The Court of Justice of the European Union regularly contributes to the interpretation of the General Data Protection Regulation (GDPR) through its decisions. Two recent judgments, issued in September 2024, addressed important issues regarding the processing of personal data, in particular in relation to the legitimate interests of controllers and the right of data subjects to access data.
Judgment of the Court of Justice of the European Union (Fourth Chamber)
of 12 September 2024 – C-17/22 and C-18/22
In connected cases concerning investment funds, the Court of Justice addressed the question of whether members of investment companies have a right of access to the personal data of other members who hold shares through trust companies. This question concerned the interpretation of Article 6(1)(b) and (f) of the GDPR, i.e., the processing of personal data necessary for the performance of a contract and the processing necessary for the legitimate interests of the controller.
The Court of Justice held that the right of shareholders to have access to the data of other shareholders may be justified if it is necessary to protect their rights as shareholders of investment funds and the effective exercise of their rights within the company. It also stressed that this right must be carefully weighed against the protection of the privacy of the other shareholders, in particular where the data subject does not reasonably expect their data to be shared for purposes not directly related to the exercise of the shareholder’s rights.
Judgment of the Court of Justice of the European Union (First Chamber)
of 26 September 2024 – C-768/21
This judgment dealt with the interpretation of Article 57(1)(a) and (f) and Article 58(2) of the GDPR concerning the tasks of the supervisory authority and the possibility of imposing administrative fines. The Wiesbaden Administrative Court referred a preliminary question in the context of a decision by the German supervisory authority (HBDI) refusing to impose sanctions on the banking institution Sparkasse despite complaints concerning the processing of personal data.
The factual circumstances of the case were as follows. Sparkasse reported a data breach to HBDI under Article 33 of the GDPR when one of its employees repeatedly accessed the personal data of one of its clients without authorisation. Sparkasse did not inform the client of the personal data breach.
After incidentally becoming aware of the improper handling of their personal data, the client lodged a complaint with the HBDI on the basis of Article 77 of the GDPR. The HBDI then heard Sparkasse both in writing and orally on the allegations made against it. During this hearing, Sparkasse stated that it had refrained from notifying the client of the breach under Article 34 of the GDPR because its Data Protection Officer considered that there was not a high risk to the client’s rights and freedoms. Moreover, disciplinary action had been taken against the employee concerned, and she had confirmed in writing that she had not copied or stored the personal data, had not passed it on to third parties, and would not do so in the future.
The HBDI eventually informed the client that Sparkasse had not infringed Article 34 of the GDPR. The HBDI highlighted that Sparkasse’s assessment that the personal data breach was unlikely to result in a high risk to the client’s rights and freedoms was not manifestly incorrect. According to the HBDI, even though the employee had consulted the data, there was no evidence that she had disclosed it to third parties or had used it to the client’s disadvantage.
The client subsequently lodged an action against that decision before the Wiesbaden Administrative Court, which referred a preliminary question to the Court of Justice of the European Union.
The Court of Justice assessed the question and held that supervisory authorities have a certain degree of discretion in the choice of measures they may take, including the decision not to impose an administrative fine. However, such decisions must comply with the principles of proportionality and effectiveness, which means that any decision not to impose a fine must be well reasoned and balanced against the seriousness of the infringement.
The Court of Justice’s decision therefore confirms that the GDPR not only allows flexibility in the application of sanctions, but also emphasises the need for supervisory authorities to consider the circumstances of each individual case properly.
In conclusion
Both of these judgments confirm that the GDPR is not a rigid legal instrument, but that it provides administrative authorities and courts with space to consider the specific circumstances of each individual case. The flexibility of supervisory authorities in enforcing fines and the careful assessment of the legitimate interests of controllers are key aspects that will continue to influence data protection in the EU. These cases also underline that legal protection of privacy is not absolute and must be balanced against other rights and interests, such as commercial interests or interests of transparency in publicly available information.