Provisional text

JUDGMENT OF THE COURT (Fifth Chamber)

24 February 2022 (*)

( Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 2 – Scope – Article 4 – Concept of ‘processing’ – Article 5 – Principles relating to processing – Purpose limitation – Data minimisation – Article 6 – Lawfulness of processing – Processing necessary for the performance of a task carried out in the public interest by the controller – Processing necessary for compliance with a legal obligation to which the controller is subject – Article 23 – Limitations – Processing of data for tax purposes – Request for the disclosure of information relating to vehicle sale advertisements placed online – Proportionality )

In Case C‑175/20,

REQUEST for a preliminary ruling under Article 267 TFEU from the Administratīvā apgabaltiesa (Regional Administrative Court, Latvia), made by decision of 11 March 2020, received at the Court on 14 April 2020, in the proceedings

‘SS’ SIA

v

Valsts ieņēmumu dienests,

THE COURT (Fifth Chamber),

composed of E. Regan, President of the Chamber, K. Lenaerts, President of the Court, acting as a Judge of the Fifth Chamber, C. Lycourgos, President of the Fourth Chamber, I. Jarukaitis and M. Ilešič (Rapporteur), Judges,

Advocate General: M. Bobek,

Registrar: A. Calot Escobar,

having regard to the written procedure,

after considering the observations submitted on behalf of:

–        ‘SS’ SIA, by M. Ruķers,

–        the Latvian Government, initially by K. Pommere, V. Soņeca and L. Juškeviča, and subsequently by K. Pommere, acting as Agents,

–        the Belgian Government, by J.‑C. Halleux and P. Cottin, acting as Agents, and by C. Molitor, avocat,

–        the Greek Government, by E.‑M. Mamouna and O. Patsopoulou, acting as Agents,

–        the Spanish Government, initially by J. Rodríguez de la Rúa Puig and S. Jiménez García, and subsequently by J. Rodríguez de la Rúa Puig, acting as Agents,

–        the European Commission, initially by H. Kranenborg, D. Nardi and I. Rubene, and subsequently by H. Kranenborg and I. Rubene, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 2 September 2021,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and corrigendum OJ 2018 L 127, p. 2), in particular Article 5(1) of that regulation.

2        The request has been made in proceedings between ‘SS’ SIA and the Valsts ieņēmumu dienests (State Tax Authority, Latvia) (‘the Latvian tax authority’) regarding a request for disclosure of information relating to vehicle sale advertisements published on the website of SS.

 Legal context

 European Union law

 Regulation 2016/679

3        Regulation 2016/679, which is based on Article 16 TFEU, applies, under Article 99(2) thereof, from 25 May 2018.

4        Recitals 1, 4, 10, 19, 26, 31, 39, 41 and 50 of that regulation state:

‘(1)      The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the “Charter”) and Article 16(1) [TFEU] provide that everyone has the right to the protection of personal data concerning him or her.

…

(4)      The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

…

(10)      In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. …

 …

(19)      The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. This Regulation should not, therefore, apply to processing activities for those purposes. However, personal data processed by public authorities under this Regulation should, when used for those purposes, be governed by a more specific Union legal act, namely Directive (EU) 2016/680 of the European Parliament and of the Council [of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89)]. …

…

(26)      The principles of data protection should apply to any information concerning an identified or identifiable natural person. … To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. …

…

(31)      Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets[,] should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law. The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.

…

(39)      … The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. …

…

(41)      Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court … and the European Court of Human Rights.

…

(50)      The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.’

5        Article 2 of Regulation 2016/679, headed ‘Material scope’, provides:

‘1.      This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2.      This Regulation does not apply to the processing of personal data:

(a)      in the course of an activity which falls outside the scope of Union law;

(b)      by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

(c)      by a natural person in the course of a purely personal or household activity;

(d)      by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

…’.

6        Article 4 of that regulation, headed ‘Definitions’, is worded as follows:

‘For the purposes of this Regulation:

(1)      “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2)      “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

…

(6)      “filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

(7)      “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; …

…

(9)      “recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

…’.

