This article provides an overview and summary of several of the key data protection judgments issued by the CJEU this month. The judgments consider issues including: whether legitimate interests can cover purely commercial interests;  whether competitors are entitled to bring an injunction claim based on an infringement of the GDPR; what constitutes ‘health data’ within the meaning of Art. 4 and Art. 9 of the GDPR, whether a controller can rely on an opinion of the national supervisory authority to be exempt from liability under Art. 82(2) GDPR; and what constitutes sufficient compensation for non-material damages and many more. 

• KNLTB case  (C-621/22)

Following preliminary questions from the Amsterdam district court, the CJEU has provided valuable clarification in relation to whether “legitimate interests” under Art. 6 (1)(f) GDPR can be “purely commercial”. In its judgement, the CJEU recognized that a wide range of interests can be considered a ‘legitimate interest’ under the GDPR and there is no requirement that the interests of the controller are laid down by law. While the CJEU decided not to answer the specific preliminary questions received from the Amsterdam district court, the attitude of the CJEU is clear: “legitimate interests” can serve purely commercial interests.  

For further information on this decision, please see our blog post available here.  

• Lindenapotheke (C-21/23) 

In its judgement, the CJEU ruled that Chapter VIII of the GDPR allows for national rules which grant undertakings the right to take action in case of an infringement of substantive provisions of the GDPR allegedly committed by a competitor. Such an action would be on the basis of the prohibition of acts considered to be unfair competition. The CJEU further ruled, that the data of a pharmacist’s customers, which are provided when ordering pharmacy-only but non-prescription medicines on an online sales platform, constitute “health data” within the meaning of Art. 4 (15) and Art. 9 GDPR (to that extent contrary to the Advocate General’s opinion of 25 April 2024). 

For further information on this decision, please see our blog post available here.  

• Maximilian Schrems v Meta Platforms Ireland Ltd (C-446/21) 

Background 

The privacy activist, Maximilian Schrems, brought an action before the Austrian courts challenging the processing of his personal data by Meta Platforms Ireland (“Meta”) in the context of the online social network Facebook. Mr Schrems argued that personal data relating to his sexuality had been processed unlawfully by Meta to send him personalised advertisements.   

Mr Schrems alleged that this processing took place without his consent or other lawful means under the GDPR. The CJEU noted that Mr Schrems had not posted sensitive data on his Facebook profile and further did not consent to Meta using a wider pool of personal data received from advertisers and other partners concerning Mr Schrems’ activities outside Facebook for the purpose of providing personalised advertising.  

The personalised advertisements in question were not based directly on his sexual orientation but on an analysis of his particular interests, drawn from a wider pool of data processed by Meta, as nothing had been openly published by Mr Schrems via Facebook about his sexuality. 

Key findings 

In its judgment, CJEU held that Art. 5(1)(c) GDPR does not allow the controller, in particular a social network platform, to process data collected inside and outside the platform for the purpose of personalised advertising for unlimited time and without distinction as to type of data. 

The CJEU emphasised that the principle of data minimisation requires the controller to limit the retention period of personal data to what is strictly necessary in the light of the objective of the processing activity. 

Regarding the collection, aggregation and processing of personal data for the purposes of targeted advertising, without distinction as to the type of those data, the CJEU held that a controller may not collect personal data in a generalised and indiscriminate manner and must refrain from collecting data which are not strictly necessary for the processing purpose. 

The CJEU also held that the fact that an individual manifestly made public information concerning their sexual orientation does not mean that the individual consented to processing of other data relating to their sexual orientation by the operator of an online social network platform within the meaning of Art. 9(2)(a) GDPR. 

• Agentsia po vpisvaniyata (C‑200/23) 

Background 

The data subject is a shareholder of a company in Bulgaria. The company’s constitutive instrument was sent to the Registration Agency (Agentsia po vpisvaniyata), the Bulgarian authority managing the commercial register. 

