Language of document : ECLI:EU:C:2017:582

Provisional text

OPINION OF ADVOCATE GENERAL

KOKOTT

delivered on 20 July 2017 (1)

Case C434/16

Peter Nowak

v

Data Protection Commissioner

(Request for a preliminary ruling from the Supreme Court (Ireland))

‘Request for a preliminary ruling — Directive 95/46/EC — Processing of personal data — Concept of personal data — Access to one’s own examination script — Examiner’s corrections’






I.      Introduction

1.        Does an examination script consist of personal data in such a way that an examination candidate might therefore be entitled to ask the examination body for access to his own script on the basis of the Data Protection Directive? (2) This is the issue addressed by the present request for a preliminary ruling from the Irish Supreme Court. However, the main proceedings do not directly deal with access to an examination script, but concern the refusal of the former Irish Data Protection Commissioner to pursue a complaint made in response to the denial of access.

2.        The central question at issue here is whether the answers given by an examination candidate in an examination script may constitute personal data. Some subsidiary questions can also be discussed, such as whether it is significant that the script was handwritten and whether the examiner’s corrections on the script are also the personal data of the examination candidate.

3.        Although the Data Protection Directive will shortly be repealed by the General Data Protection Regulation, which is not yet applicable, (3) the latter will not affect the concept of personal data. Therefore, this request for a preliminary ruling is also of importance for the future application of the EU’s data protection legislation.

II.    Legal Framework

4.        Article 2(a) of the Data Protection Directive defines a numbers of concepts, in particular what is to be understood by ‘personal data’:

‘For the purposes of this Directive:

(a)      “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

(b)       “processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

(c)      “personal data filing system” (“filing system”) shall mean any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis’.

5.        The Directive’s scope is set out in Article 3:

‘1.      This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

2.      …’

6.        Article 12 of the Data Protection Directive provides for a right of access:

‘Member States shall guarantee every data subject the right to obtain from the controller:

(a)      without constraint at reasonable intervals and without excessive delay or expense:

–        confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,

–        communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,

–        knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15(1);

(b)      as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;’

7.        Recital 41 explains the purpose of the right of access:

‘… any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing; ...’

8.        Article 13(1) of the Data Protection Directive is the basis for exceptions to specific provisions:

‘(1)      Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6(1), 10, 11(1), 12 and 21 when such a restriction constitutes a necessary measure to safeguard:

(a)      national security;

(b)      defence;

(c)      public security;

(d)      the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;

(e)      an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters;

(f)      a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e);

(g)      the protection of the data subject or of the rights and freedoms of others.’

III. Facts and reference for a preliminary ruling

9.        Mr Nowak was a trainee accountant who had undertaken and passed a number of examinations set by the Institute of Chartered Accountants of Ireland (‘CAI’). However, he attempted without success to pass the Strategic Finance and Management Accounting examination on four separate occasions. This was an open book examination to which the candidate was allowed to bring his own reference material.

10.      After the fourth attempt, in the autumn of 2009, Mr Nowak questioned the result, but ultimately, in May 2010, he decided to submit a data access request under Irish data protection legislation seeking all ‘personal data’ held by the CAI.

11.      The CAI released 17 items to Mr Nowak by letter of 1 June 2010, but declined to release his examination script on the basis that the CAI had been advised that the script did not constitute ‘personal data’ within the meaning of the data protection legislation.

12.      Mr Nowak then contacted the Office of the Data Protection Commissioner, the data protection supervision body in Ireland, asked for its assistance and argued that his script was personal data. In June 2010 the Data Protection Commissioner sent an email to Mr Nowak to advise him, inter alia, that ‘exam scripts do not generally fall to be considered [for data-protection purposes] ... because this material would not generally constitute personal data.’

13.      There followed further correspondence between Mr Nowak and the then Data Protection Commissioner, culminating in Mr Nowak’s submission of a formal complaint on 1 July 2010. By a letter of 21 July 2010, the Data Protection Commissioner stated to Mr Nowak that, having reviewed the information, he had identified no substantive contravention of the data protection legislation. Further, that letter also indicated that the material over which Mr Nowak sought to exercise ‘a right of correction is not personal data to which [data protection legislation] applies.’ The Data Protection Commissioner therefore did not examine the complaint any further.

