On 6 June 2024, Advocate General Medina provided an opinion on Case C-169/23, marking the first time the Court interprets GDPR Article 14(5)(c) concerning derogations from the obligation of data controllers to provide information to data subjects.
Context and Legal Background
The case originated from a complaint by UC, a Hungarian citizen, who received an immunity certificate from the Budapest Metropolitan Government Office. UC claimed the office failed to create or publish a privacy notice regarding the processing of his personal data and provide sufficient information about the processing’s purpose, legal basis, and available rights. The Hungarian supervisory authority initially dismissed the complaint, citing Article 14(5)(c) of the GDPR as a reason for exemption from providing this information.
UC challenged this decision before the Fővárosi Törvényszék (Budapest High Court, Hungary). The court upheld UC’s action, annulled the supervisory authority’s decision, and ordered a new procedure. The court reasoned that the derogation in Article 14(5)(c) did not apply because some data associated with the immunity certificates were generated by the controller itself, not obtained from another body. These included the serial number, validity period, QR code, bar code, and other alphanumerical codes generated during the procedure.
Under GDPR, data controllers must inform data subjects about data processing when data is not obtained directly from them (Article 14). Article 14(5)(c) provides an exemption from this obligation if the obtaining or disclosure of data is explicitly required by Union or Member State law, provided the law includes appropriate measures to protect the data subject’s legitimate interests.
Questions referred
- Does Article 14(5)(c) apply to data generated by the controller?
- AG Answer: Yes, it applies to all data not obtained from the data subject, including data generated by the controller.
- AG Reasoning: The term “obtaining” in Article 14(5)(c) encompasses any method of acquiring data, including generation by the controller. This interpretation aligns with GDPR’s transparency objective and ensures data subjects can exercise control over their data. The underlying assumption of the derogation is that EU or Member State law replaces the controller’s obligation to provide information, as data subjects are assumed to have sufficient knowledge of the data’s obtaining or disclosure. Such laws must expressly concern the obtaining or disclosure of the data and make it mandatory for the controller.
- Can supervisory authorities examine national laws for appropriate protective measures under Article 14(5)(c)?
- AG Answer: Yes, supervisory authorities have the power to review whether national laws provide appropriate measures to protect data subjects’ interests.
- AG Reasoning: Supervisory authorities are tasked with enforcing GDPR compliance. This includes assessing if the law is mandatory for the controller and if it requires obtaining or disclosure of personal data, as well as if it offers sufficient safeguards for data subjects. If the law does not provide appropriate measures to protect the data subject’s legitimate interests, the obligation to provide information will apply. The Hungarian DPA had argued against this position, considering this exceeds its tasks, but the AG is of the opinion that this is an not an examination of the validity of national law, but only an examination of the question whether the data controller is entitled to invoke the derogation towards a particular data subject in a particular situation.
- Do national laws need to transpose data security measures as per Article 32 of GDPR?
- AG Answer: No, national laws do not need to specifically transpose the data security measures outlined in Article 32.
- AG Reasoning: Article 14(5)(c) and Article 32 cover different aspects of data protection. The “appropriate measures” required under Article 14(5)(c) should ensure transparency and fairness, but they do not need to mirror the technical and organizational security measures of Article 32.
TL;DR
AG Medina’s opinion clarifies that Article 14(5)(c) of the GDPR exempts controllers from providing information about data processing in any situation when the data is not obtained directly from the subject, provided that there is a legal requirement to obtain or disclose such data and the law in question adequately protects data subjects’ interests. Supervisory authorities are empowered to assess these protections, ensuring that transparency and control over personal data are maintained in all processing contexts.
👉 Read the opinion here.
♻️ Share this if you found it useful.
💥 Follow me on Linkedin for updates and discussions on privacy education.
📍 Subscribe to my newsletter for weekly updates and insights – subscribers get an integrated view of the week and more information than on the blog.
