Home Year 2020 Personal Data in Court in the Era of GDPR

The Complaint of the Data Subject Will be Discussed to Oblige the County Court Issue Information on the Processing of Personal Data of the Data Subject [1]

Maris Juha
Supervisory Director of the Data Protection Inspectorate

Nele Parrest
Justice of the Supreme Court

The data subject lodged a complaint with the administrative court. He asked to oblige the county court to provide him with information on who had accessed his data in the court information system and when. The data subject first submitted a request for access to the log data to the Ministry of Justice, which forwarded it to Harju County Court as the court hearing the cases related to the data subject. The data subject was a party to the proceedings in two civil cases (one of which ended) and in one criminal case.

In this case, who has to respond to the data subject’s request for information on the processing of personal data? Which rules govern the answer? What are the possibilities of legal remedies of the person against the data processing operations of the court? How do paper files and digital files differ in terms of processing the personal data? Can one instance of court oblige another? Can the data subject apply to the Data Protection Inspectorate to inspect the operations of personal data processing of courts?

I Complexity of standards

As in any area of European Union (EU) law, personal data protection law is often a difficult task, if not a task requiring high legal pilotage, to orientate in different pieces of legislation and to determine the outcome of the interaction between different levels of standards. Since 1 May 2018 the processing of personal data is regulated by the General Data Protection Regulation 2016/679 (GDPR).[2] In addition, the Directive 2016/680[3] of law enforcement authorities and the Personal Data Protection Act (IKS), which was adopted by the Estonian legislator with a slight delay and entered into force on 15 January 2019, are in force as a national legislation. In addition, the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (which act of ratification entered into force in 2002) and its subsequent additional protocols (i.e. Convention 108+)[4] should not be forgotten. The latest, thorough amendments to the Convention entered into force for Estonia on 1 December 2020.

The legislation referred to does not apply to all institutions or procedures in the same way. This article looks at how they apply to the courts.

1.1. Convention 108+

We should start from the oldest, i.e. the convention. The Convention 108+ regulates the processing of personal data in the public and private sectors, unless the person processes the data exclusively for personal or domestic purposes.[5] The additional protocol of 2018 added the exceptions related to courts to the Convention. Article 11 provides for the possibility of restricting the application of certain articles of the Convention (including the rights of the data subject provided for in Article 9) by the law of a Member State, if this is necessary to ensure the protection of impartiality and independence of the courts. It was also stated that the supervisory authorities “have no competence with regard to the processing carried out by bodies acting in the exercise of their judicial function” (Article 15 (10)).

The Convention requires that the party to the Convention would apply necessary measures in its law to give effect to the provisions of the Convention and to ensure their effective application (Article 4 (1)), with the relevant committee assessing the effectiveness of domestic measures. It follows that, in addition to (or in conjunction with) ratification, a Member State should introduce national rules. This is analogous to the transposition of an EU directive.

It is clear from the explanatory notes to the draft laws ratifying the Convention and the 2001 Additional Protocol that Personal Data Protection Act (IKS) in force at that time was considered to be the implementing act of the Convention.[6] The explanatory memorandum to the draft ratification of the 2018 Additional Protocol states that the implementation of the draft does not involve any activities for the state and it is not necessary to develop implementing acts for the implementation of the protocol.[7]

By looking at the wording of the scope of the previous (1996, 2003 and 2007) IKSs, these were comprehensive, although these did not explicitly refer to the Convention. On the other hand, § 1 of IKS, which entered into force in 2019, delimits the scope of IKS only through the transposition of the EU law into Estonian law (implementation of GDPR and data processing of law enforcement agencies in criminal proceedings). There are also no indications in the explanatory memorandum of the draft that IKS is a legal act intended to implement Convention 108+. On the contrary, the explanatory memorandum repeatedly emphasizes only the need to transpose EU law into national law as the objective of the draft.[8]

Thus, Convention 108+ no longer has a general implementing act in force. It is true that there is no substantive problem with the scope of GDPR, as GDPR and Convention 108+ are compatible. Thus, through the provisions of GDPR (and of IKS that help to apply it), the objectives of Convention 108+ have been essentially met. The clear implementing acts of Convention 108+ can also be considered to be those special laws which regulate the activities of such institutions which, pursuant to § 2 of IKS, are not subject to either GDPR or IKS.

The explanatory memorandum to the draft of IKS Implementation Act lists what is outside the scope of IKS (and thus also GDPR): “The draft [—] was prepared based on the understanding that the processing of personal data in the following areas of law remains beyond the scope of the Personal Data Protection Act and General Data Protection Regulation: the constitutional institutions in the performance of their basic tasks, including the adoption of legislation and the state budget. The General Data Protection Regulation may extend to the processing of personal data in the performance of the clerical, personnel and asset management tasks of the constitutional institutions. The same explanatory memorandum clarifies that both in the field of national security and in the performance of the essential functions of national constitutional institutions, Member States may sovereignly regulate the protection of personal data, taking into account the principles that were included in the Convention 108+.[9]

It should be noted at the outset that the courts were not considered a constitutional institution in the extract of the referred explanatory memorandum, i.e. fortunately the courts are not affected by the above. However, it should be noted that each reader of the article can search whether and to what extent special laws include implementing provisions under Convention 108+, for example, from the State Audit Office Act, Chancellor of Justice Act, etc.

In the absence of clear implementing rules for Convention 108+, the data subject can only invoke the Convention directly in the exercise of his/her rights, if the provision of the Convention is sufficiently clear and does not include the discretion (cf. e.g. Articles 9 “Everyone has a right” and 8 “A party to the convention should ensure”). However, the supervisory competence of the Data Protection Inspectorate over constitutional institutions, for example, cannot be deduced in this way. Thus, by analyzing the 2015 issue of the Data Protection Inspectorate’s supervisory competence over the Chancellery of the Riigikogu, the Supreme Court held that such control would be possible based on the principle of separation of powers only if the legislator had explicitly subjected the Riigikogu and the Chancellery to such control.[10]

1.2. GDPR, Directive and the Personal Data Protection Act[11]

GDPR is not clear in the question as to whether and to what extent the rules set out therein apply when a personal data processor is a court. This has opened the door to different interpretations. There are views where courts are considered to be completely beyond the scope of GDPR or, with reference to Article 16 of the Treaty on the Functioning of the European Union (TFEU), it is considered that GDPR is applicable only in the situations where courts apply EU law, but not in a purely national situation. However, the prevailing view is that GDPR still in principle extends to the courts in personal data processing.[12]^,[13]

The clear general exception in the extension of GDPR to the courts is the exception of law enforcement authorities, i.e. so-called criminal proceedings, under Article 2 (2)d) of GDPR: “The personal data are processed by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”. That is to say, GDPR does not extend to the processing of personal data carried out under Directive 2016/680. In Estonia, for example, this is a situation where courts apply the law of criminal procedure.

