Masdi (Protection of personal data - Regulation (EU) 2016/679 - Processing of data for the issuance of a COVID-19 certificate - Opinion) [2024] EUECJ C-169/23_O (06 June 2024)



Court of Justice of the European Communities (including Court of First Instance Decisions)


URL: http://www.bailii.org/eu/cases/EUECJ/2024/C16923_O.html
Cite as: ECLI:EU:C:2024:474, [2024] EUECJ C-169/23_O, EU:C:2024:474



OPINION OF ADVOCATE GENERAL

MEDINA

delivered on 6 June 2024 (1)

Case C-169/23 [Másdi] (i)

Nemzeti Adatvédelmi és Információszabadság Hatóság

v

UC

(Request for a preliminary ruling from the Kúria (Supreme Court, Hungary))

(Reference for a preliminary ruling - Protection of personal data - Regulation (EU) 2016/679 - Processing of data for the issuance of a COVID‑19 certificate - Information to be provided where personal data have not been obtained from the data subject - Article 14(1) - Derogations from the obligation to provide information - Obtaining or disclosure expressly laid down by EU or Member State law - Appropriate measures to protect the data subject’s legitimate interests - Article 14(5)(c) - Right to lodge a complaint with a supervisory authority - Article 77)






I.      Introduction

1.        One of the most important obligations of the data controller is the obligation to provide information to the data subject. In his Opinion in the Bara case, Advocate General Cruz Villalón put it eloquently when he stated that the requirement to inform the data subject ‘guarantees transparency of all processing’. (2) The obligation to inform corresponds to a key right of the data subject to receive information on the processing of his or her data. It is observed in legal literature (3) that the right to information ‘exemplifies’ the principle of transparency and ‘represents the focal point’ for all other rights. Indeed, extensive information requirements enable the data subject to exercise other important rights recognised by Regulation (EU) 2016/679. (4)

2.        The present case arose in the context of the issuance of COVID‑19 certificates. It invites the Court, for the first time, to interpret an important derogation from the obligation on the data controller to provide information, laid down in Article 14(5)(c) of the GDPR. The relevant derogation will be analysed in relation to the powers of the supervisory authority in the context of a complaint lodged by the data subject.

II.    Legal context

A.      European Union law

3.        Article 14 of the GDPR, entitled ‘Information to be provided where personal data have not been obtained from the data subject’, provides, in paragraphs 1, 2 and 5:

‘1.      Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a)      the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b)      the contact details of the data protection officer, where applicable;

(c)      the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d)      the categories of personal data concerned;

(e)      the recipients or categories of recipients of the personal data, if any;

(f)      where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the [European] Commission …

2.      In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

(a)      the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b)      where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(c)      the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;

(d)      where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(e)      the right to lodge a complaint with a supervisory authority;

(f)      from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;

(g)      the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

5.      Paragraphs 1 to 4 shall not apply where and in so far as:

(c)      obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests;

…’

4.        Article 32 of the GDPR, entitled ‘Security of processing’, states in paragraph 1:

‘Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk …

…’

5.        Article 77 of the GDPR, entitled ‘Right to lodge a complaint with a supervisory authority’, states in paragraph 1:

‘Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.’

B.      Hungarian law

6.        Paragraph 2(1)(a) to (g) of the a koronavírus elleni védettségi igazolásról szóló 60/2021. (II.12.) Korm. rendelet (Government Decree 60/2021 of 12 February on the coronavirus immunity certificate; ‘Decree 60/2021’), in the version applicable to the dispute in the main proceedings, provides:

‘The immunity certificate shall contain:

(a)      the name of the person concerned;

(b)      the passport number of the person concerned, if he or she has a passport;

(c)      the number and document identifier of the permanent identity document of the person concerned, if he or she has a permanent identity document;

(d)      the serial number of the immunity certificate;

(e)      where proof of vaccination is provided, the date of vaccination;

(f)      where proof of recovery from infection is provided, the date of validity of the proof;

(g)      a data storage code that is optically readable by computing devices, generated using the data listed in (a) to (f);

…’

7.        According to Paragraph 2(6) and (7) of Decree 60/2021, the immunity certificate was to be issued by the Budapest Főváros Kormányhivatala (Budapest Metropolitan Government Office, Hungary; ‘the Budapest Office’) in favour of the entitled natural person, either ex officio or on application.

8.        Paragraph 3(3) of Decree 60/2021 provides:

‘In the cases provided for in Paragraph 2(6)(c) and (d), the [Budapest Office] shall collect, by the automated transmission of information - where necessary through the relevant departments of the összerendelési nyilvántartás [(Registry for the electronic organisation of identification data, Hungary)] –

(a)      from the EESZT [(Elektronikus Egészségügyi Szolgáltatási Tér (Electronic Healthcare Service Space))] operator: the social security number of the person concerned, the data set out in Paragraph 2(1)(e) and (g), and the data set out in subparagraph 1;

(b)      from the body responsible for the recording of personal data and addresses: the name, document identifiers from the passport and permanent identity document, and address of the person concerned.’