14.      Mr Nowak brought an action against this decision before the Irish courts, where the proceedings are now pending at the Supreme Court. The latter has referred the following questions to the Court of Justice:

‘(1)      Is information recorded in/as answers given by a candidate during a professional examination capable of being personal data within the meaning of Data Protection Directive?

(2)      If the answer to Question 1 is that all or some of such information may be personal data within the meaning of the Directive, what factors are relevant in determining whether in any given case such script is personal data, and what weight should be given to such factors?’

15.      In the proceedings before the Court, Mr Nowak and the present Irish Data Protection Commissioner have made written submissions as parties to the main proceedings, while the Hellenic Republic, Ireland, the Republic of Poland, the Portuguese Republic, the Republic of Austria, Hungary, the Czech Republic and the European Commission have also made written submissions. At the hearing on 22 June 2017, as well as Mr Nowak and the Irish Data Protection Commissioner, Ireland and the European Commission were also represented.

IV.    Legal assessment

16.      The question at the heart of the request for a preliminary ruling is whether examination scripts are to be regarded as personal data (see A below). In addition, some of the parties also raise the issue of whether any corrections by an examiner are personal data of the examination candidate (see B below). Finally, the Commission in particular has expressed its view regarding additional requirements for there to be a right to access under data protection legislation (see C below).

A.      The examination script

17.      By the two questions, which can be answered together, the Supreme Court seeks to ascertain whether a written examination script may fall under the definition of personal data in Article 2(a) of the Data Protection Directive. The background to that issue is that Mr Nowak, the candidate in the examination concerned, is seeking access to his examination script on the basis of the right of access provided under data protection legislation, as laid down in Article 12 of the Data Protection Directive, and had unsuccessfully submitted a complaint in that regard to the then Irish Data Protection Commissioner.

1.      Definition of personal data

18.      The scope of the Data Protection Directive is very wide and the personal data covered by the Directive is varied. (4) In accordance with Article 2(a) ‘personal data’ means any information relating to an identified or identifiable individual.

(a)    The classification of examination scripts

19.      The present Irish Data Protection Commissioner takes the view that an examination script, in particular when the use of one’s own reference material is allowed, does not constitute personal data. That view may be correct, in general, when an assessment is made, in isolation, of the solution to examination exercises. Since examination exercises are normally formulated in abstract terms or relate to hypothetical situations, (5) answers to them are not liable to contain any information relating to an identified or identifiable individual.

20.      Although the questions raised by the Supreme Court actually appear to address only the solution, i.e. ‘information recorded ... by a candidate’, it would not be sensible to end the analysis there.

21.      That is because, as nearly all the other parties have rightly submitted, an examination script contains not only information about the solution to certain exercises but links that solution to the individual examination candidate who produces the script. The script is a documentary record that that individual has taken part in a given examination and how he performed. The personal connection to that performance is also shown in the fact that examination candidates often include their most important examination results in their CVs.

22.      Whether a script consists of one’s own composed answers or the selection of specified answers in a multiple choice procedure is of as little importance for the classification of an examination script as incorporating personal data as the possibility in the present case of being able to use certain material (an ‘open book examination’).

23.      It is true that the extent of the link between an examination candidate and his performance in an examination increases according to the extent to which he has to formulate the answers himself. That is because the formulation of one’s own solution is not confined merely to reproducing information that has been learned but also shows how the examination candidate thinks and works.

24.      However, in every case, the aim of an examination — as opposed, for example, to a representative survey — is not to obtain information that is independent of an individual. Rather, it is intended to identify and record the performance of a particular individual, i.e. the examination candidate. Every examination aims to determine the strictly personal and individual performance of an examination candidate. There is a good reason why the unjustified use in examinations of work that is not one’s own is severely punished as attempted deception.

25.      Consequently, an examination script incorporates information about the examination candidate and is in that sense a collection of personal data.

26.      That this is the correct conclusion is also shown, moreover, in the fact that an examination candidate has a legitimate interest, based on the protection of his private life, in being able to object to the processing outside the examination procedure of the examination script ascribed to him. An examination candidate does not have to accept that his script can be disclosed to third parties or published without his permission.

