On November 28, 2024 (Case C-169/23), the European Court of Justice (ECJ) issued a landmark ruling on the information obligation under the General Data Protection Regulation (GDPR). The decision clarifies the scope of the information obligation for personal data not collected directly from individuals.
The court expanded the exemptions under Article 14 GDPR: these now apply even when a company generates data through its own investigations, not just when data is collected from third-party sources. This interpretation is particularly relevant for companies with data-intensive business models.
Case Background
In Hungary, immunity certificates were issued during the COVID-19 pandemic. Authorities used data collected within their own systems. A citizen complained that he had not been informed, arguing that the authority should have notified him since the data was not directly provided by him. The authority relied on an exemption under Article 14 GDPR, but a Hungarian court ruled that the exemption applied only to third-party data, not self-generated data.
ECJ Decision
The ECJ overruled the Hungarian court’s decision. The judges clarified that the exemptions from the information obligation apply to all data not obtained directly from the data subject, regardless of how it was collected. It does not matter whether the data originates from a third party or was gathered internally by the authority.
Key points of the ruling:
- Expanded scope of Article 14(5) GDPR: The exemption applies to all data not directly received from the data subject.
- Irrelevance of data origin: Whether the data comes from an external source or is generated internally is not a deciding factor.
- Balancing obligations and feasibility: The ECJ argued that a strict interpretation of the rule would create a disproportionate burden for companies. The exemption is meant to ease the information obligation in certain cases.
Practical Implications
The ruling has significant consequences:
- Advantages for data traders: Companies engaged in address trading and data enrichment benefit from this decision. They can more easily invoke exemptions from the information obligation, even for self-generated data. This allows for more efficient data processing without the need to notify every individual.
- More flexibility for businesses: In general, companies now have greater leeway in data processing, as they are not required to inform individuals if the data was not directly collected from them.
Summary
The ECJ’s ruling is an important clarification: exemptions from the information obligation also apply to self-generated data (as long as it was not collected directly from the data subject). This is particularly beneficial for businesses operating with large amounts of data.