The March 21, 2024 Bulletin had given an overview of three CJEU rulings that clarified some important aspects of the general concepts of “processing” and “personal data.”
Some of the Court’s considerations are of general significance, while others should be put in context to the case before the Luxembourg judges.
The rulings were all issued on March 7, 2024; two are in response to references for preliminary rulings, specifically:
- c-740/22 on the Shine Finland Oy case on the notion of “processing of personal data”
- the c-604/22 IAB Europe on the notion of “personal data”, “controller”, and “joint controllers”
The third – a decision on the appeal regarding a European court judgment – is c-479/22 P, on the OC case on the notion of “personal data” and “identifiable natural person,” referring to Regulation (EU) 2018/1725 but whose analysis is also applicable to the GDPR.
In the previous Bulletin we focused precisely on the latter decision c-479/22 and on the notions of “personal data” and “identifiable natural person,” the subject of that ruling.
In this Bulletin, however, we examine the other two cited decisions – c-740/22 and c-604/22 – focusing on the notions of “processing” and “file” as well as “controller” and “joint controllers,” the subject of the pronouncements now referred to.
CJEU c-740/22 processing of personal data
La Corte di Giustizia, nella causa c-740/22, è intervenuta sulla portata della definizione del concetto di “trattamento”.
La domanda di pronuncia pregiudiziale verte sulla riconducibilità alla nozione di “trattamento di dati personali” ai sensi degli articoli 2(1) e 4(2) del GDPR, della comunicazione orale di informazioni su eventuali condanne penali in corso o già scontate a carico di una persona fisica.
The Court of Justice, in case c-740/22, intervened on the scope of the definition of the concept of “processing.”
The reference for a preliminary ruling concerns whether the oral communication of information about any pending or already served criminal convictions against a natural person falls under the concept of “processing of personal data” within the meaning of Articles 2(1) and 4(2) of the GDPR.