Back to Feed
PolicyJul 14, 2026

CJEU - C‑199/24 - Legal Newsdesk Sweden AB

CJEU rules Member States cannot create GDPR derogations beyond Article 85(2).

Summary

The Court of Justice of the European Union (CJEU) has ruled that Member States cannot create data protection derogations from the GDPR beyond those explicitly permitted by Article 85(2). This means that exemptions for processing personal data for journalistic, academic, artistic, or literary expression cannot be extended to other forms of processing. The court also clarified that data subjects must retain access to remedies under Chapter VIII of the GDPR, even when their criminal conviction data is published online, and cannot be limited solely to defamation proceedings.

Full text

Help CJEU - C‑199/24 - Legal Newsdesk Sweden AB: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 15:54, 10 September 2025 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators727 editsmTag: Visual edit← Older edit Latest revision as of 07:22, 14 July 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators147 editsTag: Visual edit Line 7: Line 7: |Judgement_Link=|Judgement_Link= |Date_Decided=|Date_Decided=09.07.2026 |Year=|Year= Line 19: Line 19: |GDPR_Article_Link_4=|GDPR_Article_Link_4= |EU_Law_Name_1=|EU_Law_Name_1=Article 8 CFREU |EU_Law_Link_1=|EU_Law_Link_1=https://fra.europa.eu/en/eu-charter/article/8-protection-personal-data |EU_Law_Name_2=|EU_Law_Name_2=Article 11 CFREU |EU_Law_Link_2=|EU_Law_Link_2=https://fra.europa.eu/en/eu-charter/article/11-freedom-expression-and-information |National_Law_Name_1=|National_Law_Name_1= Line 39: Line 39: |Reference_Case_Number_Name=|Reference_Case_Number_Name= |Initial_Contributor=cci|Initial_Contributor=bms || }}}} Line 68: Line 68: ==== The questions referred ======== The questions referred ==== The District Court referred three somewhat complex questions to the Court of Justice about the interpretation of [[Article 85 GDPR|Article 85 GDPR]]:The District Court referred three somewhat complex questions to the Court of Justice about the interpretation of [[Article 85 GDPR]]: # ''Does Article 85(1) of the GDPR make it possible for the Member States to adopt legislative measures in addition to those which they must adopt under Article 85(2) of the regulation relating to the processing of personal data for purposes other than journalistic ones or the purposes of academic, artistic or literary expression?''# ''Does Article 85(1) of the GDPR make it possible for the Member States to adopt legislative measures in addition to those which they must adopt under Article 85(2) of the regulation relating to the processing of personal data for purposes other than journalistic ones or the purposes of academic, artistic or literary expression?'' Line 78: Line 78: === Holding ====== Holding === TBDThe CJEU held that [[Article 85 GDPR|Article 85(1) GDPR]] does not allow Member States to create derogations from the GDPR beyond those expressly permitted by [[Article 85 GDPR|Article 85(2)]]. [[Article 85 GDPR|Article 85(1)]] requires Member States to reconcile data protection with freedom of expression and information. However, it does not itself authorise exemptions from the GDPR. Such exemptions may only be introduced under [[Article 85 GDPR|Article 85(2)]] and only for processing carried out for journalistic purposes or for academic, artistic or literary expression. The CJEU therefore found that Member States cannot rely on Article 85(1) to exclude other forms of processing from the application of the GDPR. The CJEU also held that [[Article 85 GDPR]] does not permit Member States to restrict the remedies available to data subjects under Chapter VIII GDPR. National law cannot limit a data subject whose criminal-conviction data is published online to defamation proceedings only. Accordingly, the data subject must retain access to the remedies provided under [[Article 77 GDPR|Articles 77]], [[Article 78 GDPR|78]], [[Article 79 GDPR|79]] and [[Article 82 GDPR|82 GDPR]], including the right to lodge a complaint with the DPA, seek an effective judicial remedy and claim compensation. Regarding journalistic purposes, the CJEU confirmed that the concept must be interpreted broadly. The fact that processing is carried out online, for payment or in relation to criminal convictions does not, by itself, exclude the application of [[Article 85 GDPR|Article 85(2)]]. However, the mere publication of information is not sufficient. Processing qualifies as journalistic only where it is intended to inform the public and is carried out in accordance with journalistic professional and ethical standards. It must involve editorial work or adaptation, or at least follow an editorial policy, and the relevant factual information must be verified. The CJEU found that making unedited criminal judgements available to any paying user did not appear to satisfy those requirements. In particular, the activity did not appear to involve editorial assessment, adaptation or a journalistic policy. The fact that the documents could be useful to journalists was not enough to bring the processing within [[Article 85 GDPR|Article 85(2)]]. It was for the referring Court to verify whether the controller’s activity met the conditions for processing for journalistic purposes. The CJEU did not impose a fine, award compensation or order corrective measures. Those issues remained for the referring Court to decide. == Comment ==== Comment == ''Share your comments here!''''Share your comments here!'' Latest revision as of 07:22, 14 July 2026 CJEU - C‑199/24 Legal Newsdesk Sweden AB Court: CJEU Jurisdiction: European Union Relevant Law: Article 85(1) GDPR Article 85(2) GDPR Article 8 CFREUArticle 11 CFREU Decided: 09.07.2026 Parties: Legal Newsdesk Sweden AB Case Number/Name: C‑199/24 Legal Newsdesk Sweden AB European Case Law Identifier: ECLI:EU:C:2025:670 Reference from: District Court of Attunda (Attunda tingsrätt) Language: 24 EU Languages Original Source: AG Opinion Initial Contributor: bms The AG opined that the publication of information about criminal convictions in commercially available databases does not constitute a journalistic activity and cannot be exempt from the GDPR under national laws implementing Article 85(2) GDPR. He also stated that Article 85 GDPR does not justify legal derogations from the entire GDPR. Contents 1 English Summary 1.1 Facts 1.1.1 The legal context: Article 85 GDPR and Swedish law 1.1.2 The case at hand 1.1.3 The questions referred 1.2 Advocate General Opinion 1.3 Holding 2 Comment 3 Further Resources English Summary Facts The legal context: Article 85 GDPR and Swedish law Under Swedish law[1] the Swedish Agency for the Media can issue publications certificates which confers constitutional protection to the activities of the holder. Such certificates can also be issued for the publication and maintenance of databases of personal data[2]. Swedish law[3] provides for broad GDPR derogations for certain activities covered by the permit, as an implementation of Article 85 GDPR ("Processing and freedom of expression and information"): The GDPR and the Swedish Law on data protection do not apply when they would conflict with the constitutional protection afforded by a publication certificate. Additionally, specific Articles of the GDPR and the Law on data protection - including all of Chapter VIII of the GDPR (Remedies, liabilities and penalties)- do not apply to the processing of personal data that takes place for journalistic purposes or for academic, artistic or literary creation. As a result of these broad exemption, data subjects have limited remedies available when the processing of their data is covered by a publication certificate. In particular, Swedish law[4] provides that in such cases, controllers can only be held liable for damages when the processing of personal data constitutes defamation. The case at hand Legal Newdesk Sweden AB, formerly Garrapatica AB (the controller), holds such a certificate. The controller maintained a database (Lexbase) where personal data, including criminal convictions, are stored. The data were made available to third parties for payment. A data subject challenged the processing of his data on Lexbase. In particular, he claimed that the controller could not lawfully make information about his criminal convictions available after the same information was removed from the public register of criminal records. After sending an unsuccessful erasure request, the data subject initiated civil proceedings before the District Court of Attu

Entities

GDPR (product)