Provisional text
OPINION OF ADVOCATE GENERAL
SZPUNAR
delivered on 11 July 2024 (1)
Case C‑394/23
Association Mousse
v
Commission nationale de l’informatique et des libertés (CNIL),
SNCF Connect
(Request for a preliminary ruling from the Conseil d’État (France))
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 6(1) – Principle of lawfulness of processing – Article 5(1)(c) – Principle of data minimisation – Title – Online purchase of a transport service – Article 21 – Right to object)
I. Introduction
1. Regulation (EU) 2016/679 (2) (‘the GDPR’) aims to ensure a high level of protection of natural persons with regard to the processing of their personal data. In order to do so, it places on controllers an obligation to respect a number of principles when they process personal data, including the principle of ‘data minimisation’ and the principle of lawfulness of processing.
2. Those two principles are at the heart of the present case, which relates to a dispute between an association and a national supervisory authority, concerning the processing by a transport undertaking of data relating to the customer’s title with the stated aim of using those data in its commercial communications, and which thus provides the Court with the opportunity to clarify the scope of those principles.
II. Legal framework
A. European Union law
3. Recitals 4, 10, 39, 40, 44, 47, 69 and 75 of the GDPR state:
‘(4) The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter of Fundamental Rights of the European Union (‘the Charter’) as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
…
(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …
…
(39) … The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. … Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. …
(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including … the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
…
(44) Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.
…
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client … of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. … The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
…
(69) Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third party, a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.
…
(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination …’
4. As set out in Article 2(1), the GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
5. Article 4 of the GDPR, entitled ‘Definitions’, provides:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person …
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording …
…
(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; …
…
(11) “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
…’
6. Article 5 of the GDPR, entitled ‘Principles relating to processing of personal data’, provides:
‘1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
…
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
…’
7. Article 6 of the GDPR, entitled ‘Lawfulness of processing’, provides, in paragraph 1:
‘Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
…’
8. Article 13 of the GDPR, entitled ‘Information to be provided where personal data are collected from the data subject’ provides:
‘1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
…
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
…’
9. Article 21 of the GDPR, entitled ‘Right to object’, provides, in paragraph 1:
‘The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.’
10. Article 25 of the GDPR, entitled ‘Data protection by design and by default’, provides, in paragraph 2:
‘The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. …’
B. French law
11. Article 8 of Law No 78-17 on information technology, data files and freedoms of 6 January 1978 (3) provides:
‘The National Commission on information technology and freedoms [(CNIL)] is an independent administrative authority. It is the national supervisory authority for the purposes and the application of the [GDPR]. It shall carry out the following tasks:
…
2 It shall ensure that the processing of personal data is carried out in accordance with the provisions of this Law and the other provisions relating to the protection of personal data laid down by law and regulation, European Union law and the international commitments entered into by France.
On that basis:
…
(d) It shall deal with complaints and petitions lodged by a data subject or by a body, organisation or association, examine or investigate the subject matter of the complaint, to the extent necessary, and inform the complainant of the progress made and the outcome of the investigation within a reasonable time, in particular where further investigation or coordination with another supervisory authority is necessary. …’
III. The facts of the main proceedings, the proceedings before the Court and the questions referred for a preliminary ruling
12. SNCF Connect is a company which sells rail travel documents such as train tickets, season tickets and discount cards via its website and ‘apps’ (applications). When buying those travel documents, its customers are required to indicate their title, by clicking on ‘Monsieur’ or ‘Madame’ [‘Mr’ or ‘Ms’].
13. Taking the view that the conditions under which customers’ titles were collected and recorded when they purchased travel documents did not meet the requirements of the GDPR, the plaintiff in the main proceedings, the Association Mousse (‘Mousse’), lodged a complaint with the CNIL against SNCF Connect. In support of that complaint, Mousse claimed that the collection of the data concerned was not consistent with the principle of lawfulness, enshrined in Article 5(1)(a) of that regulation, since it was not based on any of the grounds set out in Article 6(1) of that regulation. In addition, such data collection constitutes a breach of the principle of data minimisation and the principle of accuracy, set out in Article 5(1)(c) and (d), respectively, of that regulation. In that context, Mousse maintained that SNCF Connect should not collect those data or that it should, at the very least, offer customers additional possibilities, such as ‘Neutre’ or ‘Autre’ [‘Neutral’ or ‘Other’].