7        Under Article 5 of that regulation, headed ‘Principles relating to processing of personal data’:

‘1.      Personal data shall be:

(a)      processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

(b)      collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; … (“purpose limitation”);

(c)      adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

(d)      accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);

(e)      kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; … (“storage limitation”);

(f)      processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

2.      The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’

8        Article 6 of that regulation, headed ‘Lawfulness of processing’, provides:

‘1.      Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)      the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b)      processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c)      processing is necessary for compliance with a legal obligation to which the controller is subject;

(d)      processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e)      processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f)      processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2.      Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

3.      The basis for the processing referred to in point[s] (c) and (e) of paragraph 1 shall be laid down by:

(a)      Union law; or

(b)      Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. … The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4.      Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

(a)      any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

(b)      the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

(c)      the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

(d)      the possible consequences of the intended further processing for data subjects;

(e)      the existence of appropriate safeguards, which may include encryption or pseudonymisation.’

9        Under Article 13(3) of Regulation 2016/679:

‘Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.’

10      Article 14 of that regulation provides:

‘1.      Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

…

(c)      the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

…

5.      Paragraphs 1 to 4 shall not apply where and in so far as:

…

(c)      obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; …

…’.

11      Under Article 23(1)(e) of that regulation:

‘Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

…

(e)      other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation … matters, public health and social security;

…’.

12      Article 25(2) of Regulation 2016/679 provides:

‘The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.’

 Directive 2016/680

13      Recitals 10 and 11 of Directive 2016/680 state:

‘(10)      In Declaration No 21 on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation, annexed to the final act of the intergovernmental conference which adopted the Treaty of Lisbon, the conference acknowledged that specific rules on the protection of personal data and the free movement of personal data in the fields of judicial cooperation in criminal matters and police cooperation based on Article 16 TFEU may prove necessary because of the specific nature of those fields.

(11)      It is therefore appropriate for those fields to be addressed by a directive that lays down the specific rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, respecting the specific nature of those activities. Such competent authorities may include not only public authorities such as the judicial authorities, the police or other law-enforcement authorities but also any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of this Directive. Where such a body or entity processes personal data for purposes other than for the purposes of this Directive, Regulation [2016/679] applies. Regulation [2016/679] therefore applies in cases where a body or entity collects personal data for other purposes and further processes those personal data in order to comply with a legal obligation to which it is subject. …’.

14      Article 3 of that directive provides:

‘For the purposes of this Directive:

…

(7)      “competent authority” means:

(a)      any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or

(b)      any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

…’.

 Latvian law

15      Under Article 15(6) of the version of the Likums ‘Par nodokļiem un nodevām’ (Law on taxes and duties, Latvijas Vēstnesis, 1995, No 26) applicable to the dispute in the main proceedings (‘the Law on taxes and duties’), a provider of internet advertisement services is obliged to provide, on request by the Latvian tax authority, the information which it has concerning taxpayers who have published advertisements using its services.

 The dispute in the main proceedings and the questions referred for a preliminary ruling

16      SS is a provider of internet advertisement services established in Latvia.

17      On 28 August 2018, the Latvian tax authority sent SS a disclosure request based on Article 15(6) of the Law on taxes and duties, in which they asked SS to restore the tax authority’s access to the chassis numbers of the vehicles which were the subject of an advertisement published on that company’s internet portal and to the telephone numbers of the sellers and to provide them, no later than 3 September 2018, with information on the advertisements published in the period from 14 July to 31 August 2018 in the section of that portal entitled ‘Cars’.

18      That request specified that that information, including a link to the advertisement, the text of the advertisement, the make, model, chassis number and price of the vehicle, and the telephone number of the seller, was to be submitted electronically, in a format allowing the data to be filtered or selected.

19      Moreover, if access to the information appearing in the advertisements published on the internet portal at issue could not be restored, SS was asked to indicate the reason for that and to provide, no later than the third day of each month, the relevant information relating to the advertisements published in the course of the previous month.

20      Taking the view that the Latvian tax authority’s disclosure request was not compliant with the principles of proportionality and minimisation of personal data, established by Regulation 2016/679, SS filed a complaint against that request with the acting Director-General of the Latvian tax authority.

21      By decision of 30 October 2018, the acting Director-General rejected that complaint, stating, inter alia, that, in processing the personal data at issue in the main proceedings, the Latvian tax authority was exercising the powers conferred on it by law.

22      SS brought an action before the administratīvā rajona tiesa (District Administrative Court, Latvia) seeking the annulment of that decision. In addition to the arguments which it had set out in its complaint, it argued in its action that that decision did not indicate the specific purpose of the processing of the personal data envisaged by the Latvian tax authority or the amount of data necessary for that processing, in breach of Article 5(1) of Regulation 2016/679.

