Provisional text
OPINION OF ADVOCATE GENERAL
PIKAMÄE
delivered on 22 February 2024 (1)
Case C‑693/22
I. sp. z o. o.
v
M.W.
(Request for a preliminary ruling from the Sąd Rejonowy dla m.st. Warszawy w Warszawie (District Court, Warsaw, Poland))
(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Sale of a database containing personal data in enforcement proceedings – Article 4(7) – Concept of ‘controller’ – Article 5(1)(b) – Purpose limitation – Article 6(1), (3) and (4) – Lawfulness of processing – Compliance with a legal obligation incumbent on the controller – Performance of a task carried out in the public interest – Article 23(1)(j) – Enforcement of civil law claims – Necessary and proportionate measure)
1. Can the sale, in enforcement proceedings, of a database which contains personal data be consistent with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (‘the GDPR’), (2) if the data subjects have not given their consent to such a sale?
2. That is the main question referred to the Court of Justice by the Sąd Rejonowy dla m.st. Warszawy w Warszawie (District Court, Warsaw, Poland) in the present request for a preliminary ruling.
3. The Court will thus be required to examine a particular situation in the light of the GDPR and to adopt a position on certain key elements of that regulation, such as the concept of ‘controller’, the lawfulness of processing and the scope of the principle of purpose limitation.
Legal framework
European Union law
4. Article 4 of the GDPR provides:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); …
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
…
(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
…’
5. Article 5 of that regulation, entitled ‘Principles relating to processing of personal data’, provides in paragraphs 1 and 2:
‘1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; …
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
…
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’
6. Article 6 of the same regulation, entitled ‘Lawfulness of processing’, is worded as follows:
‘1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
…
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
…
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
…
3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
(a) Union law; or
(b) Member State law to which the controller is subject.
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. … The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.’
7. Paragraph 1 of Article 23 of the GDPR, entitled ‘Restrictions’, provides:
‘1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
…
(j) the enforcement of civil law claims.’
Polish law
8. Article 299 of the ustawa Kodeks spółek handlowych (Law establishing the Commercial Companies Code), of 15 September 2000 (Dziennik Ustaw of 2022, item 1467) (‘the Commercial Companies Code’), is worded as follows:
‘Paragraph 1. If enforcement against the company proves to be ineffective, the members of the management board shall be jointly and severally liable for its obligations.
Paragraph 2. A member of the management board may release him- or herself from the liability referred to in paragraph 1 if he or she demonstrates that, in due time, a petition for bankruptcy was filed, or that at the same time a decision was issued to commence restructuring proceedings or to approve an arrangement in proceedings regarding the approval of that arrangement, or that the failure to file a petition for bankruptcy was not his or her fault, or that, despite the failure to file a petition for bankruptcy and the failure to issue a decision to commence restructuring proceedings or the failure to approve an arrangement in proceedings regarding the approval of that arrangement, the creditor did not suffer any damage.’
9. Under Article 796(1) of the ustawa Kodeks postępowania cywilnego (Law establishing the Code of Civil Procedure), of 17 November 1964 (Dz. U. of 2021, item 1805), as amended (‘the Code of Civil Procedure’):
‘An application to commence enforcement proceedings shall be filed with the competent court or court enforcement officer. An application submitted to a court enforcement officer may be submitted on an official form.’
10. The first sentence of Article 799(1) of the Code of Civil Procedure provides:
‘An application to commence enforcement proceedings or a request that those proceedings be commenced ex officio shall allow for enforcements to be conducted in any manner permitted by law, except for enforcement against immovable property. …’
11. Article 824(1)(3) of that code is worded as follows:
‘The termination of judicial enforcement proceedings in full or in part shall be established ex officio:
…
(3) where it is clear that the enforcement will not yield an amount which is greater than the cost of implementing it.’
12. Article 831 of that code provides:
‘Paragraph 1. The following shall be exempt from enforcement:
…
(3) non-transferable rights, unless the possibility to transfer them is contractually excluded and the object of performance may be enforced, or the exercise of a right may be entrusted to another person.’
13. The ustawa o komornikach sądowych (Law on Court Enforcement Officers), of 22 March 2018 (Dz. U. of 2022, item 1168), as amended (‘the Law on Court Enforcement Officers’), governs the status and activities of court enforcement officers. In accordance with Article 3(1) and (3) thereof:
‘A court enforcement officer is a public authority in the sphere of the performance of activities in enforcement and security proceedings. Those activities are to be performed by the court enforcement officer, taking into account the exceptions provided for in the laws.
…
The court enforcement officer is responsible for the following tasks:
(1) the enforcement of court decisions in cases involving pecuniary and non-pecuniary claims and security deposits, including European Account Preservation Orders, subject to the exceptions provided for in [the Code of Civil Procedure];
…’
14. Article 9(1) of that law provides:
‘A court enforcement officer may not refuse to accept an application to:
(1) commence enforcement proceedings,
…
in respect of whose conduct he or she is competent in accordance with the provisions of [the Code of Civil Procedure].’