Article 2 (2)a) of GDPR is also somewhat unclear as another potential general exception. According to this provision GDPR does not apply, if “personal data are processed in the course of an activity beyond the scope of Union law”, i.e. this is a situation beyond the scope of EU law. However, this exception has been interpreted very narrowly in previous practice and the activities of courts in the administration of justice probably does not tend to fall under it (it is true that it cannot be certain until the Court of Justice takes a clear position in this).[14] Advocate General Szpunar has given the following reasons for the narrow interpretation of the exception: “As stated in Article 16 of TFEU, data protection is a separate policy of the Union. The General Data Protection Regulation is specifically designed to process personal data in any form, regardless of the issue involved – whether by Member States or individuals. The restrictive interpretation of Article 2 (2) a) of the General Data Protection Regulation would completely defeat that purpose. Instead, the regulation for the data protection tiger would turn out to be a domestic cat.” [15]

Although GDPR (subject to the exceptions arising from the Directive 2016/680) is in principle likely to be extended to courts, there is still a special regime for courts under GDPR. This is in so far as they perform their “judicial capacity”[16] (judicial capacity, fonction juridictionnelle, justiziellen Tätigkeit)[17]. Thus, the courts may process special categories of personal data (Article 9 (2)f)); if EU or national law so provides and provided that it is proportionate, the court may restrict the data subject’s rights (Article 23 (1)f))[18]; the courts do not have to appoint a data protection officer (recital 97, Article 37 (1)a)); and the supervisory competence of the Data Protection Inspectorate does not extend to them (recital 20, Article 55 (3)). The latter is also provided for in Article 45 of Directive 2016/680 as regards law enforcement authorities.

It is inferred from recital 20 and Article 23 of GDPR and recital 80 of the Directive 2016/680 that the exceptions granted to courts are intended to ensure the independence of the judiciary.[19]

The Estonian legislator has also proceeded from the view that GDPR applies to courts. However, it will require some effort to ascertain the legislator’s will. Namely, § 2 of IKS provides that IKS and GDPR apply to “1) offence proceedings and judicial proceedings with the specifications provided by procedural codes; 2) constitutional institutions insofar as this does not concern the performance of their constitutional duties and is not regulated in the specific acts”.

By analyzing this provision, the authors (having also talked with the officials who developed the draft) came to the understanding that § 2 (2) of IKS did not mean the courts as to constitutional institutions. Otherwise, § 2 (1) of IKS would be completely meaningless, according to which GDPR and IKS apply to court proceedings with the exceptions provided for in the procedural codes. The courts are not separately mentioned in the list of constitutional institutions provided in the explanatory memorandum to IKS.[20] The exception of “administration of justice” allowed for courts by GDPR to restrict the rights of the data subject (Article 23) should be included in the procedural codes. If there is no special provision in the procedural code, GDPR and IKS apply pursuant to § 2 (1) of IKS.

However, looking at § 2 of IKS adds to the confusion that according to the provision IKS and GDPR also apply to the activities of law enforcement agencies in “prevention, detection and processing of an offense and execution of a sentence”, while according to § 12 (3) of IKS, GDPR should not apply. However, according to the explanatory memorandum to IKS, it was intended to draw the line between GDPR and the scope of the Directive in such a way that GDPR and Chapter 4 of IKS should be followed in misdemeanour and criminal proceedings until criminal proceedings are instituted. [21] Thus, for example, the police’s law enforcement activities in preventing and identifying a threat are carried out according to some data protection rules, while the criminal proceedings for an offense detected in the course of it are already carried out according to others. The execution of a sentence, including probation, is also subject to Chapter 4 of IKS.

There is another issue to be addressed when it comes to misdemeanour proceedings. Namely, Chapter 6 of IKS gives the Data Protection Inspectorate the competence to conduct misdemeanour proceedings in data protection violations and provides for misdemeanours (some data protection offenses are also in the Penal Code (KarS), see § 157 and 157¹). It is no exaggeration to say that almost every injustice can be placed under these misdemeanours. Thus, one may ask whether the inspectorate can punish a judge or a court official, including for violations committed in the course of justice, and whether this is not a “back door” supervision of the substantive activities of courts, which according to GDPR should be prohibited. The Data Protection Inspectorate is in a difficult situation, as it is bound by the principle of mandatory misdemeanour proceedings (see § 3¹ of the Code of Misdemeanour Procedure). This issue is especially acute in case of these misdemeanours that have been included in IKS for the transposition of the administrative fines of GDPR into Estonian law. When recalling that IKS and Penal Code (KarS) included misdemeanour elements also before the entry into force of GDPR, the legislator could consciously decide that it is not reasonable to start sharing the procedural competence between the Data Protection Inspectorate and the police solely on the basis of the person subject to proceedings.

1.3. Interim conclusion

In summary, according to the authors, it can be concluded that there is no formal implementing act of Convention 108+, which makes it difficult to say what are the implementing provisions and exceptions to the directly applicable rules of the Convention adopted by the Estonian state for the application of the Convention. In essence, however, the implementation of Convention 108+ is fulfilled by the fact that GDPR and IKS (including Chapter 4 of IKS) apply to courts, and these in turn apply to courts insofar as the procedural codes do not provide otherwise. The procedural codes are those which should indicate the exceptions to the “administration of justice” granted to courts in Article 23 of GDPR and the rules necessary for the application of Directive 2016/680. Although the Data Protection Inspectorate may not check whether the courts have lawfully processed personal data within the framework of the administration of justice, GDPR as a whole applies to “other” activities outside the administration of justice, including the supervisory competence of the Data Protection Inspectorate.

II Starting points for the interpretation of the judicial exception

The explanation of what is the “judicial capacity” of a court according to GDPR cannot be limited to Estonian law (e.g. Chapter XIII of the Constitution, especially § 146, § 15 of the State Liability Act), case law (e.g. cases in the issue which decisions and actions can be taken by court officials[22]) or legal approaches[23]. Here, too, the well-known principle applies that the terms and standards of the European Union law have an autonomous content and meaning[24]. Thus, the fact that the Estonian legislator has decided to entrust a task to a court and regulate the relevant procedure in the code of judicial procedure is not decisive in deciding on the scope of the special regime of GDPR. Estonia’s views can only be a source of inspiration, as in general, however, the Court of Justice pursues to base its positions on the common understandings of the Member States and constitutional principles. Ultimately, however, the power to define the term and draw the borders remains with the European Court of Justice.

