CJEU - C‑461/22 - MK v WB

From GDPRhub
CJEU - C‑461/22 MK v WB
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(7) GDPR
Decided: 11.07.2024
Parties: MK
WB
Case Number/Name: C‑461/22 MK v WB
European Case Law Identifier: ECLI:EU:C:2024:607
Reference from: LG Hannover (Germany)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: wp

The CJEU found that the former guardian of a natural person, acting in the context of their professional activity and appointed according to national law, is a controller within the meaning of Article 4(7) GDPR.

English Summary

Facts

A data subject was under guardianship, duly appointed under German law (Article 1896 and 1897 BGB). The guardian was a lawyer acting in a professional manner and belonging to the personal circle of the data subject. They, performed their duties for a certain time and was later replaced by another person.

The data subject referred to the Local Court of Hannover (Amtsgericht Hannover – AG Hannover) for legal aid to access the data collected by the guardian when performing their duties. The AG Hannover rejected the application of the data subject. According to the court, since the guardian performed their duties in context of their professional activity it was not a data controller within the meaning of Article 4(7) GDPR. Hence, they were not obliged to respond to access request under Article 15 GDPR. Also, the court emphasised that the guardian was a legal representative of data subject under German law. That meant the guardian could process the personal data on behalf of data subject.

The data subject appealed against the decision of the AG Hannover to the Regional Court of Hannover (Landgericht Hannover - LG Hannover). The appeal raised the court’s doubts whether a professional guardian was covered by the definition of controller in Article 4(7) GDPR. Also, the court deliberated about the problem of the guardian being a part of the data subject’s personal circle. As a result, LG Hannover decided to refer the following preliminary questions to the CJEU:

  1. Is a legally appointed guardian who performs that activity in a professional capacity a controller within the meaning of Article 4(7) GDPR?
  2. Is he or she required to provide information in accordance with Article 15 GDPR?’

Holding

The CJEU answered both question positively.

The CJEU found the guardian as such to be a controller within the meaning of Article 4(7) GDPR.

Firstly, the CJEU excluded the application of Article 2(2)(c) GDPR to guardian’s activity, namely the exception of the applicability of the GDPR for the processing of personal data in the course of a purely personal or household activity. The guardian carried out their duties in a professional capacity so it didn’t matter if they came from the personal circle of the person under guardianship or not.

Secondly, the CJEU explained the guardian, in principle, was obliged to perform variety of activities on behalf of person under guardianship. Because of that, the guardian also determined the purposes and means of data processing.

Also, the CJEU made reference to the guardian’s status as a legal representative. Although the guarding was a legal representative of data subject, acting on behalf and in the name of that person, as mentioned by LG Hannover, it was not relevant for the case at hand. The data subject asked for the data collected by a former guardian. Thus, for CJEU it was clear the guardian was no longer representing the data subject.

Consequently, the guardian was a data controller and was obliged to fulfill all the obligations stemming from the GDPR, including answering the access request under Article 15 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!