15. The first sentence of Article 31(1) of that law is worded as follows:
‘Receivables enforced from a bank account, an account held with a cooperative savings and credit union, or an account held with an entity conducting brokerage activities, obtained as a result of the first payment made by the debtor of the attached claim, shall be transferred by the court enforcement officer to the creditor not earlier than 7 days and not later than 14 days from the date of receipt thereof. …’
16. The ustawa o ochronie baz danych (Law on Database Protection), of 27 July 2001 (Dz. U. of 2021, item 386) (‘the Law on Database Protection’) provides, in Article 2(1)(1):
‘For the purposes of the present law:
1. “database” means a set of data or any other materials and elements collected using specific systematics or methods, individually accessible in any way, including via electronic means, requiring a significant investment in terms of quality or quantity to prepare, verify or present its content.’
17. Article 6(1) of the Law on Database Protection provides:
‘The maker of the database has the exclusive and transferable right to extract data and reuse them in full or in a significant part, in terms of quality or quantity.’
The dispute in the main proceedings, the question referred for a preliminary ruling and the procedure before the Court
18. Company I. (‘the applicant’ or ‘the creditor company’), which is established in Poland, has a claim, confirmed by a final court judgment, against the company NMW, which specialises in online sales and of which M.W. is a member of the management board.
19. At the request of the applicant, enforcement proceedings to satisfy that claim were initiated against NMW. Those proceedings resulted in a decision by the court enforcement officer to terminate that enforcement on the ground that NMW had no assets that could be the subject of the enforcement. In those circumstances, the applicant brought an action against M.W. before the Sąd Rejonowy dla m.st. Warszawy w Warszawie (District Court, Warsaw) on the basis of Article 299(1) of the Commercial Companies Code, which provides that a member of the management board of a debtor company may be liable for damages where there is no possibility of recovering a debt using that company’s assets.
20. M.W. requested that that action be dismissed on the ground that NMW had assets each of greater value than the applicant’s claim, namely a source code for software for online shopping connected to a quasi-cashback service (‘Platform M.’) and two databases of users of that platform.
21. The referring court nevertheless states that the sale of Platform M. on its own without those databases would not be as attractive on the market as selling the entire ‘package’.
22. It is therefore necessary, according to that court, to obtain an answer to the question whether the databases created by NMW can be transferred in the context of judicial enforcement proceedings. If the answer to that question is yes, this would lead to the dismissal of the action in the main proceedings.
23. In that regard, the referring court states that, while it is not bound by the assessment of the value of the assets at issue on which M.W. relied – particularly as that assessment was not carried out by a legal expert – the answer to the abovementioned question remains necessary for the resolution of the dispute in the main proceedings in so far as the provisions governing Polish civil procedure do not allow such evidence to be adduced without first determining that the evidence is relevant.
24. That court considers that the databases concerned come within the concept of a ‘database’, within the meaning of Article 1 of Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, (3) with the result that their proprietor, NMW, has the economic right to transfer those databases under Article 7 of that directive. Enforcement proceedings could be carried out on any economic right, unless a provision expressly excluded such a possibility. The Polish legislature has not laid down any rule prohibiting enforcement by means of a database such as that at issue in the main proceedings.
25. The referring court has doubts as to whether such databases may be the subject of judicial enforcement since they contain the personal data of hundreds of thousands of users of Platform M. and there is no evidence that the users of that platform have consented to the processing of their personal data in the form of making those data available to third parties outside that platform. In that regard, it has specified that the data in question do not fall within the scope of special categories of personal data within the meaning of Article 9 of the GDPR.
26. That court also raises the question of the relationship between the restrictions on the processing of personal data established by the GDPR and the right freely to dispose of a database deriving from Directive 96/9 and national law, including, in its view, the right to transfer the database in the course of enforcement proceedings.
27. It is in that context that the Sąd Rejonowy dla m.st. Warszawy w Warszawie (District Court, Warsaw) decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:
‘Should Article 5(1)(a) of [the GDPR] in conjunction with Article 6(1)(a), (c) and (e) of that regulation, as well as Article 6(3) thereof, be interpreted as precluding a provision of national law that permits the sale, in enforcement proceedings, of a database, within the meaning of Article 1(2) of Directive [96/9], which contains personal data, if the data subject did not consent to such a sale?’
28. Written observations have been submitted by the Polish Government and the European Commission. Those interested parties and I. presented oral argument at the hearing on 16 November 2023.
Analysis
Admissibility
29. Two issues relating to the admissibility of the question referred for a preliminary ruling in the present case must first be addressed.
30. First, at the hearing, the applicant in the main proceedings expressed doubts as to the relevance of that question. According to the applicant, NMW had already ceased its economic activity several years previously. More specifically, that company no longer has a board of directors or management board and has not provided a service to users of Platform M. since April 2019. (4) Accordingly, it necessarily ceased all processing of personal data connected with the exercise of its activity. In those circumstances, the principles of purpose limitation and storage limitation required the erasure of the data concerned, failing which the very existence of the databases at issue in the main proceedings would be unlawful. With that in mind, the question referred by the national court, which concerns the lawfulness of the sale of those databases in enforcement proceedings, is not relevant to the resolution of the dispute in the main proceedings.
