Data minimization and data economy: ECJ overturns obligation to address customers when purchasing tickets online

ECJ issues ruling on data minimization: Mr. and Mrs. do not have to be queried.
Categories:

Is the systematic collection of the form of address "Mr." or "Mrs." by a rail company when purchasing tickets online compatible with the General Data Protection Regulation (GDPR) compatible? This question was addressed by the European Court of Justice (ECJ) in its ruling of January 9, 2025 - and in doing so, it focused in particular on the GDPR anchored principle of Data minimization concentrated.

"Mr." or "Mrs." as mandatory information when purchasing tickets

The Mousse association filed a complaint with the French data protection authority Commission Nationale de l'Informatique et des Libertés (CNIL) a Complaint against the French rail company SNCF Connect.

SNCF Connect sells rail tickets such as train tickets, season tickets and discount cards online via its website and apps. When purchasing these tickets online via this website and apps, the company's customers must indicate their title by ticking "Mr." or "Mrs.".

In the opinion of the association, this obligation violates the GDPRin particular with regard to the principle of Data minimization. The salutation corresponding to a gender identity should not be a necessary indication for the purchase of a ticket. In 2021, the CNIL rejected this Complaint on the grounds that this practice does not Infringement against the GDPR represent.

Mousse did not agree with this decision and appealed to the French Council of State to have it annulled. The Council of State then referred the question to the Court of Justice, in particular whether the collection of data on the form of address of customers, which is limited to "Mr." or "Mrs.", was lawful and, in particular, compatible with the principle of Data minimization compatible if the purpose of this collection is to enable personalized commercial communication with these customers in line with general practice in this area.

Reading tip: EGC orders EU Commission to pay damages due to Facebook login

„Salutation not essential for contract fulfillment"

In its judgment (C-394/23), the ECJ interprets Art. 6 para. 1 subpara. 1 lit. b and f in conjunction with Art. 5 para. 1 lit. c GDPR to the effect that "the Processing personal data concerning the salutation of a carrier's customers, which aims to personalize commercial communications on the basis of their gender identity, does not appear objectively indispensable or essential for the proper performance of a contract and therefore cannot be considered necessary for the performance of that contract".

Because according to the principle of Data minimization in the GDPR may personal data only be processed to an extent that is appropriate, proportionate and limited to what is necessary for the purpose. The ECJ pointed out that the GDPR an exhaustive list of justifications for the Processing of personal data. The following are particularly relevant Processing for the performance of a contract or for the purposes of the legitimate interests pursued by the controller or by a third party.

Risk of discrimination outweighs legitimate interest

With regard to the performance of the contract, the Court found that the indication of the form of address was not objectively indispensable to personalize the commercial communication. In order to properly perform a rail transportation contract, the company could use common courtesy phrases unrelated to the customer's gender identity. Such alternative methods of communication would be practicable and would interfere less with the rights of the persons concerned.

With regard to the legitimate interest, the Court emphasized that the collection of the salutation is not necessary if the customers are not informed about the purpose of the Processing are informed or if the Processing goes beyond what is necessary to achieve this purpose. Furthermore, the Court emphasized that the risk of discrimination on the basis of gender identity can play an important role when weighing up the legitimate interests. Furthermore, the Processing inadmissible if the fundamental rights and freedoms of the data subject, in particular due to the risk of discrimination, outweigh the legitimate interest of the company.

ECJ: Companies obliged to minimize data

This judgment makes it clear that the Processing of personal data must meet strict legal requirements. It shows that, in similar cases, national courts and data protection authorities have a duty to examine alternative solutions that interfere less with the rights of data subjects and must pay greater attention to the principles of data minimization and proportionality.

Companies are obliged to consider alternative, less intrusive solutions, particularly when it comes to the Processing sensitive data such as gender identity.

The national courts must now decide on the specific facts of the case on the basis of this ruling, taking into account the requirements of the ECJ.

Source: Judgment of the ECJ of January 9, 2025 (C-394/23)

Do you need support in optimizing your data protection processes? We are at your disposal. Contact us and we will develop customized solutions for you in the following areas Data protection and Compliance.

Get in touch with us:
Phone: +1 (954) 852-1633
E-Mail:info@2b-advice.com

Now new: the intelligent Ailance™ chatbot
Answers to your questions about data protection & Compliance and Ailance™ solutions at the click of a button. This is now possible thanks to the new Ailance™ chatbot.
To the free trial version
Contact us
Tags:
Share this post :

Popular categories

Newsletter

Subscribe to our data protection newsletter to receive the latest updates, tips and insights straight to your inbox.
Subscribe

Latest posts