Inferring things about people? Make sure you treat this as indirectly collected personal data

Thanks to Digibeetle for flagging an interesting case on privacy notices just before Christmas (Case C-169/23 Másdi). For anyone who missed it, there's a quick summary + action point below.

GDPR contains two provisions on privacy notices – 1) art.13 (information to be provided where personal data are collected from the data subject) and 2) art.14 (information to be provided where personal data have not been obtained from the data subject).

It’s clear that art.14 is relevant when a controller collects data from another organisation, but which article should apply if the controller creates the personal data itself? Logically, you'd assume this should be art.14 (as the information to be provided to the data subject under art.14 is slightly different to that under art.13, reflecting the fact that the data subject wouldn’t be aware of the same things as they are when they provide information to the controller). However, the point wasn’t entirely clear – until this case!

Másdi confirms that art.14 applies to all situations when the data subject doesn’t provide the information – including when the controller generates the data itself, for example, if a controller infers information about what may be of interest to the data subject. Sometimes privacy notices are structured so that directly and indirectly collected data are described separately. Action point: organisations that have notices set out in this way should check they include data they generate in the “indirectly collected” part of the notice.

If you want the fuller background, the case related to Covid immunity certificates issued by a Hungarian public authority. A data subject complained that the body had not complied with GDPR, i.a. because it had not provided him with a privacy notice.

The public body was required by law to carry out this processing. Art.14(5)(c) says that there is no obligation to provide a privacy notice where the obtaining or disclosure of personal data is expressly laid down by Union or Member State law applicable to the controller & where this law provides appropriate measures to protect the data subject’s legitimate interests. On this basis the public body argued that it was exempt from the obligation to provide a privacy notice (save in respect of data the individual provided) – and this led to a referral to the CJEU. In addition to clarifying the distinction between arts.13 & 14 mentioned above, the Court also confirmed that the exception at 14(5)(c) would apply to personal data generated by the controller itself, as well as personal data obtained from others.

The CJEU also noted that the rationale for the exception was to avoid a controller being subject to a separate legal obligation to provide notice to individuals and to an obligation to do this under GDPR [44]. According to the CJEU, the appropriate protections to be provided for under Union or Member State law must include at least similar protections to those set out at GDPR arts.14(1)-(4) [54]. Supervisory authorities are competent to assess whether Member State law does, in fact, provide these protections. There is no suggestion in art.14 – or the associated recital – that this derogation should be limited to situations when member state or EU law has essentially the same transparency requirements as GDPR, so this finding narrows the scope of the exemption.

Anandaday Misshra

Founder and Managing Partner at AMLEGALS | International Lawyer | Data Protection, AI, GST & Arbitration | Dispute Resolution Strategist

2 months ago

Thanks Ruth Boardman for discussing this less talked-about issue of inferred data.

Ruth Boardman

Partner, Bird & Bird

2 months ago

Thanks for flagging that one Joost Gerritsen - look forward to seeing more details - on Digibeetle (where else) - in due course!

Joost Gerritsen

#askdigibeetle and summon me

2 months ago

Thank you for the shout-out, Ruth Boardman! Important that you highlight this case. Case-law like this, that touches upon inferred data, is scarce. Hopefully the CJEU Storstockholms Lokaltrafik [C-422/24] will elaborate more on inferred data. That case is about body cams worn by public transport operators. Unfortunately no hearing date scheduled yet!
