CJEU - C-180/21 - Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation)
CJEU - C-180/21 Inspektor v Inspektorata kam Visshia sadeben savet | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 6(1)(f) GDPR Article 1 Directive 2016/680 |
Decided: | |
Parties: | VS Inspektor v Inspektorata kam Visshia sadeben savet |
Case Number/Name: | C-180/21 Inspektor v Inspektorata kam Visshia sadeben savet |
European Case Law Identifier: | |
Reference from: | Administrative Court - Blagoevgrad |
Language: | 24 EU Languages |
Original Source: | Judgement |
Initial Contributor: | n/a |
See Holding for questions referred.
English Summary
[to be updated]
Facts
In 2013, the District Public Prosecutor’s Office in Petrich (Bulgaria) opened pre-trial proceedings (No 252/2013) against an unknown person for the commission of a crime. The applicant in the case in question (VS) took part in those proceedings as a victim.
In 2016, the District Public Prosecutor’s Office in Petrich, compiled a number of criminal files containing information relating to VS, [after receiving a number of complaints concerning, inter alia, VS]. However, the Public Prosecutor's Office did not open any pre-trial proceedings in the absence of evidence.
In 2018, the public prosecutor made formal accusations in respect of all the persons who took part in the incident at issue in the pre-trial proceedings (No 252/2013), including VS.
VS brought an action before the Regional Court in Blagoevgrad (Bulgaria) against the Public Prosecutor’s Office of the Republic of Bulgaria seeking damages for the harm allegedly resulting from the excessive duration of the pre-trial proceedings (No 252/2013). At the hearing, the Public Prosecutor's Office requested that the files opened in 2016, concerning VS, be produced for the purposes of defending the public prosecutor's office against claims made by VS. The Regional Court ordered that public prosecutor's office to produce certified copies of the documents in the files in question.
In March 2020, VS lodged a complaint with the Supreme Judicial Council, Bulgaria (‘the IVSS’), claiming that the District Public Prosecutor’s Office in Petrich, had infringed the data protection legislation. VS claimed, firstly, that that public prosecutor’s office had unlawfully used his personal data collected when he was considered to be a victim of a crime, in order to prosecute him in the same proceedings. Secondly, VS alleged that the public prosecutor’s office acted unlawfully as regards the processing of personal data that were collected in the files, in 2016, in the context of his action for damages against the Public Prosecutor’s Office of the Republic of Bulgaria. The IVSS rejected that complaint.
In July 2020, VS brought an action before the Administrative Court in Blagoevgrad (Bulgaria) against that decision, claiming, first, that the processing of his personal data in the course of pre-trial proceedings (No 252/2013) is contrary to, inter alia, the principles of the Law Enforcement Directive 2016/680 ("LED 2016/680"), and second, that the processing of the data collected in the files, in 2016, after the Public Prosecutor’s Office had refused to initiate pre-trial proceedings, infringes the principles of the GDPR.
The Administrative Court decided to stay the proceedings and to refer to the CJEU for a preliminary ruling.
Holding
Article 4(2) of LED 2016/680 authorises further processing of personal data for another purpose than that for which those data wereinitially collected, where that purpose is one of the ones set out in Article 1(1) of LED 2016/680 and that processing satisfies the two conditions laid down in Article 4(2)(a-b) of LED 2016/680: 1) the controller must be authorised to process such personal data for such a purpose in accordance with EU or Member State law; 2) processing must be necessary and proportionate to that other purpose.
After assessing the wording of Articles 1(1) and 4(2) of LED 2016/680, the CJEU found that it can be inferred from Article 1(1), read in conjunction with Article 4(2), that where personal data have been collected for the purposes of the 'detection' and 'investigation' of a crime and have subsequently been processed for the purposes of 'prosection' that collection and that processing serve different purposes.
Consequently, the CJEU held, that when a person had initially been considered to be a victim of a criminal offence, within the meaning of Article 6(c) of LED 2016/680, the controller should take into account that that processing reflects a change in that person’s category within the meaning of Article 6(a) of LED 2016/680, and make a clear distinction between data of different categories of persons.
