Asking Customers to Provide Courtesy Titles and GDPR – Conclusions from the CJEU Advocate General’s Opinion concerning Case C-394/23
Asking customers to provide courtesy titles (such as ‘Mr’, ‘Miss’, ‘Mrs’) is a common business practice, which is particularly popular in the e-commerce sector, where these details, usually collected at the time of purchasing goods or ordering a service, are used for personalisation of any follow-up communication with the customer. Collecting and retaining information concerning the way a particular person wants to be addressed is processing of their personal data. This results in the need to ensure the compliance of such data collection with the EU data privacy law. The recent opinion of the Advocate General of the CJEU in Case C-394/23 can provide crucial guidelines for controllers who wish to address their customers using the provided titles.
Can you ask your customers for information on how to address them?
On 11 July 2024, Maciej Szpunar, Advocate General of the Court of Justice of the European Union, presented his opinion in Case C‑394/23. The main issue covered in the opinion is the analysis carried out in order to determine whether the processing of personal data in the form of a title (such as Mr./Mrs./Ms.) which indicates the gender of the data subject, is in compliance with the provisions of the GDPR.
The Conseil d’État (Council of State of France) has requested a preliminary CJEU ruling concerning a dispute between SNCF Connect, a transport company which sells rail travel documents including train tickets, and Association Mousse, an advocacy organisation that combats discrimination on the grounds of gender and sexual orientation. During the process of purchasing the travel documents offered by the company, customers were required to choose their title – either ‘Monsieur’ [Mr.] or ‘Madame’ [Ms.] indicating their gender, which was noted by the Association. Mousse lodged a complaint with the French data protection authority (Commission Nationale Informatique & Libertés, or CNIL) claiming that the collection of this kind of data did not meet the requirements of the GDPR, and that it constituted a breach of the principle of data minimisation, which states that the data collected by the controller should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
CNIL took the view that the processing was lawful under Article 6(1)(b) of the GDPR, on the ground that it was necessary for the performance of the contract concluded with the data subject, or taking necessary steps before its conclusion. The authority also concluded that the practices employed by SNCF Connect did not constitute a breach of the data minimisation principle, since addressing customers using data concerning their gender corresponded to common practice in civil, commercial and administrative communications.
The Association Mousse lodged a complaint concerning the case with the Conseil d’État. During the proceedings before the Conseil d’État, CNIL and the company maintained that such processing was lawful and consistent with the provisions of the GDPR, as it is necessary for the performance of the contract due to the need to communicate with the customer in the customary manner, namely using titles indicating their gender. In response to claims raised by Mousse, CNIL noted that such data processing could furthermore be considered necessary for the purposes of the legitimate interests pursued by SNCF Connect within the meaning of Article 6(1)(f) of the GDPR; thus, the data subjects can – depending on their particular situation – rely on the right to object, envisaged in Article 21 GDPR. In other words, CNIL stated that the assessment of lawfulness of the processing of personal data on the basis of Article 6(1)(f) of the GDPR is impacted by the data subject’s right to object to the processing of their data.
Given the uncertainty concerning the interpretation of these provisions, the Conseil d’État decided to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) In order to assess whether data collection is adequate, relevant and limited to what is necessary, within the meaning of Article 5(1)(c) of the GDPR and the need for processing in accordance with points (b) and (f) of Article 6(1) of that regulation, may account be taken of commonly accepted practices in civil, commercial and administrative communications, with the result that the collection of data relating to customers’ titles, which is limited to “Monsieur” or “Madame”, may be regarded as necessary, without this being precluded by the principle of data minimisation?
(2) In order to assess the need for the compulsory collection and processing of data relating to customers’ titles, even though some customers consider that they do not come under either of the two titles and that the collection of such data is not relevant in their case, should account be taken of the fact that those customers may, after having provided those data to the data controller in order to benefit from the service offered, exercise their right to object to the use and storage of those data by relying on their particular situation, in accordance with Article 21 of the GDPR?’
What were the Advocate General’s conclusions?
The Advocate General made the following observations:
- While the purpose of the processing of personal data, namely commercial communications with the customer, needs to be considered an integral part of the process of the conclusion and performance of the contract, using the titles in accordance with commonly accepted practices is not indispensable for achieving this purpose – it merely constitutes the means employed to attain that purpose, which does not affect the proper conclusion of the contract or its performance. The service, which entails the sale of a travel document, as well as the transport service subsequently provided by SNCF Connect will not be affected when the company chooses to address its customers using only generic non-gender-specific phrases. This means that the collection of data in the form of gender-specific titles is not required in order to ensure effective communication with the customer.
