The Court of Justice of the European Union (CJEU) addressed the question of whether a verbal disclosure constitutes the processing of personal data within the meaning of Article 4(2) of the GDPR and thus falls within the material scope of the Regulation. For the judges, the decisive factor was whether this information is stored or is intended to be stored in a filing system (judgment of 7 March 2024, Case C-740/22).
Background to the judgement
In the present case, the claimant, Endemol Shine Finland, applied to the Finnish court of first instance for verbal disclosure regarding any penalties that may have been imposed or already served by a natural person who had taken part in a competition organised by the company. The aim was to assess the individual’s criminal background.
The South Savo District Court rejected the claimant’s request, even though it considered the information in question to constitute a decision or public information under the Finnish Act on the Publicity of Court Proceedings. However, the purpose stated by the claimant did not meet the requirements of the Finnish Data Protection Act for the processing of criminal data. As a result, the requested information could not be disclosed orally by the court.
The claimant lodged an appeal, arguing that the verbal disclosure of the requested information did not constitute the processing of personal data within the meaning of Article 4(2) GDPR.
In response, the court of appeal referred the matter to the CJEU for a preliminary ruling, asking whether a verbal disclosure of potentially imposed or already served criminal penalties concerning a natural person constitutes processing of personal data within the meaning of the GDPR.
Current judgements on the GDPR
Read our regular reviews of data protection law rulings to stay up to date!
The judgement
In its ruling, the CJEU emphasised that the interpretation of the GDPR must take into account not only the wording of the regulation, but also its context and the objectives pursued by the respective provisions. The Court also confirmed that the information the claimant had requested constitutes personal data within the meaning of Article 4(1) GDPR.
The CJEU holds that the term “processing” is to be interpreted broadly, as it includes “any operation” according to the definition in Article 4(2) GDPR. Furthermore, the list of operations in Article 4(2) GDPR is not exhaustive, as indicated by the use of the word “such as”.
In the Court’s view, this list includes, among other things, disclosure by transmission and “any other form of making available”, and these operations may take place either by automated means or non-automated means. Article 4(2) GDPR does not impose specific requirements regarding the form of “non-automated processing”; therefore, verbal disclosures are in principle also covered.
The CJEU further explained that this interpretation of the term “processing” is consistent with the objective of the GDPR to ensure a high level of protection for the fundamental rights of natural persons especially their right to privacy in the processing of personal data. Circumventing this objective by disclosing personal data verbally instead of in writing would be clearly contradictory. As a result, the concept of “processing” necessarily includes the verbal disclosure of personal data.
The CJEU also found that Article 4 of the GDPR, as well as Recital 15, make it clear that the Regulation applies to both automated and manual processing of data. This is to ensure that the protection of data subjects does not depend on the technology used and cannot be circumvented. At the same time, it is clarified that the Regulation applies to manual data processing only if the data are “part of a filing system or are intended to be part of a filing system.”
The Court had previously clarified that the concept of a “filing system” is to be interpreted broadly in line with this objective, as it includes “any” structured collection of personal data (see judgment of 10 July 2018, Case C 25/17 ).
The requirement that the data must be “structured according to specific criteria” refers to the ability to easily retrieve data relating to a specific individual. However, Article 4(6) GDPR does not prescribe how a filing system must be structured or what form it should take. In particular, it is not necessary for personal data to be stored in dedicated libraries, directories, or search systems for them to qualify as a “filing system” within the meaning of the GDPR.
The CJEU explains that in the present case, the requested data are stored in a “court’s register of persons”. The judges noted that these data constitute a filing system within the meaning of Article 4(6) GDPR. However, it is for the referring court to assess this, regardless of whether the data are kept in electronic databases or physical files.
Data protection assessment
In its judgement, the CJEU made it clear that the term “processing” is to be interpreted broadly and includes verbal disclosure. Provided that the data are stored, or intended to be stored, in a filing system, the material scope of the GDPR also extends to verbal disclosures.
Exceptions to the requirement that data be stored in a filing system may be provided for under national legal systems. One example is Section 26(7) of the German Federal Data Protection Act (BDSG), which states that the provisions of Section 26 BDSG also apply when employee data are processed without being stored or intended to be stored in a filing system. This means that all forms of processing employee data are covered, including the verbal transmission of personal data, for example in the context of telephone conversations.
Conclusion
The broad interpretation of the material scope of data protection law is consistent with the objectives of the GDPR. The protection of fundamental rights concerns potential violations of an individual’s right to privacy, which can, of course, also occur through verbal processing.
However, since data transmitted exclusively verbally cannot generally lead to subsequent misuse such as unauthorised disclosure the limitation via the material scope is also logical. It is different when the risk of misuse is reintroduced through the recording of verbal data.
When assessing the lawfulness of the verbal disclosure of personal data, a two-step mental check must always be carried out: Namely, first, whether the situation involves relevant data processing at all; and second, whether this processing takes place by means of a structured filing system.
In most cases, the material scope of the Regulation will not fail due to the presence of data processing, but rather due to the lack of storage in a filing system.
