AG - C-169/23 - Másdi

From GDPRhub
Revision as of 13:06, 17 October 2024 by ManTechnologist (talk | contribs) (url)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - C-169/23 Másdi
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 14(5)(c) GDPR
Article 77(1) GDPR
koronavírus elleni védettségi igazolásról szóló 60/2021. (II.12.) Korm. rendelet (Government Decree 60/2021 of 12 February on the coronavirus immunity certificate)
Decided:
Parties:
Case Number/Name: C-169/23 Másdi
European Case Law Identifier: ECLI:EU:C:2024:474
Reference from: Supreme Court (Hungary)
Language: 24 EU Languages
Original Source: AG Opinion
Initial Contributor: nzm


The Advocate General considered that Article 14(5)(c) GDPR applies to all data which the controller has not obtained from the data subject, regardless of whether the data was obtained from another entity, or was generated by the controller in its own procedure.

English Summary

Facts

A data subject received a certificate confirming his vaccination against COVID-19 from the Budapest Office (‘controller’). On 30 April 2021, the data subject lodged a complaint with the Hungarian DPA, claiming that (i) the Budapest Office did not create or publish a privacy notice on the issuance of these certificates and (ii) there was insufficient information regarding the purpose and legal basis of the processing, and the rights of the data subject, as well as how those rights should be exercised.

The controller explained that the issuance of these certificates relied on a national Hungarian Law, Decree 60/2021. Therefore, the legal basis for the processing was Article 6(1)(e) GDPR and the processing of special categories of data under Article 9(2)(i) GDPR. In accordance with Decree 60/2021, the controller obtained the personal data by an automated transmission from the Electronic Healthcare Service Space operator and from the body responsible for recording the personal data and addresses. Therefore, the controller also argued that pursuant to Article 14(5)(c) GDPR, it was not required to provide information on the processing. The controller nonetheless created a privacy notice and published it on its website.

On 15 November 2021, the Hungarian DPA dismissed the complaint considering that the controller did not have an obligation to provide information since the derogation laid down in Article 14(5)(c) GDPR was applicable to the processing. The DPA found that the fact that the controller published the information on the processing on its website even though it had no legal obligation to do so was deemed to be a good practice.

The data subject challenged the decision of the Hungarian DPA before the Budapest High Court which annulled the DPA decision and ordered it to conduct a new procedure. The Budapest High Court claimed that Article 14(5)(c) was not applicable as some of the data related to the certificates were not collected by another body but were rather generated by the controller, namely, the serial number of the certificate, the period of validity of the certificate, the QR code incorporated into the certificate, the bar code as well as other codes generated by the controller.

The Hungarian DPA brought an extraordinary appeal in cassation before the Hungarian Supreme Court. The Supreme Court stayed the proceedings and referred the following questions to the CJEU:

  1. Does Article 14(5)(c) only refer to data which the controller has expressly obtained from another person or also to data generated by the controller in its own procedure?
  2. Does Article 77(1) GDPR mean that the DPA has the power to examine whether Member State law provides appropriate measures to protect the data subject’s legitimate interests for the purposes of applying Article 14(5)(c) GDPR?
  3. Do the ‘appropriate measures’ referred to in Article 14(5)(c) require the national legislation to transpose the measures relating to the security of data laid down in Article 32 GDPR?

Advocate General Medina issued his opinion on the matter on 6 June 2024.

Advocate General Opinion

Preliminarily, Article 14 GDPR establishes that a controller must provide information to the data subject when the personal data has not been directly collected from the data subject (indirect collection). This article provides a catalogue of information to be provided to the data subject. Article 14(5) GDPR sets out a list of four derogations to this principle. The relevant derogation in the present case is Article 14(5)(c) GDPR which states that a controller is exempt from providing information in the case where the obtaining or disclosure is expressly laid down by Member State law to which the controller is subject and the law provides appropriate measures to protect the data subject’s legitimate interests. The underlying assumption of this derogation is that the Member state law replaces or substitutes the obligation normally imposed on the controller to provide information regarding the obtaining of data, as data subjects will already have sufficient knowledge on this (§31 of the Opinion).

