JUDGMENT OF THE COURT (Fifth Chamber)
8 December 2022 (*)
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Articles 2, 4 and 6 – Applicability of Regulation 2016/679 – Concept of ‘legitimate interest’ – Concept of ‘task carried out in the public interest or in the exercise of official authority’ – Directive (EU) 2016/680 – Articles 1, 3, 4, 6 and 9 – Lawfulness of the processing of personal data collected in the course of a criminal investigation – Subsequent processing of data relating to a presumed victim of a criminal offence for the purpose of making a formal accusation in respect of him or her – Concept of purpose ‘other than that for which the personal data are collected’ – Data used by the public prosecutor’s office of a Member State for the purposes of its defence in an action for damages against the State)
In Case C-180/21,
REQUEST for a preliminary ruling under Article 267 TFEU from the Administrativen sad – Blagoevgrad (Administrative Court, Blagoevgrad, Bulgaria), made by decision of 19 March 2021, received at the Court on 23 March 2021, in the proceedings
VS
v
Inspektor v Inspektorata kam Visshia sadeben savet,
interested party:
Teritorialno otdelenie – Petrich kam Rayonna prokuratura – Blagoevgrad,
THE COURT (Fifth Chamber),
composed of E. Regan, President of the Chamber, D. Gratsias (Rapporteur), M. Ilešič, I. Jarukaitis, and Z. Csehi, Judges,
Advocate General: M. Campos Sánchez-Bordona,
Registrar: A. Calot Escobar,
having regard to the written procedure,
after considering the observations submitted on behalf of:
– VS, by V. Harizanova,
– Inspektor v Inspektorata kam Visshia sadeben savet, by S. Mulyachka,
– the Bulgarian Government, by M. Georgieva and T. Mitova, acting as Agents,
– the Czech Government, by O. Serdula, M. Smolek and J. Vláčil, acting as Agents,
– the Netherlands Government, by M.K. Bulterman and J.M. Hoogveld, acting as Agents,
– the European Commission, by H. Kranenborg and I. Zaloguin, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 19 May 2022,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Article 1(1) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89) and of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2006 L 119, p. 1; ‘the GDPR’), in particular Article 6(1) thereof.
2 The request has been made in proceedings between VS and Inspektor v Inspektorata kam Visshia sadeben savet (Inspector with the Inspectorate at the Supreme Judicial Council, Bulgaria) (‘the IVSS’) concerning the lawfulness of the processing of personal data concerning VS by the District Public Prosecutor’s Office, Petrich (Bulgaria).
Legal context
European Union law
The GDPR
3 Recitals 19, 45 and 47 of the GDPR state:
‘(19) … Member States may entrust competent authorities within the meaning of [Directive 2016/680] with tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security, so that the processing of personal data for those other purposes, in so far as it is within the scope of Union law, falls within the scope of this Regulation.
…
(45) Where processing is … necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing. A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient. …
…
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. … Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. …’
4 Article 2 of that regulation, entitled ‘Material scope’, provides, in paragraphs 1 and 2:
‘1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law;
…
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’
5 Article 4 of the GDPR, entitled ‘Definitions’, provides:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
…
(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
…’
6 Article 5 of the GDPR, entitled ‘Principles relating to processing of personal data’, provides, in paragraph 1:
‘Personal data shall be:
…
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; … (“purpose limitation”);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
…’
7 Under Article 6 of the GDPR, entitled ‘Lawfulness of processing’:
‘1. Processing shall be lawful only if and to the extent that at least one of the following applies:
…
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
…
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data …
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
…
3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
(a) Union law; or
(b) Member State law to which the controller is subject.
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. …’
8 Article 21 of the GDPR, entitled ‘Right to object’, provides, in paragraph 1:
‘The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) … The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.’
9 Article 23 of that regulation, entitled ‘Restrictions’, states, in paragraph 1, that EU or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, inter alia, certain important objectives of general public interest of the European Union or of a Member State.
Directive 2016/680
10 Recitals 8 to 12, 27 and 29 of Directive 2016/680 state:
‘(8) Article 16(2) TFEU mandates the European Parliament and the Council [of the European Union] to lay down the rules relating to the protection of natural persons with regard to the processing of personal data and the rules relating to the free movement of personal data.
(9) On that basis, [the GDPR] lays down general rules to protect natural persons in relation to the processing of personal data and to ensure the free movement of personal data within the Union.
(10) In Declaration No 21 on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation, annexed to the final act of the intergovernmental conference which adopted the Treaty of Lisbon, the conference acknowledged that specific rules on the protection of personal data and the free movement of personal data in the fields of judicial cooperation in criminal matters and police cooperation based on Article 16 TFEU may prove necessary because of the specific nature of those fields.
(11) It is therefore appropriate for those fields to be addressed by a directive that lays down the specific rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, respecting the specific nature of those activities. Such competent authorities may include not only public authorities such as the judicial authorities, the police or other law-enforcement authorities but also any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of this Directive. Where such a body or entity processes personal data for purposes other than for the purposes of this Directive, [the GDPR] therefore applies in cases where a body or entity collects personal data for other purposes and further processes those personal data in order to comply with a legal obligation to which it is subject. …
(12) The activities carried out by the police or other law-enforcement authorities are focused mainly on the prevention, investigation, detection or prosecution of criminal offences, including police activities without prior knowledge if an incident is a criminal offence or not. … Member States may entrust competent authorities with other tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against and the prevention of threats to public security, so that the processing of personal data for those other purposes, in so far as it is within the scope of Union law, falls within the scope of [the GDPR].
…
(27) For the prevention, investigation and prosecution of criminal offences, it is necessary for competent authorities to process personal data collected in the context of the prevention, investigation, detection or prosecution of specific criminal offences beyond that context in order to develop an understanding of criminal activities and to make links between different criminal offences detected.
…
(29) Personal data should be collected for specified, explicit and legitimate purposes within the scope of this Directive and should not be processed for purposes incompatible with the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. If personal data are processed by the same or another controller for a purpose within the scope of this Directive other than that for which it has been collected, such processing should be permitted under the condition that such processing is authorised in accordance with applicable legal provisions and is necessary for and proportionate to that other purpose.’
