This document is an excerpt from the EUR-Lex website
Document 62022CJ0757
Judgment of the Court (Fourth Chamber) of 11 July 2024.#Meta Platforms Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V.#Request for a preliminary ruling from the Bundesgerichtshof.#Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – First sentence of Article 12(1) – Transparency of information – Article 13(1)(c) and (e) – Obligation of the controller to provide information – Article 80(2) – Representation of data subjects by a consumer protection association – Representative action in the absence of a mandate and independently of the infringement of specific rights of a data subject – Action based on infringement by the controller of its obligation to provide information – Concept of ‘infringement of [the rights of a data subject] as a result of the processing’.#Case C-757/22.
Judgment of the Court (Fourth Chamber) of 11 July 2024.
Meta Platforms Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V.
Request for a preliminary ruling from the Bundesgerichtshof.
Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – First sentence of Article 12(1) – Transparency of information – Article 13(1)(c) and (e) – Obligation of the controller to provide information – Article 80(2) – Representation of data subjects by a consumer protection association – Representative action in the absence of a mandate and independently of the infringement of specific rights of a data subject – Action based on infringement by the controller of its obligation to provide information – Concept of ‘infringement of [the rights of a data subject] as a result of the processing’.
Case C-757/22.
Judgment of the Court (Fourth Chamber) of 11 July 2024.
Meta Platforms Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V.
Request for a preliminary ruling from the Bundesgerichtshof.
Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – First sentence of Article 12(1) – Transparency of information – Article 13(1)(c) and (e) – Obligation of the controller to provide information – Article 80(2) – Representation of data subjects by a consumer protection association – Representative action in the absence of a mandate and independently of the infringement of specific rights of a data subject – Action based on infringement by the controller of its obligation to provide information – Concept of ‘infringement of [the rights of a data subject] as a result of the processing’.
Case C-757/22.
ECLI identifier: ECLI:EU:C:2024:598
Provisional text
JUDGMENT OF THE COURT (Fourth Chamber)
11 July 2024 (*)
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – First sentence of Article 12(1) – Transparency of information – Article 13(1)(c) and (e) – Obligation of the controller to provide information – Article 80(2) – Representation of data subjects by a consumer protection association – Representative action in the absence of a mandate and independently of the infringement of specific rights of a data subject – Action based on infringement by the controller of its obligation to provide information – Concept of ‘infringement of [the rights of a data subject] as a result of the processing’)
In Case C‑757/22,
REQUEST for a preliminary ruling under Article 267 TFEU from the Bundesgerichtshof (Federal Court of Justice, Germany), made by decision of 10 November 2022, received at the Court on 15 December 2022, in the proceedings
Meta Platforms Ireland Ltd, formerly Facebook Ireland Ltd,
v
Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV,
THE COURT (Fourth Chamber),
composed of C. Lycourgos, President of the Chamber, O. Spineanu-Matei, J.-C. Bonichot, S. Rodin and L.S. Rossi (Rapporteur), Judges,
Advocate General: J. Richard de la Tour,
Registrar: D. Dittert, Head of Unit,
having regard to the written procedure and further to the hearing on 23 November 2023,
after considering the observations submitted on behalf of:
– Meta Platforms Ireland Ltd, by M. Braun, H.-G. Kamann, and V. Wettner, Rechtsanwälte,
– Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV, by P. Wassermann, Rechtsanwalt,
– the German Government, by J. Möller and P.-L. Krüger, acting as Agents,
– the Portuguese Government, by P. Barros da Costa, J. Ramos and C. Vieira Guerra, acting as Agents,
– the European Commission, by A. Bouchagiar, F. Erlbacher and H. Kranenborg, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 25 January 2024,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Article 80(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’), read in conjunction with the first sentence of Article 12(1) and Article 13(1)(c) and (e) of that regulation.
2 The request has been made in proceedings between Meta Platforms Ireland Ltd, formerly Facebook Ireland Ltd, whose registered office is in Ireland, and Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV (Federal Union of Consumer Organisations and Associations, Germany) (‘the Federal Union’) concerning the infringement by Meta Platforms Ireland of the German legislation on the protection of personal data constituting, at the same time, an unfair commercial practice, an infringement of a law relating to consumer protection and a breach of the prohibition of the use of invalid general terms and conditions.