31. It should be noted that, under Article 5(1)(e) of the GDPR, personal data (5) must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. It follows that even initially lawful processing of data may over time become incompatible with the GDPR where those data are no longer necessary for such purposes. (6) In such a situation, those data must be erased. (7) In the present case, the data in question were undoubtedly collected for the purposes of NMW’s online sales activity. If NMW had ceased that activity in April 2019, there is no doubt that those data would no longer have been necessary to carry out that activity and would thus have had to be erased. If those data have not been erased, the existence of the databases in question does not comply with the GDPR and it is clear that the question referred for a preliminary ruling in the present case is irrelevant to the resolution of the dispute in the main proceedings.
32. That said, it should be borne in mind that, according to settled case-law, the Court is empowered only to give rulings on the interpretation of EU law in the light of the factual and legal context defined by the national court under its responsibility, without being able to call that into question or verify its accuracy. (8)
33. However, there is nothing in the order for reference which indicates that NMW ceased its activity in April 2019, as the applicant maintains.
34. Secondly, the referring court has doubts as to the applicability of the GDPR in the light of the provisions of Directive 96/9.
35. It should be recalled, as a preliminary point, that the objective of Directive 96/9 is, by approximating national laws, to remove the differences which existed between them in relation to the legal protection of databases, and which adversely affected the functioning of the internal market, the free movement of goods and services within the European Union and the development of an information market within the European Union. (9) In accordance with Article 1(1) thereof, that directive concerns the legal protection of databases in any form, and Article 1(2) thereof defines ‘database’ as ‘a collection of independent works, data or other materials arranged in a systematic or methodical way and individually accessible by electronic or other means’.
36. That directive requires all the Member States to make provision in their national law for the protection of databases by a sui generis right. More specifically, Article 7(1) of Directive 96/9 reserves to the maker of a database which has required a substantial investment from a qualitative and quantitative point of view the right to prevent extraction and/or re-utilisation in respect of the whole or of a substantial part of the content of that database. That right is transferable under Article 7(3) of that directive.
37. According to the referring court, the databases belonging to NMW satisfy the conditions under which protection is to be granted by the Law on Database Protection and Directive 96/9, the former of which transposes the latter into Polish law. Article 6 of that law provides, inter alia, that the maker has the exclusive and transferable right to extract data and reuse them in full or in a significant part. It is therefore, according to the referring court, an economic right which is absolute in nature and produces effects erga omnes. Under Polish law, any economic right may be the subject of enforcement proceedings, unless otherwise expressly provided for by law. The Polish legislature has not laid down any rule prohibiting enforcement against databases. It follows that, in the present case, the court enforcement officer holds the right to transfer the databases on behalf of the creditor, which derives from the right of the maker concerned by the enforcement proceedings freely to dispose of them. The exercise of that right could prevent the application of the rules of the GDPR in a case such as the present case and thus render the question referred for a preliminary ruling inadmissible.
38. First of all, it should be noted that the sui generis right recognised in Article 7 of that directive is not correctly identified by the referring court. It is in fact a right to object to acts consisting, inter alia, in rebuilding a database or a substantial part of it at a fraction of the cost needed to design it independently, (10) since the objective thus pursued by the EU legislature is to ensure that the person who has taken the initiative and assumed the risk of making a substantial investment in obtaining, verifying or presenting the content of a database receives a return on his investment by protecting him against the unauthorised appropriation of the results of that investment. (11)
39. In addition and above all, as regards the relationship between Directive 96/9 and the GDPR, it follows from Article 13 of that directive that the latter is without prejudice to provisions concerning in particular data protection and privacy, and from recital 48 of that directive that the provisions of that directive are without prejudice to the application of the data protection rules laid down in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, (12) which was succeeded by the GDPR. (13)
40. I therefore consider that the Court should rule on the substance of the present case.
Substance
41. By its question, the referring court seeks to ascertain, in essence, whether Article 5(1)(a), points (a), (c) and (e) of the first subparagraph of Article 6(1), and Article 6(3), of the GDPR must be interpreted as precluding a provision of national law that permits the sale, by a court enforcement officer, in enforcement proceedings, of a database which contains personal data, if the data subjects did not consent to such a sale.
42. My legal analysis will be as follows. As regards the GDPR, the question of the applicability of that regulation in the present case and the issue of identifying the controller in question will be addressed before focusing on the interpretation of the rules governing the lawfulness of such processing.