14. By decision of 23 March 2021, the CNIL closed the complaint submitted to it, taking the view that the facts alleged against SNCF Connect did not constitute a breach of the relevant provisions of the GDPR. The CNIL found that the data processing was lawful, under point (b) of Article 6(1) of that regulation, on the ground that it was necessary for the performance of the contract for the supply of transport services. In addition, the CNIL observed that, in the light of its purposes, such processing was consistent with the principle of data minimisation, since addressing customers using their title corresponded to common practice in civil, commercial and administrative communications.
15. On 21 May 2021, Mousse brought an action for annulment of the CNIL’s decision of 23 March 2021 before the Conseil d’État (Council of State, France). In its application, Mousse claims, in particular, that the obligation to choose the indication ‘Monsieur’ or ‘Madame’ when purchasing online does not respect the principle of lawfulness or the principle of data minimisation, set out in Article 5(1)(a) and (c), respectively, of the GDPR, since that indication is not necessary for the performance of the contract, or for the purposes of the legitimate interests of SNCF Connect. The fact that that indication is used in commercial correspondence does not suffice to make the collection of those data necessary. Lastly, such an obligation is capable of infringing the right to travel without disclosing one’s title, the right to respect for private life and the freedom freely to define one’s gender expression. As regards, in particular, nationals of countries whose civil status recognises ‘non-binary’, that indication does not correspond to reality and may therefore prove contrary to the principle of accuracy, set out in Article 5(1)(d) of that regulation, while infringing their freedom of movement, guaranteed by EU law.
16. The CNIL contends that the action should be dismissed and claims that the processing of the data relating to title can also be classified as ‘necessary’ for the purposes of the legitimate interests pursued by SNCF Connect, within the meaning of point (f) of Article 6(1) of the GDPR, and that data subjects can – depending on their particular situation – rely on the right to object guaranteed in Article 21 of that regulation.
17. The referring court is uncertain, first, whether, for the purpose of assessing whether the collection of the data is adequate, relevant and limited to what is necessary, account may be taken of commonly accepted practices in civil, commercial and administrative communications, with the consequence that the collection of data relating to customers’ titles, limited to ‘Monsieur’ or ‘Madame’, may be regarded as ‘lawful and consistent’ with the principle of data minimisation. It is also uncertain, second, whether, for the purpose of assessing whether the compulsory collection and subsequent processing of data relating to customers’ titles, when some customers consider that they do not come under either of the two titles, account should be taken of the fact that those customers may, after having provided those data to the data controller in order to benefit from the service offered, exercise their right to object to the use of such data on grounds relating to their particular situation, within the meaning of Article 21 of the GDPR.
18. In that context, the Conseil d’État (Council of State, France) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) In order to assess whether data collection is adequate, relevant and limited to what is necessary, within the meaning of Article 5(1)(c) of the GDPR and the need for processing in accordance with points (b) and (f) of Article 6(1) of that regulation, may account be taken of commonly accepted practices in civil, commercial and administrative communications, with the result that the collection of data relating to customers’ titles, which is limited to “Monsieur” or “Madame”, may be regarded as necessary, without this being precluded by the principle of data minimisation?
(2) In order to assess the need for the compulsory collection and processing of data relating to customers’ titles, even though some customers consider that they do not come under either of the two titles and that the collection of such data is not relevant in their case, should account be taken of the fact that those customers may, after having provided those data to the data controller in order to benefit from the service offered, exercise their right to object to the use and storage of those data by relying on their particular situation, in accordance with Article 21 of the GDPR?’
19. Mousse, SNCF Connect, the French Government and the European Commission lodged written observations. Those parties took part in the hearing on 29 April 2024.
IV. Analysis
A. The first question
20. By its first question, the referring court asks, in essence, whether Article 5(1)(c) and points (b) and (f) of Article 6(1) of the GDPR must be interpreted as meaning that the processing of personal data relating to the titles of the customers of a transport undertaking must be regarded as necessary for the performance of a contract or for taking steps prior to entering into a contract or necessary for the purposes of the legitimate interests pursued by the controller or by a third party, where that processing aims to allow personalised commercial communication while ensuring respect for commonly accepted practices in commercial communications.
