JUDGMENT OF THE COURT (Grand Chamber)
30 January 2024 (*)
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data for the purpose of combating crime – Directive (EU) 2016/680 – Article 4(1)(c) and (e) – Data minimisation – Limitation of storage – Article 5 – Appropriate time limits for erasure or for a periodic review of the need for the storage – Article 10 – Processing of biometric and genetic data – Strict necessity – Article 16(2) and (3) – Right to erasure – Restriction of processing – Article 52(1) of the Charter of Fundamental Rights of the European Union – Natural person convicted by final judgment and subsequently legally rehabilitated – Storage of data until death – No right to erasure or restriction of processing – Proportionality)
In Case C-118/22,
REQUEST for a preliminary ruling under Article 267 TFEU from the Varhoven administrativen sad (Supreme Administrative Court, Bulgaria), made by decision of 10 January 2022, received at the Court on 17 February 2022, in the proceedings
NG
v
Direktor na Glavna direktsia ‘Natsionalna politsia’ pri Ministerstvo na vatreshnite raboti – Sofia,
intervening parties:
Varhovna administrativna prokuratura,
THE COURT (Grand Chamber),
composed of K. Lenaerts, President, L. Bay Larsen, Vice-President, A. Arabadjiev, A. Prechal, K. Jürimäe, N. Piçarra and O. Spineanu-Matei, Presidents of Chambers, M. Ilešič, J.-C. Bonichot, L.S. Rossi, I. Jarukaitis, A. Kumin, N. Jääskinen, N. Wahl and D. Gratsias (Rapporteur), Judges,
Advocate General: P. Pikamäe,
Registrar: R. Stefanova-Kamisheva, Administrator,
having regard to the written procedure and further to the hearing on 7 February 2023,
after considering the observations submitted on behalf of:
– NG, by P. Kuyumdzhiev, advokat,
– the Bulgarian Government, by M. Georgieva, T. Mitova and E. Petranova, acting as Agents,
– the Czech Government, by O. Serdula, M. Smolek and J. Vláčil, acting as Agents,
– Ireland, by M. Browne, A. Joyce and M. Tierney, acting as Agents, and by D. Fennelly, Barrister-at-Law,
– the Spanish Government, by A. Ballesteros Panizo and J. Rodríguez de la Rúa Puig, acting as Agents,
– the Netherlands Government, by A. Hanje, acting as Agent,
– the Polish Government, by B. Majczyna, D. Łukowiak and J. Sawicka, acting as Agents,
– the European Commission, by A. Bouchagiar, C. Georgieva, H. Kranenborg and F. Wilman, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 15 June 2023,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Article 5 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89), read in conjunction with Article 13(2)(b) and (3) of that directive.
2 The request has been made in proceedings between NG and the Direktor na Glavna direktsia ‘Natsionalna politsia’ pri Ministerstvo na vatreshnite raboti – Sofia (Director of the ‘National Police’ Directorate-General at the Bulgarian Ministry of the Interior) (‘the DGPN’) concerning the latter’s refusal of NG’s request – based on his legal rehabilitation after having been convicted by final judgment – to be removed from the national records in which the Bulgarian police authorities register persons prosecuted for an intentional criminal offence subject to public prosecution (‘the police records’).
Legal context
European Union law
3 Recitals 11, 14, 26, 27, 37, 47 and 104 of Directive 2016/680 state:
‘(11) It is … appropriate for [the fields of judicial cooperation in criminal matters and police cooperation] to be addressed by a directive that lays down the specific rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, respecting the specific nature of those activities. …
…
(14) Since this Directive should not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law, activities concerning national security … should not be considered to be activities falling within the scope of this Directive.
…
(26) … It should … be ensured that the personal data collected are not excessive and not kept longer than is necessary for the purpose for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. …
(27) For the prevention, investigation and prosecution of criminal offences, it is necessary for competent authorities to process personal data collected in the context of the prevention, investigation, detection or prosecution of specific criminal offences beyond that context in order to develop an understanding of criminal activities and to make links between different criminal offences detected.
…
(37) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. …
…
(47) … A natural person should also have the right to restriction of processing … where the personal data have to be maintained for purpose of evidence. In particular, instead of erasing personal data, processing should be restricted if in a specific case there are reasonable grounds to believe that erasure could affect the legitimate interests of the data subject. In such a case, restricted data should be processed only for the purpose which prevented their erasure. …
…
(104) This Directive respects the fundamental rights and observes the principles recognised in the [Charter of Fundamental Rights of the European Union (‘the Charter’)] as enshrined in the TFEU, in particular the right to respect for private and family life, the right to the protection of personal data, the right to an effective remedy and to a fair trial. Limitations placed on those rights are in accordance with Article 52(1) of the Charter as they are necessary to meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.’