The ensuring of the independence of the judiciary as the aim of exceptions[25] given to the courts is a part of the rule of law principle and is therefore one of the fundamental principles of the European Union (Article 2 of the Treaty on European Union (TEU)). The courts of the Member States are primarily those which should guarantee the right of an individual to effective judicial protection in the areas covered by the EU law (Article 19 (1) of TEU), including in the application of GDPR. The requirement of a remedy for effective judicial protection also includes the standards protecting the independence of the judiciary, which should “enable to rule out not only any direct effect in the form of instructions but also forms of indirect effect which may guide the decisions of the judges concerned”.[26] The independence of national courts is also particularly important for judicial cooperation under the preliminary ruling mechanism.[27]

On the other hand, one of the main objectives of GDPR – is to ensure the high European level of protection of the right to the protection of personal data – fundamental right (recitals 1 and 10; Article 8 of the Charter of Fundamental Rights of the European Union).

Thus, values seem to collide (at least seemingly) at the same level. It may therefore be asked whether the Court’s interpretation of the exception to the “administration of justice” in GDPR applies in a number of other areas, according to which exceptions to the general rule should be interpreted restrictively. That is to say, the court can rely on the judicial exception only in narrowly defined cases (see also the second sentence of recital 80 of the Directive 2016/680). Obviously, that must be answered in the affirmative. For example, the European Court of Justice has narrowly defined the concepts of public service and the exercise of official authority as exceptions to the principles of free movement of workers[28] (Article 45 (4) TFEU) and freedom of establishment[29] (Article 51 TFEU), in which the Member States may be interested in reserving (core) administrative functions only to their own nationals. The principle of a restrictive interpretation of data protection law in areas falling within the exclusive competence of the Member States is also apparent from the current case law of the Court of Justice.[30] It can also be inferred from the case-law that the interpretation provided by the European Court of Justice is formed in detail by an analysis of the organization, subordination, tasks to be performed, etc. of a body in a particular Member State, i.e. the conclusion reached for one Member State may not automatically apply to a similar body in another Member State. [31]

III Extrajudicial tasks

The legislator has considered the performance of clerical, personnel and asset management tasks to be an extra-judicial activity. [32] According to the authors, the activities of the court office should not be taken into account as clerical tasks. The keeping of the register of documents, order of office supplies, public procurements and information systems management have been probably kept in mind.

However, there is an important nuance related to courts information systems. Namely, the controller of the courts information system and e-file database[33] is the Ministry of Justice and these are developed, maintained and hosted by the Centre of Registers and Information Systems (see § 34 (2) of the Courts Act (KS), § 5 of Regulation no. 5 of the Minister of Justice of 15 February 2006 “Courts information system”, § 4 of Regulation no. 111 of the Minister of Justice of 3 July 2008 “Establishment of the e-file system and statutes for maintaining the e-file system”. GDPR as a whole applies to the activities of these two agencies and the Data Protection Inspectorate has also the right to supervise the maintenance of both databases. Among other things, the data subject has the right to submit a request for access to the data included in either database to the controller[34] and the Data Protection Inspectorate can supervise whether the data subject’s request has been duly complied with.

However, the distinction should be made between what the data subject wishes to inspect. If the data subject wishes to inspect the (digital) file of the court proceedings, the procedural codes apply and are specified in the provisions of the Internal Rules of the Court Office[35] which govern who has access to the data and to what extent and who has the power to decide on it.[36] The technical regulation of the information system (statutes) should not become a “back door” through which the standards of access to the file of procedural codes can be circumvented. However, if, for example, the data subject only wants information on whether his/her personal data are in the courts information system or whether and who has viewed his/her data in the courts information system[37], then, as a general rule, it should presumably be a request for access to the file subject to GDPR and IKS and not to the procedural codes. As this is not access to the file, the requirement of the procedural codes to make a note on access to the file should not be a problem here either: (e.g. § 88 (3) of the Code of Administrative Court Procedure (HKMS), § 59 (5¹) of the Code of Civil Procedure, § 29 (1) of the Internal Rules of the Court Office). It should be acknowledged that in individual cases it may be complicated to draw a line between the two situations and the first request for information on whether there is personal data in the information system may later lead to a new request for access to the file.

The situation is analogous to the publication of court decisions in the Riigi Teataja. The latter is also a database, the controller of which is the Ministry of Justice (§ 1 (2) and § 8 of the Riigi Teataja Act). For example, there has been a complaint in the proceedings of the Data Protection Inspectorate, which pointed out that personal data is properly covered in the court decision, but the person’s name is included in the title of the court decision file. The inspectorate resolved this matter through the controller of the Riigi Teataja, who though found that it was not responsible for how the court uploads the decisions. Due to the fact that it no longer interferes with the administration of justice, the inspectorate has declared itself competent to adjudicate a complaint concerning the removal of personal data from a published decision of the Supreme Court on the basis of § 28 of the Criminal Records Database Act. Involvement with the court may also arise when contesting the accuracy of entries in the criminal records database, as the latter does not exist as a separate data set. Its data is displayed according to the entries in the e-file and the entries have been made in the e-file by the court.

The processing of personal data of judicial officers and judges for the purpose of personnel management, including recruitment, is clearly out of justice. Although the order appointing a judge is one of the guarantees of the independence of judges, there are no special provisions included in GDPR. It is expected that the supervision of the Data Protection Inspectorate in this regard should not jeopardize the independence of the court, as the increased requirements have been set for the independence of the Data Protection Inspectorate itself and the inspectorate serves to protect the rights of data subjects, i.e. judges and aspirants. There is undoubtedly room for debate here, however.

The protection of the judicial exception does not extend to the activities of other persons and bodies involved in the legal proceedings. In practice, the Data Protection Inspectorate is often pursued to be used in front of a cart to succeed in court proceedings. Thus, the inspectorate receives many complaints against the counterparty that the counterparty has illegally obtained the evidence and submitted it to the court. The inspectorate can automatically check whether a participant to the proceeding has illegally collected personal data, as this is an extrajudicial activity. However, the inspectorate does not interfere in the submission of such evidence to the court, as this would be a direct interference in the administration of justice. The party whose rights have been violated may apply to the court to declare the certificate inadmissible (e.g. § 238 (3) 1) of TsMS, § 62 (3) 1) of HKMS). The evidence obtained in violation of the rules on the processing of personal data is not automatically inadmissible. The admissibility of evidence depends on the nature and gravity of the infringement in a particular case. [38] There has also been a case where a participant to the proceeding has erroneously submitted a document about the wrong person to the court. In this case the Data Protection Inspectorate only checked the legality of the activities of the submitter of the document without interfering in the preparation of the court file.

IV Borderline cases of justice

4.1. “Other” tasks assigned to the court

The Constitution provides for a number of such functions for the court which are not the administration of justice in the narrow sense, but where the issuer of the Constitution has wished to ensure, for some good reason, increased protection of fundamental rights. For example, the administration of justice is not the detention of a person (§ 21 (2) of the Constitution), the permission to interfere with the confidentiality of messages (§ 43 of the Constitution) or the termination and suspension of the activities of an association, union or political party (§ 48 (4) of the Constitution) [39]. In addition to the Constitution, several laws provide for situations where the court should legitimize the activities of the administration in restricting certain fundamental rights, either in criminal proceedings (e.g. surveillance activities, seizure of property)[40] or beyond it (see e.g. Chapter 27 of HKMS[41], Chapter 54 of TsMS).

On the one hand, since the grant of an authorization is not a judicial dispute or a punishment which is classically considered to be a part of the administration of justice,[42] it could be considered that authorization procedures are not covered by the special regime of the judicial clause of GDPR and the directive 2016/680. On the other hand, the requirement that liberty may be taken only with the permission of a court guaranteeing independence and impartiality derives from Article 5 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). In the situation where the purpose of the exceptions is to ensure independence and it coincides with the purpose for which the court was given the power to authorize the restriction of a fundamental right, it may be necessary to extend the judicial exception to such authorization. At the same time, it does not seem reasonable to differentiate between different court permits depending on what is deducible to what is provided for in the ECHR and what is not, unless the legislator has obliged the court to grant permits in the situations that should obviously remain the preserve of administrative authorities.

In Estonia, the courts are also responsible for maintaining the following registers: commercial register, register of non-profit associations and foundations, commercial pledge register, land register, ship’s registration book. In case of registration a narrow interpretation of the judicial exception presupposes that the European Court of Justice does not consider it to fall within the scope of the special judicial regime. The purpose of entrusting the court with the task of keeping a register is generally to ensure the turnover or legal certainty. However, this argument has not been very strong for the European Court of Justice, for example, in deciding whether a Member State may reserve the profession of notary only to its own nationals.[43] The Supreme Court en banc has also confirmed that the registry procedure is generally not administration of justice.[44] However, the administration of justice is the settlement of a dispute over the accuracy of a registry entry. An example of the complexities of data protection related to registers can be found in the practice of the Data Protection Inspectorate. According to the law a political party maintains a list of members at the registration department and it is published in the register of non-profit associations and foundations (§ 8¹ of the Political Parties Act). The management board of the political party and registration department have the right to change the entries. The Data Protection Inspectorate was approached by a person who wished to have his or her name removed from the list of party members, claiming that he or she had never belonged to a political party. As the party did not respond to the inspectorate and did not use the opportunity to submit objections, the inspectorate issued a precept to the party to delete the person’s name. If this reaction was not followed, the Data Protection Inspectorate issued a substitution enforcement order to the controller of the register of non-profit associations and foundations.

However, the Ministry of Justice, as the controller of the register, found that the addressee of the order should be the Centre of Registers and Information Systems which can technically perform such an act. The registration department of the court was left out of the matter altogether. However, this approach raises doubts among the authors of the article.

In Estonia, the court system also includes the payment orders department (§ 16¹ of KS). When looking again by analogy the views of the Court of Justice on the admissibility of imposing a nationality requirement on a notary, the court has stated that “the competence of a notary in matters of issuing an order for payment is based solely on the will of the creditor and the debtor and does not affect the jurisdiction of the court in the absence of an agreement between the parties, …is in no way connected with a direct and specific involvement in the exercise of official authority”. This position is also not changed by the EU Regulation 1896/2006 on cross-border payment orders, as the payment order procedure only concerns uncontested and the financial claims that have become collectible.[45] In the light of the foregoing, it might be foreseeable at first sight that the European Court of Justice does not appear to consider the order for payment procedure to be generally judicial. However, the interpretation that there is no question of justice is called into question by the own case-law of the European Court of Justice on the application of Regulation no 1896/2006, which, inter alia, enables the court[46] to review the legality of consumer contract terms upon its own initiative.[47] According to the authors, the order for payment procedure should rather be subject to justice.

In view of the above, it is also questionable whether all matters of non-action proceedings resolved in county court proceedings are justice or not (Part 11 of TsMS, e.g. calling proceedings, declaration of a person dead, establishment of custody over property, etc.). Obviously, this depends on the nature of the matter, as some of them clearly involve the need to resolve a dispute or are an authorization to protect a fundamental right; however, some of them are more similar to registry files created to ensure turnover security.

To sum up, it is clear from the case-law of the European Court of Justice in various cases, first, that the question of the consent of the person is relevant (if not decisive) in determining whether an act of public authority is specific to the exercise of official authority, i.e. whether there is an agreement between the parties under which the public authority performs an act, or whether there is a dispute between the parties which the public authority must resolve. Secondly, the European Court of Justice has prohibited discrimination on grounds of nationality in respect of the professions which involve the activities that are ancillary or preparatory to the exercise of official authority or certain activities which involve regular and communication within the system with administrative authorities or the court, including compulsory participation in their activities, but which does not affect the discretion or decision-making power of those institutions, or certain activities which do not involve the exercise of the right of decision, coercion or the right to apply coercive measures“[48]. Obviously, the above views can be used as guidelines for deciding whether or not a court task should be considered a matter of justice.

4.2. Borderline cases “inside” court proceedings

The court proceedings are a time-consuming process consisting of various acts: receipt of documents sent to the court; registration in their register (courts information system); making documents in the register available to different persons and authorities; communication with (potential) parties to the proceedings, including sending them documents (by post, e-mail, official publication Ametlikud Teadaanded, etc.); verification of data in various registers (e.g. in criminal records database, population register, etc.); arranging a court hearing; drafting of court decisions (regulations and decisions); disclosure of information concerning court proceedings (in the Riigi Teataja, e.g. information on the date of the court session and time of announcing the decision, court decisions, etc.); granting access to the file – information collected during court proceedings.

