Privacy & Information Security Law Blog

On March 7, 2024, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of Endemol Shine (Case C‑740/22). In this case, the CJEU was called upon to assess whether oral disclosure of information could be considered as processing of personal data under the EU General Data Protection Regulation (“GDPR”) and to clarify the relationship between personal data protection and public access to documents.

Background

The case arises from an oral request by Endemol Shine to a Finish District Court concerning information on criminal proceedings against an individual involved in a competition organized by Endemol Shine. The District Court refused to orally disclose the information, taking the view that it did not have a legal basis to carry out a search for the requested information in its systems.

Endemol Shine challenged this refusal by filing an appeal with the Court of Appeal – Eastern Finland, which requested the CJEU’s opinion on the following questions: (1) whether the oral transfer of personal data should be considered as data processing; and (2) whether data relating to criminal convictions of a natural person contained in a court’s filing system can be disclosed orally to any person for the purpose of ensuring public access to official documents.

The CJEU’s Decision

In response to these questions, the CJEU took the view that the concept of “processing” under the GDPR should be interpreted broadly and includes oral disclosure. According to the CJEU, Article 4(2) of the GDPR does not contain any restrictions that would prevent the court from considering oral disclosure as “processing” and this broad interpretation is aligned with the legislator’s objective of ensuring a high level of protection for personal data. In the CJEU’s view, “the possibility of circumventing the application of [the GDPR] by disclosing personal data orally rather than in writing would be manifestly incompatible with [its objective].”

The CJEU notes that the oral disclosure of personal data may still fall out of scope of the GDPR when the processing is manual and the data processed do not form part of a filing system, nor are intended to. However, the CJEU considers that this is not applicable to the Endemol Shine case as the personal data requested by the company are contained in a court’s register, which is a filing system.

With respect to the question on the relationship between the GDPR and the right of public access to official documents, taking into account the sensitivity of data relating to criminal convictions and of the seriousness of the interference with the individual’s fundamental rights, the CJEU considered that the disclosure of this information to any person who requests it, without requiring the requestor establish a specific interest, is not compatible with the GDPR.

Read the CJEU’s decision.