1.

A basic principle of Regulation (EU) 2016/679 ( 2 ), which is the general legislation on the protection of personal data, and of Directive (EU) 2016/680 ( 3 ) (lex specialis on the same subject in relation to criminal proceedings) is the limitation of the collection of personal data and the processing of such data to the specific purposes stipulated by law.

2.

In this case, the Court of Justice is required to answer questions from a Bulgarian court concerning the interpretation of the GDPR and of Directive 2016/680, in order to determine whether personal data held by the public prosecutor’s office of a Member State has been unlawfully processed where:

3.

Pursuant to Article 2 (‘Material scope’):

‘1.   This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2.   This Regulation does not apply to the processing of personal data:

…

…’

4.

Article 4 (‘Definitions’) provides:

‘For the purposes of this Regulation:

…

…

…’

5.

Article 5 (‘Principles relating to processing of personal data’) provides:

‘1.   Personal data shall be:

…’

6.

Article 6 (‘Lawfulness of processing’) reads:

‘1.   Processing shall be lawful only if and to the extent that at least one of the following applies:

…

…

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

…

3.   The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation … The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4.   Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

7.

In accordance with Article 1 (‘Subject matter and objectives’):

‘1.   This Directive lays down the rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

2.   In accordance with this Directive, Member States shall:

…’

8.

Article 2 (‘Scope’) provides:

‘1.   This Directive applies to the processing of personal data by competent authorities for the purposes set out in Article 1(1).

…

3.   This Directive does not apply to the processing of personal data:

…’

9.

Article 3(1), (2) and (8) adopts the definitions laid down in Article 4(1), (2) and (7) of the GDPR.

10.

Article 4 (‘Principles relating to processing of personal data’) provides:

‘…

2.   Processing by the same or another controller for any of the purposes set out in Article 1(1) other than that for which the personal data are collected shall be permitted in so far as:

…’

11.

Article 6 (‘Distinction between different categories of data subject’) provides:

‘Member States shall provide for the controller, where applicable and as far as possible, to make a clear distinction between personal data of different categories of data subjects, such as:

12.

Article 8 (‘Lawfulness of processing’) states:

‘1.   Member States shall provide for processing to be lawful only if and to the extent that processing is necessary for the performance of a task carried out by a competent authority for the purposes set out in Article 1(1) and that it is based on Union or Member State law.

2.   Member State law regulating processing within the scope of this Directive shall specify at least the objectives of processing, the personal data to be processed and the purposes of the processing.’

13.

In accordance with Article 9 (‘Specific processing conditions’):

‘1.   Personal data collected by competent authorities for the purposes set out in Article 1(1) shall not be processed for purposes other than those set out in Article 1(1) unless such processing is authorised by Union or Member State law. Where personal data are processed for such other purposes, [the GDPR] shall apply unless the processing is carried out in an activity which falls outside the scope of Union law.

2.   Where competent authorities are entrusted by Member State law with the performance of tasks other than those performed for the purposes set out in Article 1(1), [the GDPR] shall apply to processing for such purposes, including for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, unless the processing is carried out in an activity which falls outside the scope of Union law.

…’

14.

Article 127 provides that the Public Prosecutor’s Office has exclusive powers to conduct investigations, make formal accusations in respect of offenders, and prosecute before the courts in the case of criminal proceedings subject to public prosecution.

15.

Article 1 provides:

‘(1)   The present law governs public relationships relating to the protection of natural persons with regard to the processing of their personal data, in so far as these are not governed by the [GDPR].

(2)   The present law also lays down rules relating to the protection of natural persons with regard to the processing of personal data by the competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public order and security.

…’

16.

Article 17 provides:

‘(1)   The Inspectorate at the Supreme Judicial Council … shall monitor and ensure compliance with the [GDPR], the present law and any normative acts on the subject of the protection of personal data as regards the processing of personal data by:

1. a court, exercising its role as a judicial authority, and

2. the Public Prosecutor’s Office and the investigating authorities in the exercise of their judicial functions, for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

…’

17.

Article 42 provides:

‘(1)   The rules laid down in the present chapter shall apply where personal data are processed by the competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and public policy.

