This document is an excerpt from the EUR-Lex website

Document 62022CJ0026

Judgment of the Court (First Chamber) of 7 December 2023.
UF and AB v Land Hessen.
Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 5(1)(a) – Principle of ‘lawfulness’ – Point (f) of the first subparagraph of Article 6(1) – Necessity of processing for the purposes of the legitimate interests pursued by the controller or by a third party – Article 17(1)(d) – Right to erasure where personal data have been unlawfully processed – Article 40 – Codes of conduct – Article 78(1) – Right to an effective judicial remedy against a supervisory authority – Decision taken by the supervisory authority on a complaint – Scope of judicial review of that decision – Credit information agencies – Storage of data from a public register relating to the discharge of remaining debts in favour of a person – Storage period.
Joined Cases C-26/22 and C-64/22.

Court reports – general

ECLI identifier: ECLI:EU:C:2023:958

Joined Cases C‑26/22 and C‑64/22

UF
and
AB

v

Land Hessen

(Request for a preliminary ruling from the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany))


  1. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Remedies – Judicial remedy against a decision on a complaint by a supervisory authority – Judicial review – Scope – Limits – Absence

    (Charter of Fundamental Rights of the European Union, Arts 8(3) and 47; European Parliament and Council Regulation 2016/679, recitals 141 and 143 and Arts 52, 78(1) and 79(1))

    (see paragraphs 50-53, 58, 59, 62, 67-70, operative part 1)

  2. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Conditions governing the lawfulness of the processing of personal data – Processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party – Processing necessary for the activity of a private company consisting of supplying commercial information to its contractual partners for the purpose of assessing the solvency of their potential customers – Systematic retention of data from a public register relating to the discharge of remaining debts in favour of a person – Retention period exceeding the retention period for data in the public insolvency register – Not permissible

    (Charter of Fundamental Rights of the European Union, Arts 7 and 8; European Parliament and Council Regulations 2015/848, recital 76 and Art. 79(4) and (5), and 2016/679, Arts 5(1)(a) and 6(1), first subpara., point (f))

    (see paragraphs 75, 83, 88-100, 113, operative part 2)

  3. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Conditions governing the lawfulness of the processing of personal data – Code of conduct drawn up by an association representing controllers or processors approved by the competent supervisory authority – Code laying down conditions for the lawfulness of processing which do not correspond to those laid down in Regulation 2016/679 – Failure to take into account

    (European Parliament and Council Regulation 2016/679, Arts 6(1), first subpara., point (f), and 40(1), (2) and (5))

    (see paragraphs 101-105)

  4. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Right to erasure – Scope – Unlawful processing of personal data – Included

    (European Parliament and Council Regulation 2016/679, Art. 17(1)(d))

    (see paragraphs 107, 108, 113, operative part 4)

  5. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Right to erasure – Scope – Right of the data subject to object to data processing – Included – Exception – Existence of legitimate and compelling grounds for the processing overriding the interests and rights and freedoms of that person – Burden of proof on the controller

    (European Parliament and Council Regulation 2016/679, Arts 17(1)(c) and 21(1))

    (see paragraphs 109-113, operative part 3)

Summary

SCHUFA Holding AG, a private company incorporated under German law, records and stores information from public registers in its own databases, in particular information relating to the discharge from remaining debts, which it provides, where appropriate, to its contractual partners. It deletes that information three years after it was recorded, in accordance with the code of conduct drawn up in Germany by the association of agencies providing credit information.

After having benefited from decisions on the early discharge from remaining debts in the context of insolvency proceedings, UF and AB asked SCHUFA to erase the entries relating to those decisions. SCHUFA refused to accede to their requests, explaining that the six-month period for deleting the data from the public register, provided for under German law, ( 1 ) did not apply to it.

UF and AB each lodged a complaint against SCHUFA with the HBDI, ( 2 ) the competent supervisory authority, which rejected the complaint on the grounds that SCHUFA’s data processing was lawful.

Following actions brought by UF and AB against the HBDI’s decisions, the Verwaltungsgericht Wiesbaden (Administrative Court, Wiesbaden, Germany) asked the Court of Justice to interpret a number of provisions of the GDPR, ( 3 ) in particular those concerning the need to process data for the purposes of the interests pursued and the right to erasure. ( 4 )

In its judgment, the Court finds that the GDPR ( 5 ) precludes a practice by credit information agencies, which consists in retaining, in their own databases, information from a public register relating to the granting of a discharge from remaining debts in favour of natural persons for a longer period than that provided for by national law for the retention of such data in such a register. It also rules on the right of the data subject to obtain from that company the erasure of data concerning him or her.

Findings of the Court

In the first place, the Court points out that, under the GDPR, processing of personal data may be regarded as lawful in particular where three cumulative conditions are met, namely, first, that the controller or a third party is pursuing a legitimate interest, secondly, that the processing is necessary to achieve the legitimate interest pursued and, thirdly, that the interests or fundamental rights and freedoms of the data subject do not override the legitimate interest of the controller or a third party. ( 6 )

As regards the first condition, the Court points out that, while, in the present case, the processing of personal data serves the economic interests of a private company, it also serves to pursue the legitimate interests of that company’s contractual partners, who are required to assess the solvency of the persons with whom they intend to conclude credit agreements, and thus the interests of the credit sector from a socio-economic point of view.

