On January 9, 2025, the Court of Justice of the European Union (“CJEU”) issued a decision on the GDPR’s lawfulness and data minimization principles.

The case arose after a French association (“Mousse”) complained to the French Supervisory Authority (“CNIL”) about the fact that France’s main train company SNCF requires customers to indicate their title and gender identity by ticking either “Sir” or “Madam” when purchasing a train ticket online.  Mousse considered that such a mandatory requirement could not be justified under the “contractual performance” or “legitimate interests” legal bases set out in Article 6 GDPR, and infringed the GDPR’s principles of lawfulness, data minimization and transparency. 

The CNIL dismissed the complaint, and Mousse appealed the CNIL’s decision before the French Administrative Supreme Court (“Conseil d’Etat”), which stayed the proceedings to refer some questions to the CJEU.

  1. Is the processing necessary for the performance of a contract?

As a preliminary remark, the CJEU emphasized that the necessity requirement for relying on either contractual performance or legitimate interests is not met where the objective pursued by the processing could reasonably be achieved just as effectively by other, less intrusive means. 

In order to be able to rely on the legal basis of performance of a contract (Art. 6(1)(b) GDPR), the controller must be able to demonstrate that it would not be able to properly perform the contract at stake without implementing the processing.  To this end, the CJEU clarified that the controller could take into account not only the main subject matter of the contract, but also other objectives forming an integral part of the contract.

While the main subject matter of the contract was the provision of a rail transport service, the CJEU considered that commercial communications may constitute a purpose forming an integral part of such contract.  Indeed, the contract deriving from the purchase of train tickets would typically involve sending the customer a travel document by electronic means, informing the customer of any changes affecting their journey, allowing communications for after-sale services, etc. 

However, the CJEU found that such communications did not objectively need to be personalized based on the customer’s gender identity – SNCF could have just used generic, inclusive expressions instead of titles.  As a result, the CJEU found that processing customers’ titles and gender identities was not necessary for personalizing commercial communications, and therefore could not be justified under the GDPR’s contractual performance legal basis.

SNCF mentioned there was a second purpose for the collection and use of customers’ gender identity, namely to provide carriages reserved for persons with the same gender identity in night trains and to assist passengers with disabilities.  According to the CJEU, this second purpose could not justify the systematic and generalized processing of all customers’ titles.  Such processing would be disproportionate and contrary to the principle of data minimization.  

  2. Is the processing necessary for the purposes of legitimate interests?

Building on its previous case-law,[1] the CJEU reiterated that a controller must meet three cumulative conditions in order to rely on this legal basis (Art. 6(1)(f) GDPR), namely:

  1. The controller or a third party must have a legitimate interest in the processing;
  2. Processing the personal data is necessary to pursue said legitimate interest; and
  3. Data subjects’ fundamental rights and freedoms do not override the pursued legitimate interest.

While the CJEU left it to the referring court to assess whether these conditions are met in the case at hand, it did flag a few points for consideration:

  1. The CJEU indicated that a legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller.
  2. On the second condition, the CJEU tentatively concluded that the processing of customers’ titles or gender identities does not appear necessary to personalize commercial communications, and that common practices and social conventions should not be taken into account when assessing this necessity condition.
  3. On the third condition, the CJEU recalled that when balancing the pursued legitimate interest with the data subjects’ rights and freedoms, account should be taken in particular of data subjects’ reasonable expectations.  In the case at hand, the CJEU considered that SNCF customers should not have to expect the SNCF to process their title or gender identity as they purchase train tickets.  The CJEU also highlighted that there may be a risk of discrimination based on gender identity, although this will ultimately be for the referring court to determine.

Finally, the Conseil d’Etat had asked the CJEU whether, when assessing if a controller may lawfully rely on legitimate interests to process personal data, the fact that data subjects may have a right to object to the processing should be taken into account.  Unsurprisingly, the CJEU considered that the right to object presupposes that the processing is lawful (i.e., that there is a legal basis).  In other words, the lawfulness of such processing should not depend on the existence of a right to object.

*                       *                      *

Covington’s Data Privacy and Cybersecurity Practice monitors CJEU cases closely and reports on relevant Court decisions and Advocate General opinions.  If you have any questions about the interaction between data protection and local laws, we are happy to assist.


[1] See in particular, CJEU, July 4, 2023, Meta Platforms and Others, C-252/21; CJEU, October 4, 2024, Koninklijke Nederlandse Lawn Tennisbond, C-621/22.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Alix Bertrand

Alix advises clients on EU data protection and technology law, with a particular focus on French privacy and data protection requirements. She regularly assists clients in relation to international data transfers, direct marketing rules as well as IT and data protection contracts. Alix is a member of the Paris and Brussels Bars.