(2)   Personal data collected for the purposes referred to in paragraph 1 may not be processed for other purposes, unless EU law or the law of the Republic of Bulgaria provide otherwise.

(3)   Where the competent authorities process personal data under paragraph 1 for purposes other than those provided for in paragraph 1 and in the cases provided for in paragraph 2, the [GDPR] and the relevant provisions of the present law laying down measures for the implementation of [the GDPR] shall apply.

(4)   A competent authority within the meaning of paragraph 1 shall mean any public authority with responsibility for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and public policy.

(5)   Unless otherwise provided for in legislation, a controller, within the meaning of the present chapter, who processes personal data for the purposes laid down in paragraph 1, is a competent authority within the meaning of paragraph 4 or the administrative structure of which that authority forms part, which, alone or jointly with other authorities, determines the purposes and the means of processing personal data.’

18.

Article 45 provides:

‘…

(2)   The processing of personal data by a controller who initially collected that data or by another controller for any of the purposes provided for in Article 42(1), other than that for which the personal data were collected, shall be permitted in so far as:

1. the controller is authorised to process personal data for that purpose, in accordance with EU law or the law of the Republic of Bulgaria, and

2. processing is necessary and proportionate to that other purpose in accordance with EU law or the law of the Republic of Bulgaria.

…’

19.

Article 47 reproduces Article 6 of Directive 2016/680.

20.

Article 49 reads:

‘The processing of personal data shall be lawful if it is necessary for the exercise of powers by a competent authority for the purposes referred to in Article 42(1) and is provided for by EU law or by a normative act which specifies the purposes of the processing and the categories of personal data subject to processing.’

21.

Under the direction of the Rayonna prokuratura – Petrich (District Public Prosecutor’s Office, Petrich, Bulgaria) the pre-trial stage of criminal proceedings (No 252/2013 of the Petrich Police) ( 6 ) was initiated in order to investigate certain acts constituting an offence ( 7 ) which took place on 18 April 2013.

22.

During that pre-trial stage, personal data were initially collected from VS in his capacity as victim.

23.

By decisions of the Public Prosecutor’s Office of 4 and 5 April 2018, formal accusations were made in respect of four individuals (including VS) as regards those acts.

24.

On 10 November 2020, the Rayonen sad Petrich (District Court, Petrich, Bulgaria) ordered that the criminal proceedings be discontinued on the grounds that they were time-barred.

25.

In 2016 and 2017, following complaints made against VS, the District Public Prosecutor’s Office, Petrich, opened several files ( 8 ) which, in the absence of evidence of a criminal offence, did not result in a pre-trial stage in respect of criminal proceedings being initiated.

26.

In 2018, VS brought a civil action ( 9 ) against the Public Prosecutor’s Office of the Republic of Bulgaria before the Okrazhen sad – Blagoevgrad (Regional Court, Blagoevgrad, Bulgaria), seeking damages for the harm caused by the excessive duration of the pre-trial stage in criminal proceedings No 252/2013.

27.

For the purpose of mounting a defence against that civil action, the Public Prosecutor’s Office claimed that the court should order the District Public Prosecutor’s Office, Petrich, to produce investigation files No 517/2016 and No 1872/2016.

28.

By order of 15 October 2018, the Okrazhen sad – Blagoevgrad (District Court, Blagoevgrad) ordered the District Public Prosecutor’s Office, Petrich, to produce copies of the documents contained in investigation files No 517/2016 and No 1872/2016.

29.

On 12 March 2020, VS complained to the Inspektorat kam Visshia sadeben savet (Inspectorate at the Supreme Judicial Council; ‘IVSS’) about what he regarded as the unlawful double processing of his personal data by the Public Prosecutor’s Office, which, according to him, had misused:

30.

On 22 June 2020, the IVSS dismissed both of VS’ claims.

31.

VS contested the decision of the IVSS before the Administrativen sad – Blagoevgrad (Administrative Court, Blagoevgrad, Bulgaria), which has referred the following questions to the Court of Justice for a preliminary ruling:

32.

The request for a preliminary ruling was received at the Registry of the Court of Justice on 23 March 2021.

33.

VS, the IVSS, the Bulgarian, Czech and Netherlands Governments and the European Commission entered an appearance and submitted written observations.

34.