11 Article 1 of that directive, entitled ‘Subject matter and objectives’, provides, in paragraph 1:
‘This Directive lays down the rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’
12 The definitions of the terms ‘personal data’ and ‘processing’ in paragraphs 1 and 2, respectively, of Article 3 of that directive, entitled ‘Definitions’, reproduce those set out in Article 4(1) and (2) of the GDPR.
13 Under Article 3(7)(a) and (8) of Directive 2016/680:
‘For the purposes of this Directive:
…
(7) “competent authority” means:
(a) any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; …
…
(8) “controller” means the competent authority which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law’.
14 Article 4 of Directive 2016/680, entitled ‘Principles relating to processing of personal data’, states, in paragraph 1:
‘Member States shall provide for personal data to be:
…
(b) collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes;
(c) adequate, relevant and not excessive in relation to the purposes for which they are processed;
…’
15 Article 4(2) of Directive 2016/680 provides:
‘Processing by the same or another controller for any of the purposes set out in Article 1(1) other than that for which the personal data are collected shall be permitted in so far as:
(a) the controller is authorised to process such personal data for such a purpose in accordance with Union or Member State law; and
(b) processing is necessary and proportionate to that other purpose in accordance with Union or Member State law.’
16 Under Article 6 of Directive 2016/680, entitled ‘Distinction between different categories of data subject’:
‘Member States shall provide for the controller, where applicable and as far as possible, to make a clear distinction between personal data of different categories of data subjects, such as:
(a) persons with regard to whom there are serious grounds for believing that they have committed or are about to commit a criminal offence;
(b) persons convicted of a criminal offence;
(c) victims of a criminal offence or persons with regard to whom certain facts give rise to reasons for believing that he or she could be the victim of a criminal offence; …
…’
17 Article 9 of Directive 2016/680, entitled ‘Specific processing conditions’, provides, in paragraphs 1 and 2:
‘1. Personal data collected by competent authorities for the purposes set out in Article 1(1) shall not be processed for purposes other than those set out in Article 1(1) unless such processing is authorised by Union or Member State law. Where personal data are processed for such other purposes, [the GDPR] shall apply unless the processing is carried out in an activity which falls outside the scope of Union law.
2. Where competent authorities are entrusted by Member State law with the performance of tasks other than those performed for the purposes set out in Article 1(1), [the GDPR] shall apply to processing for such purposes …, unless the processing is carried out in an activity which falls outside the scope of Union law.’
Bulgarian law
Constitution of the Republic of Bulgaria
18 Article 127 of the Constitution of the Republic of Bulgaria provides:
‘The Public Prosecutor’s Office shall ensure that laws are complied with by:
1. directing the investigation and reviewing the lawfulness of its conduct;
2. having the powers to conduct an investigation;
3. making a formal accusation in respect of persons who have committed criminal offences and prosecuting criminal offences subject to public prosecution;
…’
The ZZLD
19 In accordance with Article 1 thereof, the Zakon za zashtita na lichnite danni (Law on the Protection of Personal Data) (DV No 1 of 4 January 2002; ‘the ZZLD’) seeks to ensure the protection of natural persons with regard to the processing of personal data as governed by the GDPR and with regard to the processing of such data by the competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public order and security.
20 In accordance with Article 17(1) of the ZZLD, the IVSS is to monitor and ensure compliance with the GDPR, the ZZLD and acts on the subject of the protection of personal data in the processing of personal data by, inter alia, the Public Prosecutor’s Office and the investigating authorities in the exercise of their judicial functions, for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. Article 38b of the ZZLD confers on the data subject, in the event of an infringement of his or her rights, inter alia by those authorities, the right to lodge a complaint with the IVSS.
21 Article 42(2) and (3), Article 45(2) and Article 47 of the ZZLD implement Article 9(1) and (2), Article 4(2) and Article 6 of Directive 2016/680 respectively.
The Code of Criminal Procedure
22 Article 191 of the Nakazatelno-protsesualen kodeks (Code of Criminal Procedure) (DV No 86 of 28 October 2005), in the version applicable to the dispute in the main proceedings, provides:
‘Pre-trial proceedings shall be conducted in respect of criminal offences subject to public prosecution.’
23 Article 192 of the Code of Criminal Procedure, in the version applicable to the dispute in the main proceedings, provides:
‘Pre-trial proceedings shall comprise an investigation and actions of the Public Prosecutor after the investigation has been closed.’
The Code of Civil Procedure
24 Articles 8 and 9 of the Grazhdanski protsesualen kodeks (Code of Civil Procedure) (DV No 59 of 20 July 2007), in the version applicable to the dispute in the main proceedings, implement the principles of audi alteram partem and equality of arms respectively.
25 Article 154 of the Code of Civil Procedure, in the version applicable to the dispute in the main proceedings, entitled ‘Burden of proof’, provides, in paragraph 1:
‘Each party shall be required to establish the facts on which it bases its claims or objections.’
The Zakon za otgovornostta na darzhavata i obshtinite za vredi
26 Article 2b of the Zakon za otgovornostta na darzhavata i obshtinite za vredi (Law on liability of the State and of municipalities for damage) (DV No 60 of 5 August 1988) provides:
‘(1) The State shall be liable for damage caused to citizens and legal persons by an infringement of the right to have the case examined and disposed of within a reasonable time in accordance with Article 6(1) of the Convention [for the Protection of Human Rights and Fundamental Freedoms, signed in Rome on 4 November 1950].
(2) The actions referred to in paragraph 1 shall be examined in accordance with the Code of Civil Procedure, whereby the court shall take into account the total duration and subject matter of the proceedings, their factual and legal complexity, the conduct of the parties and of their procedural or legal representatives, the conduct of the other parties to the proceedings and of the competent authorities, and other facts relevant to the correct resolution of the dispute.
…’
The dispute in the main proceedings and the questions referred for a preliminary ruling
27 In 2013, the District Public Prosecutor’s Office, Petrich, opened pre-trial proceedings No 252/2013 against an unknown person for the commission of an offence referred to in Article 325(1) of the Nakazatelen kodeks (Criminal Code), read in conjunction with Article 20(2) thereof, in the context of an incident which took place in a bar. The applicant in the main proceedings, VS, took part in those proceedings as a victim of that criminal offence.
