GDPR

On January 9, 2025, the Court of Justice of the European Union (“CJEU”) delivered its judgment in Case C-394/23, Mousse v. SNCF Connect. This marks a significant interpretation of the GDPR by underscoring the principle of data minimisation in the light of limiting the collection of personal data within commercial contexts to that which is strictly needed.

Background

The French railway operator, SNCF Connect (“SNCF”), required each of their customers to indicate their title (i.e. Mr or Ms) upon purchasing transport tickets online. The French Association Mousse argued that such a requirement contravened the GDPR. Specifically, the Association claimed that the data collection manifestly violated the principle of data minimisation, enshrined by article 5(1)(c) of the GDPR, as such information is not necessary for completing this specific transaction and is data which unnecessarily corresponds to gender identity.

Findings

The CJEU reaffirmed the GDPR’s principle with regards to data minimisation, mandating that personal data must be: “Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”[1] The Court considered two key elements on lawful data processing, namely:

  1. Contractual Necessity, whereas the processing of data must be “objectively indispensable”, effectively finding that such processing was not necessary in the context of executing a purchase for a transport ticket; and
  2. Legitimate interest, whereas the data processing must align with a legitimate interest pursued by the data controller. Naturally, without overriding the fundamental rights and freedoms of data subjects.[2] On this front, the CJEU outlined several points of note, namely:
  • SNCF’s customers were not adequately informed of the legitimate interest being pursued;
  • Such processing was not strictly necessary for the stated purposes (that of purchasing transport tickets online); and
  • The fundamental freedoms and rights, including the risk of discrimination based on gender identity outweighed the commercial interest in personalised communication.

The latter point was emphasised by the Court, stating that the potential unnecessary discrimination risks render the processing as disproportionate, further invalidating the SNCF’s practices.

Future implications

Undoubtedly, this judgment has far-reaching implications for companies operating within the EU especially in transport sectors such as shipping and aviation and it reaffirms the need for all organisations to critically assess whether the personal data they are currently collecting is essential for their business processes.

--

Author: J.J. Galea

Do you require assistance on such analysis? GTG is here to help!

GTG’s team of seasoned advocates has extensive experience in technology law and data protection, providing you with the highest level of legal advice.

Contact us at info@gtg.com.mt for more information and assistance.


[1] Article 5(1)(c), GDPR

[2] Article 6(1)(f), GDPR

Disclaimer This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.
Skip to content