4 Article 1 of that directive, entitled ‘Subject-matter and objectives’, provides, in paragraph 1:
‘This Directive lays down the rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’
5 Article 2 of Directive 2016/680, headed ‘Scope’, provides in paragraphs 1 and 3:
‘1. This Directive applies to the processing of personal data by competent authorities for the purposes set out in Article 1(1).
…
3. This Directive does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law;
…’
6 Article 3 of Directive 2016/680, headed ‘Definitions’, states:
‘For the purposes of this Directive:
…
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data … such as … storage …;
…’
7 Article 4 of Directive 2016/680, headed ‘Principles relating to processing of personal data’, provides in paragraph 1:
‘Member States shall provide for personal data to be:
…
(c) adequate, relevant and not excessive in relation to the purposes for which they are processed;
…
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;
…’
8 Article 5 of that directive, entitled ‘Time-limits for storage and review’, is worded as follows:
‘Member States shall provide for appropriate time limits to be established for the erasure of personal data or for a periodic review of the need for the storage of personal data. Procedural measures shall ensure that those time limits are observed.’
9 Article 10 of that directive, entitled ‘Processing of special categories of personal data’, is worded as follows:
‘Processing of … genetic data [and] biometric data for the purpose of uniquely identifying a natural person … shall be allowed only where strictly necessary, subject to appropriate safeguards for the rights and freedoms of the data subject …’
10 Article 13 of that directive, entitled ‘Information to be made available or given to the data subject’, provides, in paragraph 2, that, in addition to the information referred to in paragraph 1 thereof, Member States are to provide by law for the data controller to give to the data subject, in specific cases, the further information listed in that paragraph 2 to enable that person to exercise his or her rights. That additional information includes, inter alia, in point (b) of that paragraph 2, the period for which the personal data will be stored, or, where that is not possible, the criteria used to determine that period. In addition, Article 13(3) of Directive 2016/680 sets out the grounds on which Member States may adopt legislative measures delaying, restricting or omitting the provision of the information to the data subject pursuant to paragraph 2 of that article.
11 Article 14 of Directive 2016/680, headed ‘Right of access by the data subject’, provides:
‘Subject to Article 15, Member States shall provide for the right of the data subject to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
…
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
…’
12 Article 16 of that directive, headed ‘Right to rectification or erasure of personal data and restriction of processing’, provides, in paragraphs 2 and 3:
‘2. Member States shall require the controller to erase personal data without undue delay and provide for the right of the data subject to obtain from the controller the erasure of personal data concerning him or her without undue delay where processing infringes the provisions adopted pursuant to Article 4, 8 or 10, or where personal data must be erased in order to comply with a legal obligation to which the controller is subject.
3. Instead of erasure, the controller shall restrict processing where:
(a) the accuracy of the personal data is contested by the data subject and their accuracy or inaccuracy cannot be ascertained; or
(b) the personal data must be maintained for the purposes of evidence.
…’
13 Under Article 20 of that directive, entitled ‘Data protection by design and by default’, Member States are to provide for the data controller to implement appropriate technical and organisational measures in order to meet the requirements of that directive and protect the rights of data subjects and, inter alia, to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
14 Article 29 of Directive 2016/680, entitled ‘Security of processing’, provides in paragraph 1:
‘Member States shall provide for the controller and the processor, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in particular as regards the processing of special categories of personal data referred to in Article 10.’
Bulgarian law
Criminal Code
15 Article 82(1) of the Nakazatelen kodeks (Criminal Code, DV No 26 of 2 April 1968), in the version applicable to the dispute in the main proceedings, provides:
‘The sentence imposed shall not be enforced where:
1. 20 years have elapsed, if the sentence is life imprisonment without the possibility of commutation or life imprisonment;
2. 15 years have elapsed, if the sentence is a term of imprisonment of more than 10 years;
3. 10 years have elapsed, if the sentence is a term of imprisonment of between 3 and 10 years;
4. 5 years have elapsed, if the sentence is a term of imprisonment of less than 3 years, and
5. 2 years have elapsed, for all other cases.’
16 Article 85(1) of that code provides:
‘Legal rehabilitation shall erase the conviction and shall repeal for the future the effects which the laws attach to the conviction itself, unless a law or decree provides otherwise.’
17 Article 88a of that code is worded as follows:
‘Where a period equal to that referred to in Article 82(1) has elapsed since the sentence was served and the convicted person has not committed a new intentional criminal offence subject to public prosecution and punishable by a term of imprisonment, the conviction and its consequences shall be erased notwithstanding any provision laid down by any other law or decree.’