21. I must make, at the outset, two preliminary observations in that respect.
22. First, I note that the parties are agreed, and that there is no doubt, that the data relating to the title of customers of a transport undertaking constitute personal data, within the meaning of Article 4(1) of the GDPR, and that, in addition, the collection and recording of those data by SNCF Connect must be regarded as ‘processing’, within the meaning of Article 4(2) of that regulation, and must therefore be examined in the light of the provisions of that regulation.
23. Second, SNCF Connect and the French Government defend the notion that if the answer to the first question is in the negative, the consequence would be that the GDPR would be applied in a context alien to it, in so far as, in adopting that regulation, the legislature did not intend to regulate practices employed in communications or the issue of gender. While I am willing to accept, like Advocate General Bobek, that the rules on the protection of private life may sometimes be ‘employed in rather surprising circumstances’, (4) it nevertheless seems to me that the present situation is not among them. The fact that data relating to civil identity are at issue and that discussions in the national legal orders of the question of the binary nature of gender are thus indirectly concerned cannot conceal the fact that, in the present case, the issue is indeed the automatic processing by a transport company of the personal data of its customers, which not only comes, objectively, within the scope of the GDPR, but is indeed a data processing operation which the EU legislature intended to regulate. (5)
24. I shall therefore begin my analysis of the first question with some general observations on the condition relating to the lawfulness of the data processing, to which, under the GDPR, controllers are subject, before determining whether, in the light of established principles, that condition must be deemed to be satisfied in the case of the processing of data relating to the title of the customers of a transport undertaking with the aim of communicating with those customers by employing practices commonly accepted in commercial communications.
1. The lawfulness of the processing of personal data
25. Article 5 of the GDPR establishes a number of principles relating to the processing of personal data. In particular, it provides that such data ‘shall be processed lawfully’ (6) and be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. (7) In other words, all data processing must comply, in particular, with the principle of lawfulness and the principle of data minimisation.
26. Article 6 of the GDPR defines the scope of the principle of the lawfulness of data processing. In that it permits a limitation of the right to the protection of personal data, (8) Article 6(1) of that regulation satisfies the conditions set out in Article 52(1) of the Charter: the limitation in question is provided for by law and respects the essence of that right. Furthermore, that limitation is necessary and meets an objective of general interest recognised by the European Union or the need to protect the rights and freedoms of others. (9)
27. Thus the legislature laid down six grounds on which data processing is lawful, explaining the objectives of general interest and the rights and freedoms requiring protection that may justify a limitation of the right to the protection of personal data. Article 6(1) of the GDPR thus sets out ‘an exhaustive and restrictive list of the cases in which processing of personal data can be regarded as lawful’. (10)
28. Article 6(1) of the GDPR does not establish a strict hierarchy (11) between the grounds on which data processing must be regarded as lawful. The Court has thus clarified, in its case-law, the relationship between those grounds.
29. First, it has observed that, under point (a) of Article 6(1) of the GDPR, ‘the processing of personal data is lawful if and to the extent that the data subject has given consent for one or more specific purposes’. The Court further observed that ‘in the absence of such consent, … such processing is nevertheless justified where it meets one of the requirements of necessity mentioned in [points (b) to (f) of Article 6(1)] of that regulation’. (12) In addition, it held that ‘the justifications [in question], in so far as they allow the processing of personal data carried out in the absence of the data subject’s consent to be made lawful, must be interpreted restrictively’. (13) The grounds of the processing of personal data set out in Article 6(1) of that regulation are therefore equivalent and none of them must be regarded as subsidiary in relation to another.
30. Second, the Court has made clear that the justifications set out in Article 6(1) of the GDPR are non-cumulative in nature. It thus stated that ‘where it can be found that the processing of personal data is necessary in respect of one of the justifications provided for in points (b) to (f) of the first subparagraph of Article 6(1) of the GDPR, it is not necessary to determine whether that processing also falls within the scope of another of those justifications’. (14) In other words, as I had already stated, (15) the processing of personal data is lawful where it is justified on a single ground, and one ground cannot be regarded as subsidiary in relation to another.
