Association Mousse – Court Ruling (France, 2025)

Association Mousse (referred to as “Mousse”) filed a complaint with the DPA against SNCF Connect (a platform allowing people to purchase rail travel documents, the controller). The controller required data subjects to choose between “Mr” or “Ms” when purchasing tickets on its website. Mousse argued that this was unlawful under Article 5(1)(a) GDPR, as the controller did not have a legal basis to process this data. In addition, requiring this information violated the principle of data minimisation (Article 5(1)(c) GDPR), as well as the controller’s transparency obligations (Article 13 GDPR). The DPA dismissed the complaint, stating that the controller had not violated the GDPR. Furthermore, the controller had a valid legal basis to process data subject’s genders under necessity for the performance of a contract (Article 6(1)(b) GDPR). Finally, processing this data complied with the principle of data minimisation, as addressing data subjects in a personalised manner was an accepted practice in commercial, civil and administrative communications. Mousse appealed the decision to the Court, arguing that an accepted practice does not mean it is necessary for the performance of a contract. Furthermore, the obligation to disclose one’s gender is a violation of the right to respect for private life, and risked potential discrimination against the data subject. The Court decided to stay its proceedings and refer a preliminary question to the CJEU. In its decision (C-394/23 Mousse), the CJEU found that the generalised processing of passengers’ genders was not necessary for the performance of a contract or for the legitimate interest of personalised commercial communication. Following the CJEU decision, Mousse requested the Court to issue guidelines regarding the issue, and argued that the CJEU decision implied the DPA decision should be overturned. The controller requested the Court to clarify whether it could still process the data for specific services, or offer a choice