CJEU - C-710/23 - Ministerstvo zdravotnictví
| CJEU - C-710/23 Ministerstvo zdravotnictví | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 2(1) GDPR Article 6(1)(c) GDPR Article 6(1)(e) GDPR Article 86 GDPR |
| Decided: | 03.04.2025 |
| Parties: | |
| Case Number/Name: | C-710/23 Ministerstvo zdravotnictví |
| European Case Law Identifier: | ECLI:EU:C:2025:231 |
| Reference from: | NSS (Czech Republic) |
| Language: | 24 EU Languages |
| Original Source: | Judgement |
| Initial Contributor: | n/a |
The CJEU ruled that Article 6(1)(c) and (e) GDPR do not preclude additional information obligations in national law for the disclosure of personal data contained in official documents by an authority. However, the additional obligations must not result in a disproportionate restriction on public access to these documents.
English Summary
Facts
L.H. lodged a request with the Ministry of Health (the controller) for information concerning the identification of persons (the data subjects) who had signed contracts for the purchase of COVID-19 screening tests concluded by the controller, as well as certificates relating to those tests and demonstrating that they may be used on the territory of the EU.
The controller partially granted L.H.’s request redacting the forename, surname, signature and position relating to the data subjects who had signed certificates on behalf of the legal persons concerned and, in some cases, the email address, telephone number and website of those legal persons.
The reason to justify the redaction was the protection of the personal data of the data subjects referred to in those certificates, in accordance with the requirements of the GDPR. According to the controller, the data subjects operate from China and the United Kingdom, where the legal persons issuing the certificates are registered, and that the domicile of those is unknown to it. It is therefore impossible for the controller to inform and consult them on that subject.
Czech case law provides for an obligation to inform or obtain the opinion of data subjects concerned by a disclosure request.
L.H. brought an action for annulment of the controller’s decision to disclose only redacted information before the Prague City Court.
The court upheld that action, holding that the controller could not refuse, as a matter of principle, to disclose information constituting personal data because it cannot first inform or obtain the opinion of the data subjects.
The controller brought an appeal on a point of law against the decision before the Czech Supreme Administrative Court, which is the referring court.
In that context, the that court stayed the proceedings referred in essence the following questions to the Court of Justice for a preliminary ruling:
- Must Article 4(1) and (2) GDPR be interpreted as meaning that the disclosure of the first name, surname, signature and contact details of a natural person representing a legal person constitutes processing of personal data, even if that disclosure is made for the sole purpose of enabling the identification of the natural person authorised to act on behalf of that legal person.
- Must Article 6(1)(c) and (e) GDPR be interpreted as precluding national case-law which requires a controller, being a public authority responsible for reconciling public access to official documents with the right to the protection of personal data, to inform and consult the natural person concerned prior to the disclosure of official documents containing such data.
Holding
1st question: does the processing of personal data constitute processing of personal data?(?)
The court held, that information relating to natural persons who are authorised to represent a company in dealings with third parties constitutes ‘personal data’ within the meaning of Article 4(1) GDPR. The fact that that information was provided as part of a professional activity does not mean that it cannot be characterised as personal data.
The court found that neither the wording of Article 4 GDPR nor its purpose suggests that the EU legislature intended the classification as ‘processing’ according to an operation's purpose.
Thus, the court concluded, that the answer to the first question is that Article 4(1) and (2) GDPR must be interpreted as meaning that the disclosure of the first name, surname, signature and contact details of a natural person representing a legal person constitutes processing of personal data. The fact that that disclosure is made for the sole purpose of enabling the identification of the natural person authorised to act on behalf of that legal person is irrelevant in that regard.
2nd question: can national case-law set a higher data protection standard?
The court stated that, regarding public access to official documents, Article 86 GDPR provides that personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with the relevant EU or Member State to reconcile public access to official documents with the right to the protection of personal data.
In the present case, the court found, that the processing may fall within Article 6(1)(c) and (e) GDPR, since it is imposed on the controller by national law, to ensure public access to official documents. The court also stated, that Article 6(1)(c) and (e) GDPR does not preclude, in principle, national case-law which lays down an obligation to inform and consult the data subject before any disclosure of personal data concerning him or her. This is because such case-law may form part of the legal basis for the processing, within the meaning of Article 6(3) GDPR.
The court held, that such an obligation contributes to the reconciliation of public access to official documents with the right to data protection required by Article 86 GDPR. Nevertheless, the court cautioned, that an absolute application of that obligation could give rise to a disproportionate restriction on public access to official documents.
Consequently, the court held, that in the present case, the controller appears to have based its decision not to disclose all the information requested on practical impossibility alone, without having made any attempt to reconcile interests.
Thus the court, held that Article Article 6(1)(c) and (e) GDPR, read in conjunction with Article 86 GDPR, must be interpreted as not precluding national case-law which requires a controller, being a public authority responsible for reconciling public access to official documents with the right to the protection of personal data, to inform and consult the natural person concerned prior to the disclosure of official documents containing such data, provided that such an obligation is not impossible to implement and that it does not require disproportionate effort and, therefore, it does not result in a disproportionate restriction on public access to those documents.
Comment
The referring court had already brought another referral on the meaning of Article 4(2) GDPR concerning the same controller: CJEU - C-659/22 - Ministerstvo zdravotnictví (COVID19 mobile application). In this case the court had already asked - in essence - the also somewhat obvious question, whether processing of personal data in a Covid19 (vaccination or testing) certification app actually constituted processing of personal data.
Further Resources
Share blogs or news articles here!