The Court did not consider it necessary to hold a hearing, such a hearing not having been requested by any of the parties.

35.

The GDPR and Directive 2016/680 form a cohesive system in which:

36.

The protection afforded by the body of rules established by both provisions is based on the principles of lawfulness, fairness, transparency and, in so far as is relevant for the present purposes, on the principle of the strict limitation of the collection and processing of data to the purposes laid down by law. ( 10 )

37.

In particular, Article 5(1)(b) of the GDPR provides that data are to be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’. ( 11 ) Article 4(1)(b) of Directive 2016/680, as lex specialis, is also worded in those terms.

38.

Therefore, personal data may not be collected or processed on a general basis but rather only by reference to certain specified purposes ( 12 ) and subject to the conditions of lawfulness stipulated by the EU legislature.

39.

The principle that the collection and processing of data, on the one hand, must be strictly linked to the purposes that both operations must serve, on the other, is not absolute, since both the GDPR and Directive 2016/680 allow a degree of flexibility, as I shall explain below.

40.

In the main proceedings, the administrative court must determine whether the supervisory authority (the IVSS) ( 13 ) acted lawfully in dismissing the complaint by which VS alleged that the Bulgarian Public Prosecutor’s Office had unlawfully processed his personal data.

41.

As already stated, those data were collected in two different contexts:

42.

By the same token, the questions submitted by the referring court encompass:

43.

I agree with the referring court, and with all the parties which have participated in these preliminary ruling proceedings, that the processing of personal data to which Question 1 refers is governed by Directive 2016/680.

44.

In accordance with Article 1(1) and Article 2(1) of Directive 2016/680, the directive applies to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences. In the present case, VS’ data were collected and processed in the context of a criminal investigation.

45.

However, as regards the transmission of personal data for the purposes of the civil proceedings brought against the Public Prosecutor’s Office (Question 2), the GDPR will apply if the transmission of those data constitutes data processing for purposes other than those set out in Article 1(1) of Directive 2016/680 but part of an activity coming within the scope of EU law.

46.

In accordance with Article 4(2) of Directive 2016/680, processing by the same or another controller for any of the purposes set out in Article 1(1) ( 15 ) other than that for which the personal data are collected is to be permitted in so far as:

47.

Directive 2016/680 therefore permits a transfer ad intra of personal data collected thereunder. Any data which have been collected for one of the purposes listed in Article 1(1) may also be used, under certain conditions, for one or more other purposes specified in that list.

48.

The difficulty raised by Question 1 is whether, following the collection of VS’ personal data when he was an alleged victim of the crime under investigation, those data may also be subsequently processed for use against him as a person under investigation or an accused person in the course of the same criminal proceedings.

49.

In other words, it is necessary to determine whether VS’ personal data were processed for the same purpose which warranted their original collection or, rather, for two different purposes, but where both purposes come within the scope of Directive 2016/680. In the latter situation, processing should be made subject to the specific conditions set out in Article 4(2) of that directive.

50.

The referring court’s first question is worded somewhat ambiguously as regards the subject matter of the proceedings. The referring court asks, literally, whether Article 1(1) of Directive 2016/680 is to be interpreted ‘as meaning that, when stating the objectives of that directive, the terms “prevention, investigation, detection or prosecution of criminal offences” are listed as aspects of a general objective’.

51.

In the light of the referring court’s presentation, it would perhaps be helpful to reformulate its first question, as the parties and interveners in these preliminary ruling proceedings have proposed. Rather than focusing on the abstract relationship between general purpose and specific purpose, what really matters (and that is what VS’ complaint actually concerns) is whether, in the context of criminal proceedings governed by Directive 2016/680, the purpose which led to collection of a person’s data in his or her capacity as the alleged victim of an offence continues to exist if those data result in formal accusations subsequently being made in the same proceedings in respect of that person.

52.

The literal interpretation of Article 1(1) of Directive 2016/680 indicates that three types of purpose can be identified under the directive, which reflect different points in time and different activities:

53.

From a systematic or contextual point of view, Article 4(2) of Directive 2016/680 opts to treat each of those purposes as separable. Otherwise, as the Netherlands Government has observed, that provision would be deprived of substance, since it refers to ‘purposes set out in Article 1(1) other than that for which the personal data are collected …’

54.

