Is the systematic collection of the form of address "Mr." or "Mrs." by a rail company when purchasing tickets online compatible with the General Data Protection Regulation (GDPR)? The European Court of Justice (ECJ) addressed this question in its ruling of 9 January 2025 - focusing primarily on the principle of data minimization enshrined in the GDPR.
"Mr." or "Mrs." as mandatory information when purchasing tickets
The association Mousse had filed a complaint with the French data protection authority Commission Nationale de l'Informatique et des Libertés (CNIL) against the French rail company SNCF Connect.
SNCF Connect sells rail tickets such as train tickets, season tickets and discount cards online via its website and apps. When purchasing these tickets online via this website and apps, the company's customers must indicate their title by ticking "Mr." or "Mrs.".
In the association's opinion, this obligation violates the GDPR, particularly with regard to the principle of data minimization. The salutation corresponding to a gender identity should not be a necessary indication for the purchase of a ticket. In 2021, the CNIL rejected this complaint on the grounds that this practice did not constitute a breach of the GDPR.
Mousse did not agree with this decision and appealed to the French Council of State to have it annulled. The Council of State then referred the question to the Court of Justice, in particular whether the collection of data on the salutation of customers, limited to the indications "Mr" or "Mrs", can be considered lawful and, in particular, compatible with the principle of data minimization, if the purpose of this collection is to enable personalized commercial communication with these customers, in line with general practice in this area.
Reading tip: EGC orders EU Commission to pay damages due to Facebook login
"Salutation not essential for contract fulfillment"
In its judgment (C-394/23), the ECJ interprets Art. 6 (1) subpara. 1 lit. b and f in conjunction with Art. 5 (1) lit. c GDPR to the effect that "the processing of personal data relating to the salutation of a transport company's customers, which aims to personalize commercial communications on the basis of their gender identity, does not appear to be objectively indispensable or essential for the proper performance of a contract and therefore cannot be regarded as necessary for the performance of that contract".
This is because, according to the principle of data minimization in the GDPR, personal data may only be processed to an extent that is appropriate, proportionate and limited to what is necessary for the purpose. The ECJ pointed out that the GDPR contains an exhaustive list of justifications for the processing of personal data. In particular, processing for the performance of a contract or for the purposes of the legitimate interests pursued by the controller or by a third party are relevant.
Risk of discrimination outweighs legitimate interest
With regard to the performance of the contract, the Court found that the indication of the form of address was not objectively indispensable to personalize the commercial communication. In order to properly perform a rail transportation contract, the company could use common courtesy phrases unrelated to the customer's gender identity. Such alternative methods of communication would be practicable and would interfere less with the rights of the data subjects.
With regard to the legitimate interest, the Court emphasized that the collection of the salutation is not necessary if customers are not informed of the purpose of the processing or if the processing goes beyond what is necessary to achieve that purpose. Furthermore, the Court emphasized that the risk of discrimination based on gender identity can play an important role in the balancing of legitimate interests. Furthermore, processing would be unlawful if the fundamental rights and freedoms of the data subject, in particular due to the risk of discrimination, outweigh the legitimate interest of the company.
ECJ: Companies obliged to minimize data
This ruling makes it clear that the processing of personal data must meet strict legal requirements. It shows that, in similar cases, national courts and data protection authorities have a duty to examine alternative solutions that interfere less with the rights of data subjects and must pay greater attention to the principles of data minimization and proportionality.
Companies are obliged to consider alternative, less intrusive solutions, especially when it comes to processing sensitive data such as gender identity.
The national courts must now decide on the specific facts of the case on the basis of this ruling, taking into account the requirements of the ECJ.