On 22 February 2024, the Advocate General (AG) of the Court of Justice of the European Union (CJEU) delivered his opinion in Case C‑693/22.
In this case, a company based in Poland (the claimant) had a claim confirmed by a final court decision against another company (NMW), specializing in online sales, whose board member was MW.
At the claimant’s request, enforcement proceedings were commenced against NMW in order to satisfy the claim. On the grounds that NMW had no assets that could be the subject of execution, the proceedings were terminated with a stay of execution. In these circumstances, the claimant brought an action against MW on the basis of the patrimonial liability of a member of the board of directors of the company in the event of the impossibility of recovering a claim from the assets of that company.
MW sought to dismiss the action, arguing that NMW had assets of greater value than the claim, namely the source code of an online shopping software (the M. platform) and two databases relating to the users of that platform. It was therefore necessary, according to the court, to obtain an answer to the question of whether the databases created by NMW could be disposed of in the context of a judicial enforcement procedure.
Regarding the existence of a processing operation and the identification of the controller, the AG considered that:
- processing carried out in the context of the enforcement of a civil law claim is not excluded from the scope of the GDPR;
- the personal data contained in databases such as those in question are at least extracted, consulted and used by the judicial officer in the context of the valuation and subsequently made available to the buyer; it should be noted that a processing operation of personal data may consist of several operations, each of which relates to one of the various stages that a processing operation may comprise; therefore, there is a processing of personal data in this case;
- the judicial officer can be considered a controller, as the public authority responsible for carrying out any enforcement procedure, including those involving a database;
- it is less likely, although conceivable in the abstract, that the judicial officer and NMW could be considered joint controllers for purposes of the proceeding; therefore, the AG’s analysis is based on the premise that the judicial officer is the only controller in the main proceeding.
On the lawfulness of the processing of the personal data concerned, the AG considered that:
- in the main proceedings, no evidence was provided to show that the data subjects had consented to the transfer of their data to third parties outside the M. platform;
- the processing by the judicial officer cannot be qualified under Article 6 para. (1) letter c) of the GDPR (i.e., processing is necessary for compliance with a legal obligation to which the controller is subject), but under Article 6 para. (1) letter e) of the GDPR (i.e., processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller);
- the purpose of the processing of personal data carried out by the judicial officer, i.e., the sale of the M. platform users’ databases to satisfy the claims of NMW, differs from the original purpose of the processing of personal data by this company, i.e., to enable the use of the M. platform for the needs of the online sales activity carried out by the company;
- since the users of the M. platform have not given their consent to processing for a purpose other than that for which their personal data were collected, a question which arises is whether such processing can be considered a necessary and proportionate measure in a democratic society to achieve one of the purposes listed in Article 23 para. (1) of the GDPR (this being the derogation from the principle of purpose limitation which was analyzed since the purposes compatibility assessment was not applicable);
- the right to protection of personal data is not an absolute right and must be balanced with other fundamental rights, such as the right to property;
- in assessing the balance between the right to property and the rights to protection of personal data, a specific factor is whether the legislation requires the third party purchaser of the database via auction to comply with the rules of the data protection under GDPR;
- since the aforesaid legal provision was not identified by the AG in the Polish law, the AG considered that the processing in question would lead to an excessive sacrifice of the right to the protection of personal data and could therefore not be considered a proportionate measure.
In conclusion, the AG proposed to the Court to interpret the GDPR as not precluding a national legislation to allow a judicial officer, in the context of enforcement proceedings, to sell a database containing personal data where the persons concerned by those data have not given their consent to such sale, provided that the processing of those data by the judicial officer constitutes a necessary and proportionate measure in a democratic society to ensure the enforcement of a civil law claim.
The AG’s opinion is available here (in English).