CJEU - C-169/23 - Másdi: Difference between revisions

CJEU - C-169/23 Másdi
Court:	CJEU
Jurisdiction:	European Union
Relevant Law:	Article 6(1)(e) GDPR Article 9(2)(i) GDPR Article 14(5)(c) GDPR Government Decree No 60/2021
Decided:	28.11.2024
Parties:	Nemzeti Adatvédelmi és Információszabadság Hatóság UC
Case Number/Name:	C-169/23 Másdi
European Case Law Identifier:	ECLI:EU:C:2024:988
Reference from:	Supreme Court (Hungary)
Language:	24 EU Languages
Original Source:	AG Opinion Judgement
Initial Contributor:	la

Article 14(5)(c) GDPR includes data that have been generated by the controller. The DPA has the competence to review if the respective Member State law provides appropriate measures for the protection of the data subject’s legitimate interests.

English Summary

Facts

The data subject had obtained an immunity certificate confirming the vaccination against COVID-19, issued by the respective authority (the controller). This certificate included data that was generated by the controller itself, especially an ID number and a QR code. In April 2021, the data subject filed a complaint with the Hungarian DPA alleging that the controller had not published any data protection statement concerning the issuing of vaccination certificates.

During the subsequent procedure the controller declared that Article 6(1)(e) GDPR and Article 9(2)(i) GDPR were the respective legal bases for the processing. Furthermore, they stated that they obtained the personal data that it processed from another body, in accordance with the provisions of Decree No 60/2021. On that basis, it asserted that, pursuant to Article 14(5)(c) of the GDPR, it was not required to provide information on the processing of those data. It nonetheless drew up the requested statement concerning the protection of personal data and published it on its website.

The Hungarian DPA dismissed the complaint and found that the processing fell under Article 14(5)(c) GDPR and the domestic law included appropriate safeguards for the legitimate interests of the data subject.

The data subject challenged the decision in court. The first instance court considered that the exception laid down in Article 14(5)(c) GDPR was not applicable because certain personal data produced in relation to the immunity certificates were not collected from another body by the controller, but were generated by that controller itself in the performance of its tasks. In that court’s view, only personal data obtained from another body could be covered by the exception laid down in Article 14(5)(c) GDPR.

This decision was appealed by the DPA. The court of appeals then stayed the proceedings and forwarded three questions to the CJEU for a preliminary ruling.

Advocate General Opinion

Advocate General Medina concluded on the first question that the exception in Article 14(5)(c) GDPR applies to all data which the controller has not obtained from the data subject. It is not relevant, in that regard, whether the data are expressly obtained from another entity or if the data are generated by the controller in its own procedure. On the second question she concluded that the national supervisory authority has the power to examine all conditions in Article 14(5)(c) GDPR, including whether the law, to which the controller is subject and lays down the processing, provides appropriate measures to protect the data subject’s legitimate interests.

Holding

First question:

The CJEU first noted that the wording of Article 14(5)(c) GDPR differed between languages, referring to “information” in some languages, while referring to “data” in others, and some languages not referring to the subject matter of the obtaining or disclosure. Therefore, the provision must be interpreted in the light of the whole GDPR. Thus, the CJEU held that the provision refers to personal data as they are the key aspect of the regulatory framework.

The ratio legis of the exception laid down in Article 14(5)(c) GDPR was that information do not have to be provided to the data subject under this very provision if Member State law provided a sufficient obligation to provide the data subject with information itself.

The CJEU also found that the wording of the provision did not limit the application to data obtained from a person other than the data subject themselves. Also, the scope of Article 14 GDPR was defined by a negative reference to Article 13 GDPR. By comparing the headings of both provisions one could see that Article 14 GDPR was about data not collected from the data subject which included data generated by the controller themselves.

The CJEU also held that in order to be fully consistent with the objective pursued by the GDPR, the application of Article 14(5)(c) GDPR was subject to strict compliance with the requirements provided in this provision, especially a level of protection of the data subject at least equivalent to that guaranteed by Article 14(1) to (4) GDPR.

Second and third question:

The CJEU held that in order to ensure and enforce the GDPR’s application the DPAs had the right to examine if the requirements of Article 14(5)(c) GDPR are met, especially if the respective Member State law provides for appropriate measures to protect the data subject’s legitimate interests.

Therefore, a complaint under Article 77(1) GDPR may be based on an infringement of the controller’s obligation to provide information, alleging non-compliance with the conditions for the application of the exception laid down in Article 14(5)(c) GDPR.

This meant that the DPA had the competence to ensure that the Member State law guaranteed a level of protection of the data subject with regard to the processing of his or her personal data which is at least equivalent to that provided for in Article 14(1) to (4) GDPR. Thus, those provisions must be such as to put the data subject in a position to enable him or her to exercise control over his or her personal data and to exercise the rights conferred on him or her by the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!