CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA: Difference between revisions
(Created page with "{{CJEUdecisionBOX |Case_Number_Name=Joined Cases C‑26/22 and C‑64/22 SCHUFA |ECLI=ECLI:EU:C:2023:958 |Opinion_Link=https://curia.europa.eu/juris/document/document.jsf;jsessionid=713ED93629C16790E0BDF443F515831F?text=&docid=271345&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=824311 |Judgement_Link=https://curia.europa.eu/juris/document/document.jsf;jsessionid=713ED93629C16790E0BDF443F515831F?text=&docid=280428&pageIndex=0&doclang=EN&mode=lst&dir=&occ=fi...") |
(→Facts) |
||
| Line 66: | Line 66: | ||
=== Facts === | === Facts === | ||
The data subjects UF and AB underwent insolvency proceeding in Germany and were granted an early discharge from remaining debts by court decisions | The data subjects UF and AB underwent insolvency proceeding in Germany and were granted an early discharge from remaining debts by court decisions of 17 December 2020 and 23 March 2021 respectively. In accordance with § 9(1) Insolvenzordnung (Insolvency Code) and § 3(1)(2) InsBekV (Regulation on public notifications in insolvency proceedings on the internet), the official publication of these decisions on debt discharges was erased after 6 months. | ||
SCHUFA Holding AG (SCHUFA), a German credit | SCHUFA Holding AG (SCHUFA), a German credit information agency had recorded these decisions on debt discharges in their own data bases and intended to store it for three years after registration, in accordance with a code of conduct under [[Article 40 GDPR|Article 40 GDPR]] approved by the competent DPA. | ||
UF and AB requested SCHUFA to erase the (no | UF and AB requested SCHUFA to erase the (no longer public) decisions on the debt discharges. SCHUFA refused, UF and AB lodged complaints with the Hessian DPA (HBDI) under [[Article 77 GDPR]]. The HBDI dismissed the complaints, finding SCHUFA's processing lawful. | ||
UF and AB each brought an action under [[Article 78 GDPR|Article 78 GDPR]] against the HBDI's decisions before the Verwaltungsgericht Wiesbaden (VG Wiesbaden), arguing that the HBDI was obliged to take measures in respect of SCHUFA to enforce deletion of the entries concerning them. | UF and AB each brought an action under [[Article 78 GDPR|Article 78 GDPR]] against the HBDI's decisions before the Verwaltungsgericht Wiesbaden (VG Wiesbaden), arguing that the HBDI was obliged to take measures in respect of SCHUFA to enforce deletion of the entries concerning them. | ||
The HBDI requested the dismissal of the actions, arguing that [[Article 77 GDPR#1|Article 77(1) GDPR]] constitutes a mere "right of petition". Hence the VG Wiesbaden could only review whether the HBDI handled the complaints and informed the complainants of their progress and outcome but not review the substantive correctness of the decisions. On UF's and AB's requests for erasure, the HBDI argued that SCHUFA could store the decisions on debt discharges for as long as is necessary for the purpose of processing (i.e. assessing the creditworthiness of UF and AB) and that the storage period of three years after entry in the file according to the codes of conduct should apply. | The HBDI requested the dismissal of the actions, arguing that [[Article 77 GDPR#1|Article 77(1) GDPR]] constitutes a mere "right of petition". Hence the VG Wiesbaden could only review whether the HBDI handled the complaints and informed the complainants of their progress and outcome but not review the substantive correctness of the decisions. | ||
On UF's and AB's requests for erasure, the HBDI argued that SCHUFA could store the decisions on debt discharges for as long as is necessary for the purpose of processing (i.e. assessing the creditworthiness of UF and AB) and that the storage period of three years after entry in the file according to the codes of conduct should apply. | |||
The VG Wiesbaden doubted the HBDI’s line of argument and referred the following questions to the CJEU under Article 267 TFEU: | The VG Wiesbaden doubted the HBDI’s line of argument and referred the following questions to the CJEU under Article 267 TFEU: | ||
(1) Is Article 77(1) of [the GDPR], read in conjunction with Article 78(1) thereof, to be understood as meaning that the outcome that the supervisory authority reaches and notifies to the data subject: | '''''(1)''' Is Article 77(1) of [the GDPR], read in conjunction with Article 78(1) thereof, to be understood as meaning that the outcome that the supervisory authority reaches and notifies to the data subject:'' | ||
