Another year begins and the CJEU is (perhaps unsurprisingly!) already busy, with at least 4 judgments landing since the start of 2025. It’s nice, however, when some of those cases reaffirm core GDPR principles such as necessity for the performance of a contract, legitimate interests and data minimisation in a way that you have always suspected is exactly how the law should apply.
Enter the CJEU’s ruling in case C-394/23, which delivers just this. The Court has clarified that train companies should not be requiring customers to indicate their title e.g., ‘Mr’, ‘Miss’ or ‘Mrs’ when buying a train ticket - at least not on the legal basis that this information is necessary for the purchase of the ticket. The CJEU also held that requiring such information does not meet the GDPR principle of data minimisation.
The case was brought by LGBTQI+ organisation Mousse in France, which argued to the French Data Protection Authority, the CNIL, that a railway company’s requirement that customers disclose their title when purchasing tickets was in violation of the GDPR. Interestingly, the CNIL initially disagreed with Mousse and that’s where the CJEU got involved. Mousse argued to the Court that personalising messages to customers according to a customer’s title (which in turn may reveal information about a customer’s gender identity and marital status) was not “objectively necessary” for the selling of a train ticket. Neither was collecting this information “adequate, relevant, and limited” to the purposes of processing, as set out under the principle of data minimisation.
The CJEU agreed with Mousse, retreading familiar turf: processing personal data must be legitimised in reliance on one of the lawful bases under Article 6 GDPR, and these bases may include that the processing was necessary for the performance of a contract or in the company’s legitimate interests. On performance of a contract, the Court reaffirmed principles already elucidated recently in cases like Meta v Bundeskartellamt, holding that collecting titles for the purpose of personalising communications does not qualify as “objectively indispensable” to fulfilling a rail transport contract. The Court explained that it would be perfectly possible for rail companies to communicate with their customers using generic, inclusive expressions instead. The upshot is that the CJEU underlined the narrow scope of performance of a contract as a legal basis: you don't need someone's title to sell them a train ticket. This is a “nice to have”, not a “need to know”!
The Court went on to say that of course rail companies could request this additional information in reliance on their legitimate interests. The Court highlighted, however, that such reliance would require controllers to work through the three-step test, which balances the customer’s rights against the rail company’s interests in collecting titles for personalisation purposes. It held that this test was not met here, including because it was not strictly necessary for a train company to know its customers’ titles to pursue its commercial interests, and because there were less intrusive means of communicating with its customers. Importantly, when considering the balancing test, the CJEU held that the collection of this information could infringe data subject rights, e.g., because there was a risk of discrimination where a customer’s title reveals information about marital status or gender identity.
Finally, the CJEU reaffirmed that the principle of data minimisation means controllers must demonstrate the information they are collecting is "adequate, relevant and limited to what is necessary." Sending personalised messages based on presumed gender identity from the processing of the title did not clear this threshold.
While a lot of this case runs through familiar GDPR principles, there are a few takeaways this new fact pattern brings. Firstly, this (arguably) makes it even harder to clear the (already) high bar of when you can offer a personalised service to your customers, without a non-personalised version being offered as an easy alternative.
Further, collecting certain types of data – even if it initially does not seem particularly sensitive – can land you in hot water if you can infer more sensitive facts about an individual. In this context, the customer’s title led to assumptions about marital status and gender identity which could give rise to profiling or discrimination - a risk the CJEU was particularly mindful of in its judgment.
Finally, collecting too much information always creates risk. Of course, there is the legal risk of a GDPR violation as in this case, but also collecting more personal data leaves you vulnerable in the event of a cyber incident. It’s always a bad look in front of regulators when the compromised data involves not only data that you needed but also additional and potentially sensitive information that was more of a “nice to have”.