27.      Contrary to the argument of the Irish Data Protection Commissioner, the personal data incorporated in an examination script is not confined to the examination result, the mark achieved or even points scored for certain parts of an examination. That marking merely summarises the examination performance, which is recorded in detail in the examination script itself.

28.      The classification of an examination script as incorporating personal data is not affected if, instead of bearing the examination candidate’s name, the script has an identification number or bar code. Under Article 2(a) of the Data Protection Directive, it is sufficient for the existence of personal information that the data subject may at least be indirectly identified. (6) Thus, at least where the examination candidate asks for the script from the organisation that held the examination, that organisation can identify him by means of the identification number.

(b)    Importance of handwriting

29.      Mr Nowak, Poland and the Czech Republic also rightly argue that answers that are handwritten contain additional information about the examination candidate, namely about his handwriting. A script that is handwritten is thus, in practice, a handwriting sample that could at least potentially be used at a later date as evidence to determine whether another text was also written in the examination candidate’s writing. It may thus provide indications of the identity of the author of the script.

30.      The question whether such a handwriting sample is a suitable means of identifying the writer beyond doubt is of no importance for its classification as personal data. Many other items of personal data are equally incapable, in isolation, of allowing the identification of individuals beyond doubt. For that reason, neither is it necessary to determine whether the handwriting should be regarded as biometrical information.

2.      Purpose of the right of access

31.      Contrary to the view held by Ireland, neither does the purpose of the right of access to personal data set out in recital 41 of the Data Protection Directive preclude the classification of an examination script as personal data. It is stated there that any person must be able to exercise the right of access to data relating to him which is being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing. Ireland is concerned that, on this basis, in conjunction with the right of rectification laid down in Article 12(b), the examination candidate will seek the correction of incorrect examination answers.

(a)    Teleological interpretation of the concept of ‘personal data’

32.      First, it must be remembered that the issue of right of access is only secondary in this case, where the main issue is in fact the interpretation of the concept of ‘personal data’. As the Commission rightly pointed out at the hearing, a number of additional requirements of the Data Protection Directive are linked to this concept. Thus, for example, Article 6(1)(a) requires that personal data be processed fairly and lawfully and Article 6(1)(b) provides that personal data is only collected and processed for specific purposes.

33.      In the context of the present case, it is of particular interest that under Article 8(3) of the Charter of Fundamental Rights, Article 16(2) TFEU and Article 28 of the Data Protection Directive, supervisory authorities, acting in complete independence, are to monitor compliance with EU provisions dealing with the protection of individuals with regard to the processing of personal data. (7) In that connection, Article 8(1) and (3) of the Charter and Article 28(4) of the Data Protection Directive guarantee to the individuals to which the data in question relates the right that their claims regarding the protection of their fundamental rights should be heard by the national supervisory authorities. (8)

34.      Therefore, the classification of information as personal data cannot be dependent on whether there are specific provisions about access to this information which might apply in addition to the right of access or instead of it. Further, neither can problems connected with the right of rectification be decisive in determining whether there exists personal data. If those factors were regarded as determinative, certain personal data could be excluded from the entire protective system of the Data Protection Directive, even though the rules applicable in their place do not ensure equivalent protection but fragmentary protection at best.

(b)    Rectification of data

35.      However, if one concentrates on the right of access and the issue of rectification, it must be recognised that in relation to an examination script this right clearly cannot be claimed in order, subsequent to obtaining that access, to demand rectification, pursuant to Article 12(b) of the Data Protection Directive, of the contents of the script, i.e. the solution written down by the examination candidate. (9) As Poland has rightly emphasised, the accuracy and completeness of personal data pursuant to Article 6(1)(d) must be judged by reference to the purpose for which the data was collected and processed. The purpose of an examination script is to determine the knowledge and skills of the examination candidate at the time of the examination, which is revealed precisely by his examination performance and particularly by the errors in the examination. The existence of errors in the solution does not therefore mean that the personal data incorporated in the script is inaccurate.

36.      However, rectification would be conceivable if it were the case that the script inaccurately or incompletely recorded the examination performance of the data subject. For example, such a situation would arise if — as observed by Greece — the script of another examination candidate had been ascribed to the data subject, which could be shown by means of, inter alia, the handwriting, or if parts of the script had been lost.