- Courtesy titles concerning the company’s customers are required only in the particular cases which require their processing, such as transport services in women-only carriage in a night train offered by the company. In these cases, the processing of the data in question will be lawful within the meaning of Article 6(1)(b) of the GDPR, as it is indispensable for the performance of this particular contract. In other cases, the collection of data indicating the customers’ gender in the form of customary titles is unnecessary and unlawful.
- It would be incorrect to claim that the assessment of the lawfulness and necessity of data processing under Article 6(1)(f) of the GDPR is influenced by the mere existence of the data subject’s right to object. Such an interpretation would improperly extend the grounds for lawful processing beyond the exhaustive list established by the GDPR. Article 21(1) of the GDPR applies only after the processing has been deemed lawful. The Advocate General highlighted that such interpretation could lead to a situation where the lawfulness of the processing depends on the data subject’s diligence—or lack thereof—in exercising their right to object. What is more, the failure to inform the data subjects of the extent of the legitimate interest declared by the data controller in the privacy statement in order to justify the processing, not only constitutes a breach of Article 13(1)(d) of the GDPR, but also puts the lawfulness of the processing into question.
The Advocate General’s entire opinion can be found here.
Conclusion
The intent of the data minimisation principle is to limit the scope of the infringement of a fundamental right to the bare minimum required for the pursuit of the legitimate interest of the data controller. Compliance with this principle focuses on minimizing the association between data and individuals and reducing the number of data processing operations rather than solely limiting the overall scope of data collection.[1] For personal data and their processing to be considered necessary under Article 5(1)(c) of the GDPR, they must be objectively adequate and clearly relevant to the pursuit of the data controller’s interests.[2] Therefore, compliance with this principle is directly and inherently connected to the purpose of the processing as defined by the data controller.
The conclusions of the Advocate General concerning the case in question suggest that whether the collection of titles indicating the customers’ gender complies with the principle of data minimisation, and whether it can be considered lawful under Article 6(1)(b) of the GDPR, strictly depends on the subject matter of the contract. It is worth noting that the Advocate General does not claim that the processing of personal data for customer communications cannot be based on Article 6(1)(b) or on the necessity of the processing for the pursuit of the legitimate interests of the controller (Article 6(1)(f) of the GDPR). In the case analysed by the Advocate General, the controller was simply processing more data than was necessary to achieve the declared purpose. It is also essential to emphasize that the “necessity for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject before entering into a contract” (Article 6(1)(b) GDPR) should be applied with an appropriate degree of flexibility, taking into account the perspective of the data subject, who has either voluntarily entered into the contract or is seeking to do so.[3]
Furthermore, in the case of processing whose legality is based on Article 6(1)(f) of the GDPR, the failure to adequately inform data subjects of the specific interest pursued by the controller in processing their data renders the entire process unlawful.
At first glance, it may appear that the case which led to the Advocate General’s opinion touches on an issue that is hardly relevant from the point of view of the application of data protection legislation. It should be noted, however, that this case does not only concern a breach of the principle of data minimisation by the controller but also touches on the problem of discrimination against non-binary people who are forced to choose titles that do not correspond to their gender identity. The Advocate General’s support of the arguments raised by the Association Mousse in defence of the rights of these persons signals that the CJEU should also analyse this aspect of the case before giving its judgement. What is more, the outcome of the case and the interpretation of Article 5(1)(c) of the GDPR adopted by the Court in its final judgement will be particularly relevant for developing forms in e-commerce stores and registration forms used by intermediaries.
[1] A. Roßnagel, P. Richter, Article 5, [in:] General Data Protection Regulation Article-by-Article Commentary, ed. I. Spiecker gen. Döhmann, V. Papakonstantinou, G. Hornung, P. De Hert, Baden-Baden, 2023.
[2] E. M. Frenzel, Artikel 5, [in:] Datenschutzgrundverordnung. Bundesdatenschutzgesetz, ed. B. Paal, D. Pauly, München 202, nb 36
[3] G. Santor, Article 6, [in:] General Data Protection Regulation Article-by-Article Commentary, ed. I. Spiecker gen. Döhmann, V. Papakonstantinou, G. Hornung, P. De Hert, Baden-Baden, 2023.