The Law on the Ministry of the Interior
18 Article 26 of the Zakon za Ministerstvo na vatreshnite raboti (Law on the Ministry of the Interior, DV No 53 of 27 June 2014), in the version applicable to the dispute in the main proceedings (‘the Law on the Ministry of the Interior’), provides:
‘(1) When processing personal data related to activities concerning the protection of national security, combating crime, maintaining public order and the conduct of criminal proceedings, the authorities of the Ministry of the Interior:
…
3. may process all necessary categories of personal data;
…
(2) The time limits for data storage referred to in paragraph 1 or the time limits for a periodic review of the need to store such data shall be determined by the Ministry of the Interior. Those data shall be erased pursuant to a judicial decision or a decision by the Personal Data Protection Commission.’
19 Under Article 27 of the Law on the Ministry of the Interior:
‘Data taken from a person’s entry in the police records made pursuant to Article 68 shall be used only in connection with safeguarding national security, combating crime and maintaining law and order.’
20 Article 68 of that law is worded as follows:
‘(1) The police authorities shall create a police record of persons who are accused of an intentional criminal offence subject to public prosecution. The authorities responsible for the investigation shall adopt the measures required for the creation of the record by the police authorities.
(2) The creation of the police record is a form of processing of personal data of the persons referred to in paragraph 1, which shall be carried out in accordance with the requirements of this Law.
(3) For the purposes of creating a police record, the police authorities shall:
1. collect the personal data set out in Article 18 of the Law on Bulgarian identity documents;
2. take a person’s fingerprints and photograph him or her;
3. take samples to create a person’s DNA profile.
…
(6) The entry in the police records shall be erased pursuant to a written order by the personal data processing controller or by officials authorised by the controller for that purpose, of his or her own motion or following a written and reasoned application by the recorded person, where:
1. the record was created in breach of the law;
2. the criminal proceedings are discontinued, except in the cases referred to in Article 24(3) of the [Nakazatelno-protsesualen kodeks (Code of Criminal Procedure)];
3. the criminal proceedings resulted in an acquittal;
4. the person was exempted from criminal liability and an administrative penalty was imposed on that person;
5. the person is deceased, in which case the application may be made by that person’s heirs.
…’
The dispute in the main proceedings and the question referred for a preliminary ruling
21 An entry in the police records was made in respect of NG, in accordance with Article 68 of the Law on the Ministry of the Interior, in the course of a criminal investigation for failing to tell the truth as a witness, which is a criminal offence under Article 290(1) of the Criminal Code. Following that investigation, NG was charged with a criminal offence and, by judgment of 28 June 2016, confirmed on appeal by judgment of 2 December 2016, he was found guilty of that offence and given a one-year suspended sentence. After serving that sentence, NG was legally rehabilitated, under Article 82(1) and Article 88a of the Criminal Code, on 14 March 2020.
22 On 15 July 2020, on the basis of that legal rehabilitation, NG applied to the relevant district authority of the Ministry of the Interior for the erasure of the entry concerning him in the police records.
23 By decision of 2 September 2020, the DGPN refused that application on the ground that a final criminal conviction, even in the event of legal rehabilitation, is not one of the grounds for erasure of an entry in the police records, which are exhaustively listed in Article 68(6) of the Law on the Ministry of the Interior.
24 By decision of 2 February 2021, the Administrativen sad Sofia grad (Administrative Court of the City of Sofia, Bulgaria) dismissed the action brought by NG against that decision of the DGPN on grounds, in essence, similar to those given by the DGPN.
25 NG brought an appeal before the referring court, the Varhoven administrativen sad (Supreme Administrative Court, Bulgaria). The main ground of that appeal alleges a breach of the principle, inferred from Articles 5, 13 and 14 of Directive 2016/680, that the processing of personal data resulting from their storage cannot be carried on indefinitely. According to NG, in essence, that is de facto the case where, in the absence of a ground for removal from the police register applicable in the event of legal rehabilitation, the data subject can never obtain the erasure of personal data collected in connection with a criminal offence for which he or she was convicted by final judgment, even after serving his or her sentence and having been legally rehabilitated.
26 In that regard, in the first place, the referring court notes that entry in the police records constitutes the processing of personal data for the purposes set out in Article 1(1) of Directive 2016/680 and therefore falls within the scope of that directive.
27 In the second place, it states that legal rehabilitation is not one of the grounds for removal from the police records, listed exhaustively in Article 68(6) of the Law on the Ministry of the Interior, and that none of those grounds is applicable in that situation, with the result that it is impossible for the data subject to have his entry erased from those police records in such a case.
28 In the third place, the referring court notes that recital 26 of Directive 2016/680 refers to safeguards so that the data collected are not excessive or stored for longer than is necessary for the purposes for which they are processed and states that the data controller must set time limits for erasure or periodic review. In addition, it infers from recital 34 of that directive that processing for the purposes set out in Article 1(1) thereof should involve the restriction, erasure or destruction of those data. In its view, those principles are reflected in Article 5 and Article 13(2) and (3) of that directive.
29 In that regard, the referring court has doubts as to whether the objectives set out in the preceding paragraph preclude national legislation which leads, for the competent authorities, to a ‘virtually unlimited right’ to data processing for the purposes set out in Article 1(1) of Directive 2016/680 and, for the data subject, to the loss of his or her right to the restriction of processing or erasure of his or her data.
30 In those circumstances, the Varhoven administrativen sad (Supreme Administrative Court) decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:
‘Does the interpretation of Article 5 in conjunction with Article 13(2)(b) and (3) of [Directive 2016/680], permit national legislative measures which lead to a virtually unrestricted right of competent authorities to process personal data for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and/or to the elimination of the data subject’s right to have the processing of his or her data restricted or to have them erased or destroyed?’
Consideration of the question referred
31 According to settled case-law, in the procedure laid down by Article 267 TFEU providing for cooperation between national courts and the Court of Justice, it is for the latter to provide the national court with an answer which will be of use to it and enable it to decide the case before it. To that end, the Court of Justice should, where necessary, reformulate the questions referred to it. The Court may also find it necessary to consider provisions of EU law which the national court has not referred to in its questions (judgment of 15 July 2021, Ministrstvo za obrambo, C-742/19, EU:C:2021:597, paragraph 31 and the case-law cited).
32 In the present case, the referring court’s question arises from the fact that, as is apparent from the request for a preliminary ruling and from the information provided by the Bulgarian Government at the hearing before the Court, none of the grounds justifying the erasure of personal data entered in the police records, exhaustively listed by the Law on the Ministry of the Interior, is applicable in the situation at issue in the main proceedings, in which a person has been convicted by final judgment, even after his or her legal rehabilitation, with the result that those data are stored in that register and may be processed by the authorities which have access to it without any time limit other than the death of that person.
33 In that regard, first of all, it is apparent from the order for reference, in particular from the considerations summarised in paragraph 27 above, and from the wording of the question referred itself that the referring court asks, in particular, whether the national legislation at issue in the main proceedings is compatible with the principle of proportionality. As recital 104 of Directive 2016/680 highlights, the limitations imposed by that directive on the right to the protection of personal data, provided for in Article 8 of the Charter, and on the right to respect for private and family life and the right to an effective remedy and to a fair trial, protected by Articles 7 and 47 respectively of the Charter, must be interpreted in accordance with the requirements of Article 52(1) thereof, which include respect for that principle.
34 Next, in the wording of its question, the referring court rightly refers to Article 5 of that directive, relating to appropriate time limits for the erasure of personal data or for a periodic review of the need for the storage of personal data. Since Article 5 is closely connected both with Article 4(1)(c) and (e) of that directive and with Article 16(2) and (3) thereof, the question referred for a preliminary ruling must be understood as also referring to those two provisions.
35 Similarly, since the national legislation at issue in the main proceedings provides for the storage, inter alia, of biometric and genetic data, which fall within the special categories of personal data the processing of which is specifically governed by Article 10 of Directive 2016/680, it must be held that the question referred also concerns the interpretation of that provision.
36 Lastly, the relevance of an interpretation of Article 13 of Directive 2016/680 emerges clearly from the request for a preliminary ruling only as regards paragraph 2(b) of that article. It is true, as the referring court points out, that Article 13(3) also reflects the principles set out, inter alia, in recital 26 of that directive. However, it does not appear from the file submitted to the Court that a legislative measure delaying or restricting the provision of information to the data subject, within the meaning of Article 13(3), is also at issue in the main proceedings.
37 In the light of the foregoing, it must be held that, by its question, the referring court asks, in essence, whether Article 4(1)(c) and (e) of Directive 2016/680, read in conjunction with Articles 5 and 10, Article 13(2)(b) and Article 16(2) and (3) thereof, and in the light of Articles 7 and 8 of the Charter, must be interpreted as precluding national legislation which provides for the storage, by police authorities, for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, of personal data, including biometric and genetic data, concerning persons who have been convicted by final judgment of an intentional criminal offence subject to public prosecution, until the death of the data subject, even in the event of his or her legal rehabilitation, without also granting that person the right to have those data erased or, where appropriate, to have their processing restricted.
