In a recent judgment concerning data protection in the rail sector, the Court of Justice examined the necessity of collecting gender identity data when purchasing transport tickets. This case, involving the French railway company SNCF Connect, highlights critical aspects of GDPR compliance and the principles of data minimization.
Core Issues:
The French data protection authority, CNIL, was petitioned by the association Mousse to review SNCF Connect’s practice of requiring customers to select a title such as ‘Mr’ or ‘Ms’ when buying rail tickets online. Mousse argued that this requirement breaches the General Data Protection Regulation (GDPR), particularly concerning data minimization, as gender identity is not necessary for executing a ticket purchase.
Despite CNIL initially rejecting the complaint, Mousse escalated the matter to the French Council of State, which then sought clarification from the Court of Justice. The issue revolved around whether collecting customer titles for personalized commercial communication aligns with GDPR principles.
Court’s Findings:
The Court reaffirmed that under GDPR, data collection must adhere to data minimization, relevant only to necessary purposes. Processing personal data is lawful only if it is crucial for contract performance or legitimate interests. However, the personalization of communication using gender identity is not deemed essential for fulfilling a rail transport contract.
The Court suggested an alternative of using neutral and inclusive terms in communications, removing the need to rely on presumed gender identity. This presents a less intrusive option aligning with privacy principles.
Furthermore, the Court emphasized conditions under which legitimate interests cannot justify processing gender data: lack of customer awareness of the legitimate interest, exceeding necessity for attaining that interest, or potential discrimination based on gender identity undermining fundamental rights.
Implications for Data Protection Experts:
This ruling underscores the importance of evaluating necessity in data processing under the GDPR. Data protection officers must scrutinize practices to ensure data collected is both adequate and limited. Adopting inclusive and non-discriminatory practices becomes imperative to align with evolving interpretations of the GDPR.
The lesson for privacy professionals is clear: consistent reviews of data practices with a focus on minimization and necessity can prevent breaches and ensure compliance with established legal frameworks.
Original source link: [Link](https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-01/cp250002en.pdf)