Language of document : ECLI:EU:T:2015:926

Case T‑343/13

CN

v

European Parliament

(Non-contractual liability — Petition addressed to the Parliament — Dissemination of certain personal data on the Parliament’s website — Absence of a sufficiently serious breach of a rule of law conferring rights on individuals)

Summary — Judgment of the General Court (Sixth Chamber), 3 December 2015

1.      Non-contractual liability — Conditions — Unlawfulness — Sufficiently serious breach of EU law — Requirement that the institutions manifestly and seriously disregard the limits of their discretion — Infringement of rules concerning the protection of personal data — Included

(Art. 340, second para., TFEU; Charter of Fundamental Rights of the European Union, Art. 8; European Parliament and Council Regulation No 45/2001)

2.      EU institutions — Protection of individuals with regard to the processing of personal data — Regulation No 45/2001 — Data relating to health — Concept — Broad interpretation — Limits

(European Parliament and Council Regulation No 45/2001, Art. 10(1))

3.      EU institutions — Protection of individuals with regard to the processing of personal data — Regulation No 45/2001 — Need for processing to be lawful — Consent of the person concerned — Concept — Lodging of a petition containing sensitive information on the European Parliament’s website — Information provided to the petitioner before the lodging of the petition enabling him to appreciate the accessibility to the public of his petition — Lawfulness of the processing

(European Parliament and Council Regulation No 45/2001, Arts 2(h), 5(d), and 10(2)(a))

4.      Non-contractual liability — Conditions — Unlawfulness — Sufficiently serious breach of EU law — Invocation of illegalities arising from an infringement of the rights of third parties — Not permissible

(Art. 340, second para., TFEU)

5.      EU institutions — Protection of individuals with regard to the processing of personal data — Regulation No 45/2001 — Right to the erasure of data — Condition — Unlawful processing of the data concerned — Erasure as a courtesy of data processed lawfully — Duty to act within a reasonable time

(European Parliament and Council Regulation No 45/2001, Art. 16)

6.      Fundamental rights — Respect for private life — Protection of personal data — Disclosure of data with the consent of the person concerned — No interference in private life

7.      Non-contractual liability — Conditions — Unlawfulness — Damage — Causal link — Cumulative conditions — One of the conditions not satisfied — Claim for compensation dismissed in its entirety

(Art. 340, second para., TFEU)

8.      Non-contractual liability — Conditions — Real and certain damage caused by an illegal measure — Material and non-material damage — Burden of proof

(Art. 340, second para., TFEU)

9.      Non-contractual liability — Conditions — Causal link — Damage constituted by costs in relation to the pre-litigation procedure — Costs arising from the free choice of the applicant — No causal link between the damage and the conduct of the institution

(Art. 340, second para., TFEU)

1.      For the Union to incur non-contractual liability, the condition of unlawful conduct of the Union’s institutions requires a sufficiently serious breach of a rule of law intended to confer rights on individuals. The decisive test for finding that a breach of EU law is sufficiently serious is whether the EU institution manifestly and gravely disregarded the limits on its discretion.

In that regard, since the right to the protection of personal data enshrined in Article 8 of the Charter of Fundamental Rights is developed by Regulation No 45/2001 on the protection of individuals with regard to the processing of personal data by the EU, as regards the acts of the institutions and organs of the Union and by the implementing rules for the said regulation adopted by each institution, those various provisions are intended to confer rights on individuals. They may therefore be relied on by an applicant in his action for compensation.

(see paras 44, 47)

2.      The expression ‘data concerning health’ contained in Article 10(1) of Regulation No 45/2001 must be given a wide interpretation so as to include information concerning all aspects, both physical and mental, of the health of an individual. However, that notion cannot be extended to include expressions which do not give rise to the disclosure of any data regarding a person’s health or medical condition.

(see para. 50)

3.      Since Article 2(h) of Regulation No 45/2001 does not lay down any conditions as to the form of a person’s consent to the processing of personal data, the lodging of the petition may be regarded as an indication of the wishes of the person concerned.

A careful reading of the information provided by the Parliament on its website concerning the publicity of the petition should have enabled a reasonably observant petitioner to assess the full significance and consequences of his action. In that regard, in the case of a petition referring to the fact that an EU institution has not taken into due account, for the purposes of his career, the state of health of a petitioner who is an EU official and that of his son, that indication of wishes was specific where the Parliament has informed the petitioner, at the time of lodging, that his complaint would be accessible on the internet and the latter has given his express consent by ticking the boxes on the form relating to public consideration and recording on a register accessible on the internet, without the need for his consent to be inferred implicitly from any action. In those circumstances, the petitioner must be regarded as having given his express consent to the disclosure of sensitive information concerning his health, within the meaning of Article 10(2)(a) of Regulation No 45/2001. Those considerations apply, mutatis mutandis, to the processing of personal data other the sensitive personal data of the petitioner.

Moreover, with regard to personal data not mentioned in Article 10(1) of Regulation No 45/2001, such as data relating to the petitioner’s career, processing is subject to the rules in Article 5 of Regulation No 45/2001. Under Article 5(d) of the regulation, data may be processed, inter alia, where the data subject has unambiguously given his or her consent. In other words, data may be processed where the data subject has given his or her consent with certainty and without ambiguity. In that regard, whereas Article 10(2)(a) of Regulation No 45/2001 requires the consent to be express, under Article 5(d) of that regulation consent must be unambiguously given. It is logical, given the nature of sensitive personal data, that the conditions required for consent under Article 5(d) of Regulation No 45/2001 cannot be stricter than those provided for in Article 10(2)(a) of that regulation.

(see paras 59, 70, 74, 76-79)

4.      In the matter of non-contractual liability of the EU, in order to ensure the effectiveness of the condition relating to the breach of a rule of law conferring rights on individuals, the protection offered by the rule invoked must be effective vis-à-vis the person who invokes it and that person must therefore be among those on whom the rule in question confers rights. A rule which does not protect the individual against the unlawfulness invoked by him, but protects another individual, cannot be accepted as a source of compensation. It follows that, in his action for compensation, an applicant cannot invoke unlawfulness resulting from the alleged breach of rights of a third party.

(see para. 86)

5.      Article 16 of Regulation No 45/2001 confers the right to seek the erasure of personal data only if the processing is unlawful. That provision cannot therefore be relied on in support of request for erasure where the processing is lawful. The fact that the EU institution concerned has decided to grant a request for erasure does not in itself imply recognition of the unlawfulness of the initial processing.

In that regard, Article 12(3) of the Implementing rules relating to Regulation No 45/2001 provides that, where a request for erasure of personal data is accepted, it must be acted upon immediately. That provision applies to situations in which the request is accepted because it is justified, namely because the processing is unlawful. In those circumstances, it is logical that it must be acted upon immediately. However, where the request is not justified, but is accepted as a courtesy, there is no reason to impose an obligation to act immediately. In that case the Parliament is required only to act upon its undertaking within a reasonable period.

(see paras 90, 100)

6.      Concerning the disclosure of personal information by an EU institution, a public authority cannot be regarded as having interfered in a person’s private life within the meaning of Article 8 of the ECHR where the person concerned gives his consent to that disclosure.

(see para. 107)

7.      See the text of the decision.

(see para. 110)

8.      See the text of the decision.

(see paras 118, 119)

9.      See the text of the decision.

(see paras 123, 124)