On that basis, I shall endeavour to explain why, in this case, the data at issue were collected and processed for one of the purposes (that of ‘investigation’) referred to in Article 1(1) of Directive 2016/680, which means that that directive is applicable and that the processing is therefore lawful.

55.

In the alternative, if the data were collected and processed for two of the purposes referred to in Article 4(2) of Directive 2016/680, the lawfulness of that collection and processing cannot be called into question either.

56.

In the context of criminal files, it is not always possible to determine at the outset the procedural status of the individuals involved. In many cases, such files are aimed at identifying and, therefore, ‘categorising’ individuals who appear prima facie as perpetrators, victims or witnesses of the acts.

57.

During that preparatory stage, it is logical that there will be a degree of fluidity in the categorisation. Through the results it produces, that investigation must lead to the exact identification of the capacity in which those persons will act when the offences are tried.

58.

That is particularly the case in situations like the one in these proceedings. According to the referring court, a number of individuals assaulted one another. Formal accusations were eventually made in respect of one such individual, as a perpetrator of one of those assaults, who had initially appeared as a victim.

59.

Against that background, the activity carried out as a whole is in line with the concept of ‘investigation’ in Article 1(1) of Directive 2016/680. That activity therefore had a single aim which is consistent with one of the ‘purposes’ for which personal data may be processed.

60.

However, the referring court has doubts whether that interpretation of Article 1(1) of Directive 2016/680 is compatible with recital 31 thereof. ( 16 )

61.

I agree with the view put forward by the majority of the parties to the effect that that recital, like Article 6 of Directive 2016/680, which reproduces it, is not relevant in order to determine whether the change of purpose to which Article 4(2) of that directive refers has occurred.

62.

In accordance with Article 6 of Directive 2016/680, a clear distinction between the personal data of different categories of data subjects is to be made only ‘where applicable and as far as possible’. For the reasons already stated, it is difficult in initial files opened in respect of acts like those which occurred in this case for ‘different categories of data subjects’ to be identified clearly from the outset. Moreover, the same participant in those acts may have the status of victim and perpetrator of the assaults.

63.

Even if the controller of data obtained in the criminal files managed to differentiate clearly, at the start of and throughout the investigation, between victims, suspects and witnesses, the underlying purpose (investigation) of the collection and processing of those data would not change.

64.

In other words, the successive attribution of one or other status (victim, witness, implicated person) to persons concerned by a criminal investigation does not necessarily amount to a change of purpose pursuant to Article 4(2) of Directive 2016/680.

65.

In the alternative, should the situation provided for in Article 4(2) of Directive 2016/680 exist, the processing of the personal data at issue will be compatible with the conditions of lawfulness laid down by the directive. This was argued by the Bulgarian and Czech Governments, with whose view I agree.

66.

Although it is a matter for the referring court to verify, there appears to be no doubt that the Bulgarian Public Prosecutor’s Office is, pursuant to national law, the authority responsible for processing VS’ personal data ‘for any of the purposes set out in Article 1(1) other than that for which the personal data are collected’. The first condition, laid down in Article 4(2)(a) of Directive 2016/680, is therefore satisfied.

67.

As regards the second condition, laid down by Article 4(2)(b) (that ‘processing [be] necessary and proportionate to that other purpose’), I believe that:

68.

Applied to this case, the conditions laid down in Article 4(2) of Directive 2016/680 are of minor importance and the single nature of the purpose inherent in the collection of the personal data at issue is confirmed: there is a logical continuity between the initial processing of the data and the processing which subsequently led to formal accusations being made against the person involved.

69.

Therefore, it is not necessary to confirm the competence of a new controller (who would remain the same); nor is there any difficulty in establishing the need for the further processing (carried out in the course of the same proceedings), where the criterion of proportionality is common to all processing, as is apparent from the principles set out in Article 4(1) of Directive 2016/680.

70.

Article 9(1) of Directive 2016/680 provides for the possibility that personal data collected thereunder may be transferred ad extra.

71.

Proceeding on the basis that, as a rule, such data ‘shall not be processed for purposes other than those set out in Article 1(1) [thereof]’, Article 9(1) of Directive 2016/680 lays down the exception to the effect that EU or Member State law may authorise the processing of data for purposes other than those set out in Article 1(1). In that situation, the GDPR will apply (provided that the activity comes within the scope of EU law).

