Provisional text

OPINION OF ADVOCATE GENERAL

SPIELMANN

delivered on 5 March 2026 (1)

Case C5/25 [Pilev] (i)

Criminal proceedings

against

WE

other party:

Sofiyska gradska prokuratura

(Request for a preliminary ruling from the Sofiyski gradski sad (Sofia City Court, Bulgaria))

( Reference for a preliminary ruling – Judicial cooperation in criminal matters – Protection of natural persons in relation to the processing of personal data in criminal matters – Processing operations of courts when acting in their judicial capacity – Applicability of Directive (EU) 2016/680 – Verification of the defendant’s identity in open court – Information relating to place of birth, nationality, place of residence, educational attainment level, marital status, criminal record and ethnicity )






 Introduction

1.        This case concerns the scope of the collection of the personal data of a defendant by a national criminal court for the sole purpose of verifying that that person is indeed the individual named in the indictment. It does not, however, concern the question of the court’s independence when acting in its capacity as the court ruling on the substance of a case or the court’s discretion to question the defendant in this regard.

2.        This case therefore affords the Court an opportunity to clarify the scope of Directive (EU) 2016/680 (2) in relation to Regulation (EU) 2016/679 (3) and to consolidate its case-law on the proportionality of the processing (collection) of personal data by a criminal court to the objective pursued.

 Legal framework

 Directive 2016/680

3.        Article 1 of that directive, entitled ‘Subject matter and objectives’, provides, in paragraph 1 thereof:

‘This directive lays down the rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’

4.        Article 2 of that directive, entitled ‘Scope’, provides, in paragraph 1 thereof:

‘This directive applies to the processing of personal data by competent authorities for the purposes set out in Article 1(1).’

5.        Article 3 of Directive 2016/680, entitled ‘Definitions’, is worded as follows:

‘For the purposes of this directive:

(7)      “competent authority” means:

(a)      any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or

(b)      any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

…’

6.        In accordance with Article 4 of that directive, entitled ‘Principles relating to processing of personal data’:

‘1.      Member States shall provide for personal data to be:

(c)      adequate, relevant and not excessive in relation to the purposes for which they are processed;

…’

7.        Article 8 of that directive, entitled ‘Lawfulness of processing’, provides, in paragraph 1 thereof, as follows:

‘Member States shall provide for processing to be lawful only if and to the extent that processing is necessary for the performance of a task carried out by a competent authority for the purposes set out in Article 1(1) and that it is based on Union or Member State law.’

8.        Article 10 of Directive 2016/680, entitled ‘Processing of special categories of personal data’, is worded as follows:

‘Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be allowed only where strictly necessary, subject to appropriate safeguards for the rights and freedoms of the data subject, and only:

(a)      where authorised by Union or Member State law;

(b)      to protect the vital interests of the data subject or of another natural person; or

(c)      where such processing relates to data which are manifestly made public by the data subject.’

 Bulgarian law

 The Code of Criminal Procedure (NPK)

9.        Article 138(2) and (3) of the nakazatelno-protsesualen kodeks (Code of Criminal Procedure) (4) of 29 April 2006 (‘the NPK’) is worded as follows:

‘…

2.      Before the examination, the competent body shall verify the identity of the defendant.

3.      The examination of the defendant shall begin with the question of whether he or she understands the charges, after which the defendant shall be invited, if he or she so wishes, to state in free narrative form everything that he or she knows about the case.’

10.      Article 272(1) of the NPK provides:

‘The presiding judge shall verify the defendant’s identity by asking the defendant his or her full name, date and place of birth, ethnicity, nationality, place of residence, educational attainment level, marital status and personal identification number and whether he or she has any previous convictions.’

11.      Article 311(1)(2) of the NPK provides:

‘… the record of the court hearing shall include … the information relating to the identity of the defendant.’

 The Law on civil registration (ZGR)

12.      The zakon za grazhdanskata registratsia (Law on civil registration) (5) of 27 July 1999 (‘the ZGR’) provides, in Article 8(1) thereof, that the principal items of information relating to the civil status of natural persons are their name, date (day, month and year) and place of birth, sex, nationality and personal identification number.