This instrument, which includes the surname, first name, identification number, identity card number, date and place of issue of that card, as well as the data subject’s address and signature, was made available to the public by the Agency as submitted. The data subject requested the Agency to erase the personal data relating to her contained in that constitutive instrument. As it is a legal requirement to publish certain information relating to the company’s constitutive instrument in the commercial register under Directive 2017/1132 (relating to certain aspects of company law), the Agency refused to delete it when requested by the data subject. The Agency also did not want to delete the personal data that is not required under the Directive but was nevertheless published as it was contained in the instrument. The data subject brought an action before the Administrative Court of Dobrich (Administrativen sad Dobrich) seeking annulment of the Agency’s decision and an order that the Agency compensates her for the alleged non-material damage she suffered.  

 Key findings 

Of the in total eight questions asked by the national court, the CJEU answered six, of which five related directly to the GDPR. Firstly, the CJEU held that an operator of a public register, which receives personal data as part of the constitutive instrument that is subject to compulsory disclosure under EU law, is both a ‘recipient’ of the personal data insofar the operator makes it available to the public, and also a ‘controller’, even if the instrument contains personal data that is not required based on EU or member state laws for the operator to process. This does not change even if the Agency receives additional information because the data subject did not redact their personal data when sharing the constitutive instrument when they should have according to the operator’s procedural rules. 

Secondly, the controller managing the national register may not outrightly refuse any request of erasure of personal data published in the register using the argument that the data subject should have provided a redacted copy of the constitutive instrument. A data subject enjoys a right to object to processing and a right to erasure, unless there are overriding legitimate grounds (which is not the case here).  

Thirdly, the CJEU confirmed that a handwritten signature of a natural person is considered personal data as it is usually used to identify a person and has evidential value regarding the accuracy and sincerity of a document.  

Fourthly, the CJEU held that Art. 82(1) GDPR must be interpreted as meaning that a loss of control for a limited period by the data subject over their personal data, due to the making available to the public of such data online in the commercial register of a Member State, may be sufficient to cause ‘non-material damage’. What in any case is required, is that the person demonstrates that they actually suffered such damage, however minimal. The concept of ‘non-material damage’ does not require the demonstration of the existence of additional tangible negative adverse consequences.  

Lastly, if the supervisory authority of a member state issues an opinion on the basis of Art. 58(3)(b) GDPR, the controller is not exempt from liability under Art. 82(2) GDPR if it acts in line with that opinion. The Agency namely argued that a company’s constitutive instrument may still be entered into the register even if personal data is not redacted and referred hereby to an opinion of the Bulgarian supervisory authority. However, as such an opinion issued to the controller is not legally binding, it can therefore not demonstrate that damages suffered by the data subject are not attributable to the controller which means that it is insufficient to exempt the controller from liability.  

• Patērētāju tiesību aizsardzības centrs (Latvia Consumer Rights Protection Centre) (C-507/23) 

Background 

The data subject is a well-known journalist and expert in the automotive sector in Latvia. During a campaign to make consumers aware of the risks involved in purchasing a second-hand vehicle, the Latvian Consumer Rights Protection Centre (“PTAC”) published a video on several websites which, among other things, featured a character imitating the data subject, without his consent.  

The journalist brought an action before the District Administrative Court in Latvia seeking (i) a finding that the actions of the PTAC, consisting in the use and distribution of his personal data without authorisation, were unlawful, and (ii) compensation for non-material damage in the form of an apology and the payment of EUR 2,000. The court ruled that the actions in question were unlawful, ordered the PTAC to end to acts, to make a public apology to the journalist and to pay him EUR 100 in compensation in respect of the non-material damage he had suffered. However, on appeal, although the Regional Administrative Court confirmed that the processing of personal data by the PTAC was unlawful and ordered the processing to cease and the publication of an apology on the websites which had disseminated the video footage, it dismissed the claim for financial compensation for the non-material damage suffered. The court found that the infringement that had been committed was not serious on the ground that the video footage was intended to perform a task in the public interest and not to harm the data subject’s reputation, honour and dignity.  

The journalist appealed this decision, and the Latvian Supreme Court referred a number of questions on the interpretation of Art 82(1) GDPR to the CJEU 

 Key findings 

Firstly, the CJEU found that an infringement of a provision of the GDPR, including the unlawful processing of personal data, is not sufficient, in itself, to constitute ‘damage’ within the meaning of Art. 82(1) GDPR.  

