Article 23 - Restrictions
3 pending referralsReferral C-222/25 (Rahapesu Andmebüroo, 21 Mar 2025) 
Referral C-222/25 (Rahapesu Andmebüroo, 21 Mar 2025)
Referral C-205/25 (Bayerisches Landesamt für Datenschutzaufsicht, 17 Mar 2025)
7 preliminary rulings
Judgment of 26 Oct 2023, C-307/22 (FT)
Article 23(1)(i) of Regulation 2016/679 must be interpreted as meaning that a piece of national legislation adopted prior to the entry into force of that regulation is capable of falling within the scope of that provision. However, such a possibility does not permit the adoption of a piece of national legislation which, with a view to protecting the economic interests of the controller, makes the data subject bear the costs of a first copy of his or her personal data undergoing processing.
Judgment of 21 Jun 2022, C-817/19 (Ligue des droits humains)
Article 2(2)(d) and Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that that regulation applies to the processing of personal data envisaged by national legislation intended to transpose, into domestic law, the provisions of Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data, those of Directive 2010/65/EU of the European Parliament and of the Council of 20 October 2010 on reporting formalities for ships arriving in and/or departing from ports of the Member States and repealing Directive 2002/6/EC and also those of Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, in respect of, on the one hand, data processing operations carried out by private operators and, on the other hand, data processing operations carried out by public authorities covered, solely or in addition, by Directive 2004/82 or Directive 2010/65. By contrast, the said regulation does not apply to the data processing operations envisaged by such legislation which are covered only by Directive 2016/681 and are carried out by the passenger information unit (PIU) or by the authorities competent for the purposes referred to in Article 1(2) of that directive.
Judgment of 24 Feb 2022, C-175/20 (Valsts ieņēmumu dienests)
The provisions of Regulation 2016/679 must be interpreted as meaning that the tax authorities of a Member State may not derogate from the provisions of Article 5(1) of that regulation where such a right has not been granted to them by a legislative measure within the meaning of Article 23(1) thereof.
Judgment of 10 Dec 2020, C-620/19 (J & S Service)
The Court does not have jurisdiction to answer the questions referred by the Bundesverwaltungsgericht (Federal Administrative Court, Germany) by decision of 4July 2019.
Judgment of 9 Mar 2017, C-398/15 (Manni)
Article 6(1)(e), Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in conjunction with Article 3 of the First Council Directive 68/151/EEC of 9 March 1968 on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community, as amended by Directive 2003/58/EC of the European Parliament and of the Council of 15 July 2003, must be interpreted as meaning that, as EU law currently stands, it is for the Member States to determine whether the natural persons referred to in Article 2(1)(d) and (j) of that directive may apply to the authority responsible for keeping, respectively, the central register, commercial register or companies register to determine, on the basis of a case-by-case assessment, if it is exceptionally justified, on compelling legitimate grounds relating to their particular situation, to limit, on the expiry of a sufficiently long period after the dissolution of the company concerned, access to personal data relating to them, entered in that register, to third parties who can demonstrate a specific interest in consulting that data.
Judgment of 7 Nov 2013, C-473/12 (IPI)
Article 13(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that Member States have no obligation, but have the option, to transpose into their national law one or more of the exceptions which it lays down to the obligation to inform data subjects of the processing of their personal data. The activity of a private detective acting for a professional body in order to investigate breaches of ethics of a regulated profession, in this case that of estate agent, is covered by the exception in Article 13(1)(d) of Directive 95/46.
Judgment of 7 May 2009, C-553/07 (Rijkeboer)
Article 12(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data requires Member States to ensure a right of access to information on the recipients or categories of recipient of personal data and on the content of the data disclosed not only in respect of the present but also in respect of the past. It is for Member States to fix a time-limit for storage of that information and to provide for access to that information which constitutes a fair balance between, on the one hand, the interest of the data subject in protecting his privacy, in particular by way of his rights to object and to bring legal proceedings and, on the other, the burden which the obligation to store that information represents for the controller. Rules limiting the storage of information on the recipients or categories of recipient of personal data and on the content of the data disclosed to a period of one year and correspondingly limiting access to that information, while basic data is stored for a much longer period, do not constitute a fair balance of the interest and obligation at issue, unless it can be shown that longer storage of that information would constitute an excessive burden on the controller. It is, however, for national courts to make the determinations necessary.