All above actions are generally necessary to achieve the goal of resolving the dispute between the parties. These steps are a part of the resolution process. However, in the strict sense, justice is probably only the core, that is to say, in resolving a dispute which has given rise to a case, by assessing the facts and evidence collected in the course of the court proceedings in accordance with its internal convictions and interpreting and applying the rules. Based on this, both the Estonian legislator (see, for example, § 22¹ of TsMS, § 12 of HKMS, § 23¹ of the Code of Criminal Procedure) and the courts have recognized that certain steps of the above can be performed by a court official instead of a judge. For example, the Supreme Court has stated that the determination of procedural costs (which is essentially compensation of damage) in the form provided for in the current GDPR is justice in the meaning of the Constitution.[49] However, it follows from the judgment that if it were a “technical and computational operation“ in which the determinant has no discretion (whether, to what extent and in what proportion), that would probably not be justice.[50] The termination of a legal person for an offense is also not a judicial administration if it takes place as a formal technical act, i.e. the decision-maker “only checks the existence or absence of the circumstances clearly provided by law”. If, for substantive reasons, compulsory dissolution takes place on the basis of a discretion, it may be a matter of justice.[51]

However, when deciding on the scope of the special regime of GDPR, it may be difficult to draw such an internal border. This is because so-called peripheral activities may have a greater or lesser impact on the core – how the case is resolved in substance. Given that the purpose of the special regime is to ensure the independence of the judiciary, the authors consider that the special standards protecting the administration of justice should be interpreted more broadly here.[52] This is also supported by the wording of GDPR and Directive 2016/680, which refers to the independence of the court as an organization and not as a judge as a person. If it were within the competence of the Data Protection Inspectorate to check whether the employee of the office receiving the complaint registered the case in the courts information system correctly, whether the registry inquiries made by the Advocate General or adviser were necessary to resolve the case, the extent to which the judgment should be made public, whether the personal data, etc. had to be hidden when the court file was introduced to the other party to the proceedings, whether such supervisory powers could call into question the independence of the judiciary. The only exception may be access to the court file after the end of the court proceedings, as this cannot have an ex-post effect on the outcome of the case. As regards the access to the file, the answer of the European Court of Justice to the question referred should also be clarified. [53]

When reviewing the provisions of the Forensic Examination Act (KES), forensic examination should also be placed under borderline cases. The legislator has appointed the court and officially certified expert to be joint personal data controllers in criminal proceedings, civil and administrative court proceedings and misdemeanour proceedings (§ 4¹ (3) KES). [54] Although the purpose of the data processing is determined by the court, the necessary data is collected and the means and manner of their processing are determined by a forensic expert or expert institution. Although expert examinations are performed in administrative, civil and criminal matters, pursuant to § 4¹ (2) of KES, the provisions of enforcement authority of Chapter 4 of IKS apply to the forensic institution in preparation and performance of an expert examination regardless of the type of proceedings. On the other hand, according to the explanatory memorandum of officially certified expert, it is not considered a law enforcement agency and its activities are always subject to the regulation of GDPR, however, by considering the differences arising from the procedural codes. [55]

According to the authors, a forensic expert is essentially similar to an auditor, for example, who receives a task from a company, but performs the audit independently and in accordance with the provisions of a special law. The auditor is considered to be an independent controller. Surprisingly, the expert assessments of the state forensic institution for civil proceedings are subject to the regulation of law enforcement agencies, while the rest of the court proceedings are subject to GDPR (subject to the exceptions provided for in the code of procedure). The line between the application of GDPR and chapter 4 of IKS is drawn depending on the person performing the expert assessment, not on the type of proceedings.

V Processing of personal data in the administration of justice “with the exceptions provided for in the procedural codes”

As in any other case of personal data processing, when assessing the lawfulness of the processing of personal data by court it should be first asked who is the controller (Article 4 (7) of GDPR), i.e. the court as an institution or a specific panel resolving the case (alone or collegially). Apparently, the controller is generally more of a court as an organization, as the judge cannot decide which cases he or she will decide, several data processing issues have been decided in advance in the information systems, and the court has also been handled as a whole in GDPR.[56]

It is then necessary to decide on the legal basis for the processor to process the data (Articles 6 and 9 of GDPR) and to assess whether the principles of data processing (Article 5 of GDPR) and other relevant provisions have been followed.

Leaving aside the judicial activity of a court belonging within the scope of Directive 2016/680, the legal basis for the court to process personal data derives from Article 6 (1)e) and (3) of GDPR. In essence, it is a reference standard which means that a Member State has an obligation to establish the relevant standards in accordance with the guidelines set by the EU legislator. As stated, a Member State can restrict the data subject’s rights provided that “such a restriction respects the nature of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to ensure the independence of the judiciary and judicial proceedings” (Article 23 (1)f)).

There is no doubt that the Estonian courts have a legal basis to process personal data, including special categories of personal data. The only question could be whether, in a particular case, national law complied with the rules stipulated on the volume of data (e.g. whether a personal identification number was sufficient or an address was also required) or the method of processing (e.g. whether the data should have been disclosed or only disclosed to the parties to the proceeding, how large was the audience to whom the data was disclosed, etc). However, it should always be borne in mind that restrictions may subsidiarily result from the principles of personal data processing set out in Article 5 of GDPR (e.g. purpose limitation, minimality, accuracy, timeliness).

No detailed analysis has been made in Estonia (at least not known to the authors) as to whether the standards of procedural codes is sufficient to establish specifications for the data subject’s rights arising from GDPR and whether all restrictions meet the “quality requirements” set out in Article 23 of GDPR. For example, the right to rectify[57] (Article 16), delete[58] (Article 17) and object (Article 21) provided for in GDPR is generally not compatible with the needs of justice, at least during the court proceedings, as this may hamper the establishment of the facts necessary to resolve the case and correct and fair settlement of the matter.[59] As indicated, according to § 2 (1) of IKS, GDPR applies to the activities of the court, unless the code of procedure provides for a differentiation. The current procedural codes do not explicitly prescribe whether one or the other right provided for GDPR can be exercised in court proceedings. This raises the question of whether the non-regulation of an issue in the procedural code indicates that it was intended to provide for a distinction from GDPR or to apply GDPR. The legislator could solve the problem before the major problems arise in specific cases.