By this, the CJEU repeats and emphasises its previous interpretations of Art. 82(1) GDPR to the effect that a mere infringement of the GDPR is not sufficient to confer a right to compensation, since cumulatively and in addition to an ‘infringement’, the existence of ‘damage’ and of a ‘causal link between damage and infringement constitutes the conditions for the right to compensation in Art. 82(1) GDPR. According to the CJEU, this principle even applies if a provision of the GDPR has been infringed that grants rights to natural persons, as such an infringement cannot, in itself, constitute ‘non-material damage’. In particular, the CJEU held that the occurrence of damage in the context of the unlawful processing of personal data is only a potential and not an automatic consequence of such processing. 

Secondly, the CJEU found the presentation of an apology may constitute sufficient compensation for non-material damage on the basis of Art 82(1) GDPR. This applies in particular where it is impossible to restore the situation that existed prior to the occurrence of that damage, provided that that form of redress is capable of fully compensating for the damage suffered by the data subject. 

According to the CJEU, Art. 82(1) GDPR does not preclude the making of an apology from being able to constitute standalone or supplementary compensation for non-material damage provided that such a form of compensation complies with those principles of equivalence and effectiveness. In the present case, providing an apology as a possible compensation was explicitly laid down in Art. 14 of the Latvian Law on compensation for damage caused by public authorities. Other jurisdictions, however, such as German civil law, do not explicitly provide in their national laws the possibility of an apology as a form of compensation. Nevertheless, some courts have already taken apologies into account when determining the amount of monetary compensation. In light of this decision, courts may therefore consider an apology even more as a means of reducing the monetary amount of compensation for damages.  

Thirdly, according to the CJEU, Art. 82(1) GDPR precludes the controller’s attitude and motivation from being taken into account when deciding whether to grant the data subject less compensation than the damage actually suffered.  

According to the CJEU, Art. 82(1) GDPR has an exclusively compensatory and not a punitive function. Therefore, the gravity of an infringement cannot influence the amount of damages awarded under Art. 82(1) GDPR. The amount of damages may not be set at a level that exceeds full compensation for the actually suffered damage. 

Conclusion/implications 

While these five judgements were published on the same day, the decisions relate to a number of different topics. What they do have in common is that they all demonstrate the CJEU’s willingness to impose its reach and tackle difficult questions on the interpretation of the GDPR, particularly where there has not always been agreement or clarity among supervisory authorities. Although these decisions generally clarify and strengthen the CJEU’s previous interpretation of a number of issues, such as those relating to the compensation of non-material damages pursuant Art. 82(1) GDPR, it is interesting that for both the KLNTB decision and the Agentsia po vpisvaniyata decision, the CJEU followed a different interpretation of the GDPR to that of the relevant supervisory authorities (and in the KLNTB decision, contrary to the AG Opinion).

As we start to head into 2025, we can expect continued judgments from the CJEU on the interpretation and application of the GDPR with more than 20 pending cases with the CJEU relating to the GDPR.

In its judgement of 04 October 2024 (C-21/23), the European Court of Justice (“ECJ”, “Court”) ruled, that the provisions of Chapter VIII of the GDPR, do not preclude national rules which grant undertakings the right to rely, on the basis of the prohibition of acts of unfair competition, on infringements of the substantive provisions of the GDPR allegedly committed by their competitors. The ECJ further ruled, that the data of a pharmacist’s customers, which are provided when ordering pharmacy-only but non-prescription medicines on an online sales platform, constitute “health data” within the meaning of Art. 4 (15) and Art. 9 GDPR (to that extent contrary to the Advocate General’s opinion of 25 April 2024).

Background

The plaintiff and the defendant in the main proceedings each operate a pharmacy. The defendant also holds a mail order license and sells its range of products, including pharmacy-only medicines, through the online sales platform Amazon Marketplace, which allows the seller to offer products directly to consumers. The plaintiff sought an injunction to prohibit the defendant selling pharmacy-only pharmaceuticals via the online sales platform. In the plaintiff’s opinion, such distribution constitutes an unfair commercial practice because the defendant was violating a statutory provision within the meaning of Section 3a of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – “UWG”).

