Data Protection Insider, Issue 125

-CJEU: High Number of Complaints Does Not Amount Automatically to ‘Excessive Requests’-

On 9th January, the CJEU ruled in Österreichische Datenschutzbehörde v FR that a data protection authority may not automatically designate complaints submitted to it as ‘excessive requests’ based purely on their high number. As to the facts of the case, FR submitted approximately 77 similar complaints based on Article 15 GDPR to the DSB (Austrian Data Protection Authority) within 20 months and contacted the DSB by phone to inform it of additional facts and make further requests. The DSB refused to act upon the complaints submitted last, arguing that the number of complaints was ‘excessive’. The dispute escalated to the CJEU and can be summarized under the following three questions: (1) does the concept of ‘request(s)’ in Article 57(4) GDPR also cover the concept of ‘complaints’ under Article 77(1) GDPR?; (2) does a high number of complaints automatically amount to ‘excessive’ requests under Article 57(4) GDPR?; and (3) in cases of ‘excessive’ and ‘manifestly unfounded’ requests, is a data protection authority free to choose between discarding the requests from the outset and charging a reasonable fee? The CJEU answered as follows. First, it established that ‘Article 57(4) of the GDPR must be interpreted as meaning that the concept of a ‘request’ in that provision covers the complaints referred to in Article 57(1)(f) and Article 77(1) of that regulation.’ Second, it ruled that ‘Article 57(4) of the GDPR must be interpreted as meaning that requests cannot be classified as ‘excessive’, within the meaning of that provision, solely on account of their number during a specific period, since the exercise of the option provided for in that provision is subject to the supervisory authority’s demonstrating the existence of an abusive intention on the part of the person who submitted those requests’. Third, the CJEU ruled that Article 57(4) GDPR leaves it open to the data protection authority to decide whether to charge a reasonable fee or whether to refuse to act upon excessive complaints, as long as the chosen measure is ‘appropriate, necessary and proportionate, taking into account the relevant circumstances and avoiding unnecessary costs and excessive inconvenience to the data subject’. It clarified, though, that data protection authorities might want to first charge a reasonable fee as this measure might have ‘less of an adverse effect on the rights that data subjects derive from that regulation’.

-CJEU: Title and Gender Identity Data Not Always ‘Necessary’ for Issuing Tickets-

On 9th December, the CJEU ruled in Mousse v Commission nationale de l’informatique et des libertés (CNIL), SNCF Connect that a transport company may not always collect gender data of its customers. As to the facts of the case, Mousse is an association which lodged a complaint with the CNIL against SNCF Connect for collecting gender data of its customers in order to issue them with a ticket or a travel card for the purposes of personalising commercial communication. It argued that the collection of these data was not necessary under Article 6(1) GDPR, read in conjunction with Article 5(1)(c) GDPR (data minimisation). The CNIL rejected the complaint and the dispute escalated to the CJEU, which was asked to rule on whether the conditions for lawful processing in Article 6(1)(b) and (f) GDPR, read in light of the data minimisation principle, were satisfied. It was also asked to rule on the question of whether, in assessing the necessity for the processing of the disputed data, one should consider the existence of the right to object under Article 21 GDPR. The CJEU answered as follows. First, it ruled that the collection of the disputed data ‘does not appear to be either objectively indispensable or essential to enable the proper performance of a contract (under Article 6(1)(b) GDPR) and, therefore, cannot be regarded as necessary for the performance of that contract’. Second, it ruled that as regards the collection of the data under Article 6(1)(f) GDPR, read in light of the data minimisation principle, ‘the processing of personal data relating to the title of the customers of a transport undertaking, the purpose of which is to personalise the commercial communication based on their gender identity, cannot be regarded as necessary for the purposes of the legitimate interests pursued by the controller or by a third party, where:

  • those customers were not informed of the legitimate interest pursued when those data were collected; or
  • that processing is not carried out only in so far as is strictly necessary for the attainment of that legitimate interest; or
  • in the light of all the relevant circumstances, the fundamental freedoms and rights of those customers can prevail over that legitimate interest, in particular because of a risk of discrimination on grounds of gender identity’.

As to the question whether the right to object under Article 21 GDPR can be a factor in assessing the necessity for the data processing, the CJEU ruled in the negative. It recalled that the right to object may be exercised only where the data processing was lawful from the outset, including where it satisfies the conditions of Article 6(1) GDPR, and that the right to object may not extend the legitimate grounds for processing personal data.