37.      Furthermore, the possibility cannot be excluded that an examination candidate may have a legitimate interest at a later date in having personal data incorporated in the script erased under Article 12(b) of the Data Protection Directive, i.e. in having the script destroyed. Such an interest might be assumed at the latest when the script has lost any probative value in terms of checking the examination result because the relevant time limits have expired. This right of erasure again presupposes recognition of the incorporation of personal data in the script.

38.      Finally, rectification and the other rights set out under Article 12(b) of the Data Protection Directive, namely blocking and erasure, are not the sole aims of the right of access.

39.      Recital 41 does indeed describe the purpose of access as being that the data subject may verify in particular the accuracy of the data and the lawfulness of the processing. By using ‘in particular’ in most language versions, (10) however, the legislature has indicated that the purpose goes further. For even irrespective of rectification, erasure or blocking, data subjects generally have a legitimate interest in finding out what information about them is processed by the controller.

40.      It is indeed true that an examination candidate’s need for information is initially likely to be extremely limited with respect to an examination script. He will generally still have a relatively good recollection of the contents of his answers and also assume that the examination body is still retaining his script.

41.      A few years later, that recollection is likely to be considerably weaker, so that a genuine need for information, for whatever reasons, will be reflected in a possible request for access. In addition, there is greater uncertainty with the passing of time — in particular, once any time limits for complaints and checks have expired — about whether the script is still being retained. In such circumstances the examination candidate must at least be able to find out whether his script is still being retained. That right, too, presupposes that the incorporation of the examination candidate’s personal data in the script is recognised.

(c)    Abuse of the right of access

42.      Further, the question of abuse of the rights laid down by data protection legislation must be examined, because the complaint lodged by Mr Nowak was classed as abusive by the Data Protection Commissioner in Ireland and his claim to access considered abusive in the present proceedings by the Czech Republic. That criticism appears to refer to the fact that Mr Nowak did not use the procedure established for checking the examination result but claimed a right of access under data protection legislation.

43.      In that regard, it is true that it is not permitted improperly or fraudulently to take advantage of provisions of EU law. (11)

44.      A finding of an abusive practice requires a combination of objective and subjective elements. First, with regard to the objective element, such a finding requires that it must be apparent from a combination of objective circumstances that, despite formal observance of the conditions laid down by EU rules, the purpose of those rules has not been achieved. Second, such a finding requires a subjective element, namely that it must be apparent from a number of objective factors that the essential aim of the transactions concerned is to obtain an undue advantage. The prohibition of abuse is not relevant where the activity carried out may have some explanation other than the mere attainment of an (undue) advantage. (12)

45.      If examination scripts incorporate personal data, according to the pleadings of the Data Protection Commissioner and Ireland, a misuse of the aim of the Data Protection Directive would arise in so far as a right of access under data protection legislation would allow circumvention of the rules governing the examination procedure and objections to examination decisions.

46.      However, any alleged circumvention of the procedure for the examination and objections to the examination results via the right of access laid down by data protection legislation would have to be dealt with using the provisions of the Data Protection Directive. In that regard, Article 13 in particular comes to mind, which allows for exceptions to the right of access to be established to protect certain interests specified therein.

47.      To the extent that these grounds do not justify exceptions in certain situations, as may be the case in connection with examinations, it must be recognised that the legislature has given precedence to the data protection requirements which are anchored in fundamental rights over any other interests affected in a specific instance.

48.      However, it should be pointed out that the General Data Protection Regulation, which will apply in the future, resolves this tension. First, under Article 15(4) of the regulation, the right to obtain a copy of personal data is not to adversely affect the rights and freedoms of others. Second, Article 23 of the regulation sets out the grounds for a restriction of data protection guarantees in slightly broader terms than Article 13 of the Directive, since, in particular, protection of other important objectives of general public interest of the Union or of a Member State pursuant to Article 23(1)(e) of the regulation may justify restrictions.

49.      On the other hand, the mere existence of other national legislation that also deals with access to examination scripts is not sufficient to allow the assumption that the purpose of the Directive is being misused.