As stated, according to the exception of the administration of justice, the courts do not have the supervisory competence of the Data Protection Inspectorate in the processing of personal data and the courts are not obliged to appoint a data protection officer. The recital 20 of GDPR states that “it should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this regulation, enhance awareness among members of the judiciary of their obligations under this regulation and handle complaints in relation to such data processing operations”. In other words, the judicial system should have internally a person or body involved in general preventive activities in the field of personal data protection (notification, systematic assessment of the need for measures and their effectiveness, etc.). The person should also be able to lodge a complaint if he or she finds that the court has violated his or her data protection rights. It is true that the preamble to an EU act should not have binding legal force on a Member State.[60]

There is no separate mechanism for prevention and complaint handling in Estonia. The codes of court procedure enable to file an objection to the activities of a court during court proceedings (e.g. § 90 of HKMS, § 333 of TsMS), to a limited extent procedural acts can be challenged by way of appeal (e.g. § 79 (5), § 88 (5), § 89 (5) of HKMS; § 59 (6) of TsMS) and losses in the activities of the court of lower instance can be brought to the attention of a higher court also by exercising the general right of appeal. The recital 20 of GDPR leaves open whether the above-mentioned internal appeal procedure should meet the requirement of an effective remedy and, if so, then which are the criteria to which compliance should be assessed, for example, in the case of solutions used in Estonia. As the right to an effective remedy (see also Article 79 of GDPR) [61] is a fundamental right under Article 47 of the EU Charter of Fundamental Rights, it probably also applies in a situation where the court is a controller or processor. However, as the court itself is the respondent, the question of how to exercise this right is much more complicated, as human rights instruments do not generally provide for a right of appeal to a higher court, but are only limited to the right of access to the court. It is unclear whether it is sufficient to be able to draw the attention of the court as a processor to a possible error of its own.

Conclusion

We should recognize the ones who read this dense and complex text to the end. Now anyone can assess based on the knowledge gained from the article whether they can solve the model case at the beginning of the article: who, on the basis of which rules and what has to be decided, and what are the data subject’s legal remedies.

The provisions of the protection of personal data are complex and probably estranging, both in terms of terminology and in terms of synergies between different levels of legislation. Applying the provisions in the administration of justice is even more of a headache. This is not only due to the transfer of rules for the paper world to the digital world can be difficult, but also as the reaching the right solution often requires not only legal knowledge but also knowledge of the technological organization of data processing. For example, you need to know what a database is and what an information system is, who is responsible for what, how the data moves, who gives access rights and what they are and what can be read from the logs. In addition, the connections with the regulation of access to public information need to be understood.

Hopefully, the article provided food for thought and contributed to finding the right and fair solution in a particular case.

____________________________

[1] The article expresses the personal views of the authors, which are not attributable to the institutions employing the authors, nor do they bind them in their future professional activities.

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

[3] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

[4] The consolidated text of the Convention is available only in English on the website of the Council of Europe. The protocol has been published in Estonian RT II, 3 July 2020, 2.

[5] The Estonian legislator has not entered any reservations to the extent of the scope of the Convention in ratifying the Convention and its Additional Protocols.

[6] Explanatory Memorandum to the Draft on Ratification of the Convention for the Protection of Persons in Automatic Processing of Personal Data 549 SE (9th composition of the Riigikogu); Explanatory Memorandum to the Draft on the Ratification of the Additional Protocol to the Convention for the Protection of Persons with Automatic Processing of Personal Data 442 SE (11th composition of the Riigikogu).

[7] Explanatory Memorandum to the Draft Act on Amendments to the Protocol to Amend the Convention for the Protection of Persons with Automatic Processing of Personal Data 143 SE, p. 23 (4th composition of the Riigikogu). The original text of the Convention did not contain provisions on the supervisory authority. Article 13 (2) thereof dealt with co-operation between Member States and the Data Protection Inspectorate was designated as an authorized body pursuant to Article 13 (2) of the Convention by the Ratification Act (RT II 2001, 1, 3). Although the requirement to designate a supervisory authority was added to the Convention only by the Additional Protocol of 2001 and entered into force for Estonia in 2009 (see Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (RT II 2009, 17, 44)). The explanatory memorandum to the draft Additional Protocol Ratification Act of 2018 states the following: “Upon ratification of the Convention in 2000, Estonia has designated the Data Protection Inspectorate as an authorized authority and thus it is not necessary to re-appoint a supervisory authority” (Explanatory Memorandum to the draft Act 143 SE, p. 16). The explanatory memorandum is clearly incorrect with the number of the year of the inspectorate’s appointment as a supervisory authority.

[8] See Explanatory Memorandum to the Draft on the Personal Data Protection Act 679 SE (13th composition of the Riigikogu), p. 5: “The first is the implementation of the General Data Protection Regulation to the extent granted to the Member State with the discretion to specify the provisions of the general regulation. The second objective is to transpose the directive on the protection of natural persons with regard to the processing of personal data by law enforcement authorities in the prevention, detection, prosecution or enforcement of criminal offenses.”

[9] Explanatory Memorandum to the Draft Act on Implementation of the Personal Data Protection Act 778 SE, pp. 5–6 (13th composition of the Riigikogu).

[10] RKHKo 3-3-1-90-14. The supervisory competence of the inspectorate was based on the Public Information Act, which provided for state and administrative supervision over the information holders. The Supreme Court noted that administrative supervision is exercised in accordance with § 75¹ of the Government of the Republic Act, which defines administrative supervision as the control of one administrative authority over another administrative authority. The Chancellery of the Riigikogu is a state agency, but for the purposes of the Government of the Republic Act, the Chancellery of the Riigikogu is not considered an administrative authority.

[11] The substantive activities of security authorities and the activities of national defence agencies in ensuring national defence are excluded from the competence of the EU (see, for example, recital 16 of GDPR, recital 14 of Directive 2016/680). Apparently, GDPR, Directive 2016/680 and IKS therefore do not apply, for example, to administrative courts when granting permits to restrict fundamental rights under the Security Authorities Act. However, there is no full clarity on this issue and the issue would need further analysis to create a final position.

[12] See with further references e.g. S. Ory, S. Weth. Betroffenenrechte in der Justiz – Die DS-GVO auf Konfrontationskurs mit der ZPO? – NJW 2018, lk 2829; A. Wiebe, M. Eichfeld. Spannungsverhältnis Datenschutzrecht und Justiz. – NJW 2019, pg 2734; A. Roβnagel. Artikel 2. – Datenschutzrecht. DSGVO mit BDSG. S. Smitis, G. Hornung, I. Spiecker (Hrsg.), NomosKommentar, 2019, p 19; H. Kranenborg. Article 2. – The EU General Data Protection Regulation (GDPR). A Commentary. C. Kuner, A. A. Bygrave, C. Docksey (ed.), Oxford University Press, 2020, p. 70.

[13] The scope of GDPR is also not affected by whether the court hears the case on the basis of a digital file or a paper file, as the latter is also a “data set” within the meaning of Article 2 (1).

[14] See, for example, C-272/19: Land Hessen, articles 66-73, where the Court of Justice upheld the applicability of GDPR even to the substantive activities of the Petitions Committee of the German Bundestag.