The District Court upheld the claim. The Higher Regional Court dismissed the defendant’s appeal and ruled that the defendant’s sale of pharmacy-only medicines via Amazon Marketplace violates the provisions of the UWG, as this distribution involves the processing of health data within the meaning of Art. 9(1) GDPR, to which the customers have not explicitly consented. According to the Higher Regional Court, the provisions of the GDPR must be regarded as market conduct rules within the meaning of national competition law, with the result that the plaintiff, as a competitor, is entitled to claim injunctive relief based on national competition law by relying on an infringement of the provisions of the GDPR by the defendant.

The defendant then appealed to the German Federal Court of Justice (Bundesgerichtshof – “BGH”), in which it maintained its application for dismissal of the injunction. The BGH stated that the key factor for the decision is how Chapter VIII and Art. 9 of the GDPR are to be interpreted, and referred the following questions to the ECJ for a preliminary ruling:

1. Do the rules in Chapter VIII GDPR preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the regulation and the options for legal redress for data subjects – empower competitors to bring proceedings for infringements of GDPR against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices?

2. Do the data of the customers of a pharmacist, who acts as a seller on an online sales platform, provide when ordering pharmacy-only but not prescription-only medicines  (customer’s name, delivery address and information required for individualising the pharmacy-only medicine ordered) constitute data concerning health within the meaning of Article 9(1) GDPR?

Decision

First question (competitor’s right to bring injunction claims)

According to the ECJ, neither the wording of the provisions of Chapter VIII of the GDPR nor their context precludes competitors from bringing claims based on an infringement. On the contrary, where the infringement of the substantive provisions of the GDPR is likely to affect primarily the data subjects, it may also affect third parties. The Court notes that, in the context of the digital economy, access to personal data and the use that can be made of it are of considerable importance. Accordingly, in order to take account of real economic developments and to maintain fair competition, it may be necessary to take into account the rules on the protection of personal data when enforcing competition law and the rules on unfair commercial practices. The judgment recognises that the GDPR does not contain a specific opening clause, which expressly authorises Member States to allow competitors to seek an injunction to prevent an infringement of the GDPR. However, according to the Court, it is clear that the EU legislature, when adopting the GDPR, did not intend to achieve full harmonisation of the remedies available in the event of a breach of the provisions of the GDPR and, in particular, did not intend to exclude the possibility for competitors of an alleged infringer of the rules on the protection of personal data to bring an action under national law on the basis of the prohibition of unfair commercial practices.

Moreover, such an action for an injunction brought by a competitor could prove to be a particularly effective means of ensuring such protection, since it makes it possible to prevent numerous infringements of the rights of the data subjects (in this respect, the Court refers to its judgment of 28 April 2002, Meta Platforms Ireland, C-319/20, in which the Court ruled that the GDPR does not preclude national legislation which allows a consumer protection association to bring an action, in the absence of a mandate given to it for that purpose and irrespective of the infringement of specific rights of the data subjects).

In the light of the foregoing, the answer to the first question is that the provisions of Chapter VIII of the GDPR must be interpreted as not precluding a national law which, in addition to the powers of intervention of the supervisory authorities responsible for monitoring and enforcing that regulation, and the means of redress available to the data subjects, gives competitors of the alleged infringer the power to take action against the infringer before the civil courts on the basis of the prohibition of unfair commercial practices for infringements of the GDPR.

In the present case, it is therefore for the national court to determine whether the alleged infringement of the substantive provisions of the GDPR at issue in the main proceedings, if established, also constitutes an infringement of the prohibition of unfair commercial practices under the relevant national legislation.

Second question (scope of the protection of health data)

In the second part of its decision, the ECJ once again interpreted the term ‘special categories of personal data’ and, in this case specifically the term health data (Art. 4 no. 15 GDPR), very broadly. The Advocate General in its Opinion on the case had assumed that it is not possible to deduce the state of health of the customer with sufficient probability from orders of pharmacy-only but non-prescription medicines and therefore had found that such information is not health data.