43. The reasoning developed in this Opinion will show that the provisions of EU law which the Court must take into account coincide only in part with those referred to in the question referred for a preliminary ruling. The proposed response will therefore relate to those provisions. (14)
The existence of processing and identifying the controller
44. As is apparent from recital 10 thereof, the GDPR aims, inter alia, to ensure a high level of protection of natural persons within the European Union and, to that end, to ensure consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of those persons with regard to the processing of personal data throughout the European Union. (15)
45. Pursuant to Article 2(1) thereof, that regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
46. Article 2(2) provides for a series of exceptions to the scope of that regulation, based on the type of activity in the context of which the processing is carried out. It follows from the Court’s case-law that, having regard to the need to interpret those exceptions restrictively, that activity must be one of the activities that are explicitly referred to in Article 2(2) of the GDPR or can be classified in the same category as those activities. Thus, the classification of an activity as being characteristic of the State or of a public authority is not sufficient for the processing in question to be regarded as being carried out in the course of an activity which falls outside the scope of Union law within the meaning of the exception in Article 2(2)(a) of the GDPR. (16)
47. For the purposes of these proceedings, it is important to note that the processing carried out in the context of the enforcement of a civil law claim does not fall outside the scope of that regulation.
48. The scope of the GDPR is defined by the concept of ‘processing’. Under Article 4(2) of that regulation, that concept includes any operation which is performed on personal data or on sets of personal data, whether or not by automated means, such as, inter alia, ‘retrieval’, ‘consultation’, ‘use’ and ‘otherwise making available’ of those data. The EU legislature thus intended to confer a broad scope on that concept. (17)
49. Is there processing of personal data in the present case?
50. A preliminary point must be made. The operations performed on the personal data by NMW for the purpose of carrying out its online sales activity by means of Platform M. do not fall within the scope of the question referred by the national court. That question relates exclusively to enforcement proceedings seeking the compulsory sale of the databases concerned. According to the referring court, such proceedings involve processing within the meaning of the GDPR in respect of which the court enforcement officer is the controller.
51. The clarifications provided at the hearing by the Polish Government with regard to the task entrusted to the court enforcement officer in such enforcement proceedings leave no doubt, in my view, that that interpretation is correct.
52. That government explained that the procedure in question begins with the seizure of the database, as a result of which the court enforcement officer obtains access to the personal data contained therein, in order to estimate the value of that database and enter it in the seizure report. In order to provide that estimate, the court enforcement officer carries out a series of operations, including the retrieval, consultation and use of those data. (18) The enforcement procedure ends with the sale of the database by public auction. Once the auction sale becomes final and the full price has been paid, the court enforcement officer makes that database available to the purchaser.
53. It follows that the personal data contained in databases such as those at issue are at the very least retrieved, consulted and used by the court enforcement officer to estimate the value of those data and then made available to the purchaser. In that regard, it should be noted that the processing of personal data may consist in one or a number of operations, each of which relates to one of the different stages that the processing may involve. (19) In the present case, those operations must therefore be regarded as constituting ‘processing’ within the meaning of the GDPR.
54. Next, it is necessary to identify the controller.
55. I would point out that, under Article 4(7) of the GDPR, the concept of ‘controller’ covers natural or legal persons, public authorities, agencies or other bodies which, alone or jointly with others, determine the purposes and means of the processing of personal data. (20) That provision also states that, where the purposes and means of such processing are determined, inter alia, by the law of a Member State, the controller may be nominated or the specific criteria for its nomination may be provided for by that law. Such a broad definition of the concept of ‘controller’ is intended, according to settled case-law, to ensure effective and complete protection of data subjects. (21)
56. Where the purposes and means of the processing are determined by national law, it must, according to the most recent case-law, be ascertained whether that law nominates the controller or provides for the specific criteria for its nomination. The nomination of that controller by national law may not only be explicit but also implicit. In the latter case, that determination must nevertheless be derived with sufficient certainty from the role, task and powers conferred on the person or entity concerned. (22)
57. In the present case, it follows from Article 3(1) of the Law on Court Enforcement Officers that a court enforcement officer is a public authority which, subject to the exceptions provided for by law, carries out acts inter alia in the context of enforcement proceedings. In addition and as mentioned above, it is apparent from the documents before the Court that, where the enforcement relates to databases, those acts consist inter alia of the retrieval, consultation and use of the personal data contained therein in order to estimate the value of those databases with a view to their sale by public auction and making them available to the purchaser once the auction sale has become final. It seems to me that Polish law has thus determined, at least implicitly, the purposes and means of the processing of personal data carried out by the court enforcement officer.
58. It follows that, in the present case, the court enforcement officer, as the public authority responsible for conducting all enforcement proceedings, including those concerning a database, may be regarded as being the controller of the personal data contained in those databases, within the meaning of Article 4(7) of the GDPR.
59. The national court does not refer to any provision of Polish law which imposes on the debtor company NMW any obligation to cooperate with the court enforcement officer in order to enable it to estimate the value of the databases concerned with a view to their compulsory sale.
60. It cannot be ruled out that such obligations would involve other processing within the meaning of the GDPR, for which that company would be the controller. It is important to recall, in that regard, that, in the judgment in Valsts ieņēmumu dienests (Processing of personal data for tax purposes), the Court held that the disclosure and making available to the tax authorities of a Member State, by an economic operator, of personal data which that operator is under a legal obligation to provide involved such processing, in addition to the processing carried out by those authorities by means of the request by which they sought the disclosure and making available of those data. (23)
61. Less likely, although conceivable in the abstract, is that the court enforcement officer and the debtor company NMW may be regarded jointly as controllers of the personal data at issue for the purposes of the compulsory sale. According to the judgment in État belge (Data processed by an official journal), that conclusion may be reached where the various processing operations are linked by purposes and means determined by national law and that national law determines the respective responsibilities of each of the joint controllers. (24)
62. That said, the following analysis is based on the premiss, in the light of the evidence in the present case, that the court enforcement officer is the only controller at issue in the main proceedings.
63. As the controller, the court enforcement officer is not only responsible for compliance with the principles governing the processing of personal data, (25) but is also subject to a considerable number of obligations which correspond to the rights of data subjects. (26) Those obligations may be limited by the national legislature only under the conditions laid down in Article 23 of the GDPR. When questioned at the hearing about the existence of such legislative provisions in national law, the Polish Government referred only to Article 4 of the Law on Data Protection. However, that article limits only the scope of the obligations of the controller carrying out a public task arising from Article 14(1), (2) and (4) of the GDPR (‘Information to be provided where personal data have not been obtained from the data subject’).
The lawfulness of the processing of personal data at issue
64. As the Court has repeatedly held, any processing of personal data must, inter alia, comply with the principles relating to the processing of data set out in Article 5(1) of the GDPR and, having regard to the principle of lawfulness of processing, satisfy the conditions for lawfulness of processing listed in Article 6 of that regulation. (27)
65. The first subparagraph of Article 6(1) of that regulation sets out an exhaustive and restrictive list of the cases in which the processing of personal data can be classified as lawful. Such a classification implies that the processing falls under one of those cases. It should be recalled that the processing in question does not fall under the main situation provided for in that provision, namely where the data subject has given consent to the processing for one or more specific purposes. (28) As is clear from the order for reference, no evidence was adduced in the main proceedings to show that the data subjects whose personal data were collected in the databases at issue had consented to their data being transferred to third parties outside the activity connected with Platform M., and in particular to their sale following enforcement proceedings.
66. According to the referring court, the processing by the court enforcement officer may fall within the scope of point (c) of the first subparagraph of Article 6(1) of the GDPR (processing is necessary for compliance with a legal obligation to which the controller is subject), or point (e) of the first subparagraph of Article 6(1) of that regulation (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller). (29)
67. As the referring court observes, Article 3 of the Law on Court Enforcement Officers confers on the court enforcement officer the status of public authority. It would be difficult, in my view, to maintain that the operations entrusted to it in the context of the implementation of enforcement proceedings with the aim of paying off the creditor do not reflect the performance of a task carried out in the exercise of official authority vested in that court enforcement officer.
68. In addition, it would not be easy to take the view that the situation referred to in point (c) of the first subparagraph of Article 6(1) of the GDPR applies to the present case. In that regard, it is important to note that the scope of that provision is strictly defined. As is clear from Opinion 6/2014 of the Article 29 Working Party, (30) the legal obligation to which the controller is subject must be sufficiently clear as to the processing of personal data it requires. That implies, in particular, the existence of legal provisions which expressly mention the nature and purpose of the processing. (31)
69. In the present case, I do not consider that the provisions invoked by the referring court, namely Article 3(1), Article 9(1)(1) and the first sentence of Article 31(1) of the Law on Court Enforcement Officers, and Article 796(1) and the first sentence of Article 799(1) of the Code of Civil Procedure, can be classified in that manner, since it is apparent from those provisions only that the court enforcement officer, in its capacity as a public authority, is required to comply with any request to commence enforcement proceedings in accordance with all authorised methods. More specifically, Polish law does not appear to impose on the court enforcement officer a legal obligation to sell a database containing personal data. In that regard, it should be noted that Article 831(1)(3) of the Code of Civil Procedure excludes ‘non-transferable rights’ from enforcement, which could be understood as a prohibition on the transfer of a database in the event that it is incompatible with the GDPR.
70. It is not necessary, in any event, to rule out the possibility that the latter situation may also be relevant in the present case. Although it is sufficient that a single situation of lawfulness may be applicable, as confirmed by the wording of the first subparagraph of Article 6(1) of the GDPR, the Court has accepted that the same processing might satisfy several of those situations. (32)
71. In my view, the processing at issue therefore falls under the situation of lawfulness laid down in point (e) of the first subparagraph of Article 6(1) of the GDPR.
72. It should be noted that that situation implies that another condition for the lawfulness of processing must be taken into account. Article 6(3) of the GDPR specifies that the basis for the processing referred to, inter alia, in point (e) of the first subparagraph of Article 6(1) of that regulation must be laid down by Union law or by Member State law to which the controller is subject, and must meet an objective of public interest and be proportionate to the legitimate aim pursued. (33)
73. The combined provisions of point (e) of the first subparagraph of Article 6(1) and Article 6(3) of the GDPR therefore require there to be a legal basis – including a national legal basis – for the processing of personal data by the relevant controllers acting in the performance of a task carried out, inter alia, in the exercise of official authority, such as those performed by a court enforcement officer in connection with enforcement action against the assets of a company. (34)
74. In my view, that legal basis consists of all the provisions of Polish law mentioned in the first sentence of point 69 of this Opinion, from which it follows that the court enforcement officer, in its capacity as a public authority, is required to comply with any request to commence enforcement proceedings in accordance with all authorised methods.