[15] Advocate General Maciej Szpunar C-439/19: Latvijas Republikas Saeima (Points de pénalité), p 52.

[16] In material terms, pre-trial justice is also handled by a number of other bodies and agencies in addition to the court (e.g. extra-judicial proceedings for misdemeanours). Given the aim of the article to focus on the courts, these will not be discussed below.

[17] GDPR also uses the “judicial tasks” and “judicial proceedings” (judicial tasks/judicial proceedings, gerichtlichen Aufgaben/Gerichtsverfahren, missions/procédures judiciaires).

[18] Although Article 23 does not refer to the administration of justice, it emphasizes “the independence of the judiciary” as an objective for restricting the rights of the data subject. Thus, justice is probably also considered as the core function of the court.

[19] Independence is an integral part of the judiciary and an “external” aspect of the right enshrined in Article 47 of the Charter of Fundamental Rights of the European Union, which presupposes that “the body concerned performs the functions of the court in complete independence, without any hierarchical or subordinate relationship and without receiving any instructions or instructions from anyone, and is thus protected from outside interference or pressure which may impair the decision-making power of its members and influence their decisions“; (ECR C-64/16: Associação Sindical dos Juízes Portugueses, article 44; see also, for example, C-272/19: Land Hessen, articles 45 et seq.)

[20] The explanatory memorandum lists four constitutional institutions: the Riigikogu, National Audit Office, the Chancellor of Justice and the President of the Republic. Explanatory Memorandum to the Draft Act 679 SE, p. 4.

[21] Explanatory Memorandum to the Draft Act 679 SE, p. 20.

[22] RKÜKo 3-4-1-29-13 (competence of the Advocate General to determine the costs of proceedings); RKÜKm 3-2-1-153-13, articles 57-60 (competence of the assistant judge to determine the costs of proceedings); RKÜKo 2-17-10423 / 20, articles 31–38 (competence of the assistant judge to decide on removal from the register). See also RKÜKm 3-2-1-153-13, articles 73–74 (setting the limit of lawyer’s expenses as a matter falling within the scope of § 104 (2) 14) of the Constitution) and RKÜKo 3-2-1-40-15, article 45 (certification and compensation of the travel expenses of a lawyer providing legal aid does not fall within the scope of § 104 of the Constitution).

[23] E.g. J. Laidvee, V. Saarmets. Comments on § 146. – Constitution of the Republic of Estonia. Executive edition, 2020; J. Jäätma. Is justice only an understanding of justice? – Juridica 2016, no 2, pp. 75–86

[24] E.g. EKo C-524/06: Huber, article 52; C-673/17: Planet49, article 47.

[25] Ensuring independence as a starting point is also emphasized, e.g. A. Wiebe, M. Eichfeld. Spannungsverhältnis Datenschutzrecht und Justiz. – NJW 2019, p. 2737.

[26] EKo C-619/18: commission v. Poland, articles 46–58, 108, 112.

[27] E.g. EKo C‑274/14: Banco de Santander, article 56.

[28] E.g. EKo 149/79: Commission v. Belgium.

[29] The example of notaries EKo C ‑ 47/08: Commission v. Belgium, C ê 50/08: Commission v France, C 51/08: Commission v Luxembourg, C-53/08: Commission v Austria, C ê 54/08: Commission v Germany, C-61/08: Commission v Greece, C-157/09: Commission v Netherlands, C-151/14: Commission v Latvia, C-392/15: Commission v. Hungary.

[30] See, e.g., C-73/16: Puškár, article 38; Case C-272/19: Land Hessen, articles. 68-70; see also EKo C-623/17: Privacy International, articles 30-49, where the Court confirmed that national legislation falling within the scope of Directive 2002/58 which allows a public authority to oblige providers of electronic communications services to transmit traffic and location data to security and intelligence services in order to protect national security. This is despite the argument of several Member States that security and intelligence activities are among the core functions of the Member States in maintaining public order and safeguarding internal security and territorial integrity and therefore fall within the exclusive competence of the Member States under Article 4 (2) TEU.

[31] See the references to notaries above (footnote 29), as well as cases concerning the independence of prosecutors: C-508/18 ja C-82/19 PPU: OG and PI; C-509/18: PF; C-489/19 PPU: NJ; C-566/19 PPU ja C-626/19PPU: Parquet général du Grand-Duché de Luxembourg and Openbaar Ministerie; C-625/19 PPU: Openbaar Ministerie; C-627/19 PPU: Openbaar Ministerie; C-510/19: Openbaar Ministerie. Estonian prosecutors C-746/18: Public Prosecutor’s Office.

[32] See Explanatory Memorandum to Draft Act 679 SE, p. 7.

[33] It is important to keep in mind that a distinction should be made between the controller of the database and the controller of the data. Thus, the controller of the databases of the courts information system and e-file databases is the Ministry of Justice, but the controller of the personal data included therein is the court. Pursuant to § 43⁴ of the Public Information Act, the controller (administrator) of a database is the state or local government authority, other legal person in public law or person in private law performing public duties who organises the introduction of the database and the administration of services and data. The controller of a database is responsible for the legality of the administration of the database and for developing the database.

[34] § 15 (4) of the Statutes of the Courts Information System refers only to IKS, although the data subject’s right of access derives also directly from GDPR.

[35] See § 28 et seq. of Regulation no. 7 of the Minister of Justice of 8 February 2018 “Internal Rules of the Court Office of the county, administrative and circuit court”. This regulation also refers only to IKS as regards access rights.

[36] However, § 34 (4) of the Courts Act (KS) is a special provision among the procedural codes, according to which, for example, a state agency has the right to access data in the courts information system for the performance of tasks provided by law. Thus, certain officials of the Office of the Chancellor of Justice have the right of access (see § 6 (1) 6) of the Statutes of the Courts Information System; cf. however, cf. § 17 (7), second sentence). See also the Chancellor of Justice’s proposal of 19 June 2020 to the Minister of Justice.

[37] Another question is whether the data subject should also know the name of the person (official) in the log who has viewed his or her data. Pursuant to Article 15 (4) of GDPR the right to obtain a copy of your personal data should not adversely affect the rights or freedoms of others. However, it is questionable whether the performance of an official’s duties falls within that scope. The names of some officials who have access to the courts information system are restricted information (see § 4 (5) of the Police and Border Guard Act) and making an inquiry may be part of proceedings to which access to data is restricted (e.g. criminal proceedings, state supervision proceedings, etc.).