28 In 2016, following a number of complaints concerning, inter alia, VS, the District Public Prosecutor’s Office, Petrich, compiled a number of files containing information relating to that person, but did not open any pre-trial proceedings in the absence of evidence that a criminal offence had been committed.
29 In 2018, in the context of pre-trial proceedings No 252/2013, the public prosecutor made formal accusations in respect of all the persons who took part in the incident at issue in those proceedings, including VS.
30 In civil proceedings, VS brought an action before the Okrazhen sad Blagoevgrad (Regional Court, Blagoevgrad, Bulgaria) against the Public Prosecutor’s Office of the Republic of Bulgaria seeking damages for the harm allegedly resulting from the excessive duration of pre-trial proceedings No 252/2013. At the hearing on 15 October 2018, for the purposes of defending that public prosecutor’s office, a public prosecutor of the District Public Prosecutor’s Office, Petrich, representing the Public Prosecutor’s Office, requested that the files opened by that public prosecutor’s office in 2016, referred to in paragraph 28 of this judgment, be produced in the context of that action. It is apparent from the order for reference that that public prosecutor thus intended to demonstrate that the health problems relied on by the applicant in the main proceedings were not, as he claimed, attributable to those pre-trial proceedings, but had been caused by the checks carried out by the police and by the District Public Prosecutor’s Office, Petrich, in connection with those files. At the same hearing, the Okrazhen sad Blagoevgrad (Regional Court, Blagoevgrad) ordered that public prosecutor’s office to produce certified copies of the documents in the files in question, which the public prosecutor of that public prosecutor’s office then did.
31 On 12 March 2020, VS lodged a complaint with the IVSS, claiming that the District Public Prosecutor’s Office, Petrich, had infringed the provisions relating to the protection of personal data. By his first claim, he submitted that that public prosecutor’s office had unlawfully used his personal data, which had been collected when he was considered to be a victim of a criminal offence, in order to prosecute him in the same proceedings and in respect of the same acts. By his second claim, he alleged that the public prosecutor’s office acted unlawfully as regards the processing of personal data that were collected in the files referred to in paragraph 28 of this judgment, in the context of his action for damages against the Public Prosecutor’s Office of the Republic of Bulgaria. By decision of 22 June 2020, the IVSS rejected that complaint.
32 On 31 July 2020, VS brought an action before the referring court against that decision, claiming, first, that the processing of his personal data in the course of pre-trial proceedings No 252/2013 is contrary to, inter alia, the principles of Directive 2016/680, and second, that the processing of the data collected in the files referred to in paragraph 28 of this judgment, after the Public Prosecutor’s Office had refused to initiate pre-trial proceedings, infringes the principles of the GDPR.
33 Taking the view, in the light of the Court’s case-law, that the dispute in the main proceedings concerns the processing of personal data in the context of activities coming within the scope of the GDPR and Directive 2016/680, the referring court has doubts as to the limits laid down by EU law concerning the subsequent processing of personal data that were initially collected by the controller for the purposes of the investigation and detection of a criminal offence.
34 In particular, first, the referring court has doubts whether, in the event that the Public Prosecutor’s Office of the Republic of Bulgaria, as a ‘competent authority’ within the meaning of Article 3(7)(a) of Directive 2016/680, and as a ‘controller’ within the meaning of Article 3(8) of that directive, has collected, for the purposes of the investigation and detection of a criminal offence, personal data relating to a person who was considered to be a victim at the time of that collection, the subsequent processing of those data by the same authority for the purposes of the prosecution of that person serves a purpose that comes within the scope of that directive but that is other than that for which the data in question was collected, within the meaning of Article 4(2) of that directive.
35 Second, the referring court states that the reference, in the context of the action for damages brought by VS, to the information relating to that person contained in the files opened in 2016 by the District Public Prosecutor’s Office, Petrich, serves a different purpose from that for which that information was collected and states that, in the context of that action, the Public Prosecutor’s Office, as defendant, is not acting for the purposes of the prevention, investigation, detection or prosecution of criminal offences. However, the referring court has doubts whether the mere fact of indicating to the civil court having jurisdiction that those files concern VS and of transmitting to it that information in full or in part constitutes ‘processing’ of ‘personal data’, within the meaning of Article 4(1) and (2) of the GDPR, coming within the scope of that regulation, in accordance with Article 2(1) thereof.
36 Furthermore, the referring court considers, in essence, that the dispute in the main proceedings raises the question of reconciling the protection of personal data and the rights of a party to judicial proceedings, where those data have been collected by that party in its capacity as controller within the meaning of Article 3(8) of Directive 2016/680, in particular in the light of point (f) of the first subparagraph of Article 6(1) of the GDPR relating to the necessity of processing for the purposes of the legitimate interests pursued by that controller.
37 The referring court considers that the other grounds for lawfulness of the processing of personal data coming within the scope of the GDPR, which are set out in the first subparagraph of Article 6(1) of that regulation, are not relevant in the dispute in the main proceedings. In particular, according to that court, the provision, for the purposes of its defence in civil proceedings, by the Public Prosecutor’s Office to the court having jurisdiction of information relating to the criminal files opened by it is not necessary for the performance of a task carried out in the public interest and is not covered by the exercise of official authority within the meaning of point (e) of the first subparagraph of Article 6(1) of that regulation.
38 In those circumstances, the Administrativen sad – Blagoevgrad (Administrative Court, Blagoevgrad) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Is Article 1(1) of [Directive 2016/680] to be interpreted as meaning that, when stating the objectives of that directive, the terms “prevention, investigation, detection or prosecution of criminal offences [or the execution of criminal penalties]” are listed as aspects of a general objective?
(2)(a) Are the provisions of [the GDPR] applicable to the Public Prosecutor’s Office of the Republic of Bulgaria in view of the fact that information concerning a person, which was collected by the Public Prosecutor’s Office, in its capacity as “controller” pursuant to point 8 of Article 3 of [Directive 2016/680], in an investigation file opened in relation to that person with a view to verifying indications of a criminal offence, was used in the context of the judicial defence of the Public Prosecutor’s Office as a party to civil proceedings – by virtue of the fact that the circumstance of that file having been opened was revealed or that the contents of the file were presented?