– has the character of a decision on a petition? This would mean that judicial review of a decision on a complaint taken by a supervisory authority in accordance with Article 78(1) of that regulation is, in principle, limited to the question of whether the authority has handled the complaint, investigated the subject matter of the complaint to the extent appropriate and informed the complainant of the outcome of the investigation, | ''– has the character of a decision on a petition? This would mean that judicial review of a decision on a complaint taken by a supervisory authority in accordance with Article 78(1) of that regulation is, in principle, limited to the question of whether the authority has handled the complaint, investigated the subject matter of the complaint to the extent appropriate and informed the complainant of the outcome of the investigation,'' | ||
or | ''or'' | ||
– is to be understood as a decision on the merits taken by a public authority? This would mean that a decision on a complaint taken by a supervisory authority would be subject to a full substantive review by the court in accordance with Article 78(1) of that regulation, whereby, in individual cases – for example where discretion is reduced to zero – the supervisory authority may also be obliged by the court to take a specific measure within the meaning of Article 58 of that same regulation? | ''– is to be understood as a decision on the merits taken by a public authority? This would mean that a decision on a complaint taken by a supervisory authority would be subject to a full substantive review by the court in accordance with Article 78(1) of that regulation, whereby, in individual cases – for example where discretion is reduced to zero – the supervisory authority may also be obliged by the court to take a specific measure within the meaning of Article 58 of that same regulation?'' | ||
(2) Is the storage of data at a private credit information agency, where personal data from a public register, such as the “national databases” within the meaning of Article 79(4) and (5) of Regulation [2015/848] are stored without a specific reason in order to be able to provide information in the event of a request, compatible with Articles 7 and 8 of the [Charter]? | '''''(2)''' Is the storage of data at a private credit information agency, where personal data from a public register, such as the “national databases” within the meaning of Article 79(4) and (5) of Regulation [2015/848] are stored without a specific reason in order to be able to provide information in the event of a request, compatible with Articles 7 and 8 of the [Charter]?'' | ||
(3) | '''''(3) (a)''' Are private databases (in particular databases of a credit information agency) which exist in parallel with, and are set up in addition to, the State databases and in which the data from the latter (in casu, insolvency announcements) are stored for longer than the period provided for within the narrow framework of Regulation 2015/848, read in conjunction with the national law, permissible in principle?'' | ||
(a) Are private databases (in particular databases of a credit information agency) which exist in parallel with, and are set up in addition to, the State databases and in which the data from the latter (in casu, insolvency announcements) are stored for longer than the period provided for within the narrow framework of Regulation 2015/848, read in conjunction with the national law, permissible in principle? | |||
( | '''''(b)''' If Question 3a is answered in the affirmative, does it follow from the “right to be forgotten” under Article 17(1)(d) of [the GDPR] that such data must be deleted where the processing period provided for in respect of the public register has expired?'' | ||
(5) Is it permissible for codes of conduct which have been approved by the supervisory authorities in accordance with Article 40 of [the GDPR], and which provide for time limits for review and erasure that exceed the retention periods for public registers, to suspend the balancing of interests prescribed under point (f) of [the first subparagraph of] Article 6(1) of that regulation? | '''''(4)''' In so far as point (f) of [the first subparagraph of] Article 6(1) of [the GDPR] enters into consideration as the sole legal basis for the storage of data at private credit information agencies with regard to data also stored in public registers, is a credit information agency already to be regarded as pursuing a legitimate interest in the case where it imports data from the public register without a specific reason so that those data are then available in the event of a request?'' | ||