23      By judgment of 21 May 2019, the administratīvā rajona tiesa (District Administrative Court) dismissed that action, indicating, in essence, that the Latvian tax authority was entitled to request access to information relating to any person and in unlimited amounts, unless that information was regarded as incompatible with the purposes of tax collection. That court, in addition, found that the provisions of Regulation 2016/679 were not applicable in respect of that authority.

24      SS brought an appeal against that judgment before the referring court, arguing, first, that the Latvian tax authority was subject to the provisions of Regulation 2016/679 and, second, that, by requiring on a monthly basis and with no limit in time a significant amount of personal data relating to an unlimited number of advertisements, without identifying the taxpayers in respect of whom a tax inquiry was under way, that authority breached the principle of proportionality.

25      The referring court indicates that, in the dispute in the main proceedings, it is common ground that the fulfilment of the disclosure request at issue is intrinsically linked to processing of personal data and that the Latvian tax authority has the right to obtain information which is at the disposal of a provider of internet advertising services and is necessary for the implementation of specific measures in the field of tax collection.

26      The dispute in the main proceedings concerns the amount and type of information which may be requested by the Latvian tax authority, the limited or unlimited nature of that information and the question of whether the disclosure obligation to which SS is subject must be limited in time.

27      In particular, the referring court takes the view that it falls to it to determine whether, in the circumstances of the case in the main proceedings, the processing of the personal data is carried out in a transparent manner in relation to the data subjects, whether the information specified in the disclosure request at issue is requested for specified, explicit and legitimate purposes and whether the processing of the personal data is carried out only to the extent that it is really necessary for the performance of the duties of the Latvian tax authority, for the purposes of Article 5(1) of Regulation 2016/679.

28      To that end, it is necessary to define the criteria for assessing whether a disclosure request issued by the Latvian tax authority respects the essence of the fundamental rights and freedoms and whether the disclosure request at issue in the main proceedings may be regarded as necessary and proportionate in a democratic society in order to safeguard important objectives of the European Union and Latvian public interests in budgetary and tax matters.

29      In those circumstances, the Administratīvā apgabaltiesa (Regional Administrative Court, Latvia) decided to stay the proceedings and to refer the following questions to the Court for a preliminary ruling:

‘(1)      Must the requirements laid down in [Regulation 2016/679] be interpreted as meaning that a request for information issued by a tax authority, such as the request at issue in this case, which seeks the disclosure of information containing a considerable amount of personal data, must comply with the requirements laid down in [Regulation 2016/679] (in particular Article 5(1) thereof)?

(2)      Must the requirements laid down in [Regulation 2016/679] be interpreted as meaning that the [tax authority] may depart from the provisions of Article 5(1) of that regulation even though the legislation in force in the Republic of Latvia does not empower it to do so?

(3)      For the purposes of interpreting the requirements laid down in [Regulation 2016/679], can there be considered to be a legitimate objective justifying the obligation, imposed by a request for information such as that at issue in this case, to provide all of the data requested in an undefined amount and for an undefined period of time, in the case where there is no prescribed expiry date for the fulfilment of that request for information?

(4)      For the purposes of interpreting the requirements laid down in [Regulation 2016/679], can there be considered to be a legitimate objective justifying the obligation, imposed by a request for information such as that at issue in this case, to provide all of the data requested even if the request for information does not (or does not fully) specify the purpose of disclosing that information?

(5)      For the purposes of interpreting the requirements laid down in [Regulation 2016/679], can there be considered to be a legitimate objective justifying the obligation, imposed by a request for information such as that at issue in this case, to provide all of the data requested even if that request relates in practice to absolutely all data subjects who have published advertisements in the “[Cars]” section of a portal?

(6)      What criteria must be used to verify that a tax authority, acting as controller, is duly ensuring that the processing of data (including the collection of information) is compliant with the requirements laid down in [Regulation 2016/679]?

(7)      What criteria must be used to verify that a request for information such as that at issue in this case is duly reasoned and occasional?

(8)      What criteria must be used to verify that personal data are being processed to the extent necessary and in a manner compatible with the requirements laid down in [Regulation 2016/679]?

