CJEU - C‑199/24 - Legal Newsdesk Sweden AB
CJEU rules commercial databases publishing criminal convictions are not journalistic and not GDPR exempt.
Summary
The Court of Justice of the European Union (CJEU) ruled that the publication of criminal conviction data in commercially available databases does not qualify as journalistic activity. Therefore, such activities cannot claim exemption from GDPR under national laws implementing Article 85(2) GDPR. The court also clarified that Article 85 GDPR does not permit broad derogations from the entire GDPR for these types of data processing.
Full text
Help CJEU - C‑199/24 - Legal Newsdesk Sweden AB: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 13:21, 14 July 2026 view sourceBms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators155 editsTag: Visual edit← Older edit Latest revision as of 08:00, 15 July 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators155 editsTag: Visual edit Line 43: Line 43: }}}} The CJEU opined that the publication of information about criminal convictions in commercially available databases does not constitute a journalistic activity and cannot be exempt from the GDPR under national laws implementing Article 85(2) GDPR. He also stated that Article 85 GDPR does not justify legal derogations from the entire GDPR.The CJEU held that the mere publication of information about criminal convictions in commercially available databases does not constitute a journalistic activity and cannot be exempt from the GDPR under national laws implementing Article 85(2) GDPR. The Court also held that Article 85 GDPR does not justify legal derogations from the entire GDPR. ==English Summary====English Summary== Latest revision as of 08:00, 15 July 2026 CJEU - C‑199/24 Legal Newsdesk Sweden AB Court: CJEU Jurisdiction: European Union Relevant Law: Article 85(1) GDPR Article 85(2) GDPR Article 8 CFREUArticle 11 CFREU Decided: 09.07.2026 Parties: Legal Newsdesk Sweden AB Case Number/Name: C‑199/24 Legal Newsdesk Sweden AB European Case Law Identifier: ECLI:EU:C:2025:670 Reference from: District Court of Attunda (Attunda tingsrätt) Language: 24 EU Languages Original Source: AG OpinionJudgement Initial Contributor: bms The CJEU held that the mere publication of information about criminal convictions in commercially available databases does not constitute a journalistic activity and cannot be exempt from the GDPR under national laws implementing Article 85(2) GDPR. The Court also held that Article 85 GDPR does not justify legal derogations from the entire GDPR. Contents 1 English Summary 1.1 Facts 1.1.1 The legal context: Article 85 GDPR and Swedish law 1.1.2 The case at hand 1.1.3 The questions referred 1.2 Advocate General Opinion 1.3 Holding 2 Comment 3 Further Resources English Summary Facts The legal context: Article 85 GDPR and Swedish law Under Swedish law[1] the Swedish Agency for the Media can issue publications certificates which confers constitutional protection to the activities of the holder. Such certificates can also be issued for the publication and maintenance of databases of personal data[2]. Swedish law[3] provides for broad GDPR derogations for certain activities covered by the permit, as an implementation of Article 85 GDPR ("Processing and freedom of expression and information"): The GDPR and the Swedish Law on data protection do not apply when they would conflict with the constitutional protection afforded by a publication certificate. Additionally, specific Articles of the GDPR and the Law on data protection - including all of Chapter VIII of the GDPR (Remedies, liabilities and penalties)- do not apply to the processing of personal data that takes place for journalistic purposes or for academic, artistic or literary creation. As a result of these broad exemption, data subjects have limited remedies available when the processing of their data is covered by a publication certificate. In particular, Swedish law[4] provides that in such cases, controllers can only be held liable for damages when the processing of personal data constitutes defamation. The case at hand Legal Newdesk Sweden AB, formerly Garrapatica AB (the controller), holds such a certificate. The controller maintained a database (Lexbase) where personal data, including criminal convictions, are stored. The data were made available to third parties for payment. A data subject challenged the processing of his data on Lexbase. In particular, he claimed that the controller could not lawfully make information about his criminal convictions available after the same information was removed from the public register of criminal records. After sending an unsuccessful erasure request, the data subject initiated civil proceedings before the District Court of Attunda and requested SEK 300,000 (about €26,000) in damages over the allegedly unlawful processing of their data on the Lexbase database. The controller, on the other hand, claimed that its activities were exempt from the GDPR because they were covered by the constitutional protection of the publishing certificate. The questions referred The District Court referred three somewhat complex questions to the Court of Justice about the interpretation of Article 85 GDPR: Does Article 85(1) of the GDPR make it possible for the Member States to adopt legislative measures in addition to those which they must adopt under Article 85(2) of the regulation relating to the processing of personal data for purposes other than journalistic ones or the purposes of academic, artistic or literary expression? If the previous question is answered in the affirmative: Does Article 85(1) of the GDPR allow a reconciliation of the right to the protection of personal data pursuant to that regulation with the freedom of expression and of information which means that the only legal remedy available to a person whose personal data are processed by making criminal convictions involving that person available to the public on the internet in return for payment is the initiation of criminal proceedings for defamation or the claiming of damages for defamation? If the first question is answered in the negative or the second question is answered in the negative: Can an activity which consists of making available to the public on the internet in return for payment, without any processing or editing, public documents in the form of criminal convictions constitute processing of personal data for the purposes set out in Article 85(2) of the GDPR? Advocate General Opinion The Advocate General opined that a data processing activity, such as that carried out by the controller in the case at hand, did not constitute a journalistic activity and did not fall under Article 85(2) GDPR. Furthermore, the Advocate General opined that Article 85(2) GDPR did not allow for legal derogations to Chapter VIII GDPR. Finally, the Advocate opined that neither paragraph (1) nor (2) of Article 85 allowed for derogations to all of the GDPR. Holding The CJEU held that Article 85(1) GDPR does not allow Member States to create derogations from the GDPR beyond those expressly permitted by Article 85(2). Article 85(1) requires Member States to reconcile data protection with freedom of expression and information. However, it does not itself authorise exemptions from the GDPR. Such exemptions may only be introduced under Article 85(2) and only for processing carried out for journalistic purposes or for academic, artistic or literary expression. The CJEU therefore found that Member States cannot rely on Article 85(1) to exclude other forms of processing from the application of the GDPR. The CJEU also held that Article 85 GDPR does not permit Member States to restrict the remedies available to data subjects under Chapter VIII GDPR. National law cannot limit a data subject whose criminal-conviction data is published online to defamation proceedings only. Accordingly, the data subject must retain access to the remedies provided under Articles 77, 78, 79 and 82 GDPR, including the right to lodge a complaint with the DPA, seek an effective judicial remedy and claim compensation. Regarding journalistic purposes, the CJEU confirmed that the concept must be interpreted broadly. The fact that processing is carried out online, for payment or in relation to criminal convictions does not, by itself, exclude the application of Article 85(2). However, the mere publication of information is not