(b) If that question is answered in the affirmative: Is the expression “legitimate interests” in [point (f) of the first subparagraph of Article 6(1) of the GDPR] to be interpreted as including the disclosure, in whole or in part, of information concerning a person which has been collected in a public prosecution investigation file opened in relation to that person for the purposes of the prevention, investigation, detection or prosecution of criminal offences, in the case where that disclosure is carried out for the purposes of the defence of the controller as a party to civil proceedings, and does that expression exclude the consent of the data subject?’
Consideration of the questions referred
The first question
39 As a preliminary point, it should be noted that, even if the referring court formally confined its first question to the interpretation of Article 1(1) of Directive 2016/680, that circumstance does not prevent the Court from providing it with all the elements of interpretation which may be useful for the judgment in the main proceedings, by extracting from the body of material provided by that court, and in particular from the statement of reasons for the order for reference, the elements of EU law which require interpretation in the light of the subject matter of the dispute (see, to that effect, judgment of 22 April 2021, Profi Credit Slovakia, C-485/19, EU:C:2021:313, paragraph 50 and the case-law cited).
40 It follows that, by its first question, the referring court seeks, in essence, to ascertain (i) whether Article 1(1) of Directive 2016/680, read in conjunction with Article 4(2) and Article 6 thereof, must be interpreted as meaning that the processing of personal data serves a purpose other than that for which those data were collected, where such data were collected for the purposes of the detection and investigation of a criminal offence and the data subject was, at the time of that collection, considered to be a victim, but that processing is carried out for the purpose of prosecuting that person following the conclusion of the criminal investigation at issue, and, (ii) as the case may be, whether that processing is permitted.
41 According to settled case-law, it is necessary, for the interpretation of a provision of EU law, that account be taken not only of its wording, but also of its context and the objectives pursued by the rules of which it is part. The origins of a provision of EU law may also provide information relevant to its interpretation (see, to that effect, judgment of 1 October 2019, Planet49, C-673/17, EU:C:2019:801, paragraph 48 and the case-law cited).
42 In the first place, it must be noted, first of all, that the wording of Article 1(1) of Directive 2016/680, which relates to the subject matter of that directive, expressly distinguishes between different categories of activities whose purposes the processing of the relevant personal data may serve. In that regard, it is apparent from the various language versions of that provision, in particular those in Bulgarian, Spanish, German, Greek, English and Italian, that the different purposes referred to in Article 1(1) of that directive correspond to the ‘prevention’, ‘detection’, ‘investigation’ and ‘prosecution’ of criminal offences and ‘the execution of criminal penalties’, including the ‘safeguarding’ against ‘threats to public security’ and the ‘prevention’ of such threats.
43 Next, the wording of Article 4(2) of that directive, which states that processing for ‘any of the purposes set out in Article 1(1) [thereof] other than that for which the personal data are collected’ is to be permitted, subject to compliance with the requirements laid down by that provision, expressly confirms that the terms listed in Article 1(1), namely ‘prevention’, ‘investigation’, ‘detection’, ‘prosecution’, ‘execution of criminal penalties’, ‘safeguarding against [threats to public security]’ and ‘the prevention of threats to public security’ concern several separate purposes of the processing of personal data coming within the scope of that directive.
44 It can thus be inferred from the very wording of Article 1(1) of Directive 2016/680, read in conjunction with Article 4(2) thereof, that, where personal data have been collected for the purposes of the ‘detection’ and ‘investigation’ of a criminal offence and have subsequently been processed for the purposes of ‘prosecution’, that collection and that processing serve different purposes.
45 Lastly, it must be observed that, under Article 6 of that directive, Member States are under an obligation to provide for the controller, where applicable and as far as possible, to make a clear distinction between personal data of different categories of data subjects, such as, inter alia, those referred to in points (a), (b) and (c) of that article, namely, respectively, persons with regard to whom there are serious grounds for believing that they have committed or are about to commit a criminal offence, persons convicted of a criminal offence, and victims of a criminal offence or persons with regard to whom certain facts give rise to reasons for believing that he or she could be the victim of a criminal offence.
46 Consequently, a person whose personal data are processed for the purposes of criminal prosecution must be regarded as coming within the category of persons with regard to whom there are serious grounds for believing that they have committed a criminal offence, within the meaning of Article 6(a) of Directive 2016/680. It follows that, if, as in the situation referred to in the first question, that person had initially been considered to be a victim of a criminal offence, within the meaning of Article 6(c) of that directive, that processing therefore reflects a change in that person’s category, which it is for the controller to take into account in accordance with the requirement laid down in that article to make a clear distinction between data of different categories of persons.
47 That said, it must be stated that neither Article 1(1) of Directive 2016/680 nor Article 4(2) thereof refers to Article 6 of that directive or to its content in order to lay down the purpose of the processing of personal data coming within the scope of that directive.
48 Moreover, as the Advocate General observed, in essence, in point 62 of his Opinion, the expression ‘where applicable and as far as possible’, used in Article 6 of Directive 2016/680, clearly indicates that it is not necessarily possible to draw a clear distinction between such data, in particular where, as in the present case, those data are collected for the purposes of an ‘investigation’ or ‘detection’ of a criminal offence, since the same person may come within several categories of persons as referred to in Article 6 of that directive and the determination of the categories concerned might change in the course of the pre-trial proceedings, in accordance with the gradual clarification of the facts at issue.
49 It must be inferred from this that Article 6 lays down an obligation that is separate from that laid down in Article 4(2) and, as the Advocate General noted in points 61 to 64 of his Opinion, that obligation is not relevant for the purpose of determining whether the processing of personal data serves a purpose other than that for which those data were collected, within the meaning of that provision.
50 In the second place, as regards the context of the legislation at issue, it should be noted that Article 4(1)(b) and (c) of Directive 2016/680 provides, first, that personal data must be collected for specified, explicit and legitimate purposes and not be processed in a manner that is incompatible with those purposes, and second, that those data must be adequate, relevant and not excessive in relation to the purposes for which they are processed. Those two requirements are set out, in essence, in the same terms in Article 5(1)(b) and (c) of the GDPR, which states that they correspond to the principles of purpose limitation and data minimisation, respectively.
