On November 28, 2024, the Court of Justice of the European Union (CJEU) published its judgment in Case C‑169/23 regarding Information to be provided where personal data has not been obtained from the data subject.

Background to the judgment

The CJEU outlined that the issuing authority issued an immunity certificate confirming a complainant's vaccination against COVID-19. On April 30, 2021, the complainant launched a complaint based on Article 77(1) of the General Data Protection Regulation (GDPR) with the national authority, claiming that, among other things:

• the issuing authority did not publish a statement on the protection of personal data in relation to the issuing of immunity certificates; and
• there was no information concerning the purpose, the legal basis of the processing, the rights of data subjects, and how those rights could be exercised.

The national authority rejected the request by decision of November 15, 2021, claiming that processing of personal data was covered by the exception under Article 14(5)(c) of the GDPR. Following this, the complainant brought an administrative appeal against this decision before the Budapest High Court. The Budapest High Court ruled in favor of the complainant.

The CJEU further explained that the national authority brought an extraordinary appeal against that judgment before the Supreme Court of Hungary, which requested that the CJEU issue a preliminary ruling.

Findings of the CJEU

The CJEU found that Article 14(5)(c) of the GDPR 'must be interpreted as meaning that the exception to the controller's obligation to provide information to the data subject, laid down in that provision, concerns all personal data, without distinction, that have not been collected by the controller directly from the data subject, whether those data have been obtained by the controller from a person other than the data subject or whether they have been generated by the controller itself, in the performance of its tasks.'

Moreover, the CJEU held that Articles 14(5)(c) and 77(1) of the GDPR must be interpreted as meaning that, in a complaint procedure, the supervisory authority is competent to verify whether the Member State law to which the controller is subject provides appropriate measures to protect the data subject's legitimate interests, for the purposes of the application of the exception under Article 14(5)(c) of the GDPR. That verification does not, however, cover the appropriateness of the measures that the controller is required to implement under Article 32 of the GDPR to guarantee the security of processing of personal data.

You can read the judgment here.