 of the Charter. The longer the data are stored with the credit information agency, the greater the requirements relating to the lawfulness of the storage of that information. The CJEU reasoned that the discharge from remaining debts in an insolvency proceeding is intended to allow the person who benefits from it to re-enter economic life. Hence, credit information agencies retaining data on such discharges beyond their public availability and considering it a negative factor when assessing the persons creditworthiness jeopardize this intention.

TBC

Comment

Lorem ipsum

Further Resources

Share blogs or news articles here!