III. The dispute in the main proceedings and the questions referred for a preliminary ruling

9.        UC, a natural person, received from the Budapest Office a certificate of immunity confirming his vaccination against COVID‑19.

10.      On 30 April 2021, UC lodged a complaint on the basis of Article 77(1) of the GDPR with the Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information, Hungary; ‘the Hungarian supervisory authority’). UC asked that authority to order the Budapest Office to bring its processing operations in line with the provisions of the GDPR. In the complaint, UC claimed, inter alia, that the Budapest Office did not create or publish a privacy notice on the processing of data relating to the issuance of immunity certificates and that there was insufficient information concerning the purpose and legal basis of the processing, the rights available to data subjects and how those rights could be exercised.

11.      In the procedure initiated as a result of the complaint lodged, the Budapest Office declared that it performed its duties relating to the issuance of immunity certificates pursuant to Paragraph 2 of Decree 60/2021, and that the legal basis for the processing was Article 6(1)(e) of the GDPR and, as regards the processing of special categories of personal data, Article 9(2)(i) of the GDPR.

12.      Moreover, the Budapest Office stated that, in accordance with Paragraph 3(2) and (3) of Decree 60/2021, it had collected the data processed by the automated transmission of information from the Electronic Healthcare Service Space operator and from the body responsible for the recording of personal data and addresses. It stated that, pursuant to Article 14(5)(c) of the GDPR, it was not required to provide information on processing. That being so, it had created a privacy notice on the relevant processing and had published that notice on its website.

13.      By decision of 15 November 2021, the Hungarian supervisory authority dismissed the complaint on the ground that the Budapest Office did not have an obligation to provide information, since the derogation laid down in Article 14(5)(c) of the GDPR was applicable to the processing. More specifically, that supervisory authority considered that Decree 60/2021 constituted the legal basis for the processing and that the Budapest Office did not obtain the data from the data subjects themselves. Furthermore, it stated that Paragraph 3(1) of Decree 60/2021 expressly directed the Budapest Office to collect the data. The fact that the Budapest Office published information on the processing of data on its website, even though it did not have a legal obligation to do so, was deemed to be good practice.

14.      The Hungarian supervisory authority examined of its own motion the issue of appropriate measures to protect the data subject’s legitimate interests, referred to in Article 14(5)(c) of the GDPR, and considered that Paragraphs 2 and 3 and Paragraphs 5 to 7 of Decree 60/2021 should be treated as such measures.

15.      UC challenged the decision of the Hungarian supervisory authority before the Fővárosi Törvényszék (Budapest High Court, Hungary). That court upheld the action, annulled the decision of the Hungarian supervisory authority and ordered it to conduct a new procedure.

16.      In the reasoning of its judgment, the Fővárosi Törvényszék (Budapest High Court) stated that the derogation laid down in Article 14(5)(c) of the GDPR was not applicable because some of the data in connection with the immunity certificates were not collected from another body but were instead generated by that controller. Those data include the serial number of the immunity certificate, the period of validity of the certificate, the QR code incorporated into the certificate, the bar code and other alphanumerical codes generated by the controller during its procedure.

17.      The Hungarian supervisory authority brought an extraordinary appeal in cassation against that final judgment of the Fővárosi Törvényszék (Budapest High Court) before the Kúria (Supreme Court, Hungary).

18.      With regard to the application of the derogation laid down in Article 14(5)(c) of the GDPR, the referring court considers that it may apply to all types of processing which do not concern data collected from the data subject within the meaning of Article 13 of the GDPR, including data generated by the controller.

19.      If that interpretation of Article 14(5)(c) of the GDPR is followed, the referring court has doubts as to the scope of the corrective powers of the national supervisory authorities in the context of a complaint lodged under Article 77(1) of the GDPR. More specifically, the referring court has doubts as to whether, in the context of such a complaint, the supervisory authority has the power to examine the issue of appropriate measures provided in national law to protect the data subject’s legitimate interests, to which Article 14(5)(c) of the GDPR refers.

20.      If it were to be held that the supervisory authority has that power, the referring court is uncertain as to the exact meaning of the concept of ‘appropriate measures to protect the data subject’s legitimate interests’. In that regard, it observes that it could be found that ‘appropriate measures’ entail, on the one hand, the transposition into national law of the matters listed in Article 14(1)(a) to (f) of the GDPR. On the other hand, those measures could entail the right to request an examination of the security of processing, governed by Article 32 of the GDPR. However, that understanding of ‘appropriate measures’ would risk encumbering legislation with technical provisions, running counter to the requirement for legislative acts to be intelligible and clear. It could also be a sufficient guarantee if the measures relating to the security of data are complied with, even where they have not been specifically transposed.