51 That said, it must be observed that Article 4(2) of that directive, in the light of recital 29 thereof, authorises subsequent processing of personal data for a purpose other than that for which those data were collected, where that purpose is among those set out in Article 1(1) of that directive and that processing satisfies the two conditions laid down in Article 4(2)(a) and (b). First, the controller must be authorised to process such personal data for such a purpose in accordance with EU or Member State law. Second, processing must be necessary and proportionate to that other purpose.
52 In particular, personal data collected for the purposes of the ‘prevention’ and ‘detection’ or ‘investigation’ of criminal offences may be processed subsequently, where appropriate, by different competent authorities, for the purposes of ‘prosecution’ or the ‘execution of criminal penalties’, where a criminal offence has been identified and consequently calls for law enforcement action.
53 However, in the context of the collection of personal data for the purposes of the ‘detection’ and ‘investigation’ of criminal offences, the competent authorities are required to gather any data that are potentially relevant to the determination of the acts constituting the criminal offence at issue at a stage where those acts have not yet been established. By contrast, in the context of the processing of personal data for the purposes of ‘prosecution’, those data aim to establish that the acts attributed to the accused persons have sufficient probative value and that the classification of those acts under criminal law is accurate, in order to enable the court having jurisdiction to give a ruling.
54 Consequently, first, personal data necessary for the purposes of the ‘detection’ and ‘investigation’ of a criminal offence will not be systematically necessary for the purposes of ‘prosecution’. Second, the consequences of the processing of personal data for the data subjects might be substantially different, as regards, in particular, the degree of interference with their right to the protection of those data and the effects of that processing on their legal situation in the criminal proceedings in question.
55 In addition, it should be noted that the scope of Article 4(2) is not limited to the processing of personal data in connection with the same criminal offence as that warranting the collection of those data. As stated in recital 27 of Directive 2016/680, that directive takes account of the need for the authorities responsible for combating criminal offences to process personal data for a purpose other than that which led to the collection of those data, in particular with the aim of developing an understanding of criminal activities and of making links between different criminal offences detected.
56 It follows from the foregoing that, in order to meet the requirements referred to in Article 4(2)(a) and (b) of Directive 2016/680, the assessment of compliance with those requirements in the processing, by the same or by another controller, of personal data for one of the purposes set out in Article 1(1), other than that for which those data were collected, must be carried out by regarding each of the purposes referred to in Article 1(1) as specific and distinct.
57 In the third place, as regards the objectives of the legislation at issue, it should be noted that, as is apparent from recitals 10 and 11 of Directive 2016/680, the EU legislature sought to adopt rules which take account of the specific nature of the field covered by that directive.
58 In that regard, recital 12 states that the activities carried out by the police or other law-enforcement authorities are focused mainly on the prevention, investigation, detection or prosecution of criminal offences, including police activities without prior knowledge if an incident is a criminal offence or not.
59 It follows from this that the EU legislature sought to adopt rules corresponding to the specific features which characterise the activities carried out by the competent authorities in the field governed by that directive, while taking account of the fact that they constitute distinct activities serving purposes specific to them.
60 This interpretation, in the light of the context of the provision at issue and the objectives pursued by the legislation of which it is part, is borne out by its origins, in particular by the statement of the Council’s reasons concerning Council Position (EU) No 5/2016 at first reading with a view to the adoption of a Directive of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ 2016 C 158, p. 46). In that statement of reasons, the Council explains the insertion of that provision into Directive 2016/680 by stating that it ‘enables, for example, [a] prosecutor to process the same personal data for the prosecution of a crime, as the police did for the detection of a crime given that both purposes in the example are covered by Article 1(1) [of that directive]’.
61 It is therefore for the referring court to determine, with a view to resolving the dispute in the main proceedings, whether the processing of personal data concerning VS by the District Public Prosecutor’s Office, Petrich, for the purpose of prosecuting that person, could be permitted in the light of the conditions laid down in Article 4(2) of Directive 2016/680, by ascertaining, first, whether that authority was authorised under Bulgarian criminal law to carry out that processing and, second, whether that processing was necessary and proportionate to its purpose.
62 In that regard, it should be noted that, for the purpose of assessing whether that processing is necessary and proportionate, the referring court may, where appropriate, take account of the fact that the authority responsible for that prosecution must be in a position to rely on the data collected during that investigation as evidence of the acts constituting the offence, in particular those relating to the persons involved therein, provided that those data are necessary to identify those persons and to establish their involvement.
63 In the light of all the foregoing, the answer to the first question is that Article 1(1) of Directive 2016/680, read in conjunction with Article 4(2) and Article 6 thereof, must be interpreted as meaning (i) that the processing of personal data serves a purpose other than that for which those data were collected, where such data were collected for the purposes of the detection and investigation of a criminal offence, but that processing is carried out for the purpose of prosecuting a person following the conclusion of the criminal investigation at issue, irrespective of the fact that that person was considered to be a victim at the time of that collection, and (ii) that such processing is permitted pursuant to Article 4(2) of that directive, provided that it meets the conditions laid down in that provision.
The second question
64 By its second question, the referring court asks, in essence, first, whether Article 3(8) and Article 9(1) and (2) of Directive 2016/680 and Article 2(1) and (2) of the GDPR must be interpreted as meaning that that regulation is applicable to the processing of personal data by the public prosecutor’s office of a Member State for the purpose of exercising its rights of defence in an action for damages against the State, where it informs the court having jurisdiction of the existence of files concerning a natural person who is a party to that action, opened for the purposes set out in Article 1(1) of that directive, and transmits those files to that court and, second, if that question were to be answered in the affirmative, whether point (f) of the first subparagraph of Article 6(1) of that regulation must be interpreted as meaning that such processing of personal data may be regarded as lawful for the purposes of the legitimate interests pursued by the controller, within the meaning of that provision.