-CJEU Rules on Processing in the Context of Employment Relations-

On 19th December, the Court ruled in the case of MK v K GmbH. In terms of the facts, MK is an employee of the defendant. The defendant implemented new employee data management software. In relation to this software, in the introductory phase, a works agreement – an agreement between the defendant and its works council – was signed according to which only certain types of information on employees were to be sent to the software company’s servers in the US. Following initial actions before the national courts, the applicant eventually brought an appeal before the referring court. In this regard, the central focus of consideration was on the lawfulness of processing. The applicant claimed, ‘first, that that processing was not necessary for the purposes of the employment relationship, for which the defendant in the main proceedings at the time used’ another system, ‘or for the purpose of testing the…software, since the use of dummy data would have been sufficient for that purpose and would have ensured that no actual data would be made accessible…Secondly, even if the works agreement…could constitute a valid basis for that processing, the authorisation contained therein was exceeded, since that defendant transmitted data other than those provided for in…that agreement’. In light of the above, the following questions were considered by the Court:

  • Do Articles 88(1) and (2) GDPR mean ‘a provision of national law which concerns the processing of personal data for the purposes of employment relationships…adopted pursuant to Article 88(1)…must have the effect of requiring its addressees to comply not only with the requirements’ of ‘Article 88(2)…but also with those arising from Article 5, Article 6(1) and Article 9(1) and (2)’?
  • Does Article 88(1) GDPR mean ‘that, where a collective agreement falls within the scope of that provision, the margin of discretion that the parties to that agreement have to determine whether the processing…is ‘necessary’, within the meaning of Article 5, Article 6(1) and Article 9(1) and (2)…has the effect of preventing the national court from carrying out a full judicial review in that regard’?

In this regard, the Court concluded that:

  • Articles 88(1) and (2) mean ‘a provision of national law which concerns the processing of personal data for the purposes of employment relationships…adopted pursuant to Article 88(1)…must have the effect of requiring…addressees to comply not only with the requirements arising from Article 88(2)…but also with those arising from Article 5, Article 6(1) and Article 9(1) and (2)’.
  • Article 88(1) GDPR means ‘that, where a collective agreement falls within the scope of that provision, the margin of discretion that the parties to that agreement have to determine whether the processing of personal data is ‘necessary’, within the meaning of Article 5, Article 6(1) and Article 9(1) and (2)…, does not prevent the national court from carrying out a full judicial review in that regard’.

The Court’s reasoning and conclusions will likely come as no surprise to many in the data protection community. Nevertheless, the case is interesting, for example for its consideration, and clarification, of the relationship between multiple layers of EU data protection law – EU law, national law, and collective agreements – as they relate to the employment context.

-CJEU Rules on Transfers to the US in relation to the use of Commission Websites-

On 8th January, the CJEU ruled in the case of Thomas Bindl v European Commission. In terms of the facts, the case concerned the use, in 2021 and in 2022, by the applicant, of the Conference for the Future of Europe website, which is managed by the Commission. The applicant claimed that his personal data were transferred to servers in the US. He claimed that transfers happened to Amazon Web Services, related to certain aspects of the website, as well as to Meta Platforms, as a result of his use of the option of signing in via a Facebook account. The applicant asserted that the US did not have an adequate level of protection at the time and that the Commission had not indicated the presence of safeguards which would legitimate transfers. The applicant thus sought non-material damages resulting from the transfers, annulment of the transfers, a declaration to the effect that the Commission illegitimately failed to clarify its stance in relation to a request for information, and non-material damages relating to this lack of clarification. The Court dismissed as inadmissible the claim for annulment of the transfers – finding that ‘the transfers at issue are not likely to have binding legal effects capable of affecting the interests of the applicant by bringing about a distinct change in his legal position’, and thus ‘cannot therefore be considered challengeable acts for the purpose of Article 263 TFEU’. The Court found there was no need to decide on the Commission’s failure to act regarding the request for information – on the basis that the Commission had ended the alleged failure to act in the period following the claim and before the judgment – and dismissed the associated claim for non-material damages on the basis that no such damages were identifiable – considering that it had ‘not been demonstrated that the Commission’s failure to observe the time limit prescribed in Article 14(4) of Regulation 2018/1725 was such as to cause the applicant the non-material damage’. Regarding the transfers, the Court found that the specific transfers to Amazon were not illegitimate – in one instance, as data were transferred and retained only in the EU, and in another instance as the applicant himself was responsible for the transfer taking place, owing ‘to a technical adjustment made by the applicant to change his apparent location, by presenting himself in the digital sphere as though he were, on the same day, in various places near Munich, London, Hillsboro, Newark and Frankfurt am Main, one after the other’. In relation to transfers to Meta Platforms, however, the Court concluded that the Commission was indeed responsible, that personal data had been transferred to the US, that there was no relevant adequacy agreement in place, and that the Commission had failed to implement legitimating supplemental safeguards. Accordingly, the Court ordered the Commission to pay non-material damages of 400 Euros – the amount claimed. This is a lengthy and involved case, and makes interesting reading for a number of reasons – not least as it predominantly concerns one of the lesser discussed pieces of EU data protection law, Regulation 2018/1725, concerns the always-interesting issue of third-country transfers, and includes fascinating discussions of Commission liability and non-material damages.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