21.      In that context, the Kúria (Supreme Court) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Must Article 14(5)(c) of [the GDPR], read in conjunction with Article 14(1) and recital 62 thereof, be interpreted as meaning that the exception laid down in Article 14(5)(c) does not refer to data generated by the controller in its own procedure but rather only to data which the controller has expressly obtained from another person?

(2)      If Article 14(5)(c) of the GDPR is also applicable to data generated by the controller in its own procedure, must the right to lodge a complaint with a supervisory authority, laid down in Article 77(1) of the GDPR, be interpreted as meaning that a natural person who alleges an infringement of the obligation to provide information is entitled, when exercising his or her right to lodge a complaint, to request an examination of whether Member State law provides appropriate measures to protect the data subject’s legitimate interests, in accordance with Article 14(5)(c) of the GDPR?

(3)      If the answer to the second question is in the affirmative, may Article 14(5)(c) of the GDPR be interpreted as meaning that the “appropriate measures” referred to in that provision require the national legislature to transpose (by means of legislation) the measures relating to the security of data laid down in Article 32 of the GDPR?’

22.      Written observations were submitted by UC, the Hungarian supervisory authority, the Hungarian Government and the Commission. The Court sent questions for written response to the parties and the interested parties according to Article 23 of the Statute of the Court of Justice of the European Union, to which UC, the Czech Government, the Hungarian Government and the Commission responded.

IV.    Assessment

A.      Preliminary observations on the information obligation and the derogation under Article 14(5)(c) of the GDPR

23.      The provision of information to data subjects is a central element of the principle of transparency laid down in Article 5(1)(a) of the GDPR. Transparency ‘empowers data subjects to hold data controllers and processors accountable’ as it strengthens their possibility to exercise control over their data. (5) Indeed, as stated in the judgment in Bara and Others, ‘the requirement to inform the data subjects about the processing of their personal data is all the more important since it affects the exercise by the data subjects of their right of access to, and right to rectify, the data being processed’. (6) The key provisions in that regard are Articles 12, 13 and 14 of the GDPR.

24.      Pursuant to Article 12(1) of the GDPR, the controller must take appropriate measures to provide the information referred to in Articles 13 and 14 ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language’. Typically, the information is communicated in a privacy policy, privacy notice or privacy statement. (7)

25.      The content and scope of the obligation to inform are set out in Articles 13 and 14 of the GDPR. Article 13 regulates the information to be provided where personal data are collected from the data subject (direct collection), whereas Article 14 regulates the information to be provided where personal data have not been obtained from the data subject (indirect collection). (8) The information to be provided under those two provisions overlaps significantly. (9)

26.      As far as the indirect collection of data is concerned, Article 14(1) of the GDPR includes in the ‘standard information catalogue’ (10) the information on the identity of the data controller, the purposes of processing, the recipients of the data and the possible transfer of data to a recipient in a third country. Amongst the additional information necessary to guarantee fair and transparent processing, Article 14(2) of the GDPR expressly refers to the period for which the personal data is stored, the legitimate interests pursued by the controller (11) or the existence of the right to request from the controller access to and rectification or erasure of personal data.

27.      The obligation on the data controller to provide information in case of indirect collection under Article 14 of the GDPR is subject to four derogations, set out in paragraph 5 thereof. The derogation relevant for the case in the main proceedings is the one stipulated in Article 14(5)(c), which contains an ‘opening clause’. (12) The controller is exempt from providing information where and in so far as ‘obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject’ and the law provides ‘appropriate measures to protect the data subject’s legitimate interests’.

28.      The English-language version of Article 14(5)(c) of the GDPR, as well as other language versions, (13) does not make express reference to the subject matter of the act of ‘obtaining or disclosure’. A number of other language versions refer explicitly to the obtaining or disclosure of ‘data’. (14) It appears that only the French-language version refers to the obtaining or disclosure of ‘information’. (15)

29.      However, since all language versions of an EU act must, in principle, be recognised as having the same value, in the case of divergence between those versions, the provision in question must be interpreted by reference to the purpose and general scheme of the rules of which it forms part. (16)

30.      In that regard, it is apparent from the general scheme of the rules of which Article 14(5)(c) of the GDPR forms part that the obtaining or disclosure concerns personal data (as opposed to information). It follows already from the title of Article 14 that the information is ‘provided’ while the act of obtaining concerns ‘personal data’. That interpretation is corroborated by recital 61, which refers to ‘personal data’ obtained from another source, and by recital 62, which refers to the recording or disclosure of the ‘personal data’. Moreover, taking into account the broad meaning of the concept of ‘processing’ under Article 4(2) of the GDPR, that is to say any operation or set of operations which is performed on personal data, (17) the ‘obtaining or disclosure’ must be qualified as a processing operation performed on personal data.