(9)      What criteria must be used to verify that a tax authority, acting as controller, ensures that data are processed in accordance with the requirements laid down in Article 5(1) of [Regulation 2016/679] (accountability)?’

 Consideration of the questions referred

 The first question

30      By its first question, the referring court asks, in essence, whether the provisions of Regulation 2016/679 must be interpreted as meaning that the collection by the tax authorities of a Member State from an economic operator of information involving a significant amount of personal data is subject to the requirements of that regulation, in particular those set out in Article 5(1) thereof.

31      In order to answer that question, it is necessary to ascertain, first, whether such a request falls within the material scope of Regulation 2016/679, as defined in Article 2(1) thereof, and, secondly, whether it is not among the instances of processing of personal data which Article 2(2) of that regulation excludes from that scope.

32      In the first place, under Article 2(1) thereof, Regulation 2016/679 applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

33      Article 4(1) of Regulation 2016/679 specifies that ‘personal data’ is to mean any information relating to an identified or identifiable natural person, that is to say to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Recital 26 of that regulation specifies, in that regard, that, in order to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used either by the controller or by another person to identify the natural person directly or indirectly.

34      In the dispute in the main proceedings, it is common ground that the information which the Latvian tax authority is asking to have disclosed constitutes personal data within the meaning of Article 4(1) of Regulation 2016/679.

35      Under Article 4(2) of that regulation, the collection, consultation, disclosure by transmission and making available in any way of personal data constitute ‘processing’ within the meaning of that regulation. It is apparent from the wording of that provision, in particular from the expression ‘any operation’, that the EU legislature intended to give the concept of ‘processing’ a broad scope. That interpretation is corroborated by the non-exhaustive nature, expressed by the phrase ‘such as’, of the operations mentioned in that provision.

36      In the present case, the Latvian tax authority is requiring the economic operator concerned to restore the access of the authority’s services to the chassis numbers of the vehicles which are the subject of an advertisement published on its internet portal and to provide them with information on the advertisements published on that portal.

37      Such a request, by which the tax authorities of a Member State ask an economic operator to disclose and make available personal data which that operator is obliged to provide and make available to those authorities under the national legislation of that Member State, initiates a process of ‘collection’ of those data, within the meaning of Article 4(2) of Regulation 2016/679.

38      In addition, the disclosure and making available of those data to those authorities by the economic operator at issue involve ‘processing’ within the meaning of such Article 4(2).

39      In the second place, it is necessary to examine whether the operation by which the tax authorities of a Member State seek to collect from an economic operator personal data concerning certain taxpayers may be regarded as excluded from the scope of Regulation 2016/679 under Article 2(2) thereof.

40      In that regard, it should be noted, at the outset, that that provision lays down exceptions to the scope of that regulation, as defined in Article 2(1) thereof, which must be interpreted strictly (judgment of 16 July 2020, Facebook Ireland and Schrems, C‑311/18, EU:C:2020:559, paragraph 84).

41      In particular, Article 2(2)(d) of Regulation 2016/679 provides that that regulation does not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

42      As is clear from recital 19 of Regulation 2016/679, the reason for that exception is that the processing of personal data for such purposes by the competent authorities is governed by a specific EU legal act, namely Directive 2016/680, which was adopted on the same day as Regulation 2016/679. Directive 2016/680 defines ‘competent authority’ in Article 3(7) and such a definition must be applied, by analogy, to Article 2(2)(d) of Regulation 2016/679 (see, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C‑439/19, EU:C:2021:504, paragraph 69).

43      It is apparent from recital 10 of Directive 2016/680 that the concept of ‘competent authority’ must be understood in relation to the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation, in view of the arrangements which may prove necessary, in that regard, because of the specific nature of those fields. In addition, recital 11 of that directive explains that Regulation 2016/679 applies to processing of personal data that is carried out by a ‘competent authority’, within the meaning of Article 3(7) of the directive, but for purposes other than those of the directive (judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C‑439/19, EU:C:2021:504, paragraph 70).

44      Thus, when they request an economic operator to disclose to them personal data relating to certain taxpayers for the purposes of the collection of tax and combating tax fraud, it does not appear that the tax authorities of a Member State may be regarded as a ‘competent authority’ within the meaning of Article 3(7) of Directive 2016/680 or, therefore, that such information requests may fall within the exception provided for in Article 2(2)(d) of Regulation 2016/679.