72.

By its second question, the referring court asks:

73.

The IVSS submits that, since VS’ complaint was dismissed at the relevant time for being out of time, the second question is inadmissible.

74.

I disagree with that argument.

75.

The Court may refuse to rule on a question referred for a preliminary ruling by a national court only where it is quite obvious that the interpretation of EU law that is sought is unrelated to the actual facts of the main action or its purpose, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it. ( 17 )

76.

The argument put forward by the IVSS concerns a matter which comes within the exclusive jurisdiction of the referring court. It is for that court alone to define, under its own responsibility, the factual and legislative context of the question referred to the Court of Justice. ( 18 )

77.

Both the IVSS’ argument that the complaint is time-barred and the relevance of that for the purposes of the proceedings are matters for the referring court alone to assess. In this case, the referring court has stated that the question is relevant for the purposes of the resolution of the main proceedings, despite the argument put forward by the IVSS that the complaint is time-barred. ( 19 )

78.

That assessment may not be reviewed by the Court of Justice, which must follow, in principle, the interpretation and application of national law, both procedural and substantive, adopted by the national court when defining the context in which the reference for a preliminary ruling takes place.

79.

In the light of the reasons provided by the referring court for the reference of the second question for a preliminary ruling, what that court really seeks is for the Court of Justice to determine whether the transfer of the data at issue constitutes ‘data processing’ for the purposes of Article 4(1) and (2) of the GDPR ( 20 ) and whether that processing was lawful in accordance with Article 6 of the GDPR.

80.

Article 4(1) and (2) of the GDPR and Article 3(1) and (2) of Directive 2016/680 define the concepts of ‘personal data’ and ‘processing’ in the same terms.

81.

In accordance with those definitions, I conclude that the Public Prosecutor’s Office sought to use in its defence in the civil courts ‘information relating to an identified … natural person’, which included VS’ ‘personal data’.

82.

When those personal data were transferred to the civil proceedings, a number of the ‘operations’ which constitute ‘data processing’ took place without the data subject’s consent. At the very least, it would have been necessary for the Public Prosecutor’s Office itself to consult the data in order to assess their possible usefulness in defending its position in the civil proceedings. Also, presumably, the data were organised, structured, adapted or altered and, naturally, disclosed and disseminated, albeit only minimally, for the same purpose, when the request was made for their production in the civil proceedings. ( 21 )

83.

Ultimately, by recording those data, including them in its archives, and storing and consulting them, and by requesting the civil court to admit as evidence the information held in the criminal files, the Public Prosecutor’s Office carried out processing of VS’ personal data.

84.

The IVSS and the Commission argue that the Public Prosecutor’s Office may be a ‘controller’ only in so far as it is the competent authority for the purposes, of a criminal nature, included in the scope of Directive 2016/680.

85.

To my mind, that does not mean that the second question referred for a preliminary ruling is devoid of purpose, as the IVSS claims. Rather, it means that the lawfulness of the processing, pursuant to Article 9(1) of Directive 2016/680, will have to be verified in the light of the GDPR.

86.

The court with jurisdiction to rule in the civil proceedings will be the controller in those proceedings when those data are produced in them. That court’s decisions are excluded from the scrutiny of the supervisory authority, pursuant to Article 55(3) of the GDPR, in so far as those decisions are adopted by the court acting in its judicial capacity. ( 22 )

87.

The referring court confines its question to the applicability of the GDPR at the time when the Public Prosecutor’s Office sought to use the information it collected as ‘controller’, within the meaning of Directive 2016/680, for the purposes of its defence in the civil proceedings.

88.

For the reasons I have set out above, I believe that the GDPR is applicable because the purposes referred to in Article 1(1) of Directive 2016/680 do not include the defence of the Public Prosecutor’s Office in civil proceedings.

89.

The conditions of lawfulness for the processing of personal data are listed in Article 6(1) of the GDPR: ‘Processing shall be lawful only if and to the extent that at least one of the following [conditions] applies’, which are set out below. That list of conditions is exhaustive. ( 23 )

90.