31.      With regard to the purpose of the rules of which Article 14(5)(c) forms part, the underlying assumption of the relevant derogation seems to be that EU or Member State law replaces or substitutes the obligation normally imposed on the controller to provide information regarding the obtaining or disclosure of data. (18) By virtue of the relevant law, data subjects will already have sufficient knowledge of the obtaining or disclosure of the data. (19) Such law to which the data controller is subject must expressly concern the obtaining or disclosure of the data and the obtaining or disclosure in question should be mandatory for the data controller. (20)

32.      It follows, therefore, clearly from the above that the object of the derogation on obtaining or disclosure concerns personal data.

33.      It is in the light of those observations that I will further explore the derogation laid down in Article 14(5)(c) of the GDPR in the context of the analysis of the questions referred.

B.      First question

34.      By its first question, the referring court asks, in essence, whether Article 14(5)(c) of the GDPR must be interpreted as meaning that the derogation from the obligation on the data controller to provide information to the data subject applies only to data which the controller has expressly obtained from another person, excluding data generated by the controller in its own procedure.

35.      That question stems from the fact that, in the case in the main proceedings, certain data contained in the COVID‑19 certificates were not obtained by another organisation but were generated by the Budapest Office. (21)

36.      It must therefore be determined whether the term ‘obtaining’, laid down in Article 14(5)(c) of the GDPR, excludes data generated by the controller.

37.      In order to answer that question, it should be borne in mind, as a preliminary point, that the interpretation of a provision of EU law requires that account be taken not only of its wording, but also of its context and the objectives and purpose pursued by the act of which it forms part. (22)

38.      With respect to the wording of Article 14(5)(c) of the GDPR, that provision does not set out a limitation with regard to a specific type of processing or the exact method by which the data controller obtains the data. The data can be obtained by a technical procedure, such as the generation of the data by the controller.

39.      The broad understanding of the term ‘obtaining’ is confirmed by recital 62 of the GDPR. That recital uses the term ‘recording’ of the data, an operation which, as pointed out by the referring court, refers to a wider group of processing operations that can be performed by the data controller. Article 14(5)(c) cannot therefore be interpreted as applicable with regard only to data obtained from another entity and not to data generated by the controller.

40.      That interpretation of Article 14(5)(c) of the GDPR is also confirmed by the context in which that provision occurs and by the objectives and purpose pursued by that provision.

41.      In that regard, it must be pointed out that the derogations set out in Article 14(5) relate to paragraphs 1 to 4 of that same article. The material scope of Article 14 (of which the relevant derogation forms part) is defined in a negative manner compared to Article 13. While Article 13 governs the information to be provided where personal data are collected from the data subject, Article 14 governs the provision of information where personal data have not been obtained from the data subject. It follows from the dichotomy between direct and indirect collection of data that all cases in which the data are not obtained from the data subject fall under the material scope of Article 14. It is irrelevant whether the data are generated by the controller to the extent that they are not obtained from the data subject. The broad material scope of Article 14 is also confirmed by recital 61, which refers to data ‘obtained from another source’, that is to say, a source other than the data subject.

42.      Moreover, as the Commission and the Hungarian supervisory authority observed, in essence, the rules set out in Articles 13 and 14 of the GDPR form a comprehensive system governing the provision of information to the data subject in all possible situations. If the term ‘obtaining’ in Article 14(5)(c) of the GDPR were to be interpreted as excluding data generated by the controller, that provision would have more restrictive scope than Article 14, of which it forms part.

43.      As far as the specific purpose of the relevant derogation is concerned, as pointed out in the preliminary observations of this Opinion, the exemption of the controller to provide information is based on the assumption that the law replaces the obligation that is normally imposed on the controller to provide information. (23) The derogation laid down in Article 14(5)(c) confers a margin of discretion on Member States to provide for a different avenue of informing the data subject and of ensuring fair and transparent processing compared to the information provided by the controller on an individual basis. The different legal avenue must still achieve the same result. The law that substitutes for the obligation imposed on controllers to inform must put the data subject in a position to exercise control over his or her data and to exercise his or her rights under the GDPR. (24)

44.      Interpreting Article 14(5)(c) as excluding from its scope the generation of data by the controller would restrict the margin of discretion left to the Member States on the basis of a ground that does not appear relevant for the protection of the data subject’s legitimate interests.

45.      Moreover, a different interpretation - that would introduce an exception to the derogation laid down in Article 14(5)(c) when the data is generated by the data controller - would risk adding an extra layer of complexity for the data subject. The data subject must be able to know from which source he or she will obtain information on the processing of his or her data when those data are not collected from the data subject himself or herself. The relevant law must make processing predictable for the data subject in all such situations. (25)

46.      It follows from the foregoing that Article 14(5)(c) of the GDPR must be interpreted as meaning that the derogation from the obligation on the data controller to provide information to the data subject applies to all data which the controller has not obtained from the data subject. It is not relevant, in that regard, whether the data are expressly obtained from another entity or if the data are generated by the controller in its own procedure.