31. The principle of lawfulness set out in detail in Article 6(1) of the GDPR cannot however be analysed in isolation. The Court thus consistently holds that that condition ‘must be examined in conjunction with the “data minimisation” principle enshrined in Article 5(1)(c) [of that regulation]’. (16) That principle, according to the Court’s case-law, and as I have already emphasised, (17) is an expression of the principle of proportionality, (18) which, as the French Government maintains in its written observations, requires that the means employed are appropriate for attaining the objective pursued and do not go beyond what is necessary to achieve it. (19)
32. In other words, the principle of data minimisation entails ascertaining that the data processed are appropriate for attaining the objective pursued by their processing – according to the grounds set out in Article 6(1) of the GDPR – and that the data processed are processed only if the purpose of the processing cannot reasonably be achieved by other means. The scope of the data thus processed, from both a quantitative and a substantive viewpoint, is no wider than is necessary to achieve that purpose. (20)
33. In that regard, I shall make a further remark. I note that the Court has interpreted the principle of data minimisation in conjunction with the principle of the lawfulness of the processing only in situations in which the processing in question was based on one of the grounds set out in points (b) to (f) of Article 6(1) of the GDPR. In other words, the Court has not made clear whether the principle of data minimisation is also applicable where the data subject has given consent to the processing of his or her personal data. It is indeed arguable that, in so far as the data subject gives his or her consent, the controller may process all data, without the principle of minimisation precluding such processing.
34. However, such an interpretation does not seem to me to be compatible with either the objective of the GDPR of ensuring a high level of the protection of personal data or with the wording of the provisions in question.
35. I note that point (a) of Article 6(1) of the GDPR provides that the processing shall be lawful only if the data subject has ‘given consent to the processing of his or her personal data for one or more specific purposes’. (21) In that regard, I emphasise that consent extends to ‘any freely given, specific, informed and unambiguous indication’. (22) In other words, it does not mean general consent to the processing of all data. In addition, the purpose for which consent has been given to the processing of the data must be communicated to the data subject. Article 5(1)(c) of that regulation itself provides that the data processed are to be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. (23) In those circumstances, the principle of data minimisation seems to me to apply even where those data are processed with the consent of the data subject and requires verification that the data in question are indeed limited to what is necessary to attain the specific purpose of the processing.
36. It is in the light of those considerations that I shall examine the processing by SNCF Connect of the data relating its customers’ titles in the light of points (b) and (f) of Article 6(1) of the GDPR, it being noted that the referring court refers exclusively to those two purposes of the processing.
2. Point (b) of Article 6(1) of the GDPR: the processing must be necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
37. Point (b) of Article 6(1) of the GDPR provides that the processing of personal data shall be lawful if it is ‘necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.
38. The Court clarified the scope of that provision in the judgment in Meta Platforms and Others. It thus held that ‘in order for the processing of personal data to be regarded as necessary for the performance of a contract, within the meaning of that provision, it must be objectively indispensable for a purpose that is integral to the contractual obligation intended for the data subject. The controller must therefore be able to demonstrate how the main subject matter of the contract cannot be achieved if the processing in question does not occur’. (24)
39. The parties are agreed that the main subject matter of the contract is defined as the supply of a travel document and, ultimately, the carriage of customers by rail. It must therefore be ascertained, first, whether the data relating to the customer’s title are processed in order to achieve a purpose forming an integral part of the supply of transport and, second, whether that processing is objectively indispensable for achieving that purpose.
(a) Identification of the purpose of the processing
40. SNCF Connect and the French Government claim that the performance of the transport contract entails communication with the customer, both when the reservation is made and during and after the journey in question, which means that SNCF Connect needs to know the customer’s title in order to be able to communicate in a personalised fashion with the customer in accordance with commonly accepted practices in commercial communications.