75. Finally, the question whether the processing at issue complies with the GDPR requires an additional legal issue to be addressed, which lies at the heart of the present case.
76. I note that the purpose of the processing of personal data carried out by the court enforcement officer, namely the compulsory sale of databases of users of Platform M. in order to pay off the creditors of NMW, differs from the initial purpose of the processing of personal data by that company, namely to enable the use of Platform M. for that company’s online sales.
77. In that regard, it should be recalled that, under Article 5(1)(b) of the GDPR, which sets out the principle of ‘purpose limitation’, personal data must be, first, collected for specified, explicit and legitimate purposes and, secondly, not further processed in a manner that is incompatible with those purposes. That provision does not, however, contain any indication of the circumstances in which further processing of personal data may be regarded as compatible with the purposes of the initial collection of those data. (35)
78. It follows from Article 6(4) of the GDPR, read in the light of recital 50 of that regulation, (36) that the examination of such compatibility involves taking into consideration a series of non-exhaustive criteria listed therein.
79. It is clear that taking those criteria into consideration in the present case could not lead to an affirmative answer as to the compatibility of the purposes in question. As the Court has recently stated, those criteria reflect the need for a specific, logical and sufficiently close link between the purposes for which the personal data were initially collected and the further processing of those data, and ensure that such further processing does not deviate from the legitimate expectations of the data subjects as to the subsequent use of their data. (37) However, such a link cannot be established in the present case.
80. In any event, it is clear from the first sentence of Article 6(4) of the GDPR that the assessment of the compatibility of purposes becomes necessary only ‘where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) [of the GDPR]’.
81. It is established in the present case that the users of Platform M. did not give their consent to processing for a purpose other than that for which their personal data had been collected. The question then arises whether such processing is based on national or EU law and whether it can be considered to be a necessary and proportionate measure in a democratic society to achieve one of the objectives listed in Article 23(1) of the GDPR.
82. In that regard, I think it is necessary to point out that that situation has been interpreted by the Court as constituting a genuine derogation from the principle of purpose limitation. Relying on recital 50 of the GDPR, the Court held that the controller is allowed to further process the data concerned irrespective of the compatibility of that processing with the purposes for which those data were initially collected, in order to safeguard the important objectives of general public interest set out in Article 23(1) of the GDPR. It thus concluded that the first sentence of Article 6(4) of that regulation applies to the production as evidence of a document containing the personal data of third parties collected principally for the purposes of tax inspection, where that production has been ordered by a court in the context of civil court proceedings. (38)
83. Although that interpretation may not please those who take the view that the right to the protection of personal data ought to be restricted only by national legislative measures, it is, in my view, fully consistent with the intentions of the EU legislature. It is important to recall that the statement of reasons relating to the Council’s position in the travaux préparatoires of the GDPR expresses, perhaps even more clearly than recital 50 of that regulation, the choice to allow the controller a carefully circumscribed margin of discretion to carry out processing which is incompatible with the purposes indicated at the time when the personal data which are the subject of the processing were collected. (39)
84. Since the existence of a legal basis for the processing at issue in the present case has already been established, it must next be determined whether that processing is intended to safeguard the objectives set out in Article 23 of the GDPR.
85. I note that those objectives include, in accordance with Article 23(1)(j), ‘the enforcement of civil law claims’. It seems to me that the processing of the personal data at issue is appropriate for ensuring that that objective is achieved. In that regard, it is important to observe that, according to the referring court, the purpose of that processing follows from a combined reading of Article 911 of the Code of Civil Procedure and the first sentence of Article 31(1) of the Law on Court Enforcement Officers, which authorise the court enforcement officer to sell the database and, as a consequence, to transfer the sum obtained from that compulsory sale to the creditor.
86. The question whether the processing carried out by the court enforcement officer in the context of enforcement proceedings takes the form of a necessary and proportionate measure in a democratic society to achieve the objective of ensuring the enforcement of civil law claims falls within the jurisdiction of the referring court. It is, however, for the Court to provide that court, on the basis of the information available, with all the necessary indications for that purpose from the point of view of EU law. (40)
87. So far as necessity is concerned, it is common ground that a measure is necessary where the legitimate objective pursued cannot be attained by an equally appropriate but less restrictive measure. In other words, is it possible to enforce the creditor’s claim by other means that are just as efficient but less restrictive of the rights of the users of Platform M. to respect for their private life and to the protection of their personal data? In that regard, I would simply note that, according to the referring court, it is not possible to pay off the creditor company from the debtor company’s assets without the compulsory sale of the databases concerned.
88. As for proportionality, the assessment of that condition requires a balancing of the opposing interests involved in the light of the specific circumstances of the particular case under consideration.