Article 1(1) of LED 2016/680, read in conjunction with Article 4(2) and Article 6 thereof, means that (i) the processing of personal data serves a purpose other than that for which those data were collected, where such data were collected for detecting and investigating a crime, but that processing is carried out for the purpose of prosecuting a person following the conclusion of the criminal investigation at issue, irrespective of the fact that that person was considered to be a victim at the time of that collection, and that (ii) such processing is permitted pursuant to Article 4(2) of that directive, provided that it meets the conditions laid down in that provision.
Firstly, the Court concluded that Article 1(1) of LED 2016/680, read in conjunction with Article 4(2) and Article 6 thereof, means that (i) where personal data was initially collected for detecting and investigating a crime, but subsequent processing is carried out for prosecuting a person following the conclusion of the criminal investigation at issue, the processing serves a different purpose than that for which those data were initially collected, irrespective of the fact that that person was considered to be a victim at the time of the collection, and that (ii) Article 4(2) of LED 2016/680 permits such processing, provided that it meets the two (2) conditions laid down in that provision.
The two conditions laid down in Article 4(2) of LED 2016/680 are that 1) the controller must be authorised to process such personal data for such a purpose in accordance with EU or Member State law; 2) processing must be necessary and proportionate to that other purpose.
Secondly, the Court addresses whther the GDPR applies to the processing of personal data by the public prosecutor's office for the purpose of exercising its rights of defendence in civil proceedings.
By its second question, the referring court asks, in essence, first, whether Article 3(8) and Article 9(1) and (2) of Directive 2016/680 and Article 2(1) and (2) of the GDPR must be interpreted as meaning that that regulation is applicable to the processing of personal data by the public prosecutor’s office of a Member State for the purpose of exercising its rights of defence in an action for damages against the State, where it informs the court having jurisdiction of the existence of files concerning a natural person who is a party to that action, opened for the purposes set out in Article 1(1) of that directive, and transmits those files to that court and, second, if that question were to be answered in the affirmative, whether point (f) of the first subparagraph of Article 6(1) of that regulation must be interpreted as meaning that such processing of personal data may be regarded as lawful for the purposes of the legitimate interests pursued by the controller, within the meaning of that provision.
The CJEU considered the conditions for the definition of personal data under 4(2) GDPR to have been met.
When a defendant, in civil proceedings, informs the competent court, even succinctly, of the opening of files concerning a natural person, in particular for the purposes of the ‘detection’ or ‘investigation’ of a criminal offence, means that that defendant ‘consulted’, ‘used’ and ‘transmitted’ or ‘disclosed’ ‘personal data’ for the purposes of Article 4(1) and (2) GDPR. Thus, that information is linked to a particular person, who is identifiable. Moreover, when a defendant, at the request of the competent court, produces files relating to procedures concerning anatural person involves, at the very least, the ‘use’ and ‘disclosure by transmission’ of ‘personal data’ within the meaning of Article 4(1) and (2) GDPR.
With regard to the exception provided for in Article 2(2)(d) GDPR, which concerns the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, the CJEU held that the exception should be interpreted strictly. In this regard, the Court also held that, the reason for that exception is that the processing of personal data by the competent authorities for the purposes set out in Article 2(2)(d) GDPR is governed by LED 2016/680.
In that regard, Article 9(1) of Directive 2016/680 provides, first, that such processing of personal data cannot, in principle, be carried out, unless it is authorised by EU or Member State law and, second, that the GDPR is to apply to that processing, unless the processing is carried out in an activity which falls outside the scope of EU law. Furthermore, under Article 9(2) of that directive, unless the processing is carried out in such an activity, the GDPR is to apply to the processing by the competent authorities in the performance of their tasks other than those performed for the purposes set out in Article 1(1) of that directive.
[to be updated]
This decision represents an important milestone case for data protection in the context of law enforcement.
Further Resources
Share blogs or news articles here!