41. SNCF Connect further claims that it is important, for the performance of the transport contract, to know the sex of the data subject in order to able to adapt the service provided in individual cases, such as when providing assistance to persons with reduced mobility or providing access to women-only carriages on night trains. In that regard, I observe that such an objective is not, strictly speaking, the subject matter of the first question as formulated by the referring court, which refers expressly to commonly accepted practices in commercial communications. However, in so far as the referring court asks the Court more generally about the collection of data relating to title in the light of the principles of data minimisation and lawfulness of processing, I shall nonetheless examine such an argument.
42. As regards the purpose of communication with the customer, I am of the view that such communication should be considered to form an integral part of the transport contract. Such a contract entails the supply of a travel document and therefore being in contact with the customer for the purpose of sending the ticket to him or her. The need to communicate with the customer seems to me, moreover, to last for the duration of travel in order, inter alia, to advise the customer of any incident having an impact on his or her journey, and post travel, in particular in the event of exchanges with customer services regarding the journey.
43. In that regard, I must make clear that the French Government’s argument that the purpose of the processing is not only communication with the customer, but more specifically still communication with the customer in accordance with commonly accepted practices in commercial communications, must be rejected. On the one hand, a purpose as thus defined does not seem to me to form an integral part of the supply of a transport service: there is nothing to indicate that that service could not be performed in the absence of communication in accordance with commonly accepted practices in commercial communications. On the other hand, that argument is the result of circular reasoning. The purpose of the data processing as thus defined – to communicate in accordance with commonly accepted practices in commercial communications – is in fact confused with the means employed to attain that purpose – the use of commonly accepted practices in commercial communications.
44. As regards adapting the transport service to individual cases, as referred to by SNCF Connect, to my mind it is also difficult to dispute that it forms an integral part of that supply, since it is specifically intended to ensure its achievement.
45. However, even though the purposes of the processing at issue are in my view inherent in the supply of a transport service and may be accepted under point (b) of Article 6(1) of the GDPR, the processing of the personal data must also be indispensable for the achievement of the purpose relied on, so that the main object of the contract could not be achieved without that processing, and there must be no other practicable and less intrusive means of achieving the same purpose.
46. Indeed, I am of the view that the processing of data relating to title goes beyond what is necessary to permit the proper performance of the contract.
(b) The necessity of the processing for attaining the purposes identified
47. In the first place, as regards the purpose of the communication, the proper performance of the transport contract does not depend on the use of a title in the transport company’s communications with its customer, even where the controller intends to communicate with its customers in a personalised fashion. A transport company can easily communicate with its customers in a personalised fashion without using their title.
48. In addition, although SNCF Connect emphasised at the hearing the need to preserve a brand image by using expressions commonly accepted in commercial communications, other expressions showing respect for the customer that are not dependent on the customer’s title can allow that result to be attained.
49. That is a fortiori the case since, as Mousse maintains, and subject to verification by the referring court, SNCF Connect does not systematically employ, in practice, commonly accepted practices in commercial communications that require knowledge of the customer’s title, but uses other, more general, expressions, such as ‘Merci, bon voyage’ or ‘Bonjour’ [‘Thank you, have a good journey’ or ‘Hello’]. To my mind, the fact that customers’ titles are not systematically used in SNCF Connect’s communications clearly indicates not only that the processing of those data is not necessary for the performance of the contract in question but also, in the light of the principle of data minimisation, that the processing covers a broader range of data than is necessary.
50. In a similar vein, I note that, questioned on that point at the hearing, SNCF Connect agreed that the intentional communication of a title other than the data subject’s real title in reality has no impact on the supply of the transport service. In those circumstances, it must be stated that the main object of the contract can still be achieved in the absence of the processing of the data at issue.
51. In the second place, as regards the purpose of the adaptation of the provision of transport, there again, I am of the view that the processing of the data relating to title goes beyond what is necessary to allow it to be achieved. First, the relevant personal data that would allow such an adaptation do not seem to me to be the data relating to title, which, in the French Government’s opinion, do not constitute an element of an individual’s civil status, but the data relating to the customer’s sex, as stated in the individual’s civil status. Second, that objective could be achieved by collecting and processing those data not for all travel document orders, but only for the particular cases which require it, such as an order for a travel document to travel in a women-only carriage in a night train or a request for assistance for a person of reduced mobility.
