CJEU clarifies key aspects of the GDPR: an overview of recent cases

The Court of Justice of the European Union (CJEU) issued on 4 May 2023 three decisions in cases concerning interpretation of key aspects of the GDPR. It also published three opinions of the Advocate General (AG). Below is a brief overview of these cases. 

In the Case C-300/21 (UI v Österreichische Post AG), the CJEU considered the right to compensation for non-material damage under Article 82 GDPR. It ruled that mere infringement of the GDPR does not give rise to a right to compensation, but also that there is no minimum threshold of seriousness for entitlement to compensation. To determine the amount of financial compensation, national courts must apply domestic rules in each Member State (provided those are compliant with the principles of equivalence and effectiveness of EU law). Watch this space for an in-depth analysis of this decision!

In the Case C-487/21 (Österreichische Datenschutzbehörde and CRIF), the CJEU considered the scope of the GDPR right of access. The CJEU ruled that the right to obtain a “copy” of personal data means that the data subject must be given a “faithful and intelligible” reproduction of all those data. This means that copies of extracts from documents, entire documents or extracts from databases which contain those data should be provided, if necessary to enable the data subject to exercise effectively the rights under GDPR. If this poses a conflict with the rights and freedoms of others, a balance must be struck between the rights in question. The CJEU also interpreted the concept of “information” in the third sentence of Article 15(3) GDPR narrowly, concluding that it refers exclusively to the “copy of personal data undergoing processing”. 

In the Case C-60/22 (UZ v Bundesrepublik Deutschland), the CJEU ruled that not every violation of the GDPR (for instance, of accountability requirements) would render all related processing to be unlawful. Specifically, the violation of GDPR requirements to enter into a joint controller agreement or to maintain the records of processing activities by the controller does would not render processing unlawful under the GDPR. This is significant, as it means that the right of data subjects to erasure or to the restriction of processing does not arise as a consequence of these violations. Further, the CJEU clarified that consent is not necessary for processing of personal data by national courts. If exercising judicial powers conferred by national law, the processing of personal data carried out by a court is necessary for performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, pursuant to Article 6(1)(e) GDPR. 

The CJEU also published three opinions of CJEU AG.

In the Case C 683/21 (Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos (NVSC) v Valstybinė duomenų apsaugos inspekcija (Lithuanian DPA)), the AG concluded that a fine can only be imposed to sanction a violation of the GDPR that was committed “intentionally or negligently”. The AG also looked into the concepts of “controller”, “joint controllers” and “processing” in a case concerning a Covid-19 contact tracing mobile app. The AG concluded that question of whether a party acts as a “controller” should be determined by factual rather than formal factors (for instance, deciding to release the mobile app to the public). The AG also considered the circumstances in which a controller should or should not be held responsible for the acts of its processor.

In the Case C 319/22 (Gesamtverband Autoteile-Handel e.V.v Scania CV AB), the AG concluded that vehicle identification numbers (VINs, numbers appearing on the chassis of a vehicle) constitute personal data within the meaning of Article 4(1) GDPR, in so far as whoever has access to a VIN has means which reasonably allow them to use the VIN to identify the owner of the vehicle to which it relates.  Whether this is factually the case should be determined by the national courts in each case. Motor vehicle manufacturers have a legal obligation to process the relevant personal data, within the meaning of Article 6(1)(c) and Article 6(3) GDPR, based on EU Regulation 2018/858 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles and, where applicable, disclose the VINs to independent operators.

In its Opinion published a week earlier, the AG in the Case C-340/21 (VB v Natsionalna agentsia za prihodite) addressed the right to compensation for non-material damage under GDPR, in the context of a personal data breach arising from a cyberattack. The AG concluded that detriment consisting in the fear of possible misuse of personal data, the existence of which the data subject has demonstrated, may constitute non-material damage giving rise to a right to compensation. However, it should be “actual and certain” emotional damage and not simply trouble or inconvenience. The AG further suggested that an occurrence of a “personal data breach” is not sufficient in itself to conclude that the technical and organisational measures implemented by the controller were not “appropriate” to ensure protection of the data. This should be assessed by the national courts in each case. The fact that a cyberattack was perpetrated by a third party does not exempt the controller from liability, as the attack could have been caused by the controller’s negligence or by its failure to implement appropriate security measures. 

AG opinions are not binding on the CJEU but are highly influential and are often followed by the court.

Our international data protection team is also analysing the cases and will publish more detailed analysis on A&O's Data Hub. Watch this space!