MK – CJEU Judgment (Germany, 2024)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice ruled that a professional guardian is considered a data controller under GDPR. This means they must follow rules about handling personal data, even if they are part of the person's close circle. This decision clarifies the responsibilities of guardians in managing personal data.
What happened
The Court ruled that a professional guardian is a data controller under GDPR.
Who was affected
Individuals under guardianship whose personal data is managed by their professional guardian.
What the authority found
The Court held that the guardian must provide information about data processing, as they are considered a data controller.
Why this matters
This ruling sets a precedent for how guardians handle personal data, emphasizing that even trusted individuals must comply with data protection laws. It reminds service providers to understand their roles and responsibilities regarding personal data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A data subject was under guardianship, duly appointed under German law ([https://www.gesetze-im-internet.de/bgb/ Article 1896 and 1897 BGB]). The guardian was a lawyer acting in a professional manner and belonging to the personal circle of the data subject. They, performed their duties for a certain time and was later replaced by another person. The data subject referred to the Local Court of Hannover (Amtsgericht Hannover – AG Hannover) for legal aid to access the data collected by the guardian when performing their duties. The AG Hannover rejected the application of the data subject. According to the court, since the guardian performed their duties in context of their professional activity it was not a data controller within the meaning of Article 4(7) GDPR. Hence, they were not obliged to respond to access request under Article 15 GDPR. Also, the court emphasised that the guardian was a legal representative of data subject under German law. That meant the guardian could process the personal data on behalf of data subject. The data subject appealed against the decision of the AG Hannover to the Regional Court of Hannover (Landgericht Hannover - LG Hannover). The appeal raised the court’s doubts whether a professional guardian was covered by the definition of controller in Article 4(7) GDPR. Also, the court deliberated about the problem of the guardian being a part of the data subject’s personal circle. As a result, LG Hannover decided to refer the following preliminary questions to the CJEU: # Is a legally appointed guardian who performs that activity in a professional capacity a controller within the meaning of Article 4(7) GDPR? # Is he or she required to provide information in accordance with Article 15 GDPR?’ The CJEU answered both question positively. The CJEU found the guardian as such to be a controller within the meaning of Article 4(7) GDPR. Firstly, the CJEU excluded the application of Article 2(2)(c) GDPR to guardian’s activity, namely the exception
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (1)
Other cases involving MK in DE
Details
About this data
Cite as: Cookie Fines. MK - Germany (2024). Retrieved from cookiefines.eu
Last updated: