ECJ: Compulsory indication of gender for marketing purposes inadmissible

A requirement to specify gender for a marketing address is not legal under the General Data Protection Regulation. This has been clarified by the ECJ.


On Thursday, the European Court of Justice (ECJ) interpreted the General Data Protection Regulation (GDPR) more precisely in two cases: Unnecessary mandatory information remains unlawful – and complaints must always be processed.

The first case: The French state railroad SNCF tried to be particularly polite in its marketing campaigns. To be able to choose the correct form of address for emails, it asked customers to state their gender when booking online via SNCF Connect. The judges of the European Court of Justice have now ruled that this is unlawful.

This is because the General Data Protection Regulation (GDPR) stipulates that data may only be collected if there is a basis for doing so. A polite salutation for marketing purposes is not a reason within the meaning of the GDPR: this information is not necessary for the performance of a contract. The French data protection supervisory authority CNIL had assessed this differently, and the plaintiff had challenged that assessment before the French courts. They referred the issue to the ECJ for final clarification.


The court has now ruled that polite marketing communication is of secondary importance as a legitimate interest when weighed against the fundamental rights of the person concerned – "in particular due to the risk of discrimination based on gender identity." In addition to a legal obligation, the need to fulfill a contract, or the consent of the data subject, the GDPR provides for the so-called legitimate interest as a permissible reason for the collection of personal data, which the judges interpreted narrowly here.

In a further ruling, the judges of the European Court of Justice found that the number of complaints to the competent data protection supervisory authority may not be limited. The Austrian data protection supervisory authority had determined that more than two complaints about data protection violations per month and person were excessive and therefore did not have to be dealt with. The judges in Luxembourg took a different view – every submission must first be examined.

Whether submissions are abusive always depends on the specific circumstances. "However, the existence of an intention to abuse can be established if a person submits complaints without this being objectively necessary to protect their rights under the Regulation," it says in paragraph 50 of the judgment. Only in such cases may the supervisory authorities then choose whether to demand a processing fee or not to process the case at all.

The ECJ judges gave a clear signal to the Member States: They are obliged to equip their supervisory authorities adequately – inadequate resources are not an argument for not fulfilling supervisory duties, even if this ties up considerable staff in individual cases: the resources must be "adapted to the use made by the persons concerned of their right to lodge complaints with the supervisory authorities." The question of sufficient resources has been the subject of dispute for years.

(vbr)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.