52. In those circumstances, I am of the view that point (b) of Article 6(1) of the GDPR and Article 5(1)(c) of that regulation must be interpreted as meaning that the systematic processing of data relating to title cannot be regarded as necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, where that processing is intended to permit personalised commercial communication by ensuring compliance with commonly accepted practices in commercial communications or adapting the manner in which the travel service is supplied because of the sex of the data subject.
3. Point (f) of Article 6(1) of the GDPR: the necessity of the processing for the purposes of the legitimate interests pursued by the controller or by a third party
53. Point (f) of Article 6(1) of the GDPR provides that the processing of personal data shall be lawful if it is ‘necessary for the purpose of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child’.
54. The Court has consistently held that it follows from that provision that three cumulative conditions must be satisfied in order for the processing of personal data which it covers to be lawful. First, the controller or a third party must pursue a legitimate interest. Second, the processing of personal data is necessary in order to achieve the legitimate interest. Third, the interests or the fundamental freedoms and rights of the person concerned by the data protection do not override the legitimate interest of the controller or of a third party. (25)
55. As regards the first condition, relating to the pursuit of a legitimate interest, the Court made clear, in the judgment in Meta Platforms and Others, that, ‘according to Article 13(1)(d) of the GDPR, it is the responsibility of the controller, at the time when personal data relating to a data subject are collected from that person, to inform him or her of the legitimate interests pursued where that processing is based on point (f) of the first subparagraph of Article 6(1) of that regulation’ (26) The Court thus ruled, in that judgment, that point (f) of the first subparagraph of Article 6(1) of the GDPR must be interpreted as meaning that the processing of personal data ‘can be regarded as necessary for the purposes of the legitimate interests pursued by the controller or by a third party, within the meaning of that provision, only on condition that the operator has informed the users from whom the data have been collected of a legitimate interest that is pursued by the data processing’. (27)
56. In other words, failure to fulfil the obligation to provide information laid down in Article 13(1)(d) of the GDPR means that the processing of the personal data in question is unlawful.
57. As the Commission claims, and subject to verification by the referring court, it seems to me that SNCF Connect did not fulfil that obligation.
58. As the Commission contends, SNCF Connect refers, in the ‘privacy statement’ available on its website, to the legal basis of the processing of the data relating to title as being ‘legitimate interest’. I shall make two observations in that respect. First, the mere reference to ‘legitimate interest’, without any indication of precisely what that legitimate interest is, cannot satisfy the obligation to provide information laid down in Article 13(1)(d) of the GDPR, which requires the controller to state the legitimate interest pursued. Second, and in any event, the general reference to a legitimate interest in a ‘privacy statement’, which admittedly is available on the controller’s website, but which the customer must make a conscious effort to look up, is also inconsistent with Article 13(1)d) of that regulation. Under that provision, the controller is required to inform the data subject of the legitimate interest pursued at the time when personal data are collected, which in my view assumes that such information is brought directly to the customer’s attention when he or she provides the data in question relating to him or her.
59. Furthermore, questioned at the hearing on the obligation to provide information, SNCF Connect was unable to state that the legitimate interest pursued by the data processing is actually communicated to its customers at the time when the data relating to title are collected.
60. Accordingly, the first condition in point (f) of Article 6(1) of the GDPR, concerning the existence of a legitimate interest, interpreted in the light of the obligation to provide information about that interest laid down in Article 13(1)(d) of that regulation, is not satisfied. The processing of the data relating to title in such a situation cannot therefore be regarded as lawful within the meaning of that provision, without there being any need to examine whether the other two conditions laid down in point (f) of Article 6(1) of that regulation are satisfied.
(a) Conclusion on the interpretation of point (f) of Article 6(1) of the GDPR
61. It follows from the foregoing that, in my view, point (f) of Article 6(1) of the GDPR and Article 5(1)(c) of that regulation must be interpreted as meaning that processing of data relating to title of the customers of a transport company cannot be regarded as necessary for the purposes of the legitimate interests pursued by the controller or by a third party, within the meaning of that provision, in so far as that company has not informed the users from whom those data were collected of a legitimate interest pursued by the processing of those data.
