GDPR | 6-year anniversary. Our top picks of past and upcoming judgements of the Court of Justice of the European Union

21.06.2024

Authors: Iurie Cojocaru, Mihai Rotaru

Our top judgements of the Court of Justice of the European Union

(26 MAY 2023 – 25 MAY 2024)

1. Judgement in the Case C-634/21 – SCHUFA Holding and Others (Scoring)

What the Court mainly said: The CJEU stated that the automated establishment of a probability value concerning the ability of a natural person to benefit from a loan in the future already constitutes an automated decision in the sense of Art. 22 GDPR, where that value, determined by means of personal data of the data subject, is transmitted by the controller to a third-party controller and the latter draws strongly on that value for its decision on the establishment, implementation or termination of a contractual relationship with the data subject. The Advocate General, in his opinion of 16 March 2023, had given a positive response to that question.

What are the practical implications: Companies must be ready to apply the automated decision restrictions under Art. 22 GDPR also in certain cases when they only perform the automated assessment, while the decision is taken by other entities to which such assessment is communicated and which strongly rely on the communicated assessment.

2. Judgement in the Case C-683/21 – Nacionalinis visuomenės sveikatos centras

What the Court mainly said: In line with its existing case-law in which the concept of joint controllership has been subject to review, as exemplified in cases Wirtschaftsakademie Schleswig-Holstein (C-210/16) and Fashion ID (C‑40/17), the CJEU stated that the joint control of data under GDPR does not exclusively involve deliberately coordinated actions for determining the purpose and means of data processing. In this decision, the Court covered the situations in which there is not even a clear arrangement in respect of the purpose and means of data processing and/or actions are not coordinated between the entities.

What are the practical implications: Companies need to check their capacity in the context of data processing activities (opting for separate or joint controllership, as the case may be).

3. Judgement in the Case C-740/22 – Endemol Shine Finland Oy

What the Court mainly said: The CJEU held that the oral disclosure of information about a natural person’s involvement in possible ongoing or completed criminal proceedings constitutes processing of personal data, within the meaning of Article 4(2) of the GDPR, and comes within the material scope of that regulation where that information forms part of a filing system or is intended to form part of a filing system.

What are the practical implications: Further to this CJEU ruling, companies and organizations must treat oral disclosures about criminal proceedings involving individuals as processing personal data if this information is part of, or intended to be part of, a filing system. This means they need to comply with GDPR requirements, such as providing privacy notices and maintaining adequate records in this respect, even for information communicated verbally.

4. Judgement in the Case C-604/22 – IAB Europe

What the Court mainly said: According to the CJEU, a string made up of letters and characters representing a user’s consent preferences is considered “personal data” if it can be reasonably linked to an identifier, like the user’s IP address, allowing for their identification. Even if an organization holding the string cannot access the data processed by its members or combine the string with other information without external help, the string still qualifies as personal data.

What are the practical implications: The decision clarifies what is considered personal data, including strings that can be linked to identifiers. Companies must assess whether their data processing activities match the Court’s interpretation. Nonetheless, handling of data strings must meet GDPR requirements, including obtaining explicit user consent, where applicable, ensuring data security, and enabling user rights such as the right of access and the right of deletion.

Our top upcoming judgements of the Court of Justice of the European Union 

1. Judgement in the Case C-446/21 – Maximilian Schrems

What the matter mainly refers to: The CJEU will interpret, amongst others, whether a statement made by a person about his or her own sexual orientation for the purposes of a panel discussion permits the processing of other data concerning sexual orientation with a view to aggregating and analyzing the data for the purposes of personalized advertising by a social media platform.

What are the practical implications: If the Court adopts the position of the Advocate General answering in a positive manner, companies, especially social media platforms, must be cautious when processing personal data related to sexual orientation. Even if a person voluntarily discloses his/her sexual orientation in a panel discussion, the processing of additional related data for purposes like personalized advertising requires clear legal grounds. Companies must ensure strict compliance with GDPR, which includes obtaining explicit consent and providing transparency about how the data will be used.

2. Judgement in the Case C-621/22 – Koninklijke Nederlandse Lawn Tennisbond

What the matter mainly refers to: The CJEU has to interpret the term “legitimate interest”. Specifically, the Court will have to determine if a purely commercial interest, such as the provision of personal data in return for payment without the consent of the data subject concerned, is to be regarded as a legitimate interest under certain circumstances and, if the answer is positive, the Court will have to say what are the circumstances which determine whether a purely commercial interest is a legitimate interest.

What are the practical implications: If the Court rules that the purely commercial interest is not sufficient for a legitimate interest, companies would need to reassess their applicable grounds of processing, especially for instances when they initially relied on a purely commercial interest. Companies will also have to evaluate their purely commercial legitimate interests, if the Court says that such legitimate interests would work, but only in certain circumstances.

3. Judgement in the Case C-693/22 – I. (Vente d’une base de données)

What the matter mainly refers to: The Court must consider whether, under the GDPR, a national law that permits the sale of a database containing personal data in enforcement proceedings, even when the data subject has not consented to the sale, is permissible.

What are the practical implications: If the Court mirrors the Advocate General’s position and allows the sale of a database containing personal data without the data subjects’ consent, provided it is deemed necessary and proportionate to enforce a civil law claim, several practical implications arise. Firstly, it could lead to reduced control over personal data for individuals involved in enforcement proceedings. Secondly, there might be increased reliance on court enforcement officers to determine the necessity and proportionality of such data processing, potentially raising concerns about privacy and data protection. Additionally, it could prompt a closer examination of the balance between civil law enforcement and individual privacy rights, possibly requiring clearer guidelines or safeguards to ensure responsible handling of personal data in such scenarios.

4. Judgement in the Inteligo Case (no number allotted yet)

What the matter mainly refers to: The CJEU must interpret, amongst others, whether Art. 83 paragraph 2 of the GDPR means that a supervisory authority imposing an administrative fine is required to assess and explain within the sanctioning document the impact of each of the criteria provided at letters (a) to (k) upon the decision to impose a fine and, respectively, upon the decision with regard to the amount of the fine applied.

What are the practical implications: Depending on the answer of the Court, supervisory authorities may need to redraft their sanctioning document templates or at least to change the manner in which such documents are filled in, so as to reflect therein the criteria employed in determining both the decision to impose a fine and the specific amount of the fine. In this case, companies may have a reason to challenge the sanctioning document if the supervisory authorities do not adequately explain such sanctioning criteria.

Statistics