On the first question

First, the Advocate General considered that the first question requires determining if the term ‘obtaining’ used in Article 14(5)(c) GDPR excludes data generated by the controller (§36 of the Opinion). The Advocate General considered that the wording of Article 14(5)(c) GDPR does not set out a limitation with regard to a specific type of processing or the exact method by which the controller obtains the data (§38 of the Opinion). The broad understanding of this term is confirmed by recital 62 GDPR which uses the word ‘recording’, an operation which refers to a wider group of processing operations that can be performed by the controller. Therefore, the Advocate General held that Article 14(5)(c) cannot be interpreted as applicable only to data obtained from another entity, and not to data generated by the controller (§39 of the Opinion).

This broad material scope is also confirmed by recital 61 which refers to data ‘obtained from another source’, meaning a source other than the data subject (§41 of the Opinion). The Advocate General also pointed out that introducing an exception to Article 14(5)(c) when the data is generated by the controller would risk adding an extra layer of complexity for the data subject (§45 of the Opinion).

Therefore, the Advocate General found that Article 14(5)(c) GDPR applies to all data which the controller has not obtained from the data subject. It is not relevant whether the data are expressly obtained from another entity or if the data are generated by the controller in its own procedure (§46 of the Opinion).

On the second question

Second, Article 77(1) GDPR establishes that every data subject has a right to lodge a complaint with a DPA if they consider that the processing relating to them infringes the GDPR. Article 55(1) GDPR indicates that each DPA is competent for the performance of the tasks assigned to it and the exercise of powers conferred to it. The Advocate General considered that these two articles do not exclude from the DPA’s sphere of competence the conditions for applying Article 14(5)(c) GDPR (§50 of the Opinion).

The Advocate General agreed with the Hungarian DPA which noted that in the context of a complaint lodged under Article 77(1) GDPR, DPAs are vested with the power to check whether all the conditions laid down in Article 14(5)(c) GDPR are complied with (§51 of the Opinion). In that regard, DPAs must have the power (i) to examine whether the law directly addresses the controller and whether obtaining the data is mandatory for the controller and (ii) to examine whether the law upon which the controller relies provides appropriate measures to protect the data subject’s legitimate interests and whether the controller is able to demonstrate that the obtaining of personal data complies with those measures (§52 of the Opinion).

The Advocate General pointed out that assessing whether all the requirements for the application of the derogation laid down in Article 14(5)(c) GDPR are fulfilled does not involve an examination of the validity of the national law. The DPA only examines whether the controller is entitled to invoke the derogation towards a particular data subject in a particular situation (§54 of the Opinion). Therefore, the DPA must examine data subjects’ claims that the controller should not be exempt from providing the information on the grounds that the national law does not provide appropriate measures to protect their legitimate interests: if the claim is unfounded, the data subject must have access to judicial remedies (§56 of the Opinion) and if the claim is founded, the DPA has the power to order the controller to comply with the data subject’s request (§57 of the Opinion).

Therefore, in the context of a complaint procedure, the DPA has the power to examine whether all the conditions of Article 14(5)(c) GDPR are complied with, and more particularly, it can examine whether Member state law, to which the controller is subject, provides appropriate measures to protect the data subject’s legitimate interests.

On the third question

Third, Article 32 GDPR establishes that the controller and processor must implement ‘appropriate technical and organisational measures’ to ensure the security of the processing. However, the Advocate General pointed out that Articles 14 and 32 have a different scope. Therefore, it is not possible to determine one of the conditions of Article 14(5)(c) GDPR by transposing the concept of the ‘appropriate technical and organizational measures’ used in another provision (§66 of the Opinion).

The exact content of the ‘appropriate measures’ is not specified in Article 14(5)(c) GDPR. However, the Advocate General indicated that the ‘appropriate measures’ must be interpreted in light of the principle of transparency under Article 5(1)(a) GDPR. Therefore, it is important to take the relevant law into account, as it is a ‘substitute’ for the information obligation (§67 of the Opinion).

The Advocate General found that Article 14(5)(c) GDPR would be meaningless if it did not leave a margin of discretion to the legislature. Nonetheless, the relevant law must ensure a standard of fair and transparent processing which is ensured by Article 14(1) GDPR to 14(4) GDPR. The legal avenue must allow the data subject to exercise control over their data and to exercise their rights under the GDPR (§69 of the Opinion).

Therefore, the Advocate General concluded that the ‘appropriate measures’ referred to in Article 14(5)(c) GDPR do not require the national legislature to transpose the measures relating to the security of data under Article 32 GDPR (§72 of the Opinion).

Holding

The decision has not been adopted yet.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!