CJEU - C-620/19 - J & S Service

From GDPRhub
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 1 GDPR
Article 23(1)(j) GDPR
Decided: 10.12.2020
Parties: Land Nordrhein-Westfalen
D.-H.T. as liquidator of J & S Service UG
Case Number/Name: C-620/19 J & S Service
European Case Law Identifier: ECLI:EU:C:2020:1011
Reference from: BVwG (Austria)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: Oluwanonso

The CJEU held that it could review national legislation extending the application of the GDPR only where that legislation does not differ fundamentally or conceptually from the provisions of the GDPR.

English Summary

Facts

D.-H.T., acting as the insolvency administrator of J & S Service (‘data subject’), requested certain tax information about the data subject from the German local tax authorities (‘data controller’). The German Abgabenordnung (‘Tax Code’) extends the application of the GDPR to legal persons, not just natural persons.

However, the data controller refused D.-H.T.’s request for information, relying on Article 23(1)(e) and (j) GDPR and Paragraph 32 of the German Tax Code. D.-H.T. successfully challenged this refusal at the German Administrative Court. The data controller lodged an appeal to the Higher Administrative Court, which affirmed the judgment of the court of first instance, holding that because D.-H.T. (a company) was the insolvency administrator of the data subject (another company), it could exercise all access rights of the data subject. It also reasoned that the data subject's right to access information was not limited by any specific legislation on tax secrecy.

The dissatisfied data controller lodged a further appeal against this decision to the German Federal Administrative Court, which then requested a preliminary ruling from the CJEU on the interpretation of Article 23(1)(j) GDPR.

Advocate General Opinion

The Advocate General found that the CJEU lacked jurisdiction to give a preliminary ruling because the scope of the relevant provision of the German Tax Code, which sought to protect information of legal persons, was materially different from the scope of the GDPR, which protects the personal data of natural persons.

On the merits, he found that the limitation in Article 23(1)(j) GDPR applies to the enforcement of civil law claims pursued by both private persons and public bodies. He also found that this limitation in Article 23(1)(j) GDPR includes the defence against civil law claims and does not depend on the condition that a civil law claim must first be established.

Holding

The CJEU emphasized that the GDPR’s main aim is to protect the fundamental right of natural persons with respect to the processing of their personal data. It also held that the concepts of personal data of natural persons (e.g. human beings) and information of legal persons (e.g. companies) are very different under EU law because a natural person has the fundamental right to the protection of his personal data, protected by Article 8(1) of the Charter of Fundamental Rights of the EU.

In addition, this right is so fundamental that any restriction must be backed by legislation, respect the essence of the right to protection of personal data and also fulfil the EU ‘necessary and proportionate’ test. However, there is no similar legal protection for information concerning legal persons under EU law.

The court then held that the German Tax Code, despite being a near-literal reproduction of the GDPR, essentially differed from the GDPR because it did not apply to the protection of personal data of natural persons, but rather of legal persons, which is a concept founded in German national law and not EU law. Thus, the questions referred to the court concern the interpretation of German national law and not EU law. The Court concluded that Article 23(1) GDPR was not applicable and declined to exercise jurisdiction.