In my view, the conditions which are not satisfied are the condition relating to the data subject’s consent (point (a)), the condition relating to the performance of a contract (point (b)), the condition relating to compliance with a legal obligation (point (c)), ( 24 ) and the condition relating to protection of the vital interests of the data subject or a third party (point (d)).

91.

According to the referring court, the condition set out in point (f) of the first subparagraph of Article 6(1) of the GDPR is satisfied. However, as the Commission has submitted, the final subparagraph of that paragraph excludes point (f) in this case because that condition ‘shall not apply to processing carried out by public authorities in the performance of their tasks’. ( 25 )

92.

In reply to a question put by the Court of Justice, the Bulgarian Government, supported on that point by the Czech and Netherlands Governments, maintained that the condition laid down in point (f) of the first subparagraph of Article 6(1) of the GDPR is applicable. The Bulgarian Government submitted that it is necessary to have regard to ‘the nature of the activity carried out by the Public Prosecutor’s Office’, which, although it is a public body, may participate in civil proceedings as an ‘equal party’. ( 26 )

93.

However, the ‘legitimate interests’ which the Public Prosecutor’s Office defends as a public authority, in proceedings in which it is sued in relation to the procedural steps it has taken, are excluded from the case provided for in point (f) of the first subparagraph of Article 6(1) of the GDPR because the final subparagraph of that paragraph explicitly stipulates as much.

94.

For authorities acting in the performance of the tasks entrusted to them by law (in this case, bringing prosecutions and representing the State against actions for damages), the relevant interest, for the purposes of Article 6(1) of the GDPR, is the public interest which they serve, in accordance with point (e) of the first subparagraph of Article 6(1).

95.

The condition laid down in point (f) concerns the satisfaction of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

96.

Therefore, rather than the public authority’s possibilities of defending itself – which could be based on point (e) of the first subparagraph of Article 6(1) – that provision is concerned with the fact that the interests, rights and freedoms of the data subject may prevail as against the controller or a third party. It applies, rather, to conflicts between (private) parties whose interests are not public in nature.

97.

Since, by definition, the Public Prosecutor’s Office acts in its capacity as a State institution, it is necessary to examine whether the processing at issue is covered by point (e) of the first subparagraph of Article 6(1) of the GDPR.

98.

That would be the case if that processing were ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority’ vested in the controller.

99.

I shall deal with the first of those two purposes, without it being necessary to consider the second, ( 27 ) in order to determine whether the involvement of the Public Prosecutor’s Office in the civil proceedings in which it is being sued for damages in respect of its conduct is consistent with the performance of a task carried out in the public interest.

100.

In accordance with national law, ( 28 ) it falls to the Public Prosecutor’s Office to represent the State in proceedings for non-contractual liability for damage caused by delay on the part of the State. By the same token, the Public Prosecutor’s Office also acts in defence of the State’s general (financial) interests and, therefore, in the performance of a task carried out in the public interest. ( 29 )

101.

Article 9(1) of Directive 2016/680 makes the transfer ad extra of data collected in investigation files subject to the requirement that processing of that data is authorised by EU or Member State law. In so far as is important for the present purposes, it is for the referring court to verify the existence of that authorisation, in the light of fulfilment of the public interest remit assigned to the Public Prosecutor’s Office for the purposes of the protection of the State’s assets.

102.

In accordance with Article 6(3) of the GDPR, the legal basis for the processing referred to in point (e) of the first subparagraph of Article 6(1) thereof ‘may contain specific provisions to adapt the application of rules’ of the GDPR. ( 30 ) If that legal basis is laid down by the law of the Member State which is applicable to the controller, it is for the national court to identify it. ( 31 )

103.

Lastly, even if the referring court failed to identify the relevant legal basis, the compatibility of the processing at issue with the purpose for which the data at issue were collected must be determined in accordance with Article 6(4) of the GDPR. To that end, account must be taken, inter alia, of any relationship between the original purposes and the purpose arising subsequently, the context in which the personal data were collected and the nature of those data, the possible consequences of the further processing for the data subject and the existence of adequate guarantees.

104.

In the light of the foregoing considerations, I propose that the Court of Justice answer the Administrativen sad – Blagoevgrad (Administrative Court, Blagoevgrad, Bulgaria) as follows: