UZ – CJEU Judgment (Germany, 2023)

An applicant (data subject) lodged an application for international protection with the Federal Office for Migration and Refugees in Germany (‘the Federal Office’). The Federal Office rejected the application, relying on the electronic ‘MARIS’ file which it had compiled, and of which contained the personal data relating to the applicant. The applicant bought an action against the Federal Office before the Administrative Court in Wiesbaden, Germany (Verwaltungsgericht Wiesbaden). The electronic ‘MARIS’ file was sent to court in the context of a joint procedure under Article 26 GDPR, via the Electronic Court and Administration Mailbox. However, the lawfulness of such transfer was questioned by the Court as the Federal Office was unable to evidence an arrangement of the respective responsibilities of the joint controllership, despite a request made to that effect by the Court. Furthermore, the Court expressed doubt that the maintenance of the electronic MARIS file with the combined provisions of Article 5(1) and Article 30 GDPR due to the Federal Office failing to produce a complete record of processing activities relating to that file upon request. The Court decided to stay the proceedings and refer the following questions to the CJEU: (1) whether the failure of a controller to comply with the accountability principle (Article 5(2)) amounts to ‘unlawful processing’ which would enable an individual to exercise their right to erasure or rectification under Article 17(1)(d) and 18(1)(b) GDPR. In particular, the controller in this case failed to maintain a record of processing activities (ROPA) pursuant to Article 30 GDPR and lacked an arrangement for joint procedure in accordance with Article 26 GDPR. (2) whether the fact that the data subject has given his or her express consent or objects to the use of his or her personal data in the context of judicial proceedings can affect the possibility of those data being taken into account. If that court were unable to consi