The European Court of Justice (EUCJ) has issued a judgement on the 22^nd of June 2021 on the law case n. C-439/19 Latvijas Republikas Saeima, on the lawfulness of the national legislation which disciplines the access of the public to personal data on sanctions points inflicted to drivers for some crimes on the road traffic.

The European Supervisory Committee has declared the following:

• Information on sanctions points on a natural personal identified are personal data and their communication to a public authority by third parties makes a processing which is part of the field of application of the General Data Protection Regulation;
• The exception to the field of application of the GDPR pursuant to article 2, paragraph 1 and paragraph 2, letter a) shall be restrictively interpreted. The purpose of this disposal is to exclude from the field of application of this regulation of personal data processing carry out and public bodies in the field of an activity carried out in order to guarantee the national security or an activity which can be part of the same category, so the sole reason is the power, and it is not sufficient that this exception is automatically applicable to this activity;
• The article 10 of the GDPR is applicable only to “punishable acts” which requires an independent and uniform interpretation all over Europe, that shall be researched in the light of the purpose pursued by this disposal and of the context to which this disposal is part. The qualification given by the Member State is not determining, because this qualification can be different in each country;
• Three criteria are important in order to assess the criminal law of the infraction. The first criteria is the juridical qualification of the infraction in the national right. The second is the nature of the same breach and the third one is the level of seriousness of the sanction which is threatening the data subject. Also in case of infractions that are not qualified as “sanctioned” by the national law, this nature can anyway result by the same nature of the infraction and by the level of seriousness of sanctions which can arise by this breach;
• According to what is mentioned before, the article 10 of the GDPR is applicable to personal data protection on sanctioning points imposed to drivers for road traffic offences and therefore its processing is submitted to additional restriction in this disposal;
• In the measure in which this additional personal data processing is not anymore carried out “under the control” of a public body, the national law which authorize the communication of those data by a public authority shall provide “adequate guarantees for the protection of rights and fundamental freedoms of data subjects”.
• The GDPR precludes a national legislation which authorizes the public authorities responsible of the register in which are subscribed the imposed sanction to drivers for road traffic offences to notify those data to economical operators for the reuse or the imposition of the obligation to make those data available to the public without that the person who requires the access need to justify a particular interest in obtaining those information.

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA SLOVACCHIA