CJEU - C-60/22 - Federal Republic of Germany

From GDPRhub
CJEU - C-60/22 Federal Republic of Germany
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 5(2) GDPR
Article 6 GDPR
Article 17(1)(d) GDPR
Article 18(1)(b) GDPR
Article 26 GDPR
Article 30 GDPR
Decided: 04.05.2023
Parties: UZ
Federal Republic of Germany,
Case Number/Name: C-60/22 Federal Republic of Germany
European Case Law Identifier: ECLI:EU:C:2023:373
Reference from: VG Wiesbaden (Germany)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Lauren Edwards

The CJEU held that failure by the controller to comply with the obligations laid down in Article 26 and 30 GDPR does not constitute unlawful processing and does not confer on the data subject a right to erasure or restriction of processing.

English Summary


An applicant (data subject) lodged an application for international protection with the Federal Office for Migration and Refugees in Germany (‘the Federal Office’). The Federal Office rejected the application, relying on the electronic ‘MARIS’ file which it had compiled, and of which contained the personal data relating to the applicant.

The applicant bought an action against the Federal Office before the Administrative Court in Wiesbaden, Germany (Verwaltungsgericht Wiesbaden). The electronic ‘MARIS’ file was sent to court in the context of a joint procedure under Article 26 GDPR, via the Electronic Court and Administration Mailbox. However, the lawfulness of such transfer was questioned by the Court as the Federal Office was unable to evidence an arrangement of the respective responsibilities of the joint controllership, despite a request made to that effect by the Court.

Furthermore, the Court expressed doubt that the maintenance of the electronic MARIS file with the combined provisions of Article 5(1) and Article 30 GDPR due to the Federal Office failing to produce a complete record of processing activities relating to that file upon request.

The Court decided to stay the proceedings and refer the following questions to the CJEU:

(1) whether the failure of a controller to comply with the accountability principle (Article 5(2)) amounts to ‘unlawful processing’ which would enable an individual to exercise their right to erasure or rectification under Article 17(1)(d) and 18(1)(b) GDPR. In particular, the controller in this case failed to maintain a record of processing activities (ROPA) pursuant to Article 30 GDPR and lacked an arrangement for joint procedure in accordance with Article 26 GDPR.

(2) whether the fact that the data subject has given his or her express consent or objects to the use of his or her personal data in the context of judicial proceedings can affect the possibility of those data being taken into account. If that court were unable to consider the data contained in the electronic ‘MARIS’ file based on the alleged unlawful processing vitiating the maintenance and transmission of that file, there would be no legal basis for the purpose of taking a decision on the application for the grant of refugee status.


With reference to the first question, according to Article 17(1)(d) and 18(1)(b) GDPR, the data subject is to have the right to erasure or rectification where such processing is ‘unlawful’. However, the CJEU noted the lawfulness of processing is precisely the subject of Article 6 GDPR. Therefore, to be regarded as lawful, the processing must fall within one of the lawful bases set out in Article 6(1) GDPR. Consequently, the absence of an arrangement to determine joint responsibility, or of a record of processing activities is not sufficient in itself to constitute unlawful processing. As such, the CJEU held that a data subject is not entitled to exercise their right to erasure or rectification for this sole reason.

In respect of the second question, the CJEU noted that consent is only one of the six grounds for lawful processing. Where a court exercises the judicial powers conferred on it by national law, the processing of personal data which that court is called upon to carry out must be regarded as necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) GDPR).

Therefore, since the infringement of Articles 26 and 30 GDPR does not constitute unlawful processing, and one of the conditions laid down in Article 6(1) GDPR has been met, the processing of such data is not subject to the data subject’s consent.


Share your comments here!

Further Resources

Share blogs or news articles here!