In a ruling made on March 2, 2023, the European Court of Justice (ECJ) confirmed that the General Data Protection Regulation (GDPR) is applicable to national civil procedure laws of European Union (EU) member states. The question before the ECJ was whether personal data originally collected for tax purposes could be used as evidence in civil proceedings in compliance with data protection laws under Article 6(3), and whether processing has changed. The court confirmed the general applicability of GDPR provisions in national civil procedure laws of EU member states.
Background of the Judgment
The plaintiff had built an office building for the defendant, and people working at the construction site had recorded their presence using an electronic staff register. According to the Swedish Tax Procedures Act, those undertaking construction activities are obliged to maintain an electronic staff register, including all the information necessary to identify undeclared work and the persons involved in each economic activity. The plaintiff filed a lawsuit against the defendant seeking payment of the outstanding balance for the work performed, but the defendant alleged that the number of hours for which it was paid was less than the number of hours quantified in the plaintiff’s request.
The plaintiff argued that the procedure violated the purpose limitation principle of Article 5(1)(b) GDPR, as the personnel directory included personal data collected to enable the Swedish tax authorities to monitor the company’s activities. Disclosure of this data in the unredacted form in court was incompatible with this purpose. After the plaintiff was ordered to produce an unredacted version of the personnel list, the Court of Appeal referred the question of legality to the ECJ for a preliminary ruling.
Reason for Decision
The ECJ confirmed that the scope of Article 2(1) GDPR applies not only to processing operations carried out by individuals but also to processing operations carried out by public authorities, including judicial bodies such as courts. Both the creation and maintenance of an electronic personnel register for tax purposes and the creation of this document ordered in the context of court proceedings constitute the processing of personal data within the meaning of Article 4(2) of the GDPR. Therefore, the production of court-ordered documents as evidence requires a legal basis under Article 6 of the GDPR.
The ECJ considered Article 6(1)(e) of the GDPR applicable, according to which the processing of personal data is lawful if it is necessary for the performance of a task carried out in the public interest. The ECJ believes that the enforcement of civil claims, which is listed under Article 23(1)(j) of the GDPR, could be considered such a suitable purpose. However, the court emphasized that it is the referral court’s responsibility to check whether the requirements of Article 6(4) of the GDPR are met in conjunction with Article 23(1) of the GDPR, requiring a court decision on a case-by-case basis.
Conclusion
With this ruling, the ECJ provides legal certainty about the relationship between the GDPR and domestic codes of civil procedure. The true impact of the ruling is its generalizability, as the finding that GDPR principles bind courts is readily transferable to the processing of personal data by other litigants. Parties and attorneys should keep the requirements of the GDPR in mind when presenting evidence or processing personal data in connection with litigation, including receiving, using, or disclosing personal data, at all stages of litigation. It is also important to take into account other legal provisions such as Sec. 24(1) No. 2 Federal Data Protection Act (BDSG) from the German perspective when assessing the lawfulness of changing the purpose of data processing activities.
