On 28 November 2024, the Court of Justice of the European Union (CJEU) delivered a significant judgment in Case C-169/23 Másdi, clarifying key GDPR transparency provisions. The case arose from a dispute in Hungary regarding the issuance of COVID-19 immunity certificates and whether authorities were required to inform individuals about the processing of their personal data.



The Court examined Article 14(5)(c), Article 32, and Article 77(1) of the GDPR. Here's what the Court ruled:

Article 14(5)(c) Exception

The Court held that the exception applies to all personal data not collected directly from the data subject, whether obtained from external sources or created by controllers during their duties. However, this exception is valid only if national or EU law specifically provides for the collection or disclosure of such data and ensures measures to protect the data subject’s rights.

Supervisory Authority’s Role (Article 77(1))
Supervisory authorities are required to verify whether national laws meet the conditions of Article 14(5)(c). This includes ensuring the law provides clear protections, such as informing individuals about how their data are processed. However, their role does not include verifying if the controller has implemented adequate technical and organizational measures under Article 32.



Transparency and Control
The Court reaffirmed the GDPR’s principle of giving data subjects sufficient transparency and control over their data to ensure the lawfulness of processing. If authorities find that the Article 14(5)(c) exception is inapplicable, controllers must comply with GDPR’s information obligations

Find all resources from this episode at: https://conformally.com/privacy-navigator
Learn more about Conformally at https://conformally.com