On January 9, 2025, the Court of Justice of the European Union (“CJEU”) delivered its judgment in Case C-394/23, Mousse v. SNCF Connect. This marks a significant interpretation of the GDPR by underscoring the principle of data minimisation in the light of limiting the collection of personal data within commercial contexts to that which is strictly needed.
The French railway operator, SNCF Connect (“SNCF”), required each of their customers to indicate their title (i.e. Mr or Ms) upon purchasing transport tickets online. The French Association Mousse argued that such a requirement contravened the GDPR. Specifically, the Association claimed that the data collection manifestly violated the principle of data minimisation, enshrined by article 5(1)(c) of the GDPR, as such information is not necessary for completing this specific transaction and is data which unnecessarily corresponds to gender identity.
The CJEU reaffirmed the GDPR’s principle with regards to data minimisation, mandating that personal data must be: “Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”[1] The Court considered two key elements on lawful data processing, namely:
The latter point was emphasised by the Court, stating that the potential unnecessary discrimination risks render the processing as disproportionate, further invalidating the SNCF’s practices.
Undoubtedly, this judgment has far-reaching implications for companies operating within the EU especially in transport sectors such as shipping and aviation and it reaffirms the need for all organisations to critically assess whether the personal data they are currently collecting is essential for their business processes.
--
Author: J.J. Galea
Do you require assistance on such analysis? GTG is here to help!
GTG’s team of seasoned advocates has extensive experience in technology law and data protection, providing you with the highest level of legal advice.
Contact us at info@gtg.com.mt for more information and assistance.
[1] Article 5(1)(c), GDPR
[2] Article 6(1)(f), GDPR