Admissibility
65 In its written observations, the IVSS disputes the admissibility of the second question on the ground that it was raised by the referring court in the context of the examination of a claim put forward by VS which had been rejected as inadmissible by the decision that is the subject matter of the dispute in the main proceedings, on account of the expiry of the statutory time limit for raising it.
66 According to the Court’s settled case-law, questions on the interpretation of EU law referred by a national court in the factual and legislative context which that court is responsible for defining, and the accuracy of which is not a matter for the Court to determine, enjoy a presumption of relevance. The Court may refuse to rule on a question referred for a preliminary ruling by a national court only where it is quite obvious that the interpretation of EU law that is sought is unrelated to the actual facts of the main action or its purpose, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it (see, to that effect, judgment of 27 September 2017, Puškár, C-73/16, EU:C:2017:725, paragraph 50 and the case-law cited).
67 In the present case, it should be noted, as the Advocate General observed in points 76 and 77 of his Opinion, that the matter of the admissibility of the claims raised by VS in his complaint before the IVSS comes entirely within the jurisdiction of the referring court. Moreover, in the order for reference, that court stated that it considered the second question to be relevant, notwithstanding IVSS’ rejection of the claim referred to in paragraph 65 of this judgment as inadmissible. It is not, in any event, for the Court of Justice to re-examine that assessment.
68 It follows that the second question is admissible.
Substance
– The application of the GDPR to the processing of personal data by the public prosecutor’s office of a Member State for the purpose of exercising its rights of defence in an action for damages against the State
69 In the first place, it is necessary to determine whether the use, by the public prosecutor’s office of a Member State, of information concerning a natural person that it has collected and processed for purposes coming within the scope of Article 1(1) of Directive 2016/680, with a view to exercising its rights of defence in civil proceedings, constitutes ‘processing’ of ‘personal data’ within the meaning of Article 4(1) and (2) of the GDPR.
70 First of all, it must be borne in mind that ‘personal data’, within the meaning of Article 4(1) of the GDPR, means ‘any information relating to an identified or identifiable natural person’, it being understood that, according to the case-law, that definition is applicable where, by reason of its content, purpose and effect, the information in question is linked to a particular person (see, to that effect, judgment of 20 December 2017, Nowak, C-434/16, EU:C:2017:994, paragraph 35). Furthermore, under Article 4(2) of the GDPR, the concept of ‘processing’ is defined as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means’ such as, inter alia, ‘consultation’, ‘use’, ‘disclosure by transmission’, ‘dissemination’ or ‘otherwise making available’. Those definitions reflect the aim of the EU legislature to assign a broad scope to those two concepts (see, to that effect, judgments of 20 December 2017, Nowak, C-434/16, EU:C:2017:994, paragraph 34, and of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes), C-175/20, EU:C:2022:124, paragraph 35).
71 In that regard, first, the fact that the defendant in civil proceedings informs the court having jurisdiction, even succinctly, in its written pleadings or at the hearing, of the opening of files concerning the natural person who has brought those proceedings, in particular for the purposes of the ‘detection’ or ‘investigation’ of a criminal offence, means that that defendant ‘consulted’, ‘used’ and ‘transmitted’ or ‘disclosed’ ‘personal data’ for the purposes of Article 4(1) and (2) of the GDPR. Thus, both in terms of its content and its purpose and effect, that information is linked to a particular person, who is identifiable both by the party that disclosed it and by the court to which it is transmitted.
72 Second, the fact that that defendant produces, at the request of the court having jurisdiction, files relating to procedures concerning that natural person involves, at the very least, the ‘use’ and ‘disclosure by transmission’ of ‘personal data’ within the meaning of Article 4(1) and (2) of the GDPR.
73 In the second place, it must be borne in mind that Article 2(1) of the GDPR defines broadly the material scope of that regulation (judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C-439/19, EU:C:2021:504, paragraph 61), which includes any ‘processing of personal data wholly or partly by automated means and … the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system’. The corollary of that broad definition is that the exceptions to the application of the GDPR listed in Article 2(2) thereof must be interpreted strictly. That is the case, in particular, with the exception provided for in Article 2(2)(d) which concerns the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (see, to that effect, judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes), C-175/20, EU:C:2022:124, paragraphs 40 and 41 and the case-law cited).
74 In that regard, the Court has held that, as follows from recital 19 of that regulation, the reason for that exception is that the processing of personal data by the competent authorities for the purposes set out in Article 2(2)(d) of the GDPR is governed by a specific EU legal act, namely Directive 2016/680, which was adopted on the same day as the GDPR (see, to that effect, judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes), C-175/20, EU:C:2022:124, paragraph 42 and the case-law cited).
75 As is apparent from recital 12 of Directive 2016/680, the EU legislature laid down, in Article 9 of that directive, rules relating to the processing of personal data for purposes other than those set out in Article 1(1) of that directive, for which those data were collected.
76 In that regard, Article 9(1) of Directive 2016/680 provides, first, that such processing of personal data cannot, in principle, be carried out, unless it is authorised by EU or Member State law and, second, that the GDPR is to apply to that processing, unless the processing is carried out in an activity which falls outside the scope of EU law. Furthermore, under Article 9(2) of that directive, unless the processing is carried out in such an activity, the GDPR is to apply to the processing by the competent authorities in the performance of their tasks other than those performed for the purposes set out in Article 1(1) of that directive.
77 In the situations referred to in paragraphs 71 and 72 of this judgment, the collection and processing of personal data by the public prosecutor’s office of a Member State for the purposes of the ‘prevention’, ‘detection’, ‘investigation’ or ‘prosecution’ of a criminal offence certainly constitute processing of personal data for the purposes set out in Article 1(1) of Directive 2016/680, within the meaning of Article 9(1) and (2) of that directive.
78 However, even where the bringing of an action for damages against the State arises from alleged misconduct on the part of the public prosecutor’s office in the course of criminal proceedings, such as, as in the present case, alleged infringements of the right to be tried within a reasonable time, the aim of the State’s defence in such an action is not to perform, as such, that public prosecutor’s office’s tasks for the purposes set out in Article 1(1) of Directive 2016/680.