[38] Cf. e.g. RKTKo 2-15-12216/93, article 17; RKHKo 3-16-1298/30, article 21.

[39] However, the fine specified in § 48 (4) of the Constitution or if the activity is terminated as a punishment (§ 46 of the Penal Code became invalid as of 1 January 2015) can obviously be considered justice.

[40] See also RKKKm 3-1-1-34-16, article 26: „The court permits required for the conduct of proceedings in pre-trial criminal proceedings should ensure the preventive protection of fundamental rights and are therefore not to be regarded as a substantive administration of justice (e.g. deciding on the guilt and punishment of persons in criminal proceedings).“

[41] Thus, the administrative court authorizes, for example, the tax authority to seize a bank account and similar security measures before a tax decision (§ 136¹ of the Taxation Act), detain an alien in a detention centre (§ 36¹ et seq. of the Act on Granting International Protection to Aliens, § 15 of Obligation to Leave and Prohibition on Entry Act), to suspend several permits and rights of a call-up selectee (§ 33¹ of Military Service Act), etc.

[42] See, for example, RKÜKo 3-1-1-86-07, article 26. Another question is what should be considered as punishment – see, for example, RKÜKo 3-4-1-4-13, articles 40-55 (and references made there).

[43] See, for example, case C-47/08 Commission v Belgium, articles 95, 97; C ê 50/08: Commission v France, articles 85, 87; C 51/08: Commission v Luxembourg, articles 95, 97; C-53/08: Commission v Austria, articles 94, 96; C ê 54/08: Commission v Germany, articles 96, 98; C-61/08: Commission v Greece, articles 87, 89; C-151/14: Commission v Latvia, article 60. See also C-392/15 Commission v Hungary, articles 136, 137 (making entries in registers).

[44] RKÜKo 2-17-10423/20, article 35.

[45] See C-392/15: Commission v Hungary, articles 110–114.

[46] Article 5 (3) of the Regulation: “court” means the authority of a Member State which has jurisdiction over the European order for payment or any other related matter.

[47] EKo C 453/18 and C 494/18 Bondora, articles 44 et seq. and the case-law referred therein.

[48] E.g. EKo C-392/15: Commission v Hungary, article 108.

[49] RKÜKo 3-4-1-29-13, articles 43–47.

[50] Same, articles 46, 48.

[51] RKÜKo 2-17-10423/20, article 37.

[52] See also EKo C-619/18: Commission v. Poland, articles 72, 108: ‘[Protected against outside interference or pressure which may impair the decision-making power of the members of that body and influence their decisions [—]. The standards guaranteeing independence and impartiality should be such as to rebut any reasonable doubt on the part of individuals as to whether that body is outside the scope of external factors and whether it is neutral in the light of conflicting interests“; article 112: “It should therefore enable more precisely to rule out not only any direct impact in the form of instructions, but also the forms of indirect impact which may direct the decisions of the judges concerned.” The opposite view A. Wiebe, M. Eichfeld. Spannungsverhältnis Datenschutzrecht und Justiz. – NJW 2019, pp. 2737-2738, where the author discusses whether the judicial exception should apply as soon as legal proceedings begin, but ultimately concludes that the starting point should be the author of the act: if it is a judge’s action, it is administration of justice, in case of the activities of all other judicial staff it is not.

[53] See EK C-245/20: Autoriteit Persoonsgegevens, where the journalist examined the case file on the day of the hearing, which according to the general practice of the Administrative Jurisdiction Division of the Council of State of the Netherlands, was made available on paper to journalists for ease of reference (neither the Advocate General nor the Court of Justice has given an opinion at the time of writing an article). See also EK C-470/19 (at the time of writing the article the Court has not ruled, however, according to the Advocate General it is not an administrative task to deal with an application for access to the procedural documents of the case).

[54] WP29 was in the opinion that it is not who formally but factually determines the purposes and means of determining the controller. See 10 February 2010. Opinion 1/2010 on the definitions of “controller” and “processor”. See also H. Erkelenz, A. Leopold. Datenschutz beim Beweis durch Sachverständige. – NZS 2019, p. 926 et seq.: the court determines the purpose of the processing, the expert generally determines the means; ultimately, the designation of a controller depends on the individual case.

[55] See explanatory memorandum to draft act 778 SE, p. 53.

[56] Same opinion A. Wiebe, M. Eichfeld. Spannungsverhältnis Datenschutzrecht und Justiz. – NJW 2019, p. 2736.

[57] The independent right to correct personal data (ie in addition to the regulation of the code of procedure) is in any case limited to the issue of factual accuracy: an expert assessment including a diagnosis or similar assessment, nor is a legal assessment of the facts a matter of rectification. However, the debate may be about which fact is correct (analogous to RKTKo 3-2-1-53-07, article 19: legal assessment is not a statement of fact). However, the debate may be about which fact is correct. See also H. Erkelenz, A. Leopold. Datenschutz beim Beweis durch Sachverständige. – NZS 2019, p. 925.

[58] See also the example at the end of Article III, where a party to the proceeding erroneously submitted the certificate including another person’s personal data to the court. The question is whether the data subject for whom a document was erroneously submitted for inclusion in the file has the right to request the court to delete it from the file (Article 17 (1)d) of GDPR), as Article 17 (3)b) the exception of the deletion request „to the extent the personal data processing is necessary for the performance of a task in the public interest“ has not been complied with. The document submitter may no longer be able to “delete” the document from the file.

[59] S. Ory, S. Weth. Betroffenenrechte in der Justiz – Die DS-GVO auf Konfrontationskurs mit der ZPO? – NJW 2018, p. 2832; H. Erkelenz, A. Leopold. Datenschutz beim Beweis durch Sachverständige. – NZS 2019, p. 929.

[60] E.g. EKo C-303/19: Istituto Nazionale della Previdenza Sociale, p. 26. See also the above-mentioned proposal of the Chancellor of Justice of 19 June 2020 to the Minister of Justice, where the Chancellor of Justice takes the view that the systematic monitoring of the legality of the use of the courts information system is necessary, but at least in the case of inquiries within the judiciary, the Ministry of Justice cannot do so.

[61] On article 22 of analogous directive 95/46 article see e.g. C-73/16: Puškár, where the Court of Justice has, in principle, considered it permissible to introduce mandatory pre-trial procedures in the field of data protection, provided that the specific conditions for exercising these remedies (accompanying delays, procedural costs) do not disproportionately prejudice the right to an effective remedy under Article 47 of the Charter. Also H. K. Ellingsen. Effective judicial protection of individual data protection rights: Puškár. – CMLR 55, 2018, pp 1879–1898.