March 20, 2023
Swedish company Norra Stockholm Bygg AB (known as Fastec) was engaged by Per Nycander AB to construct an office building. During construction, people working on the building site were recorded in an electronic staff register, provided by Entral AB acting on behalf of Fastec.
Fastec issued proceedings against Nycander in the Swedish court seeking outstanding payments for works carried out. Nycander said that Fastec’s staff had worked fewer hours than claimed by Fastec and declined to pay.
Nycander asked the Swedish court to order Entral to disclose Fastec’s staff register for the relevant period without redaction or, alternatively, with the personal identity numbers of the staff redacted, so that the number of hours worked could be proved.
Fastec objected, claiming that it was contrary to Article 5(1)(b) of the GDPR. Fastec said that the staff register contained personal data that had been collected for tax purposes and disclosing it in this case was not consistent with that purpose.
At first instance, the court ordered Entral to disclose the staff register and that decision was upheld on appeal. Fastec appealed to the Swedish Supreme Court, which asked the CJEU whether Articles 6(3) and (4) of the GDPR (on the lawfulness and purposes of processing) applies to the production, as evidence in civil proceedings, of a staff register containing personal data of third parties collected principally for the purposes of tax inspection.
The CJEU noted that the production of a document as evidence is included in the definition of “processing” of personal data in the GDPR and that processing carried out by public authorities, such as the courts, must satisfy the conditions of lawfulness under Article 6. Further, under Article 6(1)(e), the processing of personal data is lawful if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller and the basis for this processing must be defined by an EU or national law that is in the public interest and is proportionate to the legitimate aim pursued.
Therefore, reading Article 6(1)(e) and 6(3) together, there must be a national legal basis for processing by the controller acting in the public interest or as an official authority, such as a court acting in its judicial capacity.
Further, the CJEU said, where the processing is carried out for a purpose other than that for which the data was initially collected, under Article 6(4), such processing is allowed if it is based on national law and constitutes a necessary and proportionate measure in a democratic society to safeguard one of the objectives referred to in Article 23(1) of the GDPR. Those objectives include “the protection of judicial independence and judicial proceedings” (Article 23(1)(f)), which refers to the proper administration of justice, and “the enforcement of civil law claims” (Article 23(1)(j)).
However, the CJEU said, it was for the referring court to decide whether the relevant provisions of Swedish law on the production of documents in legal proceedings met one and/or other of those objectives and were necessary and proportionate to those objectives, such that the processing would fall within the lawful processing of personal data under Articles 6(3) and (4) of the GDPR, read in conjunction with Article 23(1)(f) and (j).
Therefore, the CJEU ruled that Articles 6 (3) and (4) do indeed apply in the situation in question.
The Swedish Supreme Court also asked whether Articles 5 and 6 of the GDPR mean that, when assessing whether the production of a document containing personal data should be ordered in civil proceedings, the court is required to consider the interests of the data subjects in question. If so, the court asked whether there are any specific requirements as to how that assessment should be made.
Given the finding that, under Article 6(4), the processing of personal data will be lawful if it constitutes a necessary and proportionate measure in a democratic society and safeguards the objectives in Article 23, in order to verify those requirements, a national court must consider the opposing interests involved. The court must, therefore, consider the data subject’s right to the protection of his/her personal data and the right to respect for private life and balance them against the right to effective judicial protection, all of which are fundamental rights.
As part of this balancing exercise, consideration should also be given to Article 5(1) of the GDPR, particularly Article 5(1)(c), which states that the processing must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. The national court must therefore determine whether the disclosure of personal data meets those objectives and whether it could be achieved by other less intrusive means.
If the court finds that disclosure is justified, it must also consider taking additional data protection measures, such as pseudonymisation or other measures that would minimise the interference with the data subject’s fundamental rights, e.g. limiting public access to the court file.
Accordingly, the CJEU held that Articles 5 and 6 of the GDPR must be interpreted as meaning that, in the situation in question, the national court must consider the interests of the data subjects concerned and balance them according to the circumstances of each case, the type of proceedings and considering the requirements of proportionality and data minimisation under Article 5(1)(c). (Case C-268/21 Norra Stockholm Bygg AB v Per Nycander AB EU:C:2023:145 (2 March 2023) — to read the judgment in full, click here).