38 As a preliminary point, it should be noted that the question referred concerns the processing of personal data for purposes falling, in accordance with Article 1(1) of Directive 2016/680, within the scope of that directive. It is apparent, however, from Article 27 of the Law on the Ministry of the Interior, cited in the order for reference, that the data stored in the police register may also be processed in the context of the protection of national security, to which, under Article 2(3)(a) of Directive 2016/680, read in the light of recital 14 thereof, that directive does not apply. It will therefore be for the referring court to satisfy itself that the storage of the data of the applicant in the main proceedings is not capable of serving purposes relating to the protection of national security, given that Article 2(3)(a) of Directive 2016/680 lays down an exception to the application of EU law which must be interpreted strictly (see, by analogy, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C-439/19, EU:C:2021:504, paragraph 62 and the case-law cited).
39 In the first place, it should be borne in mind that the fundamental rights to respect for private life and to the protection of personal data guaranteed by Articles 7 and 8 of the Charter are not absolute rights, but must be considered in relation to their function in society and be weighed against other fundamental rights. Any limitation on the exercise of those fundamental rights must, in accordance with Article 52(1) of the Charter, be provided for by law, respect the essence of those fundamental rights and observe the principle of proportionality. Under the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others. They must apply only in so far as is strictly necessary and the legislation which entails the limitations in question must lay down clear and precise rules governing the scope and application of those limitations (see, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C-439/19, EU:C:2021:504, paragraph 105 and the case-law cited).
40 As stated, in essence, in recital 26 of Directive 2016/680, those requirements are not met where the objective of general interest pursued can reasonably be achieved just as effectively by other means less restrictive of the fundamental rights of the persons concerned (see, by analogy, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C-439/19, EU:C:2021:504, paragraph 110 and the case-law cited).
41 In the second place, first of all, under Article 4(1)(c) of that directive, Member States are to provide for personal data to be adequate, relevant and not excessive in relation to the purposes for which they are processed. That provision thus requires the Member States to observe the principle of ‘data minimisation’, which gives expression to the principle of proportionality (see, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C-439/19, EU:C:2021:504, paragraph 98 and the case-law cited).
42 It follows that, in particular, the collection of personal data in the context of criminal proceedings and their storage by police authorities, for the purposes set out in Article 1(1) of that directive, must, like any processing falling within the scope of that directive, comply with those requirements. Such storage also constitutes an interference with the fundamental rights to respect for private life and to the protection of personal data, irrespective of whether or not the information stored is sensitive, whether or not the persons concerned have been inconvenienced in any way on account of that interference, or whether or not the stored data will subsequently be used (see, by analogy, judgment of 5 April 2022, Commissioner of An Garda Síochána and Others, C-140/20, EU:C:2022:258, paragraph 44 and the case-law cited).
43 Furthermore, as regards, more specifically, the proportionality of the period for which the data will be stored, the Member States must, pursuant to Article 4(1)(e) of Directive 2016/680, provide that those data are to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.
44 In that context, Article 5 of that directive requires the Member States to provide for the establishment of appropriate time limits for the erasure of personal data or for a periodic review of the need for the storage of those data and procedural measures to ensure that those time limits are observed.
45 As stated in recital 26 of Directive 2016/680, that provision seeks to ensure that personal data are not, in accordance with the requirements of Article 4(1)(e) of that directive, kept longer than is necessary. It is true that Directive 2016/680 leaves it to the Member States to set appropriate time limits on the storage period and to decide whether those time limits concern the erasure of those data or the periodic review of the need to store them, provided that the observance of those time limits is ensured by adequate procedural measures. However, the ‘appropriate’ nature of those periods requires, in any event, that – in accordance with Article 4(1)(c) and (e) of that directive, read in the light of Article 52(1) of the Charter – those time limits allow, where appropriate, the erasure of the data concerned where their storage is no longer necessary for the purposes which justified the processing.
46 It is, in particular, in order to enable data subjects to verify that ‘appropriate’ nature and, if necessary, to request such erasure that Article 13(2)(b) and Article 14(d) of Directive 2016/680 provide that, in principle, those persons are to be informed, where possible, of the period for which their personal data will be stored or, if that is not possible, of the criteria used to determine that period.
47 Next, Article 10 of Directive 2016/680 constitutes a specific provision governing the processing of special categories of personal data, including biometric and genetic data. The purpose of that article is to ensure enhanced protection of the data subject, since the data in question, because of their particular sensitivity and the context in which they are processed, are liable, as is apparent from recital 37 of that directive, to create significant risks to fundamental rights and freedoms, such as the right to respect for private life and the right to the protection of personal data, guaranteed by Articles 7 and 8 of the Charter (judgment of 26 January 2023, Ministerstvo na vatreshnite raboti (Recording of biometric and genetic data by the police), C-205/21, EU:C:2023:49, paragraph 116 and the case-law cited).