79 Furthermore, in the light of the principle that exceptions to the application of the GDPR must be interpreted strictly, that processing of personal data cannot be regarded as being carried out ‘in an activity which falls outside the scope of Union law’, within the meaning of Article 2(2)(a) of the GDPR and Article 9(1) and (2) of Directive 2016/680. In that regard, it follows from the case-law that the sole purpose of that expression is to exclude from the scope of the GDPR the processing of personal data carried out by the State authorities in the course of an activity which is intended to safeguard national security or of an activity which can be classified in the same category. The participation of a public authority in civil proceedings as a defendant in an action for damages against the State does not seek to safeguard national security; nor can it be classified in the same category of activities (see, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C-439/19, EU:C:2021:504, paragraphs 66 to 68 and the case-law cited).
80 In the third place, it should be noted that, for the purpose of applying the GDPR to the data processing referred to in paragraphs 71 and 72 of this judgment, the public prosecutor’s office must be considered to be a ‘controller’, within the meaning not only of Article 4(7) of the GDPR, but also of Article 3(8) of Directive 2016/680, in that ‘alone or jointly with others’, it ‘determines the purposes and means’ of that processing, within the meaning of the latter provision. It is that authority, as a party to the proceedings, which informs the court having jurisdiction of the existence of files opened in criminal matters concerning the other party and which transmits those files to it. Its status as ‘controller’, having regard to the broad definition of that concept, which seeks to ensure effective and complete protection of data subjects, is independent of the extent of its involvement and its level of responsibility, which may be different from those of the court having jurisdiction, for which it is to authorise or order such processing (see, by analogy, judgment of 29 July 2019, Fashion ID, C-40/17, EU:C:2019:629, paragraphs 66 to 70).
81 Irrespective of whether the data processing referred to in paragraph 80 of this judgment comes within the scope of Article 9(1) or (2) of Directive 2016/680, it is apparent from the wording of those paragraphs and the relationship between them that the GDPR applies to any processing of personal data, collected for the purposes set out in Article 1(1) of that directive, for other purposes, unless the processing in question falls outside the scope of EU law, including where the ‘controller’, within the meaning of Article 3(8) of that directive, is a ‘competent authority’ within the meaning of Article 3(7)(a) thereof and carries out the processing of personal data in the context of tasks other than those performed for the purposes set out in Article 1(1) of that directive.
82 In the light of all the foregoing, it must be held that the GDPR is applicable to the processing of personal data by the public prosecutor’s office of a Member State for the purpose of exercising its rights of defence in an action for damages against the State, where, first, it informs the court having jurisdiction of the opening of files relating to a natural person who is a party to that action for the purposes set out in Article 1(1) of Directive 2016/680 and, second, it transmits those files to that court.
– The lawfulness of the processing of personal data by the public prosecutor’s office of a Member State for the purpose of exercising its rights of defence in an action for damages against the State
83 It must be borne in mind that Article 6 of the GDPR lists, in a restrictive manner, the cases in which processing of personal data can be regarded as lawful (see, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C-439/19, EU:C:2021:504, paragraph 99).
84 Those cases include point (e) of the first subparagraph of Article 6(1) of the GDPR, which makes provision for processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and point (f) of the first subparagraph of Article 6(1) of that regulation, which refers to processing that is necessary for the purposes of the legitimate interests or freedoms pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject require the protection of personal data. According to the second subparagraph of Article 6(1) of that regulation, point (f) of the first subparagraph of Article 6(1) thereof is not to apply to processing carried out by public authorities in the performance of their tasks.
85 It should be noted that, as the Commission correctly stated in its written observations, it is clear from the wording of the second subparagraph of Article 6(1) of the GDPR that the processing of personal data by a public authority in the performance of its tasks cannot come within the scope of point (f) of the first subparagraph of Article 6(1) of the GDPR, relating to the processing of personal data that is necessary for the purposes of the legitimate interests pursued by the controller. As follows from recital 47 of the GDPR and as the Commission has claimed, that latter provision cannot apply to such data processing, since the legal basis of that processing must be provided for by the legislature. It follows that, where processing by a public authority is necessary for the performance of a task in the public interest, and therefore comes within the scope of the tasks referred to in the second subparagraph of Article 6(1) of that regulation, the application of point (e) of the first subparagraph of Article 6(1) of the GDPR and that of point (f) of the first subparagraph of Article 6(1) of the GDPR are mutually exclusive.
86 It is therefore necessary, before considering the matter of the application of point (f) of the first subparagraph of Article 6(1) of the GDPR, to determine whether the processing, by the public prosecutor’s office of a Member State, of personal data initially collected for one or more of the purposes set out in Article 1(1) of Directive 2016/680, for the purpose of defending the State or a public body in an action for damages for harm caused by misconduct on the part of the State or a public body, is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in it, within the meaning of point (e) of the first subparagraph of Article 6(1).
87 As the Advocate General observed, in essence, in points 94 and 100 of his Opinion, where it is for the public prosecutor’s office to defend the legal and financial interests of the State in an action for damages which calls into question the acts or conduct of that public authority in its performance of tasks in the public interest with which it is entrusted in criminal matters, the defence of those interests may constitute, pursuant to national law, a task carried out in the public interest within the meaning of point (e) of the first subparagraph of Article 6(1) of that regulation.
88 First, by exercising the procedural rights that it enjoys as defendant, that public authority preserves the legal certainty of the acts carried out and decisions adopted in the public interest that are being called into question by the applicant. The public authority’s submissions concerning the applicant’s claims and arguments are capable of preventing, as the case may be, the risk that those claims and arguments might undermine the effective application of rules on the part of the public authority in the performance of the tasks concerning which improper performance is alleged.
89 Second, by its claims and arguments in defence, that public authority is capable of pointing, where such is the case, to the potentially unfounded or excessive nature of the applicant’s claims for compensation, with a view, in particular, to preventing the performance of the tasks carried out in the public interest that are being called into question in the action for damages from being hindered by the prospect of actions for damages, where those tasks are liable to harm the interests of individuals.
90 In that regard, it is irrelevant that, in an action for damages against the State, the public prosecutor’s office is, in its capacity as defendant, on an equal footing with the other parties, and does not exercise public powers, as is the case in the performance of its tasks in criminal matters.
