CJEU - C-101/01 - Lindqvist

From GDPRhub
Revision as of 21:41, 8 November 2020 by Elaine (talk | contribs)
CJEU - Case C-101/01 Bodil Lindqvist
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 1 (1) Directive 95/46
Article 10 European Convention for the protection of Human Rights (ECHR)
Article 13 Directive 95/46
Article 25 Directive 95/46
Article 3 Directive 95/46
Article 8 Directive 95/46
Article 8 European Convention for the protection of Human Rights (ECHR)
Article 9 Directive 95/46
Paragraph 13 Swedish Law on Personal Data, ‘the PUL (1998:204)
Paragraph 33 Swedish Law on Personal Data, ‘the PUL (1998:204)
Paragraph 36 Swedish Law on Personal Data, ‘the PUL (1998:204)
Decided: 06.11.2003
Parties: Bodil Lindqvist
Royal Court (Göta hovrätt)
Case Number/Name: Case C-101/01 Bodil Lindqvist
European Case Law Identifier: ECLI:EU:C:2003:596
Reference from: Royal Court (Göta hovrätt)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Elaine Thuo


On 6th November 2003, the CJEU made a judgment on Bodil Lindqvist case. The case concerns the scope of processing of personal data by electronic means laid down under Article 3(1) of Directive 95/46.

English Summary

Facts

The case is about Mrs. Lindqvist who worked as a catechist in the Alseda Parish (Sweden). At the end of 1998, she set up internet pages on her personal computer in order to allow parishioners preparing for their confirmation to obtain any information they needed. She requested the administrator of the Swedish Church’s website to set up a link between those pages and the website. The pages she had set up contained information about Mrs. Lindqvist and 18 of her colleagues in the parish. The pages contained information including their full names, first names, jobs held, hobbies, telephone numbers and medical information on one of her colleagues. She had not informed her colleagues of those pages, obtain their consent or sought approval from the supervisory authority to process the personal data and sensitive personal data. The public prosecutor brought proceeding against her, that she was in breach of the PUL on grounds that she processed personal data automatically without giving prior written notice to the Supervisory Authority (Datainspektionen). In addition, she processed sensitive personal data and transferred personal data to a third country without authorization or consent from the data subjects. The Royal Court (Göta hovrätt) stayed the national proceedings and referred some question of law to the CJEU.

Dispute

The disputes in question are whether a self-made list, with personal data of others, on the internet constitutes processing by automatic means as defined under Article 3(1) of Directive 95/46. Secondly, does the mention of a colleague’s medical condition amount to processing of sensitive data? And lastly, does the publication of information on the internet amount to data transfer to third countries?

Holding

The CJEU held that internet pages referring to various people who can be identified by their name, telephone number or information regarding their hobbies constitutes processing of personal data wholly or partly by automatic means within the meaning of Article 3 (1). In addition, any reference made to the medical condition of another person constitutes the processing of sensitive personal data as enshrined under Article 8 (1) of Directive 95/46. Lastly, the court stated that information published on the internet does not constitute transfer to a third country as stated under Article 25 of Directive 95/46.

Comment

The courts have widely interpreted the term processing to include various activities that, on the face value do not present risks to the rights and freedoms of data subjects, but proper consideration shed more light on what is at stake for data subjects.

Further Resources

Share blogs or news articles here!