48 More specifically, Article 10 of Directive 2016/680 lays down the requirement that the processing of sensitive data be allowed ‘only where strictly necessary’, which constitutes a strengthened condition for the lawful processing of such data and entails, inter alia, a particularly strict review of compliance with the principle of ‘data minimisation’, as derived from Article 4(1)(c) of Directive 2016/680; that requirement constitutes a specific application of that principle to those sensitive data (see, to that effect, judgment of 26 January 2023, Ministerstvo na vatreshnite raboti (Recording of biometric and genetic data by the police), C-205/21, EU:C:2023:49, paragraphs 117, 122 and 125).
49 Lastly, Article 16(2) of Directive 2016/680 establishes a right to erasure of personal data where the processing infringes the provisions adopted pursuant to Article 4, 8 or 10 of that directive or where those data must be erased in order to comply with a legal obligation to which the data controller is subject.
50 It follows from Article 16(2) of Directive 2016/680 that that right to erasure may be exercised, inter alia, where the storage of the personal data in question is not or is no longer necessary for the purposes for which they are processed, in breach of the provisions of national law implementing Article 4(1)(c) and (e) of that directive and, as the case may be, Article 10 thereof, or where that erasure is required in order to comply with the time limit set, for that purpose, by national law pursuant to Article 5 of that directive.
51 However, pursuant to Article 16(3) of Directive 2016/680, national law must provide that the data controller is to restrict the processing of those data instead of erasing them where, in accordance with point (a) of that provision, the accuracy of the personal data is contested by the data subject and their accuracy or inaccuracy cannot be ascertained, or where, in accordance with point (b) of that provision, the personal data must be maintained for the purposes of evidence.
52 It follows from the foregoing that the provisions of Directive 2016/680 examined in paragraphs 41 to 51 above establish a general framework to ensure, inter alia, that the storage of personal data and, more specifically, the period of storage, are limited to what is necessary for the purposes for which those data are stored, while leaving it to the Member States to determine, in compliance with that framework, the specific situations in which the protection of the fundamental rights of the data subject requires the erasure of those data and the time at which those data must be erased. However, as the Advocate General observed, in essence, in point 28 of his Opinion, those provisions do not require the Member States to define absolute time limits for the storage of personal data, beyond which those data must be automatically erased.
53 In the present case, it is apparent from the documents before the Court that the personal data entered in the police records pursuant to Article 68 of the Law on the Ministry of the Interior are stored only for operational investigation purposes and, more specifically, for the purpose of comparison with other data collected during investigations into other offences.
54 In that regard, in the first place, it should be noted that the storage, in police records, of data relating to persons who have been convicted by final judgment may prove necessary for the purposes indicated in the preceding paragraph, even after the conviction in question has been erased from the criminal record and, consequently, the effects which national legislation attaches to that conviction are repealed. Those persons may be involved in criminal offences other than those for which they were convicted or, on the contrary, they may be exonerated through the comparison of the data stored by those authorities with the data collected during the proceedings relating to those other offences.
55 Accordingly, such storage may contribute to the objective of general interest set out in recital 27 of Directive 2016/680, which states that, for the prevention, investigation and prosecution of criminal offences, it is necessary for competent authorities to process personal data collected in the context of the prevention, investigation, detection or prosecution of specific criminal offences beyond that context in order to develop an understanding of criminal activities and to make links between different criminal offences detected (see, to that effect, judgment of 26 January 2023, Ministerstvo na vatreshnite raboti (Recording of biometric and genetic data by the police), C-205/21, EU:C:2023:49, paragraph 98).
56 In the second place, it is apparent from the documents before the Court that the data stored in the police records are the data relating to the data subject referred to in the Bulgarian legislation on identity documents, his or her fingerprints, his or her photograph, a DNA sample taken for profiling purposes and, as the Bulgarian Government confirmed at the hearing, the data relating to the criminal offences committed by the data subject and to his or her convictions in that regard. Those various categories of data may prove essential for the purposes of verifying whether the data subject is involved in criminal offences other than those in respect of which he or she has been convicted by final judgment. Consequently, they may be regarded, in principle, as adequate and relevant in relation to the purposes for which they are processed, within the meaning of Article 4(1)(c) of Directive 2016/680.
57 In the third place, the proportionality of such storage in the light of its purposes must be assessed taking into account also the appropriate technical and organisational measures laid down by national law, which are intended to ensure the confidentiality and security of the stored data with regard to processing contrary to the requirements of Directive 2016/680, in accordance with Articles 20 and 29 of that directive, and in particular the measures referred to in Article 20(2) thereof, ensuring that only personal data which are necessary for each specific purpose of the processing are processed.
58 In the fourth place, as regards the period for which the personal data at issue in the main proceedings are stored, it is apparent, in the present case, from the request for a preliminary ruling that it is only in the event that the data subject is convicted by final judgment of an intentional criminal offence subject to public prosecution that the data in question are stored until that person’s death, since the national legislation provides for the removal of the entries of persons accused of such a criminal offence in other cases.