Legal context
The GDPR
3 Recitals 10, 13, 39, 58, 60 and 142 of the GDPR state:
‘(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …
…
(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. …
…
(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. …
…
(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. …
…
(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. …
…
(142) Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data to lodge a complaint on his or her behalf with a supervisory authority, exercise the right to a judicial remedy on behalf of data subjects or, if provided for in Member State law, exercise the right to receive compensation on behalf of data subjects. A Member State may provide for such a body, organisation or association to have the right to lodge a complaint in that Member State, independently of a data subject’s mandate, and the right to an effective judicial remedy where it has reasons to consider that the rights of a data subject have been infringed as a result of the processing of personal data which infringes this Regulation. That body, organisation or association may not be allowed to claim compensation on a data subject’s behalf independently of the data subject's mandate.’
4 Article 1 of that regulation, entitled ‘Subject matter and objectives’, provides, in paragraph 1 thereof:
‘This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.’
5 Article 4(1), (2), (9) and (11) of that regulation is worded as follows:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); …
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
…
(9) “recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. …
…
(11) “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
6 Article 5 of the GDPR, entitled ‘Principles relating to processing of personal data’ provides:
‘1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; …
…
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’
7 Article 6 of the GDPR, entitled ‘Lawfulness of processing’, provides in paragraph 1, point (a):
‘Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes’.
8 Chapter III of the GDPR, which includes Articles 12 to 23, is entitled ‘Rights of the data subject’.
9 Article 12 of that regulation, entitled ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’, states, in paragraph 1:
‘The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.’
10 Article 13 of that regulation, entitled ‘Information to be provided where personal data are collected from the data subject’, provides, in paragraph 1(c) and (e):
‘Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
…
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
…
(e) the recipients or categories of recipients of the personal data, if any’.
11 Chapter VIII of that regulation, which contains Articles 77 to 84, is entitled ‘Remedies, liability and penalties’.
12 Article 77 of the GDPR, entitled ‘Right to lodge a complaint with a supervisory authority’, provides, in paragraph 1:
‘Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.’
13 Article 78 of that regulation, entitled ‘Right to an effective judicial remedy against a supervisory authority’, provides, in paragraph 1:
‘Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.’
14 Article 79 of that regulation, entitled ‘Right to an effective judicial remedy against a controller or processor’, provides, in paragraph 1:
‘Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.’
15 Article 80 of that regulation, entitled ‘Representation of data subjects’, is worded as follows:
‘1. The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.
2. Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject's mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.’
16 Article 82 of the GDPR, entitled ‘Right to compensation and liability’, provides, in paragraph 1:
‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’
17 Article 84 of the GDPR, entitled ‘Penalties’, states, in paragraph 1:
‘Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.’
German law
Law on Injunctions
18 Under Paragraph 2 of the Gesetz über Unterlassungsklagen bei Verbraucherrechts- und anderen Verstößen (Unterlassungsklagengesetz – UKlaG) (Law on injunctions against infringements of consumer law and other infringements) of 26 November 2001 (BGBl. 2001 I, p. 3138), in the version applicable to the dispute in the main proceedings (‘the Law on Injunctions’):
‘(1) Any person who infringes rules in place to protect consumers (consumer protection laws), other than in the application or recommendation of general terms and conditions, may be subject to an order to cease and desist and a prohibition order in the interest of consumer protection. …
(2) For the purposes of this provision, “consumer-protection laws” means, in particular:
…
11. the rules defining lawfulness
(a) of the collection of personal data of a consumer by an undertaking or
(b) the processing or use of personal data which have been collected by a business in relation to a consumer,
where the data are collected, processed or used for purposes of advertising, market and opinion research, use by an information agency, a personality and usage profile establishment, of any other data business or for similar commercial purposes.’