91 In the present case, it is apparent from the order for reference and from the information provided by the Bulgarian Government in response to the questions put by the Court that the action for damages, which is, in part, at the origin of the dispute in the main proceedings, is based on the Law on liability of the State and of municipalities for damage, referred to in paragraph 26 of this judgment, which establishes a system of State liability for harm caused by an infringement of the right to have a case examined and disposed of within a reasonable time, and that, in accordance with Article 7 of that law, it is the party whose unlawful acts, actions or omissions have caused the harm that is to be a party to the dispute and that, on that basis, is to stand in for the State from a procedural point of view.
92 Thus, the role of the authority that caused the harm alleged in such an action for damages is different from that of the defendant in an action for indemnity by the State against the public official who is personally liable on account of shortcomings in the exercise of his or her office, since, in the latter case, that role seeks to defend private interests (see, to that effect, judgment of 18 May 2021, Asociaţia ‘Forumul Judecătorilor din România’ and Others, C-83/19, C-127/19, C-195/19, C-291/19, C-355/19 and C-397/19, EU:C:2021:393, paragraph 225).
93 Therefore, in the light of the foregoing considerations, it should be considered that the processing, by the public prosecutor’s office of a Member State, of personal data initially collected and processed for one or more of the purposes set out in Article 1(1) of Directive 2016/680, for the purpose of defending the State in an action for damages for harm caused by misconduct on the part of that public prosecutor’s office in the performance of its tasks, is, in principle, liable to come not within the scope of point (f) of the first subparagraph of Article 6(1) of the GDPR but rather within that of point (e) of the first subparagraph of Article 6(1) of the GDPR.
94 Moreover, it cannot be ruled out that, where, for the purpose of defending the State in an action for damages, the public prosecutor’s office of a Member State transmits personal data to the court having jurisdiction at that court’s request, that transmission is also liable to come within the scope of point (c) of the first subparagraph of Article 6(1) of the GDPR where, pursuant to the applicable national law, that public prosecutor’s office is required to comply with such a request.
95 In those circumstances, for the purpose of establishing that processing of personal data such as that at issue in the main proceedings comes within the scope of the provisions of the first subparagraph of Article 6(1) of the GDPR, it is for the referring court to verify whether, in accordance with Article 6(3) of that regulation, the national law lays down, first, the basis for such processing and, second, the purposes of that processing or, as regards point (e) of the first subparagraph of Article 6(1) of that regulation, whether that processing is necessary for the public prosecutor’s office’s performance of its task carried out in the public interest.
96 It is, moreover, for the referring court to determine whether the disclosure, by the public prosecutor’s office, of information concerning the person who has brought the action for damages, contained in files opened in cases other than that giving rise to that action, satisfies the other requirements laid down by the GDPR, and in particular the principle of ‘data minimisation’ referred to in Article 5(1)(c) of the GDPR, according to which personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, and which gives expression to the principle of proportionality (see, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C-439/19, EU:C:2021:504, paragraph 98). In addition, it is for that court to verify that that processing of personal data has been carried out in compliance with the appropriate safeguards, in particular the possibility of effectively submitting comments on the information and evidence provided in that connection by the public prosecutor’s office, but also, in accordance with Article 21(1) of the GDPR, of objecting to the communication of that information and evidence to the court having jurisdiction, subject to the restrictions on that right of objection provided for by national legislation, in accordance with Article 23(1) of that regulation.
97 In the light of all the foregoing, the answer to the second question is that:
– Article 3(8) and Article 9(1) and (2) of Directive 2016/680 and Article 2(1) and (2) of the GDPR must be interpreted as meaning that that regulation is applicable to the processing of personal data by the public prosecutor’s office of a Member State for the purpose of exercising its rights of defence in an action for damages against the State, where, first, it informs the court having jurisdiction of the opening of files relating to a natural person who is a party to that action for the purposes set out in Article 1(1) of Directive 2016/680 and, second, it transmits those files to that court;
– Article 6(1) of the GDPR must be interpreted as meaning that, where an action for damages against the State is based on alleged misconduct on the part of the public prosecutor’s office in the performance of its tasks in criminal matters, such processing of personal data may be regarded as lawful if it is necessary for the performance of a task carried out in the public interest, within the meaning of point (e) of the first subparagraph of Article 6(1) of that regulation, for the purpose of defending the legal and financial interests of the State which falls to the public prosecutor’s office in those proceedings, provided that that processing of personal data complies with all the applicable requirements provided for by that regulation.
Costs
98 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Fifth Chamber) hereby rules:
1. Article 1(1) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, read in conjunction with Article 4(2) and Article 6 thereof,
must be interpreted as meaning that (i) the processing of personal data serves a purpose other than that for which those data were collected, where such data were collected for the purposes of the detection and investigation of a criminal offence, but that processing is carried out for the purpose of prosecuting a person following the conclusion of the criminal investigation at issue, irrespective of the fact that that person was considered to be a victim at the time of that collection, and that (ii) such processing is permitted pursuant to Article 4(2) of that directive, provided that it meets the conditions laid down in that provision.
2. Article 3(8) and Article 9(1) and (2) of Directive 2016/680 and Article 2(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
must be interpreted as meaning that that regulation is applicable to the processing of personal data by the public prosecutor’s office of a Member State for the purpose of exercising its rights of defence in an action for damages against the State, where, first, it informs the court having jurisdiction of the opening of files relating to a natural person who is a party to that action for the purposes set out in Article 1(1) of Directive 2016/680 and, second, it transmits those files to that court.
3. Article 6(1) of Regulation 2016/679
must be interpreted as meaning that where an action for damages against the State is based on alleged misconduct on the part of the public prosecutor’s office in the performance of its tasks in criminal matters, such processing of personal data may be regarded as lawful if it is necessary for the performance of a task carried out in the public interest, within the meaning of point (e) of the first subparagraph of Article 6(1) of that regulation, for the purpose of defending the legal and financial interests of the State which falls to the public prosecutor’s office in those proceedings, provided that that processing of personal data complies with all the applicable requirements provided for by that regulation.
[Signatures]
* Language of the case: Bulgarian.