59 In that regard, it must be stated, however, that the concept of an ‘intentional criminal offence subject to public prosecution’ is particularly general and is liable to apply to a large number of criminal offences, irrespective of their nature and gravity (see, to that effect, judgment of 26 January 2023, Ministerstvo na vatreshnite raboti (Recording of biometric and genetic data by the police), C-205/21, EU:C:2023:49, paragraph 129).
60 As the Advocate General also observed, in essence, in points 73 and 74 of his Opinion, persons convicted by final judgment of a criminal offence falling within the scope of that concept do not all present the same degree of risk of being involved in other criminal offences, justifying a uniform period of storage of the data relating to them. Thus, in certain cases, in the light of factors such as the nature and seriousness of the offence committed or the absence of recidivism, the risk represented by the convicted person will not necessarily justify maintaining the data relating to him in the national police records provided for that purpose until his death. In such cases, there will no longer be a necessary connection between the data stored and the objective pursued (see, by analogy, Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017, EU:C:2017:592, paragraph 205). Accordingly, the storage of such data will not comply with the principle of data minimisation set out in Article 4(1)(c) of Directive 2016/680 and will exceed the period necessary for the purposes for which they are processed, contrary to Article 4(1)(e) of that directive.
61 It must be noted, in that regard, that, admittedly, as the Advocate General stated, in essence, in point 70 of his Opinion, the legal rehabilitation of such a person, resulting in the erasure of his or her conviction from his or her criminal record, such as occurred in the main proceedings, cannot, by itself, render unnecessary the storage of his or her data in the police records, since the purposes of that storage are different from those of the recording of his or her convictions in that criminal record. However, where, as in the present case, under the applicable provisions of national criminal law, such legal rehabilitation is conditional upon the fact that the person concerned has not committed any further intentional criminal offence subject to public prosecution for a certain period of time after the sentence has been served, it may constitute an indication that the person concerned presents a lower risk with regard to the objectives of combating crime or maintaining public order and may therefore be a factor liable to reduce the period for which that storage is necessary.
62 In the fifth place, the principle of proportionality, set out in Article 52(1) of the Charter, entails, in particular, a balancing of the importance of the objective pursued and the seriousness of the limitation placed on the exercise of the fundamental rights in question (see, to that effect, judgment of 22 November 2022, Luxembourg Business Registers, C-37/20 and C-601/20, EU:C:2022:912, paragraph 66).
63 In the present case, as noted in paragraph 35 above, the storage of personal data in the police register at issue includes biometric and genetic data. It must therefore be pointed out that, having regard to the significant risks posed by the processing of such sensitive data to the rights and freedoms of data subjects, in particular in the context of the tasks of the competent authorities for the purposes set out in Article 1(1) of Directive 2016/680, the specific importance of the objective pursued must be assessed in the light of a number of relevant factors. Such factors include, inter alia, the fact that the processing serves a specific objective connected with the prevention of criminal offences or threats to public security displaying a certain degree of seriousness, the punishment of such offences or protection against such threats, and the specific circumstances in which that processing is carried out (judgment of 26 January 2023, Ministerstvo na vatreshnite raboti (Recording of biometric and genetic data by the police), C-205/21, EU:C:2023:49, paragraph 127).
64 In that context, the Court has held that national legislation which provides for the systematic collection of the biometric and genetic data of any person accused of an intentional offence subject to public prosecution is, in principle, contrary to the requirement of strict necessity laid down in Article 10 of Directive 2016/680 and referred to in paragraph 48 above. Such legislation is liable to lead, in an indiscriminate and generalised manner, to the collection of the biometric and genetic data of most accused persons (see, to that effect, judgment of 26 January 2023, Ministerstvo na vatreshnite raboti (Recording of biometric and genetic data by the police), C-205/21, EU:C:2023:49, paragraphs 128 and 129).
65 As for the European Court of Human Rights, it has held that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as provided for by the national legislation at issue in the case before that court, failed to strike a fair balance between the competing public and private interests and that, accordingly, the retention of those data constituted a disproportionate interference with the applicants’ right to respect for private life and could not be regarded as necessary in a democratic society; that interference thus constituted a violation of Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms, signed in Rome on 4 November 1950 (ECtHR, 4 December 2008, S. and Marper v. the United Kingdom, CE:ECHR:2008:1204JUD003056204, §§ 125 and 126).