C.      Second question

47.      By its second question, the referring court asks, in essence, whether Article 77(1) of the GDPR must be interpreted as meaning that, in the context of a complaint procedure, the supervisory authority has the power to examine whether Member State law, to which the controller is subject, provides appropriate measures to protect the data subject’s legitimate interests, for the purposes of applying the derogation laid down in Article 14(5)(c) of that regulation.

48.      In that regard, it must be recalled, first, that, according to Article 77(1) of the GDPR, every data subject has the right to lodge a complaint with a supervisory authority, if the data subject considers that the processing of personal data relating to him or her infringes that regulation. (26)

49.      Second, under Article 55(1) of that regulation, each supervisory authority is to be competent for the performance of the tasks assigned to it and the exercise of the powers conferred on it in accordance with that regulation on the territory of its own Member State. (27) Moreover, in accordance with Article 57(1)(a) of the GDPR, the national supervisory authorities are responsible for monitoring and enforcing the application of the GDPR.

50.      The provisions cited in the two points above do not exclude from the national supervisory authorities’ sphere of competence the conditions for applying the derogation set out in Article 14(5)(c) of the GDPR.

51.      Thus, as the Hungarian Government and the Commission submitted, in essence, in the context of a complaint lodged under Article 77(1) of the GDPR, the supervisory authorities are vested with the power to check whether all the conditions laid down in Article 14(5)(c) are complied with. As follows from the first sentence of Article 14(5), all the derogations it lays down apply ‘where and in so far as’ the conditions set out therein are fulfilled.

52.      In that regard, the supervisory authorities must have the power to examine, more specifically, first, whether the law directly addresses the data controller and whether obtaining or disclosure is mandatory for the controller. (28) Second, the supervisory authorities must be able to examine whether the law upon which the controller relies provides ‘appropriate measures to protect the data subject’s legitimate interests’ and whether the data controller is able to demonstrate that the obtaining or disclosure of personal data complies with those measures. (29)

53.      The Hungarian supervisory authority submits that reviewing the question whether national law provides appropriate measures to protect the data subject’s legitimate interests would exceed its tasks and powers pursuant to Articles 57 and 58 of the GDPR respectively. That authority considers that those provisions do not confer, on the supervisory authorities, corrective powers on national law and that it is not possible to exercise such powers towards a controller who merely complied with national law.

54.      In that regard, it must be pointed out that the examination by a national supervisory authority of the question whether all the requirements for the application of the derogation laid down in Article 14(5)(c) are fulfilled does not involve, as the Commission rightly observed, an examination of the validity of national law. The supervisory authority examines only the question whether the data controller is entitled to invoke the derogation towards a particular data subject in a particular situation.

55.      It is incumbent, therefore, upon the national supervisory authority to examine a data subject’s claim that the data controller should not be exempt from providing information on the ground that the relevant law does not provide appropriate measures to protect the data subject’s legitimate interests.

56.      If the national supervisory authority comes to the conclusion that the claim is unfounded, the person who lodged the claim and who contests that finding must, as is apparent from Article 78 of the GDPR, have access to judicial remedies enabling him or her to challenge such a decision before the national courts.

57.      If the national supervisory authority considers that the claim is founded and that the conditions of the derogation are not fulfilled, it has the power, as the Hungarian Government and the Commission essentially maintained, to order the controller to comply with the data subject’s request. In that situation, the controller must provide the information according to paragraphs 1 to 4 of Article 14.

58.      In response to the written questions put by the Court, the Czech Government argued that the examination of the appropriateness of measures to protect the data subject’s legitimate interests is not possible when the national law provides, in a targeted manner, with regard to a specific situation, for an exception to the obligation to provide information. Relying on the judgment in Schrems, (30) that government observes, in essence, that the examination of the compatibility of one source of law with another source of law is the sole responsibility of courts and not of an administrative authority.

59.      In that regard, it must be recalled that one of the main issues raised in Schrems concerned the powers of national supervisory authorities to examine the claim of a person concerning the protection of his rights and freedoms with regard to a Commission decision finding that a third country ensures an adequate level of protection. (31) The Court ruled, in essence, that when the national supervisory authorities examine such a claim, they are not entitled to declare that decision invalid themselves. (32) Where the national supervisory authority considers that the objections advanced by the person who has lodged a claim are well founded, that authority must be able to engage in legal proceedings. (33)

60.      However, the judgment in Schrems does not seem of direct relevance with regard to the issue of the powers of the supervisory authorities in relation to the examination of the derogation laid down in Article 14(5)(c) of the GDPR. It must be pointed out at the outset that in the context of that examination, the supervisory authority does not interfere with the legal obligation imposed on the data controller to obtain or disclose the personal data. In other words, the supervisory authority does not order the controller to abstain from applying a legal requirement to obtain or disclose to which the data controller remains bound. As the Commission and the Hungarian Government maintained, in essence, in such a situation, the power of the national supervisory authority consists in ordering the controller to provide the necessary information on its privacy notice (34) if the conditions of the relevant derogation are not fulfilled. Such an order, as pointed out above, does not interfere with the validity of the legal measure to which the controller is subject.