 The Law on Bulgarian identity documents (ZBLD)

13.      The zakon za balgarskite lichni dokumenti (Law on Bulgarian identity documents) (6) of 1 April 1999 (‘the ZBLD’) provides, in Article 3(1) thereof, as follows:

‘Identity documents shall certify the holder’s identity and, where necessary, his or her nationality by means of the data contained therein.’

14.      Article 6 of the ZBLD provides:

‘Citizens shall be required to confirm their identity at the request of competent officials designated by law.’

15.      Article 16(1) of the ZBLD is worded as follows:

‘Bulgarian identity documents shall contain the following mandatory personal data:

1.      name;

2.      date of birth;

3.      personal identification number (identification number or foreign-national identification number);

4.      sex;

5.      nationality.’

 The Law on the judiciary (ZSV)

16.      The zakon za sadebnata vlast (Law on the judiciary) (7) (‘the ZSV’) provides, in Article 8(2) thereof, as follows:

‘In the performance of judicial duties, … no rights may be limited or advantages granted on grounds of … ethnicity …’

 The dispute in the main proceedings, the question referred for a preliminary ruling and the proceedings before the Court

17.      An indictment was submitted by the Sofiyska gradska prokuratura (Public Prosecutor’s Office of the City of Sofia, Bulgaria) to the Sofiyski gradski sad (Sofia City Court, Bulgaria), which is the referring court, alleging that, on 6 September 2023, in Sofia, a natural person, first, had bribed police officers so that they would not issue an infringement notice against him for driving a car without a driving licence and, secondly, at the same time and at the same place, had been working as a taxi driver without being in possession of the necessary licence. It is alleged that those acts amount to criminal offences.

18.      A representative of the Public Prosecutor’s Office of the City of Sofia, the defendant and his legal representative attended the first hearing, which was held on 5 July 2024. The referring court continued the proceedings and, in accordance with Article 272(1) of the NPK, the presiding judge of the chamber was required to verify the identity of the defendant by asking him for the personal particulars referred to in that provision.

19.      The presiding judge of the chamber satisfied himself that the person appearing before him was the individual named in the indictment on the basis of the identity document which the defendant presented. However, he refrained from asking the defendant the questions relating to his identity for which Article 272(1) of the NPK provides, and the proceedings were stayed.

20.      The referring court requested the Konstitutsionen sad (Constitutional Court, Bulgaria) to rule Article 272(1) of the NPK incompatible with certain provisions of the Konstitutsia na Republika Bulgaria (Constitution of the Republic of Bulgaria). (8) The Konstitutsionen sad (Constitutional Court) declined to give a substantive ruling and so the referring court decided to refer the matter to the Court of Justice for a preliminary ruling.

21.      The referring court points out that, while it can, as it did at the first hearing, identify a defendant with sufficient certainty by consulting his or her identity card, which contains all the necessary identification information, it is also useful to ask for the identification information provided for by Article 272(1) of the NPK, so that the person appearing before the court can, by means of the answers given, establish with greater certainty that he or she is the defendant, which is to say that the identity document used does not belong to another person and has not been forged. However, it states that it is sufficient to ask the individual appearing in court for his or her full name, date of birth and personal identification number.

22.      Thus, the referring court wonders whether, by asking the person appearing before it in open court for the other particulars referred to in Article 272(1) of the NPK – specifically, his or her place of birth, ethnicity, nationality, place of residence, educational attainment level, marital status and previous convictions – and by recording the oral answers in the record of the hearing, it would be infringing the requirement of necessity governing the processing of personal data provided for by Directive 2016/680. Since those other particulars are not necessary for the reliable and complete identification of the defendant, asking for them goes beyond what is needed in order to achieve the objective pursued by Article 272(1) of the NPK, namely the identification of the defendant.

23.      The referring court notes that some of the personal data referred to in Article 272(1) of the NPK could serve other purposes. The place of residence could serve to determine the address where any summons is to be served and previous convictions could also be relevant for sentencing purposes.