66 It is true that the storage of the biometric and genetic data of persons who have already been convicted by final judgment, even until the death of those persons, may be strictly necessary, within the meaning of Article 10 of Directive 2016/680, in particular in order to enable the possible involvement of those persons in other criminal offences to be verified and, accordingly, to prosecute and convict the perpetrators of those offences. It is necessary to have regard to the importance of that type of data for criminal investigations, even many years after the events, in particular where the offences in question constitute serious crimes (see, to that effect, ECtHR, 13 February 2020, Gaughran v. the United Kingdom, CE:ECHR:2020:0213JUD004524515, § 93).
67 However, the storage of biometric and genetic data can be regarded as meeting the requirement that it is to be allowed only ‘where strictly necessary’, within the meaning of Article 10 of Directive 2016/680, only if it takes into consideration the nature and seriousness of the offence which led to the final criminal conviction, or other circumstances such as the particular context in which that offence was committed, its possible connection with other ongoing proceedings or the background or profile of the convicted person. Accordingly, where national legislation, such as that at issue in the main proceedings, provides that the biometric and genetic data of data subjects entered in the police records is – in the event that those persons are convicted by final judgment – to be stored until the death of those persons, the scope of that storage is, as stated in paragraphs 59 and 60 above, excessively broad with regard to the purposes for which those data are processed.
68 In the sixth place, as regards, first, the obligation imposed on Member States to provide for the establishment of appropriate time limits, set out in Article 5 of Directive 2016/680, it should be noted that, for the reasons set out in paragraphs 59, 60 and 67 above and having regard to the requirements of Article 4(1)(c) and (e) and Article 10 of that directive, a time limit can be regarded as ‘appropriate’, within the meaning of Article 5 of that directive, in particular as regards the storage of the biometric and genetic data of any person convicted by final judgment of an intentional criminal offence subject to public prosecution, only if it takes into consideration the relevant circumstances which might require such a storage period, such as those referred to in paragraph 67 above.
69 Consequently, even if the reference, in the national legislation, to the death of the data subject may constitute a ‘time limit’ for the erasure of stored data, within the meaning of Article 5 of Directive 2016/680, such a time limit can be regarded as ‘appropriate’ only in specific circumstances which duly justify it. That is clearly not the case where it is applicable generally and indiscriminately to any person convicted by final judgment.
70 It is true, as pointed out in paragraph 45 above, that Article 5 of Directive 2016/680 leaves it to the Member States to decide whether time limits must be established concerning the erasure of those data or the periodic review of the need for their storage. However, it is also apparent from that paragraph that the ‘appropriate’ nature of the time limits for such a periodic review requires that they allow, in accordance with Article 4(1)(c) and (e) of that directive, read in the light of Article 52(1) of the Charter, the erasure of the data at issue, where their storage is no longer necessary. For the reasons set out in the preceding paragraph, that requirement is not satisfied where, as in the present case, the national legislation provides for such erasure, as regards a person convicted by final judgment of an intentional criminal offence subject to public prosecution, only in the event of that person’s death.
71 As regards, secondly, the guarantees provided for in Article 16(2) and (3) of that directive, concerning the conditions relating to the rights to erasure and to the restriction of processing, it follows from paragraphs 50 and 51 above that those provisions also preclude national legislation which does not allow a person convicted by final judgment of an intentional criminal offence subject to public prosecution to exercise those rights.
72 In the light of all the foregoing considerations, the answer to the question referred is that Article 4(1)(c) and (e) of Directive 2016/680, read in conjunction with Articles 5 and 10, Article 13(2)(b) and Article 16(2) and (3) thereof, and in the light of Articles 7 and 8 of the Charter, must be interpreted as precluding national legislation which provides for the storage, by police authorities, for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, of personal data, including biometric and genetic data, concerning persons who have been convicted by final judgment of an intentional criminal offence subject to public prosecution, until the death of the data subject, even in the event of his or her legal rehabilitation, without imposing on the data controller the obligation to review periodically whether that storage is still necessary, nor granting that data subject the right to have those data erased, where their storage is no longer necessary for the purposes for which they are processed or, where appropriate, to have the processing of those data restricted.
Costs
73 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Grand Chamber) hereby rules:
Article 4(1)(c) and (e) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, read in conjunction with Articles 5 and 10, Article 13(2)(b) and Article 16(2) and (3) thereof, and in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union,
must be interpreted as precluding national legislation which provides for the storage, by police authorities, for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, of personal data, including biometric and genetic data, concerning persons who have been convicted by final judgment of an intentional criminal offence subject to public prosecution, until the death of the data subject, even in the event of his or her legal rehabilitation, without imposing on the data controller the obligation to review periodically whether that storage is still necessary, nor granting that data subject the right to have those data erased, where their storage is no longer necessary for the purposes for which they are processed or, where appropriate, to have the processing of those data restricted.
[Signatures]
* Language of the case: Bulgarian.