As regards the second condition, the Court points out that data processing may be regarded as ‘necessary’ only if it is carried out in so far as is strictly necessary for the purposes of a legitimate interest pursued by the controller or by a third party.

As regards the third condition, the Court finds that, in the present case, the examination of that condition merges with the examination of the second condition and requires a balancing of the opposing rights and interests in order to assess whether the legitimate interests pursued cannot reasonably be achieved by a shorter period for storing the data.

Thus, with regard to the balancing of the legitimate interests pursued, the Court notes that, in so far as the analysis provided by a credit information agency makes it possible to assess objectively and reliably the creditworthiness of the potential customers of that agency’s contractual partners, it makes it possible to compensate for disparities in information and thus to reduce the risks of fraud and other uncertainties.

As regards, on the other hand, the rights and interests of the data subject, the Court considers that the processing by that company of data relating to the granting of a discharge from remaining debts, such as the storage, analysis and communication of those data to a third party, constitutes a serious interference with the fundamental rights of the data subject. ( 7 ) Such data is used as a negative factor when assessing the data subject’s creditworthiness and therefore constitutes sensitive information about his or her private life, the processing of which is likely to be considerably detrimental to his or her interests. Furthermore, the longer such data is stored, the greater the impact on the interests and private life of the data subject and the greater the requirements relating to the lawfulness of the storage of that information.

Furthermore, as regards the retention of data in the public insolvency registers, the Court points out that the Member States are responsible for the collection and storage of data in national databases ( 8 ) and, consequently, they must also set the time limit for the retention of such data. In this case, the national legislature took the view that, once the six-month period had expired, the rights and interests of the data subject take precedence over those of the public in obtaining that information.

In addition, the discharge from remaining debts is intended to allow the person who benefits from it to re-enter economic life and is generally of existential importance to that person. However, the attainment of that objective would be jeopardised if the information relating to it could be retained and used after it has been deleted from the public insolvency register.

Consequently, the Court concludes that the interests of the credit sector in having access to information on a discharge from remaining debts cannot justify the retention of data beyond the period for which it must be kept in the public insolvency register.

The Court adds that the retention of the data for the six-month period also constitutes an interference with the data subject’s fundamental rights. In that regard, it is for the national court to assess whether the parallel storage of such data by private agencies can be regarded as being limited to what is strictly necessary.

Finally, as regards the existence of a code of conduct providing for the deletion of data after a period of three years, the Court notes that, while such a code is intended to contribute to the proper application of the GDPR, ( 9 ) the fact remains that the conditions of lawfulness of processing of personal data which it lays down cannot differ from the conditions laid down by the GDPR. Thus, a code of conduct that leads to an assessment different from that obtained pursuant to the GDPR cannot be taken into account.

In the second place, as regards the data controller’s obligations to erase personal data, the Court notes, first, that the data controller must erase data which have been processed unlawfully, such as, in the present case, the processing of data carried out by the company concerned beyond the six-month retention period in the public register. ( 10 ) Secondly, even if the national court were to conclude that the processing of the data during the six-month period was lawful, the data subject would have the right to object to such processing ( 11 ) and to obtain the erasure of the data concerning him or her, if that company still fails to demonstrate the existence of overriding legitimate grounds which prevail over the interests and the rights and freedoms of that person. ( 12 )


( 1 ) Paragraph 3(1) of the Verordnung zu öffentlichen Bekanntmachungen in Insolvenzverfahren im Internet (Regulation on public notifications in insolvency proceedings on the internet) of 12 February 2002 (BGBl. I, p. 677).

( 2 ) Hessischer Beauftragter für Datenschutz und Informationsfreiheit (Data Protection and Freedom of Information Commissioner for the Federal State of Hesse, Germany).

( 3 ) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and corrigendum OJ 2018 L 127, p. 2, ‘the GDPR’).

( 4 ) Point (f) of the first subparagraph of Article 6(1) and Article 17(1)(c) and (d) of that regulation respectively.

( 5 ) Article 5(1)(a), read in conjunction with point (f) of the first subparagraph of Article 6(1) of the GDPR.

( 6 ) Pursuant to point (f) of the first subparagraph of Article 6(1) of the GDPR, applicable in this case.

( 7 ) Rights enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, concerning respect for private life and the protection of personal data respectively.

( 8 ) Under Article 79(4) of Regulation (EU) 2015/848 of the European Parliament and of the Council of 20 May 2015 on insolvency proceedings (recast) (OJ 2015 L 141, p. 19). Article 79(5) of that regulation merely states that Member States are to inform data subjects of the accessibility period set for personal data stored in insolvency registers, without setting a time limit for the retention of such data.

( 9 ) Pursuant to Article 40(1) and (2) of the GDPR.

( 10 ) In accordance with Article 17(1)(d) of the GDPR.

( 11 ) Pursuant to Article 21(1) of the GDPR.

( 12 ) Under Article 17(1)(c) of the GDPR.
