Data Protection Insider, Issue 105


– CJEU: Official Journal Acts as a Controller When Publishing Data –

On 11th January, in État belge v Autorité de protection des données, the CJEU ruled that the Belgian Official Journal bears the responsibilities of a controller when publishing personal data, as the data processing is regulated by Belgian law. As to the facts of the case, the Belgian Official Journal (Moniteur belge) receives documents, or extracts from documents, e.g. from the Belgian courts, which it then publishes. The obligation to publish the information, as well as the means and purposes of this publication, are anchored in Belgian law. In the case at hand, the applicant in the main proceedings was a shareholder of a company. Following changes in the company, its articles of association were amended. The applicant’s notary sent an extract of this amendment to a Belgian court (the company court), which sent it for publication to Moniteur belge, which published the extract as it was, meaning that it contained some additional personal data of the applicant. The latter requested the deletion of this additional personal data. Two questions arose, namely (1) whether, in the circumstances at hand, Moniteur belge should be seen as a controller within the meaning of Article 4(7) GDPR (especially because it does not have legal personality) and (2) to what extent it is responsible for complying with the principle of accountability enshrined in Article 5(2) GDPR, and also with the principles in Article 5(1) GDPR. The Court answered the first question in the affirmative. It referred to Google Spain, adding that whilst ‘it is true that the Moniteur belge must publish the document in question as it stands, it is the Moniteur belge alone that undertakes that task and then disseminates the act or document concerned. The publication of such acts and documents without any possibility of checking or amending their content is intrinsically linked to the purposes and means of processing determined by national law, in that the role of an official journal such as the Moniteur belge is confined to informing the public of the existence of those acts and documents, as they stand when sent to that official journal in the form of copies in accordance with the applicable national law, so as to make them enforceable against third parties.’ With regard to (2), the Court did not rule out the possibility of joint controllership with the other authorities processing the data, but it ruled that Moniteur belge is in any case solely responsible for complying with Article 5 GDPR when performing the data processing operations it is entrusted with under national law.

 

– CJEU Rules on the Processing of Medical Data in the Employment Context –

On 21st December, the CJEU ruled in the case of ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts. As to the facts of the case, the applicant in the main proceedings, ZQ, was an employee in the IT department of the medical service of a health insurance company (MDK), which provides medical opinions on the health situation of employees who become sick and are compensated by health insurance. The applicant fell sick, as a result of which he was on sick leave, paid by the health insurance, for a prolonged period of time. His employer, MDK, requested an opinion on his health, of which ZQ became aware after asking an ex-colleague who had access to the information processed by MDK. After the opinion was issued, ZQ was dismissed from his job. ZQ claimed that the processing of his medical data was illegal under the GDPR, and the case reached the CJEU via the preliminary ruling procedure. The questions raised concerned the legality of the processing of health data under Articles 9(2), 9(3) and 6 GDPR, as well as the assessment of material and non-material damages under Articles 82(1) and (2). The Court came to five key conclusions. First, Article 9(2)(h) applies – subject to the relevant guarantees being in place – if a medical assessment service processes an employee’s personal data in its capacity as a medical assessment service with the aim of assessing that employee’s ability to work. Second, Article 9(3) means that, where the controller processes health data on the basis of Article 9(2), this controller is not obliged to ensure that none of the employee’s colleagues have access to the health data in question. Such an obligation can, however, arise on the basis of Member State law, or on the basis of the integrity and confidentiality obligations outlined in Article 5(1)(f). Third, any processing legitimated under Article 9(2)(h) can only be legitimate if one of the grounds for lawful processing in Article 6(1) also applies. Fourth, Article 82(1) has, via monetary payment, a compensatory function for the actual damage suffered; this payment is not intended to function as a dissuasive or punitive sanction. Fifth, Article 82 means that, on the one hand, liability is attributable to a party where fault is present, which is the case where the party cannot prove that the act in question was not attributable to them, and, on the other hand, Article 82 does not require the degree of responsibility to be taken into account in calculating the amount of damages due as a result of immaterial harms.
We note there are many significant clarifications of law made in this case – for example concerning the relationship between Articles 9 and 6, and on calculation of the size of compensation for immaterial harm. Unfortunately, at the time of writing, the judgment was not available in English. The author has thus relied on another language version. The author cannot, however, rule out the possibility that errors were made in translation. Accordingly, the author urges all readers interested in the decision to consult the primary materials themselves.

 

– EDPB Publications in the Past Month – 

Since the last edition of this newsletter in mid-December 2023, the EDPB has published a number of documents – including several on Binding Corporate Rules:

  • ‘EDPB Response to the Personal Information Protection Commission of South Korea’;
  • ‘Opinion 36/2023 on the draft decision of the Dutch Supervisory Authority regarding the Controller Binding Corporate Rules of the Booking.com Group’;
  • ‘Opinion 35/2023 on the draft decision of the Danish Supervisory Authority regarding the Controller Binding Corporate Rules of the Carlsberg Group’;
  • ‘Opinion 34/2023 on the draft decision of the Hesse Supervisory Authority (Germany) regarding the Processor Binding Corporate Rules of the Cerner Group’;
  • ‘Opinion 33/2023 on the draft decision of the Hesse Supervisory Authority (Germany) regarding the Controller Binding Corporate Rules of the Cerner Group’;
  • ‘EDPB reply to the Commission’s Initiative for a voluntary business pledge to simplify the management by consumers of cookies and personalised advertising choices’.

Each of these is available on the EDPB’s website.


About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
