According to the GDPR, data controllers must inform data subjects about all relevant information and their rights regarding the processing of their personal data in a comprehensible and easily accessible form before processing.
If data subjects believe that their data have been processed unlawfully, the GDPR provides for a range of legal remedies: Not only the data subjects themselves, but also non-profit organisations may assert alleged violations of the regulation on their behalf (Art. 80 para. 1 GDPR). Moreover, Member States may even adopt legislation authorising non-profit organisations to exercise the legal remedies of the GDPR without a mandate from a data subject if an infringement has occurred "as a result of processing" (Art. 80 para. 2 GDPR).
In its decision of 11 July 2024 (C-757/22), the ECJ took a closer look at the requirements for the legal standing of a non-profit organisation without a mandate. We would like to provide you with a brief overview of this decision, which is binding upon all Member States:
The dispute in the main proceedings and the first preliminary ruling
As the operator of a social network, Meta Platforms Ireland, formerly Facebook Ireland, provides free games from third-party providers in a separate section. Before accessing this section, users are informed that some of the applications will require their consent to the collection of personal data by the third-party provider and permission to publish results in their name in the social network.
The Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband) was of the opinion that the users' consent did not meet the legal requirements and brought an action against Meta Platforms Ireland.
The German Federal Court of Justice had doubts that the Bundesverband's had standing to bring an action because the action was brought without a mandate from a data subject; therefore, it referred this matter to the ECJ for interpretation. The ECJ stated that it was not necessary to identify data subjects in advance in order to have legal standing under Art. 80 para. 2 GDPR, but that it would be sufficient to designate a category or group of persons affected by unlawful processing.
In this referral procedure, the ECJ remained silent on whether a data controller’s breach of the duty to inform about the purpose of data processing and the recipients of the data had happened, such that it was to be regarded as a breach "as a result of processing", and whether the term "processing" also included circumstances which occurred before the data were collected.
The original proceedings were therefore suspended by the German Federal Court of Justice once more and these questions were again referred to the ECJ for a preliminary ruling.
The interpretation of "as a result of processing"
The processing of personal data within the meaning of the GDPR is only permitted if, on the one hand, the general principles are complied with (Art. 5 GDPR) and if, on the other hand, a consent requirement has been complied with (Art. 6 GDPR). In particular, the purpose of the data processing must be established and clearly defined at the time of processing (Art. 5 para. 1 lit. a GDPR). In order to comply with this principle, the GDPR provides for an obligation to inform data subjects in a comprehensible and easily accessible form, including the purpose of processing and the recipient of the data (Art. 13 para. 1 lit. c and e GDPR).
The ECJ concluded that the information rights of the data subjects would be ineffective without a duty to inform on the part of the data controller so that this must be regarded as a logical prerequisite of the right to information. Compliance with these rights is therefore also covered by the scope of application of Art. 80 para. 2 GDPR. Valid consent to processing also requires that consent be given in an "informed manner". However, the requirement of "informed consent" within the meaning of the GDPR cannot be fulfilled at all if the data controller has not complied with the duty to inform.
Significance of the decision
This decision by the ECJ is significant in several respects: On the one hand, with regard to recent legislation on collective action (“Verbandsklage NEU”). Dr Thomas Frad recently held an interesting webinar on the subject of such NEW collective actions. The recording can be accessed here. On the other hand, this decision emphasises yet again the high level of protection provided by the GDPR and the need to comply with all obligations, in particular the obligations to furnish information under Art. 12 et seq of the GDPR.
KWR's Data Protection Team will be happy to assist you with any questions you may have and to review your privacy policy.