45      Besides, even if the possibility is not excluded that the personal data at issue in the main proceedings may be used in criminal proceedings which may be brought, in the event of an infringement in the field of taxation, against certain of the data subjects, it does not appear that those data would be collected for the specific purpose of pursuing such criminal proceedings or in the context of State activities relating to areas of criminal law (see, to that effect, judgment of 27 September 2017, Puškár, C‑73/16, EU:C:2017:725, paragraph 40).

46      Therefore, the collection by the tax authorities of a Member State of personal data relating to vehicle sale advertisements published on the website of an economic operator falls within the material scope of Regulation 2016/679 and, as a consequence, those authorities must respect, inter alia, the principles relating to the processing of personal data set out in Article 5 of that regulation.

47      In the light of all the foregoing considerations, the answer to the first question is that the provisions of Regulation 2016/679 must be interpreted as meaning that the collection by the tax authorities of a Member State from an economic operator of information involving a significant amount of personal data is subject to the requirements of that regulation, in particular those set out in Article 5(1) thereof.

 The second question

48      By its second question, the referring court asks, in essence, whether the provisions of Regulation 2016/679 must be interpreted as meaning that the tax authorities of a Member State may derogate from the provisions of Article 5(1) of that regulation even though such a right has not been granted to them by the national law of that Member State.

49      As a preliminary point, it should be recalled that, as is apparent from recital 10 thereof, Regulation 2016/679 aims, inter alia, to ensure a high level of protection of natural persons within the European Union.

50      To that end, Chapters II and III of Regulation 2016/679 set out, respectively, the principles governing the processing of personal data and the rights of the data subject, which any processing of personal data must observe. In particular, any processing of personal data must, inter alia, comply with the principles relating to the processing of such data set out in Article 5 of that regulation (see, to that effect, judgment of 6 October 2020, La Quadrature du Net and Others, C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 208).

51      However, Article 23 of Regulation 2016/679 authorises the European Union and Member States to adopt a ‘legislative measure’ restricting the scope of the obligations and rights provided for, inter alia, in Article 5 of that regulation in so far as they correspond to the rights and obligations provided for in Articles 12 to 22 of that regulation, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest of the European Union or the Member State concerned, such as, in particular, an important economic or financial interest, including budgetary and taxation matters.

52      In that regard, it is apparent from recital 41 of Regulation 2016/679 that the reference, in that regulation, to a ‘legislative measure’ does not necessarily require a legislative act adopted by a parliament.

53      That being said, it should be recalled that, as stated in recital 4 thereof, Regulation 2016/679 respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, which include, inter alia, the protection of personal data.

54      In accordance with the first sentence of Article 52(1) of the Charter, any limitation on the exercise of the rights and freedoms recognised by the Charter, which include, inter alia, the right to respect for private life, guaranteed by Article 7 of the Charter, and the right to the protection of personal data, established in Article 8 thereof, must be provided for by law, which implies, in particular, that the legal basis which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned (see, to that effect, judgment of 6 October 2020, Privacy International, C‑623/17, EU:C:2020:790, paragraph 65 and the case-law cited).

55      In that regard, the Court has held, moreover, that legislation including a measure allowing such interference must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose personal data have been transferred have sufficient guarantees that those data will be effectively protected against the risk of abuse (see, to that effect, judgment of 2 March 2021, Prokuratuur (Conditions of access to data relating to electronic communications), C‑746/18, EU:C:2021:152, paragraph 48 and the case-law cited).

56      Consequently, any measure adopted under Article 23 of Regulation 2016/679 must, as the EU legislature, moreover, emphasised in recital 41 of that regulation, be clear and precise and its application be foreseeable to persons subject to it. In particular, those persons must be able to identify the circumstances and conditions under which the scope of the rights which that regulation confers on them may be the subject of a restriction.

57      It follows from the foregoing considerations that the tax authorities of a Member State cannot derogate from the provisions of Article 5 of Regulation 2016/679 in the absence of a clear and precise legal basis under EU or national law, whose application is foreseeable to persons subject to it, laying down the circumstances and conditions under which the scope of the obligations and rights provided for in that Article 5 may be restricted.