The ECJ has now decided otherwise. The Court ruled that the provisions of the GDPR cannot be interpreted as meaning that the processing of personal data that only indirectly reveals sensitive information about a natural person would be exempt from the increased protection. For personal data to be classified as health data within the meaning of Article 9(1) of the GDPR, it is sufficient that the health of the data subject can be inferred by association or deduction. The Court affirms that the data provided by a customer when ordering pharmacy-only medicines via an online platform can be used to infer, by association or deduction, the health status of the data subject, since the order establishes a link between a medicinal product, its therapeutic indications and uses, and an identified natural person or a person who can be identified by information such as his or her name or delivery address.

Moreover, the prohibition on processing health data shall apply in principle, regardless of whether the information disclosed by the processing in question is accurate or not, and regardless of whether the data controller acts with the aim of obtaining information falling within one of the special categories referred to in Article 9(1) of the GDPR. Consequently, the information provided by customers when ordering non-prescription medicines online constitutes health data, even if those medicines are only intended for those customers with a certain probability and not with absolute certainty. In this context, the Court also mentions the possibility that the order data may allow conclusions about the health of third parties (e.g. by means of a different delivery address).

The court of the main proceedings will therefore have to decide whether the processing of health data of the customers of the defendant is permissible on the basis of one of the exceptions in Article 9(2) of the GDPR – in particular, because the data subject has given explicit informed consent, or whether the processing is permissible on the basis of Article 9(2)(h) of the GDPR because it is necessary for the purposes of health care and on the basis of Union or Member State law or pursuant to contract with a health professional .

Practical note

This is the third decision by the ECJ that allows actors other than data protection supervisory authorities to take legal action against controllers: in addition to the Meta Platforms decision of April 2022 mentioned above (C-319/20), in July this year, the ECJ clarified that the right of a consumer protection association to challenge the infringement of a data subject’s right “occurring in the course of processing” also extends to information obligations pursuant Articles 12(1) and 13(1) GDPR (C-752/22).

These rulings have significant consequences – they not only increase compliance risks, but also legal defense costs. In practice, consumer protection organisations – out of ignorance or lack of knowledge of business contexts – often take a more dogmatic approach than the competent data protection supervisory authority.

With the competitors, further inexperienced players are now entering the ring. Unlike in the past, it can be assumed that going forward, competitors will make use of the right to sue for injunctive relief if a controller is,  in its view, violating the provisions of the GDPR and this is deemed unfair within the meaning of national competition law. As the acts against unfair competition are based on the EU Directive 2005/29/EC and therefore largely harmonized within the European Union, the ECJ’ decision is likely to affect all data controllers in the European Union.

Accordingly, in order to identify potential shortcomings that could be the subject of a competitor’s claim, controllers are well advised to review their existing processes in light of their specific business model. With respect to the potential processing of health information, a careful assessment is necessary. In particular, the question arises as to which constellations the extensive interpretation of the ECJ still covers in relation to health data – for example, dietary supplements. Or whether – as we believe – it should remain limited to pharmacy-only medicines.

Furthermore, this aspect should be considered in the planning of future business activities in order to avoid a cease-and-desist order.

For any questions about this decision or any assistance please contact your local DLA Piper contact.

The subject of “legitimate interests” and in particular whether they can be “purely commercial” has been a topic of front and center stage debate in the Netherlands for some time. The Dutch data protection authority (AP) has historically interpreted the concept of legitimate interest narrowly, taking the position that organisations cannot rely on purely commercial interests as a legitimate interest and that instead, the interests must have a basis in law. This narrow interpretation makes it impractically difficult for organisations to rely on Article 6(1)(f) GDPR as the lawful basis on which to process personal data and created uncertainty.

Now, following preliminary questions from the Amsterdam district court, the Court of Justice of the European Union (CJEU) has provided valuable clarification – and one that allows organisations to breathe a sigh of relief. In its judgement of 4 October 20024, the CJEU recognized that a wide range of interests can be considered a ‘legitimate interest’ under the GDPR and there is no requirement that the interests of the controller are laid down by law. While the CJEU decided not to answer the specific preliminary questions received from the Amsterdam district court, the attitude of the CJEU is clear: “legitimate interests” can serve purely commercial interests.[1]

Setting the scene: AP’s historic viewpoint on legitimate interest

The AP has applied its narrow interpretation of the concept of legitimate interests for many years.[2] This position is also reflected in the AP’s enforcement actions. Including:

