In its judgment of 2 March 2023, the European Court of Justice (ECJ) (C-268/21) issued a preliminary ruling on whether and to what extent provisions of the General Data Protection Regulation (GDPR) are applicable in the context of national civil procedural law of the EU member states. Specifically, the question was whether third party personal data, which were originally collected for tax purposes, can be used as evidence in civil court proceedings – and thus under a changed processing purpose – in accordance with data protection law pursuant to Art 6(3), (4) GDPR. In its decision, the ECJ affirms the general applicability of the GDPR provisions within the framework of the national civil procedural law of the EU member states.
Background of the judgment
Both parties to the dispute are subject to Swedish law. The plaintiff constructed an office building for the defendant. The persons working on the construction site in question recorded their presence by means of an electronic staff register. According to the Swedish Tax Procedure Act (Chapter 39 of the skatteförfarandelagen), any person who carries on a construction activity is obliged, in certain cases, to maintain an electronic staff register. The register assists in identifying undeclared work and must contain all the information required to identify the persons involved in the respective economic activity. This includes, among other things, the identity, the national tax identification number, and the beginning and end of the working hours of all persons involved.
The plaintiff brought an action at first instance seeking payment of the outstanding balance of the work performed. The defendant claimed, among other things, that the number of hours to be remunerated was lower than those quantified in the plaintiff’s request. In order to prove this, the defendant requested the submission of the unredacted personnel register for the period in question. Under Swedish law, if a document can be considered as evidence, the respective party is, in principle, obliged to produce it in civil proceedings.
In the opinion of the plaintiff, however, this procedure violates the principle of purpose limitation from Article 5(1)(b) GDPR. The plaintiff’s personnel directory contained personal data that had been collected to allow Swedish tax authorities to monitor the company’s activities. The plaintiff argued that it is incompatible with this purpose to disclose this data in an unredacted form before the court. After the plaintiff was ordered to produce an unredacted version of the personnel directory at first instance, the Court of Appeal referred the question of its legality to the ECJ for a preliminary ruling (according to Art. 267 TFEU).
Reasons for the decision
The ECJ first clarifies that the material scope of Art 2(1) GDPR applies to processing operations carried out by private individuals as well as to processing operations carried out by public authorities, including judicial authorities such as courts. No distinction is made in this respect according to the originator of the data processing. Furthermore, the ECJ clarifies that both the creation and maintenance of the electronic personnel register for tax purposes and the production of this document ordered in the context of court proceedings each constitute a processing of personal data within the meaning of Art 4(2) GDPR. The scope of application of the GDPR is thus opened for the underlying case, so that the court-ordered production of documents as evidence requires a legal basis under Art 6 GDPR.
In the specific case, the ECJ considered Art 6(1)(e) GDPR to be applicable, according to which the processing of personal data is lawful if it is necessary for the performance of a task carried out in the public interest – in this case, the judicial powers of the courts – and is laid down by law in accordance with Art 6(3) GDPR in the law of the Member State concerned. According to the ECJ, the latter requirement is also fulfilled due to the obligation under Swedish law to submit evidence to the courts if it is fundamentally suitable.
By also recognising the change of purpose put forward by the plaintiff – from fiscal to civil procedural processing purposes – the ECJ is of the opinion that the further requirements of the respective data processing are to be determined on the basis of the provisions of Article 6(4) GDPR. According to this provision, a legal provision of the Union or of the Member States is required which constitutes a necessary and proportionate measure in a democratic society for the protection of the objectives stated in Article 23(1) GDPR. In its decision, the ECJ indicates that, in its opinion, Article 23(1)(j) GDPR – the enforcement of civil claims – could be considered as such a suitable objective. However, the ECJ emphasises that it is up to the referring court to examine whether the requirements of Article 6(4) GDPR in conjunction with Article 23(1) GDPR are met. This requires a court decision on a case-by-case basis. In general, however, according to the ECJ, the provision was applicable.
With this judgment, the ECJ provides legal certainty on the relationship between the GDPR and national civil procedural law. On closer examination, the answer to this question, i.e., the affirmation of the applicability of Article 6(3) and Article 6(4) GDPR, is not very surprising.
However, the real impact of the ruling comes from its generalizability. This is because the ECJ’s findings that courts are bound by the principles of the GDPR are easily transferable to the processing of personal data by other litigants. Parties and counsel should therefore keep the requirements of the GDPR in mind when submitting evidence or otherwise processing personal data in connection with litigation, including receiving, using, or disclosing it. This applies at the entire stage of a lawsuit, i.e., from its initiation to the end of a subsequent enforcement.
From a German perspective, Sec. 24(1) No. 2 Federal Data Protection Act (Bundesdatenschutzgesetz – “BDSG”) should also be considered when assessing the lawfulness of a change to the purpose of a data processing activity. This legal provision applies to the processing of data by private bodies for a different purpose and states that this is permissible if it is necessary for the establishment, exercise or defence of legal claims, unless the data subject has an overriding interest in not having the data processed.