89. In the present case, the first of those interests, which is a fundamental right enshrined in Article 8(1) of the Charter of Fundamental Rights of the European Union (‘the Charter’) and in Article 16 TFEU, consists in the protection of the users of Platform M. with regard to the processing of personal data. Closely linked to that is the right to respect for private life, enshrined in Article 7 of the Charter. As is stated in recital 4 of the GDPR, the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. One of those rights is the right to property, set out in Article 17 of the Charter. The sale of a database belonging to the debtor in the context of enforcement proceedings contributes, in my view, to respect for the right to property of the holder of a claim established by a court.
90. In that regard, it should be borne in mind that Article 17 of the Charter corresponds to Article 1 of the Additional Protocol to the Convention for the Protection of Human Rights and Fundamental Freedoms, signed in Rome on 4 November 1950 (‘the ECHR’), and therefore, under Article 52(3) of the Charter, its meaning and scope are the same as those laid down by the ECHR in Article 1.
91. According to the case-law of the European Court of Human Rights, the right to property means that the States are under a positive obligation to organise a system for enforcement of judgments that is effective both in law and in practice and that ensures that the procedures enshrined in the legislation for the enforcement of final judgments are implemented without any undue delay. (41) Where the creditor is a private entity, the State is obliged to provide the necessary assistance to creditors in enforcing the court decisions in question, for example through the services of a court enforcement officer. (42) In that context, where the authorities are required to act to enforce a judgment and they do not do so, their inertia may give rise to liability on the part of the State on the basis of, inter alia, Article 1 of Additional Protocol No 1 to the ECHR. (43)
92. To assess that balance between the right to property, on the one hand, and the rights to the protection of personal data and to respect for private life, on the other, a specific factor which is apparent from the case file could, in my view, be taken into account.
93. According to the order for reference, no provision of Polish law introduces subjective restrictions as to the purchaser of a database, the only condition being the possession of legal capacity. That lacuna means that the third-party purchaser may also be an entity established outside the European Union which is not bound, as such, to comply with the rules on the processing of personal data laid down by the GDPR.
94. In such a situation, it seems to me that the processing at issue would entail an excessive sacrifice of the right to the protection of personal data and could not therefore be regarded as a proportionate measure. Such an outcome could be avoided, by way of illustration, by a rule under national law requiring the court enforcement officer to include in the terms drawn up for the purposes of an auction a clause requiring the third-party purchaser to comply with the rules of the GDPR.
Conclusion
95. In the light of the foregoing considerations, I propose that the Court should answer the question referred for a preliminary ruling by the Sąd Rejonowy dla m.st. Warszawy w Warszawie (District Court, Warsaw, Poland) as follows:
Point (e) of the first subparagraph of Article 6(1), Article 6(3) and the first sentence of Article 6(4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
must be interpreted as meaning that it does not preclude a provision of national law that permits the sale, by a court enforcement officer, in enforcement proceedings, of a database which contains personal data, if the data subjects did not consent to such a sale, provided that the processing carried out by that court enforcement officer with regard to those data constitutes a necessary and proportionate measure in a democratic society to ensure the enforcement of a civil law claim.
1 Original language: French.
2 OJ 2016 L 119, p. 1.
3 OJ 1996 L 77, p. 20.
4 The users of Platform M. are said to have received an email on 30 April 2019 informing them that NMW had ceased its activities linked to such a platform.
5 No doubt has been raised that the data contained in the databases at issue in the main proceedings must be classified as ‘personal data’ within the meaning of Article 4(1) of the GDPR.
6 Judgment of 20 October 2022, Digi (C‑77/21, EU:C:2022:805, paragraph 54).
7 Judgment of 7 May 2009, Rijkeboer (C‑553/07, EU:C:2009:293, paragraph 33).
8 See judgment of 3 June 2021, Ministero dell’Istruzione, dell’Università e della Ricerca – MIUR and Others (Academic researchers) (C‑326/19, EU:C:2021:438, paragraph 36 and the case-law cited).
9 See judgment of 18 October 2012, Football Dataco and Others (C‑173/11, EU:C:2012:642, paragraph 25 and the case-law cited).
10 See recital 7 of Directive 96/9.
11 See recitals 39 and 40 of Directive 96/9. See, also, judgment of 19 December 2013, Innoweb (C‑202/12, EU:C:2013:850, paragraph 36).
12 OJ 1995 L 281, p. 31.
13 Contrary to the view taken by the Commission in its written observations, Article 7(4) of Directive 96/9 (‘protection of databases under the right provided for in paragraph 1 shall be without prejudice to rights existing in respect of their contents’) does not govern the relationship between that directive and the GDPR. See, in that regard, recital 18 of that directive.
14 According to settled case-law, in order to provide the national court with an answer which will be of use to it and enable it to determine the case before it, the Court may find it necessary to consider provisions of EU law to which the national court has not referred in its question. See judgment of 21 December 2023, Infraestruturas de Portugal and Futrifer Indústrias Ferroviárias (C‑66/22, EU:C:2023:1016, paragraph 41 and the case-law cited).
15 Judgment of 20 October 2022, Digi (C‑77/21, EU:C:2022:805, paragraph 48).
16 See judgment of 9 July 2020, Land Hessen (C‑272/19, EU:C:2020:535, paragraph 70), in which the Court was called upon to rule on the categorisation of the Petitions Committee of the Parliament of that Land as ‘controller’. See, also, judgments of 22 June 2021, Latvijas Republikas Saeima (Penalty points) (C‑439/19, EU:C:2021:504, paragraph 66), and of 20 October 2022, Koalitsia ‘Demokratichna Bulgaria – Obedinenie’ (C‑306/21, EU:C:2022:813, paragraph 39).
17 That interpretation follows, in the Court’s view, from the wording of that provision, in particular the expression ‘any operation’ and the non-exhaustive nature, expressed by the phrase ‘such as’, of the operations listed therein. See judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes) (C‑175/20, EU:C:2022:124, paragraph 35).
18 An expert may be appointed if the court enforcement officer considers that estimating the value of that database requires specialised knowledge on account of the specific properties of the database. In that situation, the database would be made available to the expert by the court enforcement officer.
19 Judgment of 29 July 2019, Fashion ID (C‑40/17, EU:C:2019:629, paragraph 72). For the sake of completeness, I would point out that the judgment referred to concerned the interpretation of the concept of ‘processing’ as defined in Article 2(b) of Directive 95/46. Although that directive is no longer in force and has been replaced by the GDPR, the interpretation given by the Court remains relevant within the context of the application of the GDPR, given that the definition of that concept remains identical in both instruments, save for minor formal amendments. Thus, I will refer to judgments relating to one or the other instrument without making a distinction.
20 As the Court has held, the objective of Article 4(7) of the GDPR is to ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of data subjects. See judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras (C‑683/21, EU:C:2023:949, paragraph 29 and the case-law cited).
21 Judgment of 8 December 2022, Google (De-referencing of allegedly inaccurate content) (C‑460/20, EU:C:2022:962, paragraph 51 and the case-law cited).
22 Judgment of 11 January 2024, État belge (Data processed by an official journal) (C‑231/22, EU:C:2024:7, paragraphs 29 and 30). See, also, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted on 7 July 2021, available at: https://edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf, paragraph 24, according to which ‘more commonly, rather than directly appointing the controller or setting out the criteria for its appointment, the law will establish a task or impose a duty on someone to collect and process certain data. In those cases, the purpose of the processing is often determined by the law. The controller will normally be the one designated by law for the realisation of this purpose, this public task’.
23 Judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes) (C‑175/20, EU:C:2022:124, in particular paragraphs 37, 38 and 60).
24 Judgment of 11 January 2024, État belge (Data processed by an official journal) (C‑231/22, EU:C:2024:7, paragraph 49). I would point out that, according to the case-law, the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case. See, to that effect, judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras (C‑683/21, EU:C:2023:949, paragraph 42 and the case-law cited).
25 See Chapter II of the GDPR. Under Article 5(2) of the GDPR: ‘the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”)’.
26 See Chapter III of the GDPR.
27 Judgment of 6 October 2020, La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 208 and the case-law cited).
28 See point (a) of the first subparagraph of Article 6(1) and recital 40 of the GDPR, which translates the Latin maxim ‘volenti non fit iniuria’ (there is no injury where consent has been given).
29 That doubt is not surprising since there is a clear overlap between the respective scopes of those two situations, since tasks carried out in the public interest or in the exercise of official authority are generally based on a legal provision.
30 This is an independent advisory body established under Article 29 of Directive 95/46 and replaced after the adoption of the GDPR by the European Data Protection Board.
31 By way of illustration, reference is made to an obligation on a local authority to collect personal data for the purposes of processing fines for parking in unauthorised locations.
32 Judgment of 9 March 2017, Manni (C‑398/15, EU:C:2017:197, paragraph 42).
33 See, also, recital 45 of the GDPR.
34 See judgment of 2 March 2023, Norra Stockholm Bygg (C‑268/21, EU:C:2023:145, paragraph 32).
35 See judgment of 20 October 2022, Digi (C‑77/21, EU:C:2022:805, paragraph 32).
36 According to that recital, ‘where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes’.
37 Judgment of 20 October 2022, Digi (C‑77/21, EU:C:2022:805, paragraph 36).
38 Judgment of 2 March 2023, Norra Stockholm Bygg (C‑268/21, EU:C:2023:145, paragraphs 33 to 41).
39 Statement of the Council’s reasons: Position (EU) No 6/2016 of the Council at first reading with a view to the adoption of a Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) adopted on 8 April 2016 (point 3.3).
40 Judgment of 7 September 2016, ANODE (C‑121/15, EU:C:2016:637, paragraph 54 and the case-law cited).
41 ECtHR, 7 June 2005, Fuklev v. Ukraine (CE:ECHR:2005:0607JUD007118601, § 91).
42 See, inter alia, ECtHR, 19 October 2006, Kesyan v. Russia (CE:ECHR:2006:1019JUD003649602, § 80).
43 See inter alia, ECtHR, 28 September 1995, Scollo v. Italy (CE:ECHR:1995:0928JUD001913391, § 44).