50.      However, even if one wished to assume misuse of purpose, it is still not apparent where the undue advantage lies if an examination candidate were to obtain access to his script via his right of access. In particular, no abuse can be identified in the fact that someone obtains information via the right of access which he could not otherwise have obtained. If there were already access to personal information, the introduction of a right of access under data protection law would not have been required. It is instead the task of the right to access under data protection legislation to make available to the person concerned — subject to the exceptions provided for in Article 13 of the Data Protection Directive — access to his own data, where otherwise no right of access exists.

3.      Interim conclusion

51.      In brief, it can be concluded that a handwritten examination script capable of being ascribed to an examination candidate constitutes personal data within the meaning of Article 2(a) of the Data Protection Directive.

B.      Examiner’s corrections on the examination script

52.      Some of the parties and in particular Mr Nowak raise the question of whether any corrections made by the examiner on the examination script are also personal data with respect to the examination candidate.

53.      However, an answer to this question is not necessary for a decision in the main proceedings since it is not at issue whether any such corrections constitute information about Mr Nowak. Rather, the subject matter of the proceedings is whether the then Irish Data Protection Commissioner was entitled to dismiss the complaint submitted by Mr Nowak on the ground that his examination script was a priori not personal data. The extent to which corrections should also be regarded as data relating to the examination candidate would have to be ruled upon not by the Supreme Court but rather, should the action be successful, at first instance by the present Irish Data Protection Commissioner. I will however discuss this point in case the Court should nonetheless decide to address it.

54.      As opposed to the examination script overall, it is hard to imagine a right of rectification, erasure or blocking of inaccurate data, under data protection legislation, in relation to corrections made by the examiner. It appears inconceivable that comments made on the script could in fact refer to another script or not reflect the examiner’s opinion. It is precisely that opinion that the comments are meant to record. Therefore, in the context of the Data Protection Directive, such comments would not be wrong or in need of correction even if the evaluation recorded in them were not objectively justified.

55.      Any objections to the comments would consequently have to be dealt with as part of a challenge to the evaluation of the script.

56.      It would of course be conceivable that the right of erasure mentioned above in connection with the script might extend also to the corrections.

57.      The primary purpose however of a right of access to the corrections made by the examiner would be to inform the examination candidate about the evaluation of particular sections of his script.

58.      In that respect, the present case resembles one in which the Court refused extension of the right of access to the draft legal analysis of an asylum application on the grounds that that did not serve the purpose of the Data Protection Directive but would establish a right of access to administrative documents. (13) In this case, it could be assumed that access to information about the evaluation of an examination script should be obtained primarily through the examination procedure or a special procedure for challenging examination decisions and not on the basis of data protection legislation. Where such an examination procedure is not determined by EU law, any claims to information made in connection with it would depend on national legislation alone.

59.      Furthermore, in the aforementioned judgment the Court ruled that such a legal analysis is not information relating to the applicant for a residence permit, but at most information about the assessment and application by the competent authority of the law to the applicant’s situation. (14) At first glance, this finding could also be transposed to the examiner’s corrections. They would therefore merely show how the examiner assessed the answers.

60.      In fact, it is not at all necessary that an examiner knows who produced a script when marking it. On the contrary, in many written examination procedures, such as is the case in the main proceedings, importance is placed on examiners not finding out the identity of the candidates, in order to exclude conflicts of interest or bias. Their comments initially bear no relation to the identity of the examination candidate, as indeed is the case with the examination at issue here.

61.      Nonetheless, the purpose of comments is the evaluation of the examination performance and thus they relate indirectly to the examination candidate. The organisation holding the examination is also able to identify the candidate without difficulty and link him with the corrections once it receives the marked script back from the examiner.

62.      Moreover, as Austria has submitted, in general, comments on an examination script are typically inseparable from the script itself — as opposed, for example, to a short appraisal report concerning the script — because they would not have any informative value without it. However, the script itself incorporates, as previously stated, personal data of the examination candidate. The purpose of collecting and processing this data is precisely to permit the evaluation of the examination candidate’s performance as incorporated in the examiner’s corrections.

63.      Precisely because of that close link between the examination script and any corrections made on it, the latter also are personal data of the examination candidate pursuant to Article 2(a) of the Data Protection Directive.

64.      The possibility of circumventing the examination complaint procedure is not, by contrast, a reason for excluding the application of data protection legislation. The fact that there may, at the same time, be additional legislation governing access to certain information is not capable of superseding data protection legislation. At most it would be admissible for the individuals concerned to be directed to the simultaneously existing rights of information, provided that these could be effectively claimed.

