It’s been a busy year for the CJEU, with the court handing down a flurry of data protection decisions. Here’s a whistlestop round-up…
In RW v Österreichische Post AG (C-154/21), the CJEU held that, as part of the right of access, individuals have the right to know not just the categories but also the specific identities of the recipients of their personal data. The decision means that individuals who submit an access request may ask for a list of the specific entities their personal data has been shared with – controllers must provide that information unless it is impossible to identify the recipients or the request is manifestly unfounded or excessive.
In J.M. vs. Apulaistietosuojavaltuutettu, Pankki S (Case C-579/21), the question was whether the employees of the controller should be considered “recipients” of personal data for the purposes of Article 15, such that the data subject had the right to know which employees had accessed his personal data. The Court held that employees acting on the authority of their employer (i.e., the controller) cannot be considered “recipients”. The Court did note, however, that ‘log data’ showing who had consulted the individual’s data may constitute the data subject’s personal data. Whether to disclose such information would depend on balancing the rights of the requestor and the employees.
In UZ v Bundesrepublik Deutschland (Case C-60/22), the CJEU held that not all breaches of the GDPR will render the related processing unlawful (which would give rise to a right of erasure). In particular, failing to meet the obligation to enter into a joint controller agreement or maintain records does not mean that the related processing would be unlawful under GDPR. The Court also held that national courts do not require consent to process personal data. Instead, the appropriate lawful basis is Article 6(1)(e) GDPR: processing necessary for performing a task in the public interest or in exercising official authority vested in the controller.
In an unsurprising decision (Gesamtverband Autoteile-Handel eV v Scania CV AB C-319/22), the CJEU confirmed that a Vehicle Identification Number could be personal data where an operator “may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person”.
With its detailed discussion of the application of Article 6 to personalised advertising, the decision in Meta Platforms Inc. v Bundeskartellamt (C-252/21) is too extensive to summarise fully here. Its key impacts are the CJEU’s restrictive interpretation of contractual necessity (processing “must be objectively indispensable for a purpose that is integral to the contractual obligation intended for the data subject”) and its confirmation of the right of a national competition authority to make a finding about data protection compliance when looking at potential abuse of a dominant position, subject to cooperation with the appropriate DPAs.
In Case C-487/21, F.F. v Österreichische Datenschutzbehörde, the CJEU clarified that the right to “a copy” under GDPR Article 15(3) means an exact and complete reproduction of the subject’s personal data, not just a summary or an overview. It may also be necessary to provide extracts from documents where the contextualisation of the personal data processed is necessary to ensure the data are intelligible.
In Case C-307/22, FT v DW, the CJEU overruled a national law provision allowing treatment providers to be reimbursed the costs of providing a copy of medical records to a patient as it undermined the effectiveness of the protection given by the GDPR’s right of access. The Court emphasised the importance of ensuring the data provided was intelligible when dealing with medical records, which meant providing copies of extracts or even entire documents might be necessary. It also reiterated the principle that requests for access to data can’t be rejected based on motive.
In Case C-683/21, the CJEU held that a party which commissions the development of a mobile IT application may be a controller even if it does not itself process data using the app or agree to the app being made publicly available, since it may still have participated in the determination of the means and purposes of processing to be carried out through the app.
In Case C-453/21, X-FAB Dresden GmbH & Co. KG v FC, the CJEU examined the scope of protection offered to Data Protection Officers. It held that a DPO could not be given tasks or duties which would result in him determining the objectives and methods of processing personal data, as this would undermine the DPO’s independence when monitoring the controller’s compliance with GDPR. This is consistent with previous guidance by the Article 29 Working Party.
Case C-300/21, UI v Österreichische Post AG, clarified that an individual must be able to demonstrate material or non-material damage caused by an infringement of GDPR to claim compensation for that infringement. Damage should be broadly interpreted so it does not have to meet a certain threshold of seriousness.
In Case C-807/21, Deutsche Wohnen SE v Staatsanwaltschaft Berlin, the CJEU held that under GDPR, it is not necessary to show that an infringement can be attributed to a natural person to impose an administrative fine on a legal person, notwithstanding any such requirement in national law. It further confirmed that to impose an administrative fine it must be established that the controller’s infringement was intentional or negligent.
In Case C-340/21, VB v Natsionalna agentsia za prihodite, the CJEU established that fear of misuse of personal data can constitute non-material damage under the GDPR. However, the national court should confirm that the fear can be regarded as well-founded. The Court also confirmed that an unauthorised disclosure to a third party does not necessarily mean the security measures adopted by the controller were inappropriate, and that this was a matter for national courts to assess.
This article is part of our Data Protection Top 10 2024 publication.