(b) Additional remarks
62. In the interest of completeness, and should the Court conclude that the legitimate interest in question was communicated in accordance with Article 13(1)(d) of the GDPR, I shall nonetheless proceed to analyse the conditions that must be satisfied in order for the processing of personal data to be regarded as lawful on the basis of point (f) of Article 6(1) of that regulation.
63. As regards, in the first place, the condition relating to the existence of a legitimate interest, SNCF Connect and the French Government claim that the legitimate interest pursued is communication with the customer.
64. I note that the Court has held, concerning the concept of ‘legitimate interest’, that, ‘in the absence of a definition of that concept in the GDPR, it should be emphasised … that a wide range of interests is, in principle, capable of being regarded as legitimate’. (28)
65. On that point, I recall that SNCF Connect is an undertaking offering online sales of rail travel documents. As I have stated, (29) that service entails making contact with the customer, at least in order to send him or her the travel document. It therefore seems to me that the purpose of communication with the customer may constitute a legitimate interest for that undertaking, within the meaning of point (f) of Article 6(1) of the GDPR, so that the first condition, relating to the existence of such a legitimate interest, should in my view be considered satisfied.
66. As regards, in the second place, the condition that processing of the personal data must be necessary for the achievement of the legitimate interest, to my mind it is not satisfied. As I demonstrated in my analysis of point (b) of Article 6(1) of the GDPR, the processing of the data relating to title goes beyond what is necessary to attain the purpose of communication with the customer, as that communication can be effected without using those data. (30)
67. As regards, in the third and last place, the condition that the interests or fundamental rights and freedoms of the data subject do not override the legitimate interest of the controller or of a third party, it should be emphasised that the Court has held that ‘that condition entails a balancing of the opposing rights and interests at issue which depends in principle on the specific circumstances of the particular case and that, consequently, it is for the referring court to carry out that balancing exercise, taking account of those specific circumstances’. (31) I shall make certain observations, however, in order to provide guidance to the referring court in carrying out that assessment.
68. The Court has thus held that, ‘in the context of that balancing of the opposing rights at issue, namely, those of the controller, on the one hand, and those of the data subject, on the other, account must be taken … in particular of the reasonable expectations of the data subject as well as the scale of the processing at issue and its impact on that person’. (32)
69. In addition, it follows from recital 47 of the GDPR that ‘the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place’.
70. In that regard, I do not see to what extent the customer of a transport undertaking could reasonably have expected that his or her data relating to his or her title would be processed by that undertaking, with the aim of communicating with the customer in the context of the supply involving the purchase of a travel document.
71. In any event, I do not believe that the existence of reasonable expectations is sufficient on its own to ensure that the legitimate interest of the controller overrides the fundamental rights and freedoms of the data subject. While such an element is undoubtedly relevant in the context of the balancing exercise to be carried out, it cannot, on the other hand, systematically lead to the legitimate interest of the controller being held to take precedence, in particular where the processing of the personal data at issue is capable of impinging on a freedom or fundamental right of the data subject, as guaranteed by the Charter.
72. As Mousse maintains, that seems to me to be the case here. Mousse asserts that there is a risk of discrimination on the ground of gender as a result of the processing of the data relating to title, in particular in the case of transgender persons or persons having the nationality of a State that recognises non-binary gender.
73. In those circumstances, and subject to the verifications to be carried out by the referring court, I am of the view that the legitimate interest in communication with the customer cannot override the fundamental rights and freedoms of the data subject.
B. The second question
74. By its second question, the referring court seeks to ascertain, in essence, whether point (f) of Article 6(1) of the GDPR must be interpreted as meaning that, for the purpose of assessing the necessity of the processing of personal data within the meaning of that provision, account should be taken of the possible existence of a right for the data subject to object, on the basis of Article 21(1) of that regulation.
75. Article 21(1) of the GDPR provides that the data subject is to have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on point (e) or (f) of Article 6(1) of that regulation, including profiling based on those provisions. The controller is no longer to process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
76. According to settled case-law, for the interpretation of a provision of EU law, it is necessary to consider not only its wording, but also its context and the objectives pursued by the rules of which it is part. (33)
77. As regards the wording of Article 21(1) of the GDPR, I note that the EU legislature emphasises that the right to object concerns the processing of personal data based, inter alia, on point (f) of Article 6(1) of that regulation. In other words, as Mousse and the Commission maintain, the right to object assumes the existence of lawful processing, on the basis, in particular, of the legitimate interest of the controller. That right is therefore intended to be relied on only when the lawful processing has taken place, in order to bring it to an end.
