CJEU - C-180/21 - Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation): Difference between revisions

From GDPRhub

Revision as of 13:22, 17 October 2024

CJEU - C-180/21 Inspektor v Inspektorata kam Visshia sadeben savet
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 6(1)(f) GDPR
Article 1 Directive 2016/680
Decided:
Parties: VS
Inspektor v Inspektorata kam Visshia sadeben savet
Case Number/Name: C-180/21 Inspektor v Inspektorata kam Visshia sadeben savet
European Case Law Identifier:
Reference from: Administrative Court - Blagoevgrad
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a

The CJEU held that the provisions of the GDPR apply to the processing of personal data by the public prosecutor's office for the purpose of exercising its rights of defendence in civil proceedings.

English Summary

Facts

In 2013, the District Public Prosecutor’s Office in Petrich (Bulgaria) opened pre-trial proceedings (No 252/2013) against an unknown person for the commission of a crime. The applicant in the case in question (VS) took part in those proceedings as a victim.

In 2016, the District Public Prosecutor’s Office in Petrich, compiled a number of criminal files containing information relating to VS, [after receiving a number of complaints concerning, inter alia, VS]. However, the Public Prosecutor's Office did not open any pre-trial proceedings in the absence of evidence.

In 2018, the public prosecutor made formal accusations in respect of all the persons who took part in the incident at issue in the pre-trial proceedings (No 252/2013), including VS.

VS brought an action before the Regional Court in Blagoevgrad (Bulgaria) against the Public Prosecutor’s Office of the Republic of Bulgaria seeking damages for the harm allegedly resulting from the excessive duration of the pre-trial proceedings (No 252/2013). At the hearing, the Public Prosecutor's Office requested that the files opened in 2016, concerning VS, be produced for the purposes of defending the public prosecutor's office against claims made by VS. The Regional Court ordered that public prosecutor's office to produce certified copies of the documents in the files in question.

In March 2020, VS lodged a complaint with the Supreme Judicial Council, Bulgaria (‘the IVSS’), claiming that the District Public Prosecutor’s Office in Petrich, had infringed the data protection legislation. VS claimed, firstly, that that public prosecutor’s office had unlawfully used his personal data collected when he was considered to be a victim of a crime, in order to prosecute him in the same proceedings. Secondly, VS alleged that the public prosecutor’s office acted unlawfully as regards the processing of personal data that were collected in the files, in 2016, in the context of his action for damages against the Public Prosecutor’s Office of the Republic of Bulgaria. The IVSS rejected that complaint.

In July 2020, VS brought an action before the Administrative Court in Blagoevgrad (Bulgaria) against that decision, claiming, first, that the processing of his personal data in the course of pre-trial proceedings (No 252/2013) is contrary to, inter alia, the principles of the Law Enforcement Directive 2016/680 ("LED 2016/680"), and second, that the processing of the data collected in the files, in 2016, after the Public Prosecutor’s Office had refused to initiate pre-trial proceedings, infringes the principles of the GDPR.

The Administrative Court decided to stay the proceedings and to refer to the CJEU for a preliminary ruling.

Holding

Within this particular case, the CJEU addressed whether the provisions of the GDPR apply to the processing of personal data by the public prosecutor's office for the purpose of exercising its rights of defendence in civil proceedings.

Firstly, the CJEU considered the conditions for the definition of 'personal data' under 4(1) GDPR and 'processing' under Article 4(2) GDPR were met in this case, where a defendant, in civil proceedings, informs the competent court, even succinctly, of the opening of files concerning a natural person, in particular for the purposes of the ‘detection’ or ‘investigation’ of a criminal offence.

With regard to the exception provided for in Article 2(2)(d) GDPR, which concerns the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, the CJEU held that the exception should be interpreted strictly. In this regard, it was also held that, the reason for that exception is that the processing of personal data by the competent authorities for the purposes set out in Article 2(2)(d) GDPR is governed by LED 2016/680.

As in the present case, the CJEU found that even where the bringing action for damages against the State from alleged misconduct by the public prosecutor’s office in the course of criminal proceedings, the aim of the State’s defence in such an action is not to perform, as such, tasks for the purposes set out in Article 1(1) of LED 2016/680. Furthermore, it was stated that the participation of a public authority in civil proceedings as a defendant in an action for damages against the State does not seek to safeguard national security or of an activity which can be classified in the same category, in the light of Article 2(2)(a) GDPR.

The public prosecutor’s office must be considered to be a ‘controller’, within the meaning not only of Article 4(7) GDPR, but also of Article 3(8) of LED 2016/680. The CJEU held that the GDPR is applicable to the processing of personal data by the public prosecutor’s office for the purpose of exercising its rights of defence in an action for damages against the State, where, first, it informs the competent court of the opening of files relating to a natural person who is a party to that action for the purposes set out in Article 1(1) of LED 2016/680 and, second, it transmits those files to that court.

With regard to the lawfulness of the processing, the CJEU considered first that it must be determined whther the processing, by the public prosecutor’s officef or the purpose of defending the State or a public body in an action for damages for harm caused by misconduct on the part of the State or a public body, is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in it, within the meaning of Article 6(1)(e) GDPR. Moreover, it cannot be ruled out that, where, for the purpose of defending the State in an action for damages, the public prosecutor’s office of transmits the personal data to the court at that court’s request, that transmission is also liable to come within the scope of Article 6(1)(c) GDPR where that public prosecutor’s office is required to comply with such a request pursuant to national law.

It is for the referring court to verify whether, in accordance with Article 6(3) GDPR, the national law lays down, 1) the basis for such processing and, 2) the purposes of that processing or, as regards Article 6(1)(e) GDPR, whether that processing is necessary for the public prosecutor’s office’s performance of its task carried out in the public interest. Furthermore the CJEU emphazised that the processing of personal data must also copmly with all the applicable requirements provided for by the GDPR.

This decision represents an important milestone case for data protection in the context of law enforcement.

Comment