65.      It should be mentioned for the sake of completeness that corrections made by the examiner are, at the same time, his personal data. His rights are an appropriate basis in principle for justifying restrictions to the right of access pursuant to Article 13(1)(g) of the Data Protection Directive if they outweigh the legitimate interests of the examination candidate. However, the definitive resolution to this potential conflict of interests is likely to be the destruction of the corrected script once it is no longer possible to carry out a subsequent check of the examination procedure because of the lapse of time.

C.      Additional requirements for the application of the Data Protection Directive

66.      The Commission rightly points out that the application of the Data Protection Directive and of the right to access is subject to additional requirements, beyond the existence of personal data, and also allows restrictions on the right to information.

67.      However, no questions have been raised about these additional requirements and restriction options and therefore the Court need not address them. It would also appear that their consideration is not necessary in order for the Supreme Court to be able to rule on whether the then Irish Data Protection Commissioner was right to refuse further examination of the complaint made by Mr Nowak.

68.      Should the Court nonetheless wish to comment on these questions, Article 3(1) of the Data Protection Directive in particular would initially appear of interest. This states that the Directive is to apply only to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

69.      It does not seem obvious that Mr Nowak’s examination script was processed by automatic means, such as being entered and saved in an electronic data processing system. It can nevertheless be assumed that it is at least part of a ‘filing system’. For, according to Article 2(c) of the Data Protection Directive, a filing system does not necessarily have to be saved in an electronic data processing system. Rather, this concept covers any structured set of personal data which is accessible according to specific criteria. A physical set of examination scripts in paper form ordered alphabetically or according to other criteria meets those requirements.

V.      Conclusion

70.      I therefore propose that the Court should rule as follows:

A handwritten examination script capable of being ascribed to an examination candidate, including any corrections made by examiners that it may contain, constitutes personal data within the meaning of Article 2(a) of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.


1      Original language: German.


2      Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31), as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003 (OJ 2003 L 284, p. 1).


3      Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ 2016 L 119, p. 1).


4      Judgments of 6 November 2003, Lindqvist (C‑101/01, EU:C:2003:596, paragraph 88), and of 7 May 2009, Rijkeboer (C‑553/07, EU:C:2009:293, paragraph 59).


5      This appears to be the format of the examination that led to the current proceedings. See Strategic Finance and Management Accounting (SFMA), Interim Assessment — January 2017, Final Exam Version, Paper and Suggested Solution with Examiner’s Comments (https://www.charteredaccountants.ie/docs/default-source/dept-exams/cap2-sfma-2017-ia1-prs-final037b534808b3649fa7d8ff000079c5aa.pdf?sfvrsn= 0), retrieved on 8 June 2017.


6      See, as an illustration, the judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779, paragraphs 40 to 44).


7      For example, in the judgment of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650, paragraph 40 et seq.).


8      Judgment of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650, paragraphs 58 and 59).


9      This is the essence, itself correct, of the otherwise unconvincing statements in the judgment of the Civil Service Tribunal of 12 February 2014, De Mendoza Asensi v Commission (F‑127/11, EU:F:2014:14, paragraph 101).


10      This applies to the German, English, French, Spanish, Italian, Portuguese, Romanian, Bulgarian, Croatian, Latvian, Lithuanian, Polish, Slovenian, Slovakian, Czech, Estonian, Greek, Hungarian, Maltese and Finnish versions. However, the expression appears to be absent in the Danish, Swedish or Dutch versions, for example.


11      Judgments of 9 March 1999, Centros (C‑212/97, EU:C:1999:126, paragraph 24), and of 2 June 2016, Bogendorff von Wolffersdorff (C‑438/14, EU:C:2016:401, paragraph 57).


12      Judgment of 28 July 2016, Kratzer (C‑423/15, EU:C:2016:604, paragraphs 38 to 40) and the case-law cited.


13      Judgment of 17 July 2014, YS and Others (C-141/12 and C-372/12, EU:C:2014:2081, paragraph 46).


14      Judgment of 17 July 2014, YS and Others (C-141/12 and C-372/12, EU:C:2014:2081, paragraph 40).