19 The Bundesgerichtshof (Federal Court of Justice, Germany) states that, under point 1 of the first sentence of Paragraph 3(1) of the Law on Injunctions, bodies with standing to bring proceedings, within the meaning of Paragraph 4 of that law, may, first, in accordance with Paragraph 1 of that law, seek an injunction against the use of invalid general terms and conditions under Paragraph 307 of the Bürgerliches Gesetzbuch (Civil Code) and, second, seek an injunction against infringements of consumer protection law, within the meaning of Paragraph 2(2) of that law.
Law against unfair competition
20 Paragraph 3(1) of the Gesetz gegen den unlauteren Wettbewerb (Law against unfair competition) of 3 July 2004 (BGB1. 2004 I, p. 1414), in the version applicable to the main proceedings (‘the Law against unfair competition’), provides:
‘Unfair commercial practices shall be prohibited.’
21 Paragraph 3a of the Law against unfair competition is worded as follows:
‘A person shall be considered to be acting unfairly where he or she infringes a statutory provision that is also intended to regulate market behaviour in the interests of market participants and the infringement is liable to have a significantly adverse effect on the interests of consumers, other market participants or competitors.’
22 Paragraph 8 of that law states:
‘(1) Any commercial practice which is unlawful under Paragraph 3 or Paragraph 7 may give rise to an order to cease and desist and, in the event of recurrence, an order to refrain or a prohibition order. …
…
(3) Applications for the injunctions referred to in subparagraph 1 may be made:
…
3. by qualified entities which provide evidence that they are included in the list of qualified entities, in accordance with Paragraph 4 of the [Law on injunctions] …’
The Law on Electronic Media
23 The Bundesgerichtshof (Federal Court of Justice) states that Paragraph 13(1) of the Telemediengesetz (‘the Law on Electronic Media’) of 26 February 2007 (BGB1. 2007 I, p. 179) was applicable until the GDPR came into force. As from that date, that provision has been replaced by Articles 12 to 14 of that regulation.
24 Under the first sentence of Paragraph 13(1) of the Law on Electronic Media:
‘From the outset of the use, the service provider shall inform the user in a universally comprehensible form of the mode, the extent and the purpose of the collection and use of personal data and of the processing of his or her data in States which do not come within the scope of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31), in so far as he or she has not already been so informed.’
The dispute in the main proceedings and the question referred for a preliminary ruling
25 Meta Platforms Ireland, which manages the provision of services of the online social network Facebook in the European Union, is the controller of the personal data of users of that social network in the European Union. Facebook Germany GmbH, which has its registered office in Germany, promotes the sale of advertising space at the internet address www.facebook.de. The Facebook internet platform contained, inter alia, at the internet address www.facebook.de, an area called ‘App-Zentrum’ (App Center) on which Meta Platforms Ireland made available to users free games provided by third parties. When consulting the App Center, the user was informed that, by using some of those applications, he or she allowed them to collect various personal data and that he or she gave them permission to publish on his or her behalf some of those data, such as his or her score and, for one of the games in question, his or her status and photographs. The user was also informed that, by using the applications concerned, he or she accepted the general conditions of those applications and their data protection policy.
26 The Federal Union, a body which has standing under Paragraph 4 of the Law on Injunctions, considered that the information provided by the games applications concerned in the App Center was unfair, in particular in terms of the failure to comply with the legal requirements to obtain valid consent from the user under the provisions governing the protection of personal data. Moreover, it considers that the information by means of which the applications were given permission to publish certain personal information on behalf of users constituted a general condition which unduly disadvantaged those users.
27 In that context, the Federal Union brought an action for an injunction before the Landgericht Berlin (Regional Court, Berlin, Germany), based on Paragraph 3a of the Law against unfair competition, first sentence, point 11 of Paragraph 2(2) of the Law on Injunctions and the Civil Code, seeking to prohibit Meta Platforms Ireland from featuring in the App Center games applications such as the applications concerned. It brought that action independently of a specific infringement of a data subject’s right to the protection of his or her data and without being mandated to do so by such a person.
28 The Landgericht Berlin (Regional Court, Berlin) upheld the form of order sought by the Federal Union. The appeal brought by Meta Platforms Ireland before the Kammergericht Berlin (Higher Regional Court, Berlin, Germany) was dismissed. Meta Platforms Ireland then brought an appeal on a point of law (Revision) before the referring court against the dismissal decision adopted by the Kammergericht Berlin (Higher Regional Court, Berlin).
29 The referring court considered that the action brought by the Federal Union was well founded, in so far as Meta Platforms Ireland had infringed Paragraph 3a of the Law against unfair competition and Paragraph 2(2), first sentence, point 11, of the Law on Injunctions and had used an invalid general term or condition, within the meaning of Paragraph 1 of the Law on Injunctions.
30 However, that court had doubts as to the admissibility of the action brought by the Federal Union. It considered that it could not be ruled out that the Federal Union, which did indeed have standing to bring proceedings on the date on which it brought the action – on the basis of Paragraph 8(3) of the Law against unfair competition and point 1 of the first sentence of Paragraph 3(1) of the Law on Injunctions – had lost that status during the proceedings, following the entry into force of the GDPR and, in particular, Article 80(1) and (2) and Article 84(1) thereof. If that were the case, the referring court would have had to uphold the appeal on a point of law brought by Meta Platforms Ireland and dismiss the action for an injunction of the Federal Union, since, under German procedural law, standing to bring proceedings must endure until the end of the proceedings at last instance.
31 Thus, by decision of 28 May 2020, the Bundesgerichtshof (Federal Court of Justice) decided to stay the proceedings and to refer a question to the Court of Justice for a preliminary ruling on the interpretation of Article 80(1) and (2) and Article 84(1) of the GDPR.
32 By its judgment of 28 April 2022, Meta Platforms Ireland (C‑319/20, EU:C:2022:322) the Court answered that question to the effect that Article 80(2) of the GDPR must be interpreted as not precluding national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.
33 In the light of that judgment, the referring court considers that an entity’s standing within the meaning of Article 80(2) of the GDPR is not subject to a requirement that such an entity carry out a prior individual identification of the subject of a data processing operation that is allegedly contrary to the provisions of the GDPR. The concept of ‘data subject’, within the meaning of Article 4(1) of the GDPR, thus covers not only an ‘identified natural person’, but also an ‘identifiable natural person’, namely, a natural person ‘who can be identified’, directly or indirectly, by reference to an identifier such as, inter alia, a name, an identification number, location data or an online identifier. In those circumstances, the designation of a category or group of persons affected by such processing may be sufficient for the purpose of bringing such representative action. In the present case, the Federal Union identified such a group or category.
34 However, according to the referring court, the abovementioned judgment of the Court of Justice did not examine the condition laid down in Article 80(2) of the GDPR, according to which, in order to make use of the remedies provided for by that regulation, a consumer protection association must consider that the rights of a data subject provided for in that regulation have been infringed ‘as a result of the processing’.
35 First, the referring court considers that it is not clear from that judgment whether an infringement of the obligation under the first sentence of Article 12(1) and Article 13(1)(c) and (e) of the GDPR to provide the data subject, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, with information relating to the purposes of the processing of personal data and to the recipients of that data constitutes an infringement ‘as a result of the processing’, and whether the concept of ‘processing’, within the meaning of Article 4(2) of that regulation, encompasses situations preceding the collection of such data.
36 Second, that court considers that it is not clearly established whether, in a situation such as that in the present case, the infringement of the information obligation occurred ‘as a result of’ the processing of personal data within the meaning of Article 80(2) of the GDPR. In that regard, it points out that if such wording can suggest that the entity which brings a representative action must, in order for that action to be admissible, rely on the infringement of the rights of a data subject resulting from a personal data processing operation, within the meaning of Article 4(2) of that regulation, and which therefore takes place following such an operation, the objective of that regulation of ensuring, inter alia, a high level of protection of personal data could militate in favour of extending that entity’s standing to bring proceedings in the case of an infringement of the obligation to provide information, even though that obligation must be fulfilled before any processing of personal data.
