The entry into force of the RGPD has transformed the way companies and public bodies process personal data, raising crucial questions about the communication of personal data. With concerns about privacy and data protection on the rise, it's essential to understand how the European legal framework is influencing data processing practices.
This article looks specifically at the implications of the RGPD for the communication of personal information, addressing fundamental questions such as: What really is personal data under the RGPD? What would be the definitions and concrete implementations through case law ? Get ready to explore the intricacies of this essential regulation and discover key elements shaping today's legal landscape.
If you are looking for a personal data lawyer, contact me!
How is personal data defined under the RGPD?
To grasp the issues involved in communicating personal data, it's crucial to understand what is meant by "personal data" under the RGPD. According to Article 4, point 1, of this regulation, data is considered personal if it can be associated with an identified or identifiable natural person. In other words, any information that can directly or indirectly identify a person, such as a first name, surname, address, or identification number, falls within this definition.
This notion has been broadened by case law, which affirms that the expression "any information" means that all data, whether objective or subjective, can be qualified as personal data, provided that it relates to an identifiable person. Thus, elements specific to the physical, cultural or social identity of an individual can also be considered personal data. As the case law points out in the Manni judgment of March 9, 2017 (C-398/15), such information does not lose this qualification, even when its use is in a professional context.
- The constituent elements of personal data include :
- Identifiers such as first or last names
- Identification numbers
- E-mail addresses
- Location data
- According to the IAB Europe ruling (C-604/22), the processing of personally identifiable information is a major legal issue.
It is essential to note that the mere fact that information is communicated in a professional context does not affect its status as personal data. The RGPD aims above all to guarantee the protection and confidentiality of personal information, regardless of the context in which it is used. This fundamentally broad approach ensures that even in a professional world, individuals' rights are safeguarded.
In short, understanding the legal definitions surrounding personal data leads us to recognize the health of individuals in the face of data processing practices. This leads us to further explore the scope of the notion of processing itself.
What is the scope of the notion of data processing under the RGPD?
To understand the implications of the RGPD on the communication of personal data, it is crucial to look at the concept of "data processing". Article 4(2) of the RGPD defines processing as any operation or set of operations performed on personal data, whether collection,recording, storage, alteration,use, or dissemination.
This definition is not exhaustive, and underlines the breadth of actions that can be considered as processing. Indeed, case law has clarified that even a simple consultation of data must be considered processing. It follows that almost all interactions with personal data, in any context, are governed by the RGPD.
- The different types of treatment include :
- Collecting information via online forms
- Data storage on servers
- Modifying data in a database
- Data sharing between several entities
- Based on the judgment of the Court of Justice of the European Union (CJEU) of July 29, 2021, a processing operation can also cover the publication of information that is personal in nature, even if this forms part of a broader analysis.
The notion of processing becomes all the more relevant when we consider the responsibility of those involved. The RGPD requires data controllers to adopt appropriate technical and organizational measures to protect personal data. This means that it is their responsibility not only to ensure the security of this data, but also to act in continual respect for the rights of data subjects, taking into account the confidentiality of their information.
Furthermore, as established by case law in "Google Spain SL and Google Inc. v Agencia Española de Protección de Datos and Mario Costeja González" (C-131/12), the notion of processing also includes the right to beforgotten, enabling individuals to request the deletion of their data in certain circumstances. This illustrates the importance of respecting the rights of individuals when it comes to data processing.
This exploration of the scope of processing prepares us to think about the legal requirements governing the communication of data, particularly in the context of access to public documents. But before we get there, it's essential to consider how these principles manifest themselves in the day-to-day practice of organizations.
What are the legal requirements for providing access to public documents?
The legal requirements around data communication are particularly relevant in the context of access to public documents. Article 6(1)(c) and (e) of the GDPR addresses the lawfulness of data processing, specifying that data processing may be justified by the legal obligation to which the controller is subject or by the performance of a task carried out in the public interest.
In this context, it is essential to consider the obligations incumbent on the public authorities responsible for communicating information. According to Article 86 of the GDPR, certain personal data may be communicated in official documents, provided that this complies with the relevant Union or national legislation.
- The main requirements can be summarized as follows:
- Personal data must be processed lawfully, fairly and transparently.
- Data controllers must ensure that the data is essential to the performance of the public interest mission.
- The data subject must beinformed and consulted before any communication is made.
- Member States may introduce specific provisions to ensure compliance with the RGPD.
- Furthermore, decisions taken by the authorities must be proportionate in order to avoid excessive restrictions on the right of access to public documents.
According to case law, including the January 9, 2025 Mousse case (C-394/23), compliance with the GDPR in data communication is considered an essential measure for the protection of personal data, taking into account the fundamental rights of individuals.
It is then notable that the implementation of obligations linked to the communication of data should not create disproportionate obstacles. As specified in case law, practical difficulties in informing data subjects may justify opportune choices when communicating data, as long as these decisions respect the framework established by the RGPD.
In conclusion, the interplay between data disclosure requirements and the RGPD framework represents a delicate balance between transparency for the public and the need to protect individual rights. This dynamic invites ongoing reflection on the application of data protection principles, especially in situations involving public documents.
For further information, please consult the European Court of Justice ruling at https://curia.europa.eu/juris/document/document.jsf?text=&docid=297537&pageIndex=0&doclang=fr&mode=lst&dir=&occ=first&part=1&cid=1737116.
