Opinion of Advocate General Szpunar delivered on 11 July 2024.
Jurisdiction: European Union
Celex Number: 62023CC0394
ECLI: ECLI:EU:C:2024:610
Date: 11 July 2024
Court: Court of Justice (European Union)
Provisional text
OPINION OF ADVOCATE GENERAL
SZPUNAR
delivered on 11 July 2024 (1)
Case C‑394/23
Association Mousse
v
Commission nationale de l’informatique et des libertés (CNIL),
SNCF Connect
(Request for a preliminary ruling from the Conseil d’État (France))
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 6(1) – Principle of lawfulness of processing – Article 5(1)(c) – Principle of data minimisation – Title – Online purchase of a transport service – Article 21 – Right to object)
I. Introduction
1. Regulation (EU) 2016/679 (2) (‘the GDPR’) aims to ensure a high level of protection of natural persons with regard to the processing of their personal data. In order to do so, it places on controllers an obligation to respect a number of principles when they process personal data, including the principle of ‘data minimisation’ and the principle of lawfulness of processing.
2. Those two principles are at the heart of the present case, which relates to a dispute between an association and a national supervisory authority, concerning the processing by a transport undertaking of data relating to the customer’s title with the stated aim of using those data in its commercial communications, and which thus provides the Court with the opportunity to clarify the scope of those principles.
II. Legal framework
A. European Union law
3. Recitals 4, 10, 39, 40, 44, 47, 69 and 75 of the GDPR state:
‘(4) The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter of Fundamental Rights of the European Union (‘the Charter’) as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
…
(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …
…
(39) … The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. … Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. …
(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including … the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
…
(44) Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.
…
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client … of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. … The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
…
(69) Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third party, a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.
…
(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination …’
4. As set out in Article 2(1), the GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
5. Article 4 of the GDPR, entitled ‘Definitions’, provides:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person …
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording …
…
(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; …
…
(11) “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
…’
6. Article 5 of the GDPR, entitled ‘Principles relating to processing of personal data’, provides:
‘1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
…
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
…’
7. Article 6 of the GDPR, entitled ‘Lawfulness of processing’, provides, in paragraph 1:
‘Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
…’
8. Article 13 of the GDPR, entitled ‘Information to be provided where personal data are collected from the data subject’ provides:
‘1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
…
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
…’
9. Article 21 of the GDPR, entitled ‘Right to object’, provides, in paragraph 1:
‘The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.’
10. Article 25 of...