58      Therefore, the answer to the second question is that the provisions of Regulation 2016/679 must be interpreted as meaning that the tax authorities of a Member State may not derogate from the provisions of Article 5(1) of that regulation where such a right has not been granted to them by a legislative measure within the meaning of Article 23(1) thereof.

 The third to ninth questions

59      By its third to ninth questions, which it is appropriate to examine together, the referring court asks, in essence, whether the provisions of Regulation 2016/679 must be interpreted as precluding the tax authorities of a Member State from requiring a provider of internet advertisement services to disclose to them, for an undefined period of time and without the purpose of that disclosure request being specified, information relating to all the taxpayers who have published advertisements in one of the sections of its internet portal.

60      As a preliminary point, it should be noted that two forms of processing of personal data are liable to take place in a situation such as that at issue in the main proceedings. As is apparent from paragraphs 37 and 38 of the present judgment, those forms are the collection of personal data by the tax authority from the service provider concerned and, in that context, the disclosure by transmission of those data by that provider to that authority.

61      As is apparent from the case-law cited in paragraph 50 of this judgment, each of those processing operations must, subject to the derogations allowed in Article 23 of Regulation 2016/679, observe the principles relating to the processing of personal data set out in Article 5 of that regulation and the rights of the data subject appearing in Articles 12 to 22 thereof.

62      In the present case, the referring court questions, in particular, the circumstance that, first, the forms of processing mentioned in paragraph 60 of this judgment concern information in unlimited amounts relating to an undefined period of time and, second, the purpose of those forms of processing is not specified in the disclosure request.

63      In that regard, it should be emphasised, in the first place, that Article 5(1)(b) of Regulation 2016/679 provides that personal data are to be collected, inter alia, for specified, explicit and legitimate purposes.

64      First of all, the requirement that the purposes of the processing be specified implies, as can be seen from recital 39 of that regulation, that those purposes must be identified, at the latest, at the time of the collection of the personal data.

65      Next, the purposes of the processing must be explicit, which means that they must be clearly stated.

66      Lastly, those purposes must be legitimate. It is important, consequently, that they ensure lawful processing within the meaning of Article 6(1) of that regulation.

67      The forms of processing referred to in paragraph 60 of the present judgment are initiated by the request for disclosure of personal data which the Latvian tax authority sends to the provider of internet advertisement services. It appears, in that regard, that, under Article 15(6) of the Law on taxes and duties, that provider is obliged to comply with such a request.

68      In view of the considerations set out in paragraphs 64 and 65 of the present judgment, it is necessary for the purposes of those forms of processing to be clearly stated in that request.

69      Provided that the purposes thus stated in that request are necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the tax authorities, that circumstance is sufficient, as can be seen from point (e) of the first subparagraph of Article 6(1) of Regulation 2016/679, read in conjunction with the second subparagraph of Article 6(3) of that regulation, for those forms of processing also to satisfy the requirement of lawfulness recalled in paragraph 66 of this judgment.

70      In that regard, it should be recalled that the collection of tax and combating tax fraud must be regarded as tasks carried out in the public interest within the meaning of point (e) of the first subparagraph of Article 6(1) of Regulation 2016/679 (see, by analogy, judgment of 27 September 2017, Puškár, C‑73/16, EU:C:2017:725, paragraph 108).

71      It follows that, in a case where the disclosure of the personal data at issue is not directly based on the legal provision which forms its basis, but results from a request on the part of the competent public authority, it is necessary for that request to make clear what the specific purposes of that data collection are in relation to the task carried out in the public interest or the exercise of official authority, in order to allow the addressee of that request to make sure that the transmission of the personal data at issue is lawful and the national courts to carry out a review of the legality of the forms of processing concerned.

72      In the second place, in accordance with Article 5(1)(c) of Regulation 2016/679, personal data are to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

73      In that regard, it should be recalled that, according to settled case-law, derogations and limitations in relation to the principle of protection of such data must apply only in so far as is strictly necessary (see, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C‑439/19, EU:C:2021:504, paragraph 110 and the case-law cited).

74      It follows that the controller, including where it acts in connection with a task which it has been charged with carrying out in the public interest, may not proceed, in a general and undifferentiated manner, with the collection of personal data and it must refrain from collecting data which are not strictly necessary in relation to the purposes of the processing.

