MK – CJEU Judgment (Germany, 2024)

A data subject was under guardianship, duly appointed under German law ([https://www.gesetze-im-internet.de/bgb/ Article 1896 and 1897 BGB]). The guardian was a lawyer acting in a professional manner and belonging to the personal circle of the data subject. They, performed their duties for a certain time and was later replaced by another person. The data subject referred to the Local Court of Hannover (Amtsgericht Hannover – AG Hannover) for legal aid to access the data collected by the guardian when performing their duties. The AG Hannover rejected the application of the data subject. According to the court, since the guardian performed their duties in context of their professional activity it was not a data controller within the meaning of Article 4(7) GDPR. Hence, they were not obliged to respond to access request under Article 15 GDPR. Also, the court emphasised that the guardian was a legal representative of data subject under German law. That meant the guardian could process the personal data on behalf of data subject. The data subject appealed against the decision of the AG Hannover to the Regional Court of Hannover (Landgericht Hannover - LG Hannover). The appeal raised the court’s doubts whether a professional guardian was covered by the definition of controller in Article 4(7) GDPR. Also, the court deliberated about the problem of the guardian being a part of the data subject’s personal circle. As a result, LG Hannover decided to refer the following preliminary questions to the CJEU: # Is a legally appointed guardian who performs that activity in a professional capacity a controller within the meaning of Article 4(7) GDPR? # Is he or she required to provide information in accordance with Article 15 GDPR?’ The CJEU answered both question positively. The CJEU found the guardian as such to be a controller within the meaning of Article 4(7) GDPR. Firstly, the CJEU excluded the application of Article 2(2)(c) GDPR to guardian’s activity, namely the exception