78. That, in my view, is confirmed by the second part of Article 21(1) of the GDPR, which provides that, in the event of an objection on the basis of that provision by the data subject, the controller ‘shall no longer process the … data’. (34) Such a formulation clearly implies, in my view, that the processing of the data in question is lawful according to the conditions set out in point (f) of Article 6(1) of that regulation, but that, once the objection has been lodged, those data can no longer be processed.
79. In other words, Article 21(1) of the GDPR is intended to apply only when it has been established that the processing is lawful.
80. It therefore follows from the wording of Article 21(1) of the GDPR that the existence of a right to object is of no relevance whatsoever for the assessment of whether such processing is necessary under point (f) of Article 6(1) of that regulation, since the application of Article 21(1) of that regulation assumes that the conditions of point (f) of Article 6(1) of that regulation are already satisfied.
81. Such a literal interpretation of Article 21(1) of the GDPR is confirmed, moreover, when that provision is analysed in the light of the context and the objectives of that regulation.
82. As regards the contextual interpretation of that provision, I note that the reasons that can form the basis of the processing of personal data are set out in Article 6 of the GDPR, which concerns the principle of lawfulness and is found in Chapter II of that regulation, relating to the principles that govern the processing of personal data. Article 21 of that regulation is in Chapter III on the rights of the data subject. In addition, as I have already emphasised, the grounds set out in Article 6 of that regulation are, according to consistent case-law, exhaustive. (35) In those circumstances, the two provisions in question fulfil two different functions and it cannot be considered that Article 21 of the GDPR may be taken into consideration in the examination of the lawfulness of the processing, which is governed solely by Article 6 of that regulation.
83. As regards the teleological interpretation of point (f) of Article 6(1) and Article 21 of the GDPR, if the existence of a right to object were to be taken into account for the purpose of assessing the lawfulness of data processing on the basis of Article 6 of that regulation, that would amount to the data processing being accepted as lawful on the sole ground that the data subject might subsequently object to that processing. It would therefore have the effect of extending the grounds of the lawfulness of the processing beyond the only cases provided for in Article 6 of that regulation and making the level of protection of data subjects depend on their diligence in objecting to the processing of their personal data, failing which the processing might be deemed lawful. Such an interpretation therefore seems to me to be capable of undermining the objective of ensuring a high level of the protection of natural persons with regard to the processing of their personal data.
84. Accordingly, I am of the view that the answer to the second question should be that point (f) of Article 6(1) of the GDPR must be interpreted as meaning that, for the purpose of assessing the necessity of the processing of personal data within the meaning of that provision, it precludes the right of the data subject to object, pursuant to Article 21(1) of that regulation, being taken into account.
V. Conclusion
85. In the light of the foregoing considerations, I propose that the questions for a preliminary ruling referred by the Conseil d’État (Council of State, France) should be answered as follows:
Point (b) of Article 6(1) and Article 5(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
must be interpreted as meaning that the systematic processing of data relating to title cannot be regarded as necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, where that processing is intended to permit personalised commercial communication by ensuring compliance with commonly accepted practices in commercial communications or adapting the manner in which the transport service is supplied because of the sex of the data subject.
Point (f) of Article 6(1) and Article 5(1)(c) of Regulation 2016/679
must be interpreted as meaning that the processing of data relating to the title of customers of a transport company cannot be regarded as necessary for the purposes of the legitimate interests pursued by the controller or by a third party, within the meaning of that provision, in so far as that company has not informed the users from whom those data were collected of a legitimate interest pursued by the processing of those data.
Point (f) of Article 6(1) of Regulation 2016/679
must be interpreted as meaning that, for the purpose of assessing the necessity of the processing of personal data within the meaning of that provision, it precludes the right of the data subject to object, pursuant to Article 21(1) of that regulation, being taken into account.