24.      The referring court nevertheless points out, in essence, that those items of information, gathered before the judicial investigation commences, do not serve to identify the defendant. In fact, questioning the defendant and recording his or her answers does not suffice to verify those particulars reliably. Lastly, under national law, the information obtained in the course of identifying the person appearing in court cannot be used for the purposes of the decision on the substance of the case. The court first establishes the identity of the person appearing in court and only then informs that person of his or her rights. Consequently, those items of information (ethnicity, previous convictions, marital status, educational attainment level) are of no probative value.

25.      Consequently, the referring court has doubts as to whether Article 272(1) of the NPK satisfies the requirements laid down in Article 4(1)(c) and Article 8(1) of Directive 2016/680. In its view, the collecting, entry in the court record and subsequent storage in the case file of personal data concerning place of birth, ethnicity, nationality, place of residence, educational attainment level, marital status and criminal record go beyond what is necessary for the purposes of the criminal proceedings. It also has doubts as to the consistency of Article 272(1) of the NPK with Article 10 of Directive 2016/680, in so far as concerns information relating to the defendant’s ethnicity, since that information reveals the defendant’s ethnic origin.

26.      In those circumstances, the Sofiyski gradski sad (Sofia City Court) decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:

‘Is a national provision, such as Article 272(1) of the NPK[, in accordance with] which, when verifying the identity of a defendant, his or her personal data relating to place of birth, ethnicity, nationality, place of residence, educational attainment level, marital status and criminal record are processed (collected, recorded and stored) compatible with Articles 4(1)[(c), Article 8(1) and Article 10](1) of Directive 2016/680 where the personal data thus collected are in no way necessary for the purposes of the criminal proceedings?’

27.      Written observations were submitted by the European Commission, which also made oral submissions at the hearing in open court on 3 December 2025.

 Analysis

28.      While it is clear from the request for a preliminary ruling that the referring court takes it as given that the national legislation at issue falls within the scope of Directive 2016/680, it is necessary, before addressing the substance of the question referred by the national court, to address the matter of the applicability of Directive 2016/680, to which much of the hearing was in fact devoted.

 The applicability of Directive 2016/680

29.      First of all, the question of whether there is ‘processing of personal data’ does not arise in the case in the main proceedings. It is clear from the request for a preliminary ruling that the personal identification data at issue are collected, recorded in the court record and stored in the case file. Moreover, even if it were to be considered that the data had already been collected by the competent authority under national law, (9) the concept of ‘processing’ is a broad one and would include consultation and storage by the referring court. The condition relating to the presence of ‘processing of personal data’ is thus fulfilled.

30.      Next, it is clear from the wording of Article 2(1) of Directive 2016/680, read in conjunction with Article 1(1) of that directive, that two conditions must be met in order for the processing of personal data to fall within the scope of that directive. First, the processing must be carried out by a competent authority within the meaning of Article 3(7) of that directive and, secondly, the processing must be carried out for one of the purposes listed in Article 1(1) of thereof, those being ‘the prevention, investigation, detection [and] prosecution of criminal offences [and] the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security’. Conversely, the GDPR, which is the lex generalis governing the processing of personal data, excludes from its scope any processing that is carried out by ‘competent authorities’ for such purposes, (10) Directive 2016/680 being the applicable lex specialis in that domain. (11)

31.      As regards, first of all, the question of whether a court falls within the scope ratione personae of Directive 2016/680, the answer, in my view, is that it does. Indeed, Article 3(7)(a) of that directive can, by the words ‘public authority competent for …’ refer not only to police authorities, but also to national criminal courts. (12) That view, while it may not expressly follow from the definition of the concept of ‘competent public authority’, may be logically inferred from the context in which that provision appears and, in particular, from a number of provisions of Directive 2016/680.

32.      Indeed, in accordance with Article 32(1) of that directive, Member States must provide for controllers to designate a data protection officer, but may exempt courts and other independent judicial authorities from that obligation ‘when acting in their judicial capacity’. Similarly, Article 45(2) of that directive, read in the light of recital 80 thereof, (13) is aimed expressly at national courts and excludes competence on the part of supervisory authorities with regard to processing operations carried out by ‘courts when acting in their judicial capacity’, (14) so as not to interfere with specific rules of criminal procedures or the independence of the judiciary.

33.      Those provisions confirm that courts are subject, when acting in their judicial capacity, to the obligations imposed by Directive 2016/680, albeit their independence and impartiality are preserved in that context. (15)

34.      In addition, judicial authorities are expressly mentioned in recital 11 of Directive 2016/680, which states that ‘such competent authorities may include … public authorities such as the judicial authorities’. Recitals 20, 49 and 107 and Article 18 of that directive (16) also refer to the processing of personal data by ‘courts and other judicial authorities, in particular as regards personal data contained in a judicial decision or in records in relation to criminal proceedings’. (17)

35.      Therefore, national courts must be regarded as ‘competent public authorities’ for the purposes of that directive and as being subject to the provisions thereof when they process personal data in judicial decisions or documents relating to criminal proceedings. (18)

36.      Secondly, the more delicate question arises of whether processing carried out by a court in the context of criminal court proceedings may be considered to fall within the scope ratione materiae of Directive 2016/680. That question, which has not, to my knowledge, yet been addressed, (19) amounts to asking whether or not such processing serves one of the purposes listed in Article 1(1) and Article 3(7)(a) of that directive and, in particular, that of the ‘prosecution’ of criminal offences.

37.      I would observe that the Court has already held, in the judgment in Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation), (20) that the purposes referred to in Article 1 of Directive 2016/680 are separate purposes, namely those of the ‘prevention’, ‘investigation’, ‘detection’ and ‘prosecution’ of criminal offences and the ‘execution of criminal penalties’. That judgment thus clarified that the EU legislature had sought to adopt rules corresponding to the specific features which characterise the activities carried out by the competent authorities in the field governed by that directive, while taking account of the fact that they constitute distinct activities serving purposes specific to them. (21)

38.      Admittedly, as Advocate General Campos Sánchez-Bordona indicated in his Opinion, the concept of ‘prosecution’ may refer to an activity which (although not in the Spanish-language version of the directive) precedes the judicial proceedings. (22) Moreover, leaving aside the differences between the legal systems of the Member States, this term generally refers to all the acts and procedures initiated by the public prosecutor’s office against persons suspected of having committed an offence, with a view to having them tried to establish their guilt or innocence. (23)

39.      Nevertheless, in order to establish the scope ratione materiae of Directive 2016/680, it seems to me that, rather than attempting to distinguish between the role of the ‘prosecuting authority’ and that of the court in the context of criminal court proceedings, it would be more appropriate to interpret the concept of ‘prosecution’ from the perspective of the purpose of the prosecution of criminal offences. Indeed, the rules in that directive apply to the activity of the processing of personal data ‘for the purposes of’ criminal prosecutions.

40.      Such a teleological approach would, to my mind, imply a broad interpretation of the concept of ‘prosecution activities’, one that can encompass some of the acts carried out by a criminal court in the context of court proceedings. The processing of personal data carried out by a court in the context of criminal court proceedings can, in fact, under certain circumstances, depending on the national procedural system, (24) be considered as helping to establish that the acts ascribed to the defendant have sufficient probative value and that the classification of those acts under criminal law is accurate, so as to lead, ultimately, to a judgment. (25) In that sense, such data processing by the court responsible for the processing may be regarded as being carried out ‘for the purposes of … prosecution’, within the meaning of the relevant provisions of Directive 2016/680.

41.      In that context, the activities of ‘prosecution’ could include not only the investigation conducted by the police and the decision as to whether or not to prosecute taken by the public prosecutor, but also the preparation of the case, the referral to a court and, where appropriate, criminal court proceedings such as those at issue in the dispute in the main proceedings.

42.      I would also point out that, as is apparent from the request for a preliminary ruling, after the police investigation, the referring court, to which the indictment issued by the public prosecutor’s office is submitted, continues the proceedings and itself conducts a judicial inquiry, (26) which commences with the verification of the defendant’s identity in accordance with Article 272 of the NPK and continues to the substantive judgment delivered by that same court. That court’s task is thus to ‘conduct the judicial proceedings in the context of criminal prosecutions following the indictment submitted by the public prosecutor’. According to the referring court, this is the judicial phase of the criminal proceedings instituted for the purposes of criminal prosecution. In that context, the concept of ‘prosecution activities’ carried out in the context of criminal court proceedings takes on its full meaning.

43.      I would add that that broad approach to the concept of ‘prosecution activities’, in addition to having the advantage of not pre-judging the various national criminal justice systems, is not contrary to the principle that exceptions to the application of the GDPR, the lex generalis, must be interpreted strictly. (27) Such an approach does not mean that criminal court proceedings are exempt from personal data protection regulations, but rather that they are subject to the lex specialis in the field, specifically provided for in Article 2(2)(d) of the GDPR.

44.      Finally, a teleological approach to ‘prosecution activities’ seems to me to flow from the legislative history of Directive 2016/680 and to be suited to the directive’s objectives.

45.      First of all, as regards the legislative history of Directive 2016/680, I would observe that, with the entry into force of the Lisbon Treaty, Article 16 TFEU became the proper legal basis for the revision of Framework Decision 2008/977/JHA. (28) As mentioned in recital 10 of Directive 2016/680, in Declaration No 21 on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation, annexed to the final act of the intergovernmental conference which adopted the Treaty of Lisbon, (29) the conference acknowledged that specific rules on the protection of personal data and the free movement of personal data in the fields of judicial cooperation in criminal matters and police cooperation based on Article 16 TFEU could prove necessary because of the specific nature of those fields. The Commission therefore proposed two texts, one general, in the form of a regulation that would become the GDPR, and the other specific to the protection of personal data in the field of criminal justice, (30) which was regarded as more sensitive and therefore to be the subject of a directive requiring transposition by the Member States – one that would become Directive 2016/680 – applying to all acts that may be taken by criminal justice actors, whether or not they have a cross-border dimension. (31)

46.      The approach taken by the European Union was thus to distinguish between data processing in the police and criminal justice context and other processing of personal data, so as to take account of the specific nature of the protection of personal data in the field covered by Directive 2016/680, namely the protection of personal data in the field of judicial cooperation in criminal matters and police cooperation, as is apparent from recitals 10 and 11 of that directive.

47.      Secondly, as regards the aims of Directive 2016/680, that directive seeks, in particular, as is apparent from recitals 4, 7 and 15 thereof, to ensure a consistent and high level of protection of the personal data of natural persons and to facilitate the exchange of personal data between competent authorities of Members States, in order to ensure effective judicial cooperation in criminal matters and police cooperation.

48.      I would note that, as has been pointed out by legal theoreticians, the dual regime for the protection of personal data may give rise to significant difficulty in determining which instrument is relevant, the GDPR or Directive 2016/680. (32)

49.      It is therefore all the more important that, in the same criminal procedure, the processing of personal data should not be governed by two different instruments, solely because the processing has been carried out by different law-enforcement authorities at different stages of the procedure. If a criminal court giving judgment in criminal proceedings were excluded from the scope of Directive 2016/680, this would, as the Commission emphasised at the hearing, lead to a fragmented regime under which the same criminal procedure would be subject to one or other of two instruments, depending on the stage of the procedure in question.

50.      That approach would, in my view, run counter not only to the principle of legal certainty, (33) but also to the consistent and coherent protection of personal data.

51.      In addition, in some cases, law-enforcement authorities will have greater flexibility in the exercise of their duties in the context of Directive 2016/680 than they would have in the context of the GDPR. (34) In particular, the processing of ‘special categories of personal data’, which include so-called ‘sensitive’ data, is allowed – although only where strictly necessary – under Article 10 of that directive, whereas it is prohibited under Article 9(1) of the GDPR, subject to the exceptions laid down in Article 9(2) thereof. Similarly, Article 4(1)(c) of Directive 2016/680, which concerns the principle of data minimisation, provides that personal data must be adequate, relevant and not excessive, whereas Article 5(1)(c) of the GDPR provides that they must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

52.      The application of Directive 2016/680 throughout the duration of the criminal procedure is therefore all the more justified, since the rules governing the protection of personal data may differ, in certain respects, from those of the GDPR.

53.      Lastly, a fragmented approach to criminal procedures would be hard to reconcile with the objective, mentioned in recital 7 of Directive 2016/680, of facilitating the exchange of personal data between competent authorities of Members States in order to ensure effective judicial cooperation in criminal matters and police cooperation.

54.      It follows from all of the foregoing that the processing of personal data carried out by a national court in the context of the examination of a criminal case falls within the scope of Directive 2016/680 as processing carried out by a competent authority for the purposes of the prosecution of criminal offences.

 Substance

55.      The referring court asks, in essence, whether Article 4(1)(c), Article 8(1) and Article 10 of Directive 2016/680 preclude national legislation which provides for the systematic verification by a criminal court of all of the information referred to in Article 272(1) of the NPK when it is for the sole purpose of identifying the defendant in criminal court proceedings. (35)

56.      It should be borne in mind that the fundamental rights to respect for private life and to the protection of personal data guaranteed by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (‘the Charter’) are not absolute rights. Limitations may therefore be imposed, so long as, in accordance with Article 52(1) of the Charter, they are provided for by law, respect the essence of the fundamental rights and observe the principle of proportionality. (36)

57.      The principle of data minimisation, laid down in Article 4(1)(c) of Directive 2016/680, and the principle of lawfulness of processing, provided for in Article 8(1) of that directive, thus require the Member States to provide for the personal data in question to be adequate, relevant and not excessive in relation to the purposes for which they are processed and for processing to be necessary for the purposes pursued, in accordance with the principle of proportionality.

58.      In addition, Article 10 of Directive 2016/680, which is a specific provision governing the processing of special categories of personal data, including data revealing racial or ethnic origin, aims to ensure enhanced protection of data subjects, in so far as, due to their particular sensitivity and the context in which they are processed, the data at issue are liable, as is apparent from recital 37 of that directive, to create significant risks for fundamental rights and freedoms, such as the right to respect for private life and the right to the protection of personal data, guaranteed by Articles 7 and 8 of the Charter. (37)

59.      In the present case, the referring court has the task of conducting the court proceedings in criminal prosecutions following on from an indictment issued by the public prosecutor’s office. In order to be able to perform that task, it must formally establish the identity of the person appearing before it and, in particular, verify that that person is indeed the individual named in the indictment. (38) For the purposes of verifying the identity of the defendant, Article 272(1) of the NPK requires the referring court systematically to ask the person appearing in each individual case for a number of items of personal data, these being his or her full name, date and place of birth, ethnicity, nationality, place of residence, educational attainment level, marital status and personal identification number and whether he or she has any previous convictions.

60.      The objective of verifying the identity of the defendant is, as such, legitimate and likely to be an objective of general interest recognised by the European Union, within the meaning of Article 52(1) of the Charter, in particular that of ensuring that there is no mistake as to who is appearing in court.

61.      It is therefore necessary for the referring court to determine whether the requirement to collect the data at issue is, first, appropriate for contributing to the attainment of the identity verification objective which it pursues, secondly, necessary, meaning that there are no alternative measures less restrictive of the right to the protection of personal data but equally effective for the attainment of the objective relied on (39) and, thirdly, proportionate to that objective, which implies a proper balance between the objective of general interest pursued and the rights of the person whose personal data are collected, (40) the Court of Justice having jurisdiction to provide the referring court with the necessary guidance on interpretation.

62.      I would point out that the question referred does not concern the collection of certain civil status and identification data, namely the person’s full name, date of birth and personal identification number. Those data, moreover, are classic items of identification information, including under the Bulgarian legislation on civil status and identity documents. (41)

63.      The referring court does, on the other hand, question the proportionality of the systematic collection of some items of information, namely (i) place of birth and nationality, (ii) place of residence, educational attainment level, marital status and criminal record; and (iii) ethnicity, which I shall discuss in turn.

64.      First of all, some of those data items, including place of birth and nationality, are among the ‘principal items of information relating to … civil status’. (42) They therefore enable the identity of the individual named in the indictment to be verified and any confusion to be avoided. Furthermore, the interference with the right to privacy and the protection of personal data which the collection of such data entails is not such that, after the interests at stake are weighed, it appears disproportionate to the identity verification objective pursued.

65.      Secondly, as regards the collection of the additional data relating to educational attainment level, marital status, place of residence and criminal record, this may, as the referring court and the Commission pointed out in their written submissions, be relevant for purposes other than identification. Educational attainment level and marital status may be important for individualising the sentence. The place of residence may be pertinent if the enforcement of a criminal penalty is transferred to another State. Similarly, a criminal record may make it possible to determine whether or not there has been recidivism. Nevertheless, as is apparent from the Bulgarian rules of procedure, those items of information, collected by the presiding judge of the chamber at the stage of verifying the identity of the person appearing in court, may not be used for the purposes of the decision on the substance of the case and are of no probative value. Moreover, and in any event, questioning the defendant and recording his or her answers is not sufficient to establish the reliability of those items of data. Official documents, such as a criminal record, civil status record or a degree certificate will need to be consulted or produced.

66.      That being so, I take the view that legislation which, in an indiscriminate and generalised manner, renders it necessary systematically to question any defendant regarding those additional items of information, and then to record the answers in the court record, is liable to go beyond what is necessary for the simple purpose of identifying the defendant. The requirement of identification does not, in my view, render it necessary systematically to process all of the categories of data listed, only those which, in light of the specific circumstances, are necessary in order to dispel any reasonable doubt as to the identity of the person appearing in court, which is a matter for the national court to assess.

67.      Furthermore, even assuming that certain information relating to educational attainment level, marital status, place of residence and criminal record might, in some cases, be needed in order to identify the defendant, the principle of proportionality also requires that all the relevant factors be weighed and that the importance of the objective of general interest pursued be balanced against the seriousness of the interference with the fundamental rights and personal data protection of the data subject. (43) However, the fact that those data are systematically requested, combined with the fact that they are collected in open court, recorded in the court record and then stored in the case file, which is accessible to the parties, is liable to constitute an interference that goes beyond what is necessary for identification purposes at this preliminary stage of criminal proceedings.

68.      Thirdly, as regards data relating to ‘ethnicity’, it must be borne in mind that Article 10 of Directive 2016/680 provides that the processing of sensitive data is to be allowed ‘only where strictly necessary’, which constitutes a strengthened condition for the lawful processing of such data and entails, inter alia, a particularly strict review of compliance with the principle of ‘data minimisation’, as derived from Article 4(1)(c) of that directive; that requirement constitutes a specific application of that principle to those sensitive data. (44) The use of the adverb ‘only’ before the words ‘where strictly necessary’ underlines that the processing of those particular categories of data can be regarded as permissible only in a limited number of cases, while the absolute nature of that necessity means that it is to be assessed with particular rigour. (45)

69.      A question that is systematically asked in open court of any defendant regarding his or her ‘ethnicity’, and thus concerning the ethnic origin of the defendant, in no way meets the requirements laid down in Article 10 of Directive 2016/680. (46) The identification of the defendant can, as a general rule, be ensured by the civil status data and the identification information that are already available, in particular from identity documents, without it being necessary to have recourse to a marker of the defendant’s ethnic origin. Furthermore, the requirement of strict necessity implies that it must be shown, on the basis of specific factors, that, in the absence of that particular item of data, the objective pursued cannot be attained in an equivalent manner. A general and indiscriminate obligation to collect such personal data at this stage of the proceedings for the identification of the