'''''(5)''' Is it permissible for codes of conduct which have been approved by the supervisory authorities in accordance with Article 40 of [the GDPR], and which provide for time limits for review and erasure that exceed the retention periods for public registers, to suspend the balancing of interests prescribed under point (f) of [the first subparagraph of] Article 6(1) of that regulation?'' | |||
=== Advocate General Opinion === | === Advocate General Opinion === | ||
AG ''Pikamäe'' suggested to interpret [[Article 78(1) GDPR]] as meaning that under that provision a legally binding decision of a supervisory authority is subject to a full substantive judicial review. The AG emphasized that a complaint procedure under [[Article 77 GDPR]] cannot be viewed in the same way as a petition. | |||
As for the questions 2 to 5, the AG suggested: | |||
(i) to interpret [[Article 6 GDPR|Article 6(1)(f) GDPR]] meaning that it precludes the storage by a private credit information agency of personal data from a public register on insolvency proceedings for a period beyond that for which the data are stored in the public register. | |||
(ii) to interpret Article [[Article 17 GDPR|17(1)(d) GDPR]] as meaning that the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where those data have been unlawfully processed in accordance with Article 6(1) GDPR | |||
(iii) to interpret [[Article 17 GDPR|Article 17(1)(c) GDPR]] as meaning that the data subject has, in principle, the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where he or she objects to the processing pursuant to [[Article 21 GDPR|Article 21(1) GDPR]]. It is for the referring court to examine if, exceptionally, there are overriding legitimate grounds for the processing. | |||
=== Holding === | === Holding === | ||
Revision as of 10:08, 12 December 2023
| CJEU - Joined Cases C‑26/22 and C‑64/22 SCHUFA | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 6(1) GDPR Article 17(1)(d) GDPR Article 40 GDPR Article 77(1) GDPR Article 78(1) GDPR Article 7 Charter of Fundamental Rights of the European Union Article 8 Charter of Fundamental Rights of the European Union § 3 Verordnung zu öffentlichen Bekanntmachungen in Insolvenzverfahren im Internet (InsBekV) § 9(1) Insolvenzordnung |
| Decided: | 07.12.2023 |
| Parties: | UF (data subject and claimant before national court) AB (data subject and claimant before national court) Land Hessen (respondent before national court) |
| Case Number/Name: | Joined Cases C‑26/22 and C‑64/22 SCHUFA |
| European Case Law Identifier: | ECLI:EU:C:2023:958 |
| Reference from: | VG Wiesbaden 6 K 441/21.WI |
| Language: | 24 EU Languages |
| Original Source: | AG Opinion Judgement |
| Initial Contributor: | n/a |
Lorem ipsum
English Summary
Facts
The data subjects UF and AB underwent insolvency proceeding in Germany and were granted an early discharge from remaining debts by court decisions of 17 December 2020 and 23 March 2021 respectively. In accordance with § 9(1) Insolvenzordnung (Insolvency Code) and § 3(1)(2) InsBekV (Regulation on public notifications in insolvency proceedings on the internet), the official publication of these decisions on debt discharges was erased after 6 months.
SCHUFA Holding AG (SCHUFA), a German credit information agency had recorded these decisions on debt discharges in their own data bases and intended to store it for three years after registration, in accordance with a code of conduct under Article 40 GDPR approved by the competent DPA.
UF and AB requested SCHUFA to erase the (no longer public) decisions on the debt discharges. SCHUFA refused, UF and AB lodged complaints with the Hessian DPA (HBDI) under Article 77 GDPR. The HBDI dismissed the complaints, finding SCHUFA's processing lawful.
UF and AB each brought an action under Article 78 GDPR against the HBDI's decisions before the Verwaltungsgericht Wiesbaden (VG Wiesbaden), arguing that the HBDI was obliged to take measures in respect of SCHUFA to enforce deletion of the entries concerning them.
