CJEU - C-184/20 - Vyriausioji Tarnybinės Etikos Komisija

From GDPRhub
CJEU - C-184/20 - Vyriausioji Tarnybinės Etikos Komisija
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 6(1) GDPR
Article 6(3) GDPR
Article 9(1) GDPR
Decision: 2008/801/EC
The Lietuvos Respublikos viešųjų ir privačių interesų derinimo valstybinėje tarnyboje įstatymas Nr. VIII-371 (Law No VIII-371 of the Republic of Lithuania on the reconciliation of public and private interests in the public service)
The United Nations Convention against Corruption - Resolution 58/4 of the United Nations General Assembly of 31 October 2003
Decided: 01.08.2022
Parties: OT
Vyriausioji tarnybinės etikos komisija (Chief Official Ethics Commission)
Fondas ‘Nevyriausybinių organizacijų informacijos ir paramos centras’
Case Number/Name: C-184/20 - Vyriausioji Tarnybinės Etikos Komisija
European Case Law Identifier: ECLI:EU:C:2022:601
Reference from: Vilnius Regional Administrative Court (Lithuania)
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: Alexander Smith

The CJEU held that the mandatory disclosure, in the context of an online transparency publication, of personal information concerning a public officer violated the principle of data minimisation.

English Summary

Facts

The Chief Ethics Commission was a Lithuanian body checking declarations of private interests by public officers. According to Lithuanian law, public officers were asked to provide a large amount of information about themselves and their partner, including name, personal identification number, social security number, employment status, membership or undertakings with trade unions and/or political parties and details about transactions over €3,000 concluded in the last 12 months. The Chief Official Ethics Commission then published information on its website (after removing sensitive data). Notably, the published information, whilst removing what was obviously special categories of personal data, would still include the name of their spouse, cohabitant, or partner.

The data subject was a public officer who asked the annulment of a decision by the Chief Ethics Commission according to which they failed to disclose mandatory information.

The data subject claimed that this mandatory declaration violated their data protection rights under EU law. The Lithuanian court sent a preliminary reference to the CJEU to clarify whether Lithuanian law establishing the obligation violated Articles 6(1)(c) and (e), 6(3) and 9(1) GDPR.

Holding

The preliminary questions concern the issue whether the existence of a legal obligation – Article 6(1)(c) GDPR – or a public interest – Article 6(1)(e) GDPR – can authorise a mandatory disclosure of personal data of a public officer for online publication.

According to the CJEU, such mandatory declaration of private interests was a limitation of the data subject right to privacy and data protection; therefore, it shall be compliant with Article 52(1) of the European Charter of Fundamental Rights. The CJEU noticed that the mandatory declaration was based on Lithuanian law and pursued a public interest, namely the prevention of conflicts of interest and corruption. However, the measure shall also be proportionate. The Court found the declaration appropriate to achieve the public interest at issue, as an online publication of private interests pushes public officer to work impartially and increases their accountability.

However, the Court also held that an online publication was not necessary to achieve transparency, being sufficient a direct control by the Chief Ethics Commission. Also, even if the measure as such was deemed necessary by the Lithuanian authorities, data required in the mandatory declaration exceeded proportionality to the extent that made publicly available names and details of people connected to the data subject, such as their spouse, as well as other irrelevant information about the data subject. This disclosure obligation was clearly in contrast with the principle of data minimisation envisaged by the GDPR.

In addition, the Lithuanian law was at odd with Article 9(1) GDPR. The declaration of interests did not concern inherently sensitive data, but rather other information that could reveal special categories of data, such as sexual orientation, religious beliefs or political opinions. Given the broad formulation of Article 9(1) GDPR, data revealing sensitive data are covered by the special protection afforded by this provision.

Comment

Further Resources

Share blogs or news articles here!