• Royal Dutch Tennis Association (KNLTB): The foundation of the referring case from the Amsterdam district court began in 2019 when the AP imposed a fine of EUR 525,000 on KNLTB for unlawfully sharing personal data of its members with two sponsors for marketing purposes, in return for payment. The AP concluded that the KNLTB could not rely on their legitimate interests as the interest was solely of a commercial nature. According to the AP, legitimate interests must “belong to the law, being lawful, enshrined in a law” and the interests claimed by KNLTB were lacking this.
• VoetbalTV: In 2020, the AP also issued a fine of EUR 575,000 to VoetbalTV for processing personal data on the basis of a purely commercial legitimate interest – please see our previous blog here.

The AP has consistently upheld their interpretation despite heavy criticism, including from the European Commission who raised their concerns on the AP’s strict interpretation in an open letter. According to the European Commission, the interpretation severely limits businesses’ possibilities of processing personal data for commercial interests.

The Dutch courts have also weighed in. In the VoetbalTV case the district court Midden-Nederland (perhaps boldly) concluded that the AP misinterpreted the concept of legitimate interest. The court ruled that the fact that VoetbalTV has a commercial interest does not mean that they have no legitimate interest, and excluding a particular interest as a legitimate interest in advance is contrary to European case law. However, in appeal, the Netherland’s highest appellate court was unable to ‘resolve’ this difference of opinion on the basis that there were other relevant legitimate interests that weren’t exclusively commercial in nature. Hence, while the court ruled in favour of VoetbalTV, the judgment did not yet clarify the use of legitimate interests as a legal basis for purely commercial interests.

CJEU judgment  4 October 2024

The KNLTB case has been brought before the Amsterdam district court[3], which turned to the CJEU for guidance in September 2022. The court referred preliminary questions to the CJEU to explain how the term “legitimate interest” should be interpreted. Should this be interpreted in such a way to include exclusively interests established in law, or can any interest be a legitimate interest provided that such interest does not conflict with the law? More specifically: can a purely commercial interest and the interest of the matter at hand (i.e., sharing personal data with a third party against payment without consent of the data subject) be regarded as legitimate interest? And if so, under what circumstances?

The CJEU chose not to answer these direct questions and reframed them based on the facts of the KNLTB case. However, regardless of this approach, the view of the CJEU is clear.

The CJEU reiterates the 3-step test to assess whether the legitimate interest can be used as lawful basis: (1) a legitimate interest should be pursued, (2) there must be a need to process personal data, and (3) the interests or fundamental freedoms and rights of the person(s) concerned should not override the legitimate interests.

The CJEU’s judgement on the first step is most crucial to the above-mentioned debate. At this step, the CJEU ruled that (i) a wide range of interests may be regarded as legitimate; and (ii) there is no need that the interest is provided for by law (but, of course, the legitimate interest should be lawful). Hence, commercial interests, such as the interest pursued by KNLTB, can also be legitimate interests.

It is now up to the Amsterdam district court to assess, based on the specifics of the KNLTB case, whether such a legitimate interest exists in that case and whether the second and third conditions are also met. In our view, given the facts of the KNLTB case and the CJEU’s remarks on the second and third conditions, it is unlikely that the commercial interests of KNLTB will pass the 3-step test. However, this does not detract from the (long awaited) clarification on the scope of what can be considered a “legitimate interest”.

Impact on Dutch businesses

The CJEU judgment is the final act in the heavily criticized strict interpretation of the AP on “legitimate interests”. While this judgment will not save VoetbalTV (which went bankrupt during the dispute with the AP) and might not save KNLTB either, this is a welcome development for other Dutch business.

For any questions about this decision or assistance on assessing legitimate interests, please contact Richard van Schaik (partner) Francesca Pole (Senior Associate) or Demi Rietveld (Associate) or your local DLA Piper contact.

[1] Judgement CJEU 4 October 2024, C-621/22 (Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens)

[2] AP-normuitleg grondslag gerechtvaardigd belang | Autoriteit Persoonsgegevens.

[3] ECLI:NL:RBAMS:2022:5565, Rechtbank Amsterdam, 20/4850 (rechtspraak.nl)