37 In those circumstances, the Bundesgerichtshof (Federal Court of Justice) decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:
‘Is an infringement of [the rights of a data subject] “as a result of the processing” within the meaning of Article 80(2) of the GDPR asserted when a consumer protection association invokes, in support of its action, infringement of a data subject’s rights on the ground of non-compliance with the information obligations laid down in the first sentence of Article 12(1) of the GDPR, read in conjunction with Article 13(1)(c) and (e) of the GDPR, relating to the purpose of the data processing and the recipient of the personal data?’
Consideration of the question referred
38 By its question, the referring court asks, in essence, whether Article 80(2) of the GDPR must be interpreted as meaning that the condition that an authorised entity, in order to be able to bring a representative action under that provision, must assert that it considers the rights of a subject of a personal data processing operation to have been infringed ‘as a result of the processing’, within the meaning of that provision, is satisfied where such an action is based on an infringement of the controller’s obligation under the first sentence of Article 12(1) and Article 13(1)(c) and (e) of that regulation, to provide the data subject, in a concise, transparent, intelligible and easily accessible form, in clear and plain language, with information relating to the purposes of that data processing and to the recipients of such data, at the latest when they are collected.
39 In order to answer this question, it is important, as a preliminary point, to recall that the GDPR governs, inter alia, the legal remedies enabling the protection of the data subject’s rights where his or her personal data have been the subject of processing that is allegedly contrary to the provisions of that regulation. The protection of those rights may thus be sought either directly by the data subject, who has the right to lodge a complaint himself or herself with a supervisory authority of a Member State, in accordance with Article 77 of the GDPR, or to bring an action before the national courts, pursuant to Articles 78 and 79 of that regulation, or by an authorised entity, whether or not it has a mandate for that purpose, under Article 80 of that regulation.
40 In particular, Article 80(2) of the GDPR allows Member States to provide for a representative action mechanism against the person allegedly responsible for an infringement of the laws protecting personal data, in the absence of a mandate from the data subject, while setting out a number of requirements at the level of the personal and material scope which must be complied with for that purpose (judgment of 28 April 2022, Meta Platforms Ireland, C‑319/20, EU:C:2022:322, paragraph 63).
41 In that respect, as regards, in the first place, the personal scope of that mechanism, standing to bring proceedings is conferred on a body, organisation or association which meets the criteria set out in Article 80(1) of the GDPR. In particular, as the Court has already held, a consumer protection association, such as the Federal Union, may fall within the scope of that concept in that it pursues a public interest objective consisting in safeguarding the rights and freedoms of data subjects in their capacity as consumers, since the attainment of such an objective is likely to be related to the protection of the personal data of those persons (judgment of 28 April 2022, Meta Platforms Ireland, C‑319/20, EU:C:2022:322, paragraphs 64 and 65).
42 As regards, in the second place, the material scope of that mechanism, the exercise of the representative action provided for in Article 80(2) of the GDPR by an entity meeting the conditions referred to in paragraph 1 of that article presupposes that that entity, independently of any mandate conferred on it, ‘considers that the rights of a data subject under [that] regulation have been infringed as a result of the processing’ of his or her personal data (judgment of 28 April 2022, Meta Platforms Ireland, C‑319/20, EU:C:2022:322, paragraph 67).
43 In that regard, the Court has clarified that the bringing of a representative action is not, in particular, subject to the existence of a ‘specific infringement’ of the rights which a person derives from the personal data protection rules, with the result that, in order to recognise that such an entity has standing to bring proceedings, it is sufficient to claim that the processing of data concerned is liable to affect the rights which identified or identifiable natural persons derive from that regulation, without it being necessary to prove actual harm suffered by the data subject, in a particular situation, by the infringement of his or her rights (judgment of 28 April 2022, Meta Platforms Ireland, C‑319/20, EU:C:2022:322, paragraphs 70 and 72).
44 Thus, as the Court has already held, the lodging of a representative action presupposes that the entity concerned ‘considers’ that the rights of a data subject laid down in that regulation have been infringed as a result of the processing of his or her personal data and therefore alleges the existence of data processing that it considers contrary to the provisions of that regulation (see, to that effect, judgment of 28 April 2022, Meta Platforms Ireland, C‑319/20, EU:C:2022:322, paragraph 71), while such processing cannot be purely hypothetical, as the Advocate General noted in point 48 of his Opinion.