75      In the present case, it should be pointed out that, as is apparent from paragraphs 17 to 19 of the present judgment, the Latvian tax authority requested the economic operator concerned to provide it with data relating to the car sale advertisements published on the website of that operator from 14 July to 31 August 2018 and, if access to that information could not be restored, to provide it, no later than the third day of each month, with data relating to the car sale advertisements published on that operator’s website in the course of the previous month, without in any way limiting that request in time.

76      In the light of the considerations set out in paragraph 74 of the present judgment, it is the duty of the referring court to ascertain whether the purpose of the collection of those data could be achieved without the Latvian tax authority potentially having at its disposal data relating to all the car sale advertisements published on the website of that operator and, in particular, whether those authorities might conceivably target certain advertisements by means of specific criteria.

77      In that context, it should be emphasised that, in accordance with the principle of accountability set out in Article 5(2) of Regulation 2016/679, the controller must be able to demonstrate its compliance with the principles relating to the processing of personal data set out in Article 5(1) thereof.

78      Therefore, it is the duty of the Latvian tax authority to establish that, in accordance with Article 25(2) of that regulation, it has sought to minimise as far as possible the amount of personal data to be collected.

79      As regards the circumstance that the disclosure request sent by the Latvian tax authority does not make provision, in the event of failure by the advertisement services provider concerned to restore access to the advertisements published in the period targeted in the request, for any limit in time, it should be recalled that, taking into account the principle of data minimisation, the controller is also obliged to limit to what is strictly necessary, in the light of the objective of the processing envisaged, the period of collection of the personal data at issue.

80      Therefore, the period to which the collection relates cannot exceed the period strictly necessary to achieve the objective of general interest sought.

81      As is apparent from paragraph 77 of the present judgment, the burden of proof in that regard lies with the Latvian tax authority.

82      However, the circumstance that those data are collected without the Latvian tax authority having defined, in the disclosure request itself, a limit in time for such processing does not, as such, allow a finding that the duration of the processing exceeds the period strictly necessary to achieve the objective sought.

83      In that context, it should nevertheless be recalled that, in order to satisfy the requirement of proportionality to which Article 5(1)(c) of Regulation 2016/679 gives expression (see, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C‑439/19, EU:C:2021:504, paragraph 98 and the case-law cited), the legislation which provides the basis for the processing must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose personal data are affected have sufficient guarantees that those data will be effectively protected against the risk of abuse. That legislation must be legally binding under domestic law and, in particular, must indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted, thereby ensuring that the interference is limited to what is strictly necessary (judgment of 6 October 2020, Privacy International, C‑623/17, EU:C:2020:790, paragraph 68 and the case-law cited).

84      It follows that the national legislation governing a disclosure request such as that at issue in the main proceedings must rely on objective criteria in order to define the circumstances and conditions under which a provider of online services is obliged to transmit personal data relating to its users (see, to that effect, judgment of 6 October 2020, Privacy International, C‑623/17, EU:C:2020:790, paragraph 78 and the case-law cited).

85      In the light of all the foregoing considerations, the answer to the third to ninth questions is that the provisions of Regulation 2016/679 must be interpreted as not precluding the tax authorities of a Member State from requiring a provider of internet advertisement services to disclose to them information relating to taxpayers who have published advertisements in one of the sections of its internet portal, provided, in particular, that those data are necessary in the light of the specific purposes for which they are collected and that the period to which the data collection relates does not exceed the period strictly necessary to achieve the objective of general interest sought.

 Costs

86      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Fifth Chamber) hereby rules:

1.      The provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that the collection by the tax authorities of a Member State from an economic operator of information involving a significant amount of personal data is subject to the requirements of that regulation, in particular those set out in Article 5(1) thereof.

2.      The provisions of Regulation 2016/679 must be interpreted as meaning that the tax authorities of a Member State may not derogate from the provisions of Article 5(1) of that regulation where such a right has not been granted to them by a legislative measure within the meaning of Article 23(1) thereof.

3.      The provisions of Regulation 2016/679 must be interpreted as not precluding the tax authorities of a Member State from requiring a provider of internet advertisement services to disclose to them information relating to taxpayers who have published advertisements in one of the sections of its internet portal, provided, in particular, that those data are necessary in the light of the specific purposes for which they are collected and that the period to which the data collection relates does not exceed the period strictly necessary to achieve the objective of general interest sought.

[Signatures]

*      Language of the case: Latvian.