The HBDI requested the dismissal of the actions, arguing that Article 77(1) GDPR constitutes a mere "right of petition". Hence the VG Wiesbaden could only review whether the HBDI handled the complaints and informed the complainants of their progress and outcome but not review the substantive correctness of the decisions.
On UF's and AB's requests for erasure, the HBDI argued that SCHUFA could store the decisions on debt discharges for as long as is necessary for the purpose of processing (i.e. assessing the creditworthiness of UF and AB) and that the storage period of three years after entry in the file according to the codes of conduct should apply.
The VG Wiesbaden doubted the HBDI’s line of argument and referred the following questions to the CJEU under Article 267 TFEU:
(1) Is Article 77(1) of [the GDPR], read in conjunction with Article 78(1) thereof, to be understood as meaning that the outcome that the supervisory authority reaches and notifies to the data subject:
– has the character of a decision on a petition? This would mean that judicial review of a decision on a complaint taken by a supervisory authority in accordance with Article 78(1) of that regulation is, in principle, limited to the question of whether the authority has handled the complaint, investigated the subject matter of the complaint to the extent appropriate and informed the complainant of the outcome of the investigation,
or
– is to be understood as a decision on the merits taken by a public authority? This would mean that a decision on a complaint taken by a supervisory authority would be subject to a full substantive review by the court in accordance with Article 78(1) of that regulation, whereby, in individual cases – for example where discretion is reduced to zero – the supervisory authority may also be obliged by the court to take a specific measure within the meaning of Article 58 of that same regulation?
(2) Is the storage of data at a private credit information agency, where personal data from a public register, such as the “national databases” within the meaning of Article 79(4) and (5) of Regulation [2015/848] are stored without a specific reason in order to be able to provide information in the event of a request, compatible with Articles 7 and 8 of the [Charter]?
(3) (a) Are private databases (in particular databases of a credit information agency) which exist in parallel with, and are set up in addition to, the State databases and in which the data from the latter (in casu, insolvency announcements) are stored for longer than the period provided for within the narrow framework of Regulation 2015/848, read in conjunction with the national law, permissible in principle?
(b) If Question 3a is answered in the affirmative, does it follow from the “right to be forgotten” under Article 17(1)(d) of [the GDPR] that such data must be deleted where the processing period provided for in respect of the public register has expired?
(4) In so far as point (f) of [the first subparagraph of] Article 6(1) of [the GDPR] enters into consideration as the sole legal basis for the storage of data at private credit information agencies with regard to data also stored in public registers, is a credit information agency already to be regarded as pursuing a legitimate interest in the case where it imports data from the public register without a specific reason so that those data are then available in the event of a request?
(5) Is it permissible for codes of conduct which have been approved by the supervisory authorities in accordance with Article 40 of [the GDPR], and which provide for time limits for review and erasure that exceed the retention periods for public registers, to suspend the balancing of interests prescribed under point (f) of [the first subparagraph of] Article 6(1) of that regulation?
Advocate General Opinion
AG Pikamäe suggested to interpret Article 78(1) GDPR as meaning that under that provision a legally binding decision of a supervisory authority is subject to a full substantive judicial review. The AG emphasized that a complaint procedure under Article 77 GDPR cannot be viewed in the same way as a petition.
As for the questions 2 to 5, the AG suggested:
(i) to interpret Article 6(1)(f) GDPR meaning that it precludes the storage by a private credit information agency of personal data from a public register on insolvency proceedings for a period beyond that for which the data are stored in the public register.
(ii) to interpret Article 17(1)(d) GDPR as meaning that the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where those data have been unlawfully processed in accordance with Article 6(1) GDPR
(iii) to interpret Article 17(1)(c) GDPR as meaning that the data subject has, in principle, the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where he or she objects to the processing pursuant to Article 21(1) GDPR. It is for the referring court to examine if, exceptionally, there are overriding legitimate grounds for the processing.
Holding
Lorem ipsum
Comment
Lorem ipsum
Further Resources
Share blogs or news articles here!