45 Specifically, as is apparent from the wording of Article 80(2) of the GDPR, the bringing of a representative action on the basis of that provision implies that the infringement of the rights which the data subject derives from that regulation occurs in the course of the processing of personal data.
46 That interpretation is supported by a comparison of the different language versions of Article 80(2) of the GDPR and by recital 142 thereof, which states that entities meeting the conditions referred to in Article 80(1) of that regulation must have reasons to consider that the rights of a data subject under that regulation have been infringed as a result of ‘the processing of personal data which infringes [that] Regulation’.
47 Having clarified that, in order to answer the question referred for a preliminary ruling, it is still necessary to ascertain whether the infringement of the controller’s obligation under the first sentence of Article 12(1) and Article 13(1)(c) and (e) of the GDPR to provide the data subject, in a concise, transparent, intelligible and easily accessible form, in clear and plain language, with information relating to the purposes of the processing of personal data and to the recipients of such data, at the latest when those data are collected, constitutes an infringement of that data subject’s rights ‘as a result of the processing’, within the meaning of Article 80(2) of the GDPR.
48 As a preliminary point, it should be borne in mind that the objective pursued by the GDPR, as is set out in Article 1 and recital 10 thereof, consists, inter alia, in ensuring a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data (see, to that effect, judgment of 7 March 2024, IAB Europe, C‑604/22, EU:C:2024:214, paragraph 53).
49 To that end, Chapters II and III of that regulation set out the principles governing the processing of personal data and the rights of the data subject that any processing of personal data must observe, respectively. In particular, subject to the exceptions provided for in Article 23 of that regulation, any processing of personal data must, first, observe with the principles relating to the processing of such data set out in Article 5 of that regulation and satisfy the lawfulness conditions listed in Article 6 thereof and, second, respect the rights of the data subject set out in Articles 12 to 22 of the GDPR. (see, to that effect, judgments of 6 October 2020, La Quadrature du Net and Others, C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 208, and of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes), C‑175/20, EU:C:2022:124, paragraphs 50 and 61 and the case-law cited).
50 In that regard, it should be noted that, under Article 5(1)(a) of the GDPR, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. Furthermore, in accordance with point (b) of Article 5(1), such data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
51 As regards the interpretation of Article 5(1)(b) of the GDPR, the Court has held that that provision requires, inter alia, that the purposes of the processing be stated clearly and identified, at the latest, when personal data are collected (judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes), C‑175/20, EU:C:2022:124, paragraphs 64 and 65).
52 Furthermore, in accordance with Article 5(2) of the GDPR, it is for the controller to prove that those data are collected for specified, explicit and legitimate purposes and that they are processed lawfully, fairly and in a transparent manner in relation to the data subject.
53 It therefore follows from Article 5 of the GDPR that the processing of personal data must, inter alia, satisfy specific requirements of transparency with regard to the data subject concerned by such processing. To that end, in Chapter III, the GDPR, first, lays down precise obligations for the controller and, second, recognises a whole range of rights for a subject of a personal data processing operation, including, inter alia, the right to obtain from the controller information about the purposes of that processing and about the specific recipients to whom the personal data concerning him or her have been or will be disclosed (judgment of 22 June 2023, Pankki S, C‑579/21, EU:C:2023:501, paragraph 48).
54 In particular, Article 13(1)(c) and (e) of the GDPR imposes an obligation on the controller, where personal data are collected from the data subject, to inform the data subject of the purposes of the processing for which those data are intended along with the legal basis for that processing and of the recipients or categories of recipients of those data, respectively.
55 In addition, Article 12(1) of that regulation requires the controller to take appropriate measures to ensure, inter alia, that the information referred to in the preceding paragraph with which the data subject is provided is concise, transparent, comprehensible, easily accessible, and formulated in clear and plain language.
56 As the Court has held, the purpose of Article 12(1) of the GDPR, which is an expression of the principle of transparency, is to ensure that the data subject is able fully to understand the information sent to him or her (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 38).
