
CJEU - C‑313/23, C‑316/23 and C‑332/23 - Inspektorat kam Visshia sadeben savet

From GDPRhub
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 2 GDPR
Article 4(7) GDPR
Article 51 GDPR
Article 77(1) GDPR
Article 78(1) GDPR
Article 79(1) GDPR
Article 19(1) TEU
Decided: 30.04.2025
Parties: Inspektorat kam Visshia sadeben savet
Case Number/Name: C‑313/23, C‑316/23 and C‑332/23 Inspektorat kam Visshia sadeben savet
European Case Law Identifier: ECLI:EU:C:2025:303
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: cwa


The CJEU held that a national court does not act as a controller or a supervisory authority when authorising the disclosure of personal data to a judicial body competent to scrutinise the activities of judges, magistrates and public prosecutors. Further, the national court is not required to ensure security for such disclosure.

English Summary

Facts

Following the expiration of the prescribed time limit for submission of annual declarations of assets of judges, public prosecutors and investigating magistrates and their families, the Inspectorate at the Bulgarian Supreme Judicial Council requested the Sofia District Court to lift the banking secrecy of several judges and public prosecutors, as well as their families.

The Inspectorate is comprised of an Inspector General and a panel of ten Inspectors. At the time, the terms of office of the Inspectorate members had been expired for two years and there was no provision in national law limiting the permissible extent of the extension of their duties. The referring Court was unsure whether the continued performance of their duties by the Inspectorate past the expiry of their term undermines the independence of the Office under EU law, and unsure as to the interplay between the provisions in the Bulgarian Constitution and the GDPR. It referred the following questions:

(1) Must the second subparagraph of Article 19(1) TEU, read in conjunction with the second paragraph of Article 47 of [the Charter], be interpreted as meaning that it is per se or under certain conditions an infringement of the obligation incumbent on Member States to provide effective remedies sufficient to ensure independent judicial review for the functions of an authority which can impose disciplinary penalties on judges and has powers to collect data relating to their assets and liabilities to be indefinitely extended after the constitutionally stipulated term of office of that body comes to an end? If such an extension is permissible, under what conditions is that the case?

(2) Must Article 2(2)(a) of [the GDPR] be interpreted as meaning that the disclosure of data covered by banking secrecy for the purposes of verifying assets and liabilities of judges and public prosecutors which are subsequently made public constitutes an activity which falls outside the scope of [EU] law? Is the answer different where that activity also includes the disclosure of data relating to family members of those judges and public prosecutors who are not judges or public prosecutors themselves?

(3) If the answer to the second question is that [EU] law is applicable, must Article 4(7) of [the GDPR] be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of judges and public prosecutors and their family members determines the purposes or means of the processing of personal data and is therefore a “controller” for the purposes of the processing of personal data?

(4) If the answer to the second question is that [EU] law is applicable and the third question is answered in the negative, must Article 51 of [the GDPR] be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of judges and public prosecutors and their family members is responsible for monitoring the application of that regulation and must therefore be classified as a “supervisory authority” in relation to those data?

(5) If the answer to the second question is that [EU] law is applicable and either the third or the fourth questions are answered in the affirmative, must Article 32(1)(b) of [the GDPR] and Article 57(1)(a) of that regulation be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of judges and public prosecutors and their families, is obliged, in the presence of [information] concerning a personal data breach committed in the past by the authority to which such access is to be granted, to obtain information on the data protection measures taken and to take into account the appropriateness of those measures in its decision to permit access?

(6) If the answer to the second question is that [EU] law is applicable, and irrespective of the answers to the third and fourth questions, must Article 79(1) of [the GDPR], read in conjunction with Article 47 of [the Charter], be interpreted as meaning that, where the national law of a Member State provides that certain categories of data may be disclosed only after permission to do so has been granted by a court, the court so competent must of its own motion grant legal protection to the persons whose data are to be disclosed, by requiring the authority which has applied for access to the data in question and which is known to have committed a personal data breach in the past to provide information on the measures taken pursuant to Article 33(3)(d) of [the GDPR] and their effective application?

Holding

Question 1:

The Court ruled that Article 19(1) TEU, read in light of Article 47 of the Charter, must be interpreted as meaning that the principle of judicial independence precludes a Member State from allowing the office holders of a judicial body authorised to scrutinise the activities of judges, magistrates and public prosecutors to continue to perform their functions beyond their term where such extension does not have an explicit basis in national law which governs the exercise of such authority and where the extension is not limited in time.

Question 2:

The Court held that Article 2 of the GDPR must be interpreted as meaning that disclosures to judicial bodies of personal data concerning judges, public prosecutors and investigating magistrates, as well as their family members, with a view to verifying submitted declarations that are published, constitute processing within the material scope of the GDPR.

The Court noted that it had previously found (Commission v Poland C-204/21) that neither the fact that information which is the subject of national provisions relates to judges nor the fact that information might have certain links with the performance of their duties is, in itself, sufficient to remove those national provisions from the scope of the GDPR. Although the proper administration of justice and rules relating to the performance and conduct of judges come within the competence of Member States, the processing in question does not fall within that category, nor is it an activity intended to safeguard national security, the Court found. Accordingly, the Court held that the processing in question comes under the material scope of the GDPR.

Question 3:

The Court held that Article 4(7) of the GDPR must be interpreted as meaning that a court competent to authorise disclosure by a bank to a judicial authority of data relating to the bank accounts of judges, public prosecutors and magistrates, and their family members, cannot be classified as a controller under that provision.

The Court reasoned that the national legislation determines the scope of such processing, the purpose of the processing and designates the body which is competent to carry it out. The national court, the Court found, confines itself to considering whether the conditions laid down in the national law are met. As such, the Court concluded that the national court determines neither the purposes nor the means and thus cannot be regarded as the controller under the GDPR. It is the designated body, in this case the Inspectorate, which is the controller.

Question 4:

The Court held that Article 51 of the GDPR must be interpreted as meaning that a court competent to authorise disclosure of personal data to another judicial body does not constitute a supervisory authority within the meaning of that provision. The Court reasoned that the national court has not been designated under Bulgarian law as a supervisory authority, as envisaged in Article 51(1) GDPR. Member States are also obliged to notify the Commission of such provisions adopted or amended pursuant to Chapter VI GDPR. No such notification had been made as to the designation of the national court as supervisory authority.

Question 5:

As the Court answered both questions 2 & 3 in the negative, no response to question 5 was necessary.

Question 6:

The Court held that Article 79(1) GDPR, read in light of Article 47 of the Charter, must be interpreted as meaning that a court competent to authorise disclosure of personal data to another judicial body is not required to ensure, of its own volition, the security of the personal data to be disclosed in accordance with the GDPR. This is the case even where the receiving body has, in the past, infringed those provisions of the GDPR.

In reaching this conclusion, the Court highlighted the difference between supervisory authorities and their powers under the GDPR and the position of national courts. The Court also highlighted that it is the obligation of the Member State to ensure that practical arrangements have been made for the exercise of the remedies in Articles 77(1), 78(1) & 79(1).