61.      The power of the supervisory authority to order the controller to provide information is without prejudice to the power of that authority, if it considers that the legal measure in question is invalid, to engage in legal proceedings provided to that effect by national law, pursuant to Article 58(5) of the GDPR.

62.      Finally, on a more systemic level, as all the interested parties submitted, the supervisory authority has the power to advise the legislature or the executive to modify the relevant legal measure if it considers that it does not provide appropriate measures to protect the data subject’s legitimate interests. In that regard, it must be recalled that the supervisory authorities are responsible for advising the national parliament and the government and other institutions and bodies, pursuant to Article 57(1)(c) of the GDPR. They also enjoy the advisory powers set out in Article 58(3)(b) of the GDPR.

63.      It follows from the above that Article 77(1) of the GDPR must be interpreted as meaning that, in the context of a complaint procedure, the supervisory authority has the power to examine whether all the conditions laid down in Article 14(5)(c) of that regulation are complied with. More particularly, it has the power to examine the question whether Member State law, to which the controller is subject, provides appropriate measures to protect the data subject’s legitimate interests.

D.      Third question

64.      By its third question, the referring court asks, in essence, whether Article 14(5)(c) of the GDPR must be interpreted as meaning that the ‘appropriate measures’ referred to in that provision require the national legislature to transpose the measures relating to the security of the data laid down in Article 32 of that regulation.

65.      In that regard, it must be recalled, on the one hand, that the applicability of the derogation from the obligation to provide information according to Article 14(5)(c) of the GDPR depends on the provision of ‘appropriate measures’ to protect the data subject’s legitimate interests. On the other hand, it follows from Article 32 of the GDPR that the controller and the processor must implement ‘appropriate technical and organisational measures’ to ensure security of processing.

66.      However, as the Commission submits, Articles 14 and 32 have distinct scope. The scope of the ‘appropriate measures’ must be examined in the context of Article 14 of the GDPR. It is not possible, therefore, to determine one of the conditions of application of the derogation laid down in Article 14(5)(c) by transposing the concept of the ‘appropriate technical and organisational measures’ used in another provision. Moreover, in the context of Article 32 of the GDPR, it does not appear relevant whether it is the controller providing information or whether obtaining or disclosure is laid down in the law. Accordingly, the object of the examination carried out by the supervisory authority must be circumscribed by the scope of application of Article 14.

67.      The exact content of the ‘appropriate measures’ is not specified in Article 14(5)(c) of the GDPR. It is sufficiently broad to cover any measure the legislature deems necessary and appropriate. The concept of ‘appropriate measures’ must be interpreted, as the Commission submitted, in essence, in the light of the principle of transparency set out in Article 5(1)(a) of the GDPR. In that regard, it is important to take into account that the relevant law, as pointed out in the preliminary observations of this Opinion, (35) is a ‘substitute’ for the information obligation which the controller normally bears. It falls on the legislature to determine the appropriate measures depending, for instance, on the category of data obtained and the context in which the processing takes place.

68.      The Czech Government submitted in the response to the question put by the Court that the scope of the appropriate measures is broader than the list of information set out in paragraphs 1, 2 and 4 of Article 14 of the GDPR.

69.      I agree that the appropriateness of the measures cannot be assessed solely by means of a ‘mechanic’ comparison with the information obligations of the controller harmonised by the GDPR. It would seem meaningless to provide for an ‘opening clause’ under Article 14(5)(c) (36) while imposing exactly the same obligations without leaving any margin of discretion to the legislature. That said, the relevant law must ensure a standard of fair and transparent processing which is equivalent to the one ensured by paragraphs 1 to 4 of Article 14. (37) In order for the data subject to assess any risk associated with the obtaining of the data and the processing thereof, (38) it must be clear through a simple reading of the relevant legal provision who processes the data, for what reason and in which way. (39) As I pointed out above, (40) the different legal avenue must achieve the same result, which consists in putting the data subject in a position to exercise control over his or her data and to exercise his or her rights under the GDPR.

70.      The specific legal ground for processing also has an impact on the determination of the ‘appropriate measures’ for the specific circumstances of processing. In that regard, it must be recalled that it follows from Article 6(1)(c) and (e) of the GDPR that processing is lawful if and to the extent that processing is necessary for compliance with a legal obligation to which the controller is subject and when processing is necessary for the performance of a task carried out in the public interest. With regard to such processing, according to Article 6(2), Member States may maintain or introduce more specific provisions to adapt the application of the rules of the GDPR with regard to processing by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing. (41) Moreover, according to Article 9(2)(i) of the GDPR, when processing is necessary for reasons of public interest in the area of public health, Member State (or EU) law must provide for suitable and specific measures to safeguard the rights and freedoms of the data subject.

