The Court of Justice of the European Union has published a judgement that could change the way in which companies carry out data processing.
The High Court issued a judgement this week on a Lithuanian case regarding national legislation aimed at preventing corruption.
One of the elements analysed by the CJEU as part of their judgement was the interpretation of special categories of personal data in accordance with the General Data Protection Regulation, or GDPR. In this way, the CJEU evaluated whether the data that can indirectly reveal the sexual orientation of a person are protected under privacy law.
The Court evaluated whether the protection offered under Article 9 of the GDPR covered “data that may reveal the sexual orientation of a natural person via the mental process of deduction or comparison.” In the case we are discussing here, the data in question included the name of one´s spouse or partner.
Lithuanian Law provides that: “The declaring person must record in their declaration the following data related to the declaring person and their spouse, cohabitant or partner”, amongst which appeared the name of the spouse.
The Court based its decision on the definition of “health-related data” of Article 4 (15) of the GDPR, recital 35, to determine that one must bear in mind the context when it comes to interpreting what constitutes “special data categories”, in order to extrapolate sexual orientation from the data.
The High Court highlighted that the general objective of the GDPR is to guarantee a high level of protection of fundamental rights, and that the end goal of Article 9 of the GDPR is to guarantee a greater degree of protection due to the nature or “special sensitive nature of the data considered therein”.
As a consequence, the CJEU considered that personal data which can indirectly reveal the sexual orientation of a person constitute data of a special category, according to the General Regulation for Data Protection, and that, therefore, they deserve special protection.
This latest verdict of the Court of Justice of the European Union, concerning data protection, can drastically change the current model of data processing for a multitude of companies, including online publication, dating applications, and applications or webpages that use geo-localisation, as well as others.
The infringements upon the General Regulation of Data Protection carry with them heavy sanctions, that may amount to 4% of the total income of companies that are faced with this fine, or 20 million euros, according to whichever figure is larger.
Let us not forget that this latest decision entailed a fine of 6.5 million euros for the platform Grindr on behalf of the Agency of Data Protection of Norway, upon consideration that the sharing of information which indicated the users that were registered on Grinder, to third parties, allowed them to process users´ data to infer the sexual orientation of those affected persons, and, therefore, this information had to be considered as data of a special category, deserving a higher or particular degree of protection.
Aleix Cuadrado
Vilá Abogados
For more information, please contact:
On the 12th of August 2022