57 The importance of compliance with such an information obligation is also confirmed by recital 60 of the GDPR, which states that the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes, it being stressed that the controller should provide any other information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed (judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 36).
58 It follows from the foregoing, in the first place, that the controller’s obligation to provide information to subjects of the processing of personal data is the corollary of the right to information which is conferred on those data subjects by Articles 12 and 13 of the GDPR and which thus forms part of the rights which the representative action provided for in Article 80(2) of that regulation seeks to protect. Furthermore, as is apparent from paragraphs 56 and 57 of the present judgment, observance of that obligation ensures, more generally, observance of the principles of transparency and fairness, laid down in Article 5(1) of that regulation.
59 In the second place, as the Advocate General noted in point 47 of his Opinion, the alleged infringement of the data subjects’ right to be sufficiently informed of all the circumstances surrounding processing of personal data, in particular the purpose of that processing and the recipient of those data, is liable to preclude the expression of ‘informed’ consent within the meaning of point 11 of Article 4 of the GDPR, which may render that treatment unlawful, within the meaning of Article 5(1), of that regulation.
60 The validity of the consent given by the data subject depends, inter alia, on whether that person has previously obtained the information in the light of all the circumstances surrounding the processing of the data in question to which he or she was entitled, under Article 12 and 13 of the GDPR, and which allow him or her to give consent in full knowledge of the facts.
61 In so far as processing of personal data carried out in breach of the data subject’s right to information under Articles 12 and 13 of the GDPR infringes the requirements laid down in Article 5 of that regulation, the infringement of that right to information must be regarded as an infringement of the data subject’s rights ‘as a result of the processing’, within the meaning of Article 80(2) of that regulation.
62 It follows that the right of the subject of a personal data processing operation, under the first sentence of Article 12(1) and Article 13(1)(c) and (e) of the GDPR, to obtain from the controller, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, information relating to the purpose of such processing and to the recipients of such data, constitutes a right whose infringement allows recourse to the representative action mechanism provided for in Article 80(2) of that regulation.
63 That interpretation is confirmed, first, by the objective of the GDPR, recalled in paragraph 48 above, of ensuring effective protection of the fundamental rights and freedoms of natural persons and, in particular, a high level of protection of the right of every person to privacy with respect to the processing of personal data concerning him or her.
64 Second, such an interpretation is also consistent with the preventive function of the representative action provided for in Article 80(2) of the GDPR carried out by consumer protection associations, such as, in the present case, the Federal Union (judgment of 28 April 2022, Meta Platforms Ireland, C‑319/20, EU:C:2022:322, paragraph 76).
65 In the light of the foregoing, the answer to the question referred for a preliminary ruling is that Article 80(2) of the GDPR must be interpreted as meaning that the condition that an authorised entity, in order to be able to bring a representative action under that provision, must assert that it considers the rights of a data subject provided for in that regulation to have been infringed ‘as a result of the processing’, within the meaning of that provision, is satisfied where that entity asserts that the infringement of the data subject’s rights occurs in the course of the processing of personal data and results from the controller’s infringement of its obligation, under the first sentence of Article 12(1) and Article 13(1)(c) and (e) of that regulation, to provide the data subject, in a concise, transparent, intelligible and easily accessible form, in clear and plain language, with information relating to the purposes of that data processing and to the recipients of such data, at the latest when they are collected.
Costs
66 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Fourth Chamber) hereby rules:
Article 80(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
must be interpreted as meaning that the condition that an authorised entity, in order to be able to bring a representative action under that provision, must assert that it considers the rights of a data subject provided for in that regulation to have been infringed ‘as a result of the processing’, within the meaning of that provision, is satisfied where that entity asserts that the infringement of the data subject’s rights occurs in the course of the processing of personal data and results from the controller’s infringement of its obligation, under the first sentence of Article 12(1) and Article 13(1)(c) and (e) of that regulation, to provide the data subject, in a concise, transparent, intelligible and easily accessible form, in clear and plain language, with information relating to the purposes of that data processing and to the recipients of such data, at the latest when they are collected.
[Signatures]
* Language of the case: German.