71.      In the case in the main proceedings, the obtaining of the data was imposed by Decree 60/2021, which, as it follows from the file, was adopted on the basis of Article 6(1)(c) and (e) and Article 9(2)(i) of the GDPR. The Hungarian Government submits that Decree 60/2021 - apart from the general safeguards that apply by virtue of the legal framework adopted to ensure lawfulness of processing - provided for additional safeguards. In that regard, that government stated that one of those guarantees consisted in the fact that the subcontractors designated by that decree are State-owned and have to observe the legislative framework with regard to the security of data applicable to State bodies and the local administration. It is the responsibility of the referring court to examine those submissions and to assess whether national law provides appropriate measures in the light of the above considerations.

72.      In the light of the above, I take the view that Article 14(5)(c) of the GDPR must be interpreted as meaning that the ‘appropriate measures’ referred to in that provision do not require the national legislature to transpose the measures relating to the security of the data laid down in Article 32 of that regulation.

V.      Conclusion

73.      In the light of all the foregoing considerations, I propose that the Court answer the questions referred for a preliminary ruling by the Kúria (Supreme Court, Hungary) as follows:

(1)      Article 14(5)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that the derogation from the obligation on the data controller to provide information to the data subject applies to all data which the controller has not obtained from the data subject. It is not relevant, in that regard, whether the data are expressly obtained from another entity or if the data are generated by the controller in its own procedure.

(2)      Article 77(1) of Regulation 2016/679

must be interpreted as meaning that, in the context of a complaint procedure, the supervisory authority has the power to examine whether all the conditions laid down in Article 14(5)(c) of that regulation are complied with. More particularly, it has the power to examine the question whether Member State law, to which the controller is subject, provides appropriate measures to protect the data subject’s legitimate interests.

(3)      Article 14(5)(c) of Regulation 2016/679

must be interpreted as meaning that the ‘appropriate measures’ referred to in that provision do not require the national legislature to transpose the measures relating to the security of the data laid down in Article 32 of that regulation.


1      Original language: English.


i      The name of the present case is a fictitious name. It does not correspond to the real name of any party to the proceedings.


2      Opinion of Advocate General Cruz Villalón in Bara and Others (C‑201/14, EU:C:2015:461, point 74) (emphasis added).


3      Vrabec, U., H., ‘Data Subject Rights under the GDPR’, Oxford University Press, Oxford, 2021, p. 64.


4      Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).


5      See Article 29 Data Protection Working Party, Guidelines on transparency under Regulation 2016/679, adopted on 29 November 2017, 17/EN WP260 rev. 01 (‘the Transparency Guidelines’), point 4. That working party was then replaced by the European Data Protection Board (EDPB). However, the Transparency Guidelines remain valid. See also EDPB, Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID‑19 outbreak, adopted on 21 April 2020, point 5.1.2.4.


6      Judgment of 1 October 2015, Bara and Others (C‑201/14, EU:C:2015:638, paragraph 33), citing the Opinion of Advocate General Cruz Villalón in that case.


7      The Transparency Guidelines, point 24. See also Vrabec, U., H., Data Subject Rights under the GDPR, op. cit. above in footnote 3, p. 84.


8      See Zanfir-Fortuna, G., ‘Article 14. Information to be provided where personal data have not been obtained from the data subject’, in Kuner, C., Bygrave, L.A. and Docksey, C. (eds), The EU General Data Protection Regulation (GDPR) - A Commentary, Oxford University Press, Oxford, 2020, pp. 435 to 448, at p. 436.


9      Ibid., p. 444.


10      Vrabec, U., H., Data Subject Rights under the GDPR, op. cit. above in footnote 3, p. 68.


11      Where the processing is based on Article 6(1)(f) of the GDPR.


12      As a provision containing an opening clause, it makes it possible for Member States to lay down additional, stricter or derogating national rules and it leaves them a margin of discretion as to the manner in which the relevant provision may be implemented (see, to that effect, judgment of 30 March 2023, Hauptpersonalrat der Lehrerinnen und Lehrer, C‑34/21, EU:C:2023:270, paragraph 51). See Knyrim, R., ‘IV. Ausnahme von der Informationspflicht’, in Ehmann, E. and Selmayr, M., Datenschutz Grundverordnung, DS - GVO, Beck, Munich, 2nd edition, 2018, Article 14, paragraphs 42 to 48, at paragraph 47.


13      Namely the Bulgarian-, Danish-, German-, Greek-, Spanish-, Italian-, Latvian-, Polish-, Slovak- and Swedish-language versions.


14      That is particularly so with regard to the Estonian- (‘isikuandmed’), Lithuanian- (‘duomenų’), Hungarian- (‘adat’), Dutch- (‘gegevens’), Portuguese- (‘dados’), Romanian- (‘datelor’) and Finnish-language (‘tietojen’) versions.


