DATA PROTECTION
EU Court of Justice: the customer's gender identity is not a necessary piece of data for the purchase of a ticket.
The Mousse association challenged before the French authority for the protection of personal data (the CNIL) the practice of the French railway undertaking SNCF Connect, which systematically obliges its customers to indicate their title ('Sir' or 'Madam') when purchasing tickets online. That association considers that that obligation infringes the General Data Protection Regulation (GDPR), in particular from the point of view of the principle of data minimisation, since the indication of the title, which corresponds to a gender identity, does not appear to be necessary for the purchase of a rail transport ticket. In 2021, the CNIL decided to reject that complaint, taking the view that the practice did not constitute a violation of the GDPR.
Disapproving of that decision, Mousse brought an action before the Conseil d'État (Council of State, France) for annulment. The Conseil d'État (Council of State) asks the Court of Justice, inter alia, whether the collection of data relating to the title of customers, limited to the terms 'Sir' and 'Madam', may be classified as lawful and compliant, inter alia, with the principle of data minimisation, where that collection is intended to enable personalised commercial communication to those customers, in accordance with the generally accepted customs in this area.
The Court recalls that, in accordance with the principle of data minimisation, which is an expression of the principle of proportionality, the data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
In addition, the Court recalls that the GDPR provides for an exhaustive and exhaustive list of cases in which the processing of personal data may be considered lawful: this is the case, in particular, where (i) it is necessary for the performance of a contract to which the data subject is a party, or (ii) it is necessary for the pursuit of the legitimate interest of the controller or of a third party.
As regards the first of those two justifications, the Court recalls that, in order for data processing to be regarded as necessary for the performance of a contract, that processing must be objectively indispensable in order to enable the proper performance of that contract. In that context, the Court considers that the personalisation of commercial communication based on a presumed gender identity on the basis of the customer's title does not appear to be objectively indispensable in order to enable a rail transport contract to be properly performed. The railway undertaking could opt for communication based on generic politeness formulas, inclusive and unrelated to the presumed gender identity of customers, which would be a viable and less intrusive solution.
As regards the second justification, the Court, while recalling its settled case-law on the subject, states that the processing of data relating to the title of the customers of a transport company, with the aim of personalising commercial communication based on their gender identity, cannot be considered necessary (i) where the legitimate interest pursued was not indicated to those customers at the time of collection of those data; (ii) if the processing is not carried out within the limits strictly necessary for the realization of such legitimate interest; or (iii) where, in the light of all the relevant circumstances, the fundamental rights and freedoms of those customers may override that legitimate interest, in particular because of a risk of discrimination on grounds of gender identity.
Disapproving of that decision, Mousse brought an action before the Conseil d'État (Council of State, France) for annulment. The Conseil d'État (Council of State) asks the Court of Justice, inter alia, whether the collection of data relating to the title of customers, limited to the terms 'Sir' and 'Madam', may be classified as lawful and compliant, inter alia, with the principle of data minimisation, where that collection is intended to enable personalised commercial communication to those customers, in accordance with the generally accepted customs in this area.
The Court recalls that, in accordance with the principle of data minimisation, which is an expression of the principle of proportionality, the data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
In addition, the Court recalls that the GDPR provides for an exhaustive and exhaustive list of cases in which the processing of personal data may be considered lawful: this is the case, in particular, where (i) it is necessary for the performance of a contract to which the data subject is a party, or (ii) it is necessary for the pursuit of the legitimate interest of the controller or of a third party.
As regards the first of those two justifications, the Court recalls that, in order for data processing to be regarded as necessary for the performance of a contract, that processing must be objectively indispensable in order to enable the proper performance of that contract. In that context, the Court considers that the personalisation of commercial communication based on a presumed gender identity on the basis of the customer's title does not appear to be objectively indispensable in order to enable a rail transport contract to be properly performed. The railway undertaking could opt for communication based on generic politeness formulas, inclusive and unrelated to the presumed gender identity of customers, which would be a viable and less intrusive solution.
As regards the second justification, the Court, while recalling its settled case-law on the subject, states that the processing of data relating to the title of the customers of a transport company, with the aim of personalising commercial communication based on their gender identity, cannot be considered necessary (i) where the legitimate interest pursued was not indicated to those customers at the time of collection of those data; (ii) if the processing is not carried out within the limits strictly necessary for the realization of such legitimate interest; or (iii) where, in the light of all the relevant circumstances, the fundamental rights and freedoms of those customers may override that legitimate interest, in particular because of a risk of discrimination on grounds of gender identity.