15      In French-language legal literature it is observed that the French-language version should have indicated ‘data’ instead of ‘information’, as was the case under the predecessor to Article 14(5)(c) of the GDPR, namely Article 11(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31) (see de Terwangne, C. and Rosier, K., ‘Section 1. - Droit d’être informée de l’existence de traitements la concernant’, in Le règlement général sur la protection des données (RGPD/GDPR), Larcier, Brussels, 1st edition, 2018, pp. 409 to 432, footnote 132).


16      See, to that effect, judgment of 21 March 2024, Cobult (C‑76/23, EU:C:2024:253, paragraph 25 and the case-law cited).


17      See, to that effect, judgment of 5 October 2023, Ministerstvo zdravotnictví (COVID‑19 mobile application) (C‑659/22, EU:C:2023:745, paragraph 27).


18      Ebner, K., ‘6. Ausschluss der Informationspflicht’, Weniger ist Mehr? Die Informationspflichten der DS-GVO - Eine kritische Analyse, Nomos, Baden-Baden, 2022, pp. 272 to 298, at p. 280. That author also observes (at p. 281) that exempting the controller from providing information in the situation laid down in Article 14(5)(c) is a means of avoiding the risk of information ‘fatigue’ or information ‘overload’; Dix, A., ‘DSGVO Art. 14 Informationspflicht, wenn die personenbezogenen Daten nicht bei der betroffenen Person erhoben wurden- g) Regelung durch das Recht der Mitgliedstaaten oder der Union (Abs. 5 lit. c)’, in Simitis, S., Hornung, G. and Spiecker, I., Datenschutzrecht DS-GVO mit BDSG Großkommentar, Beck, Munich, 2019, paragraphs 27 and 28, at paragraph 27, referring to the relevant law as a ‘sufficient substitute’ (‘hinreichendes Surrogat’) for the required information provided by the controller.


19      Dix, A., op. cit. above in footnote 18.


20      The Transparency Guidelines, point 66. Accordingly, data controllers must be able to demonstrate how the law in question applies to them and requires them either to obtain or to disclose the personal data in question.


21      See point 16 of the present Opinion.


22      Judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts) (C‑26/22 and C‑64/22, EU:C:2023:958, paragraph 48 and the case-law cited).


23      See point 31 above.


24      See point 23 above.


25      Dix, A., in Simitis, S., Hornung, G. and Spiecker, I., op. cit. in footnote 18 and Ebner, K., ‘6. Ausschluss der Informationspflicht’, op. cit. in footnote 18, p. 281.


26      Judgment of 16 January 2024, Österreichische Datenschutzbehörde (C‑33/22, EU:C:2024:46, paragraph 61).


27      Ibid.


28      See the Transparency Guidelines, point 66.


29      Ibid.


30      Judgment of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650, paragraph 65).


31      Adopted pursuant to Article 25(6) of Directive 95/46.


32      See, to that effect, judgment of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650, paragraph 62).


33      Ibid., paragraph 65.


34      This is without prejudice to any restrictions on the right to information that may be imposed by Union or Member State law under the conditions set out in Article 23 of the GDPR.


35      Point 31 of the present Opinion.


36      See point 27 of the present Opinion.


37      See, to that effect, Ebner, K., ‘6. Ausschluss der Informationspflicht’, op. cit. in footnote 18, p. 281, who refers to a comparable level of protection (‘vergleichbares Schutzniveau’); Mester, B.‑A., ‘DS-GVO Art. 14 Informationspflicht, wenn die personenbezogenen Daten nicht bei der betroffenen Person erhoben wurden- 3. Ausdrückliche Regelung (Abs. 5 lit. c)’, in Taeger, J. and Gabel, D., DSGVO - BDSG - TTDSG, Beck, Munich, 2022, paragraph 26; Paal, B. and Hennemann, M., ‘DS-GVO Art. 14 Informationspflicht, wenn die personenbezogenen Daten nicht bei der betroffenen Person erhoben wurden- III. Sonstige Regelung (lit. c)’, in Paal, B. and Pauly, D., Datenschutz-Grundverordnung Bundesdatenschutzgesetz: DS-GVO BDSG, Beck, Munich, 2021, paragraph 42.


38      Mester, B.‑A., in Taeger, J. and Gabel, D., op. cit. in footnote 37.


39      Ebner, K., ‘6. Ausschluss der Informationspflicht’, op. cit. in footnote 18, p. 281.


40      Point 43 of the present Opinion.


41      Those specific provisions may contain the elements set out in Article 6(3) of the GDPR, inter alia: the general conditions governing the lawfulness of processing; the types of data which are subject to processing; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX of the GDPR.

© European Union
The source of this judgment is the Europa web site. The information on this site is subject to a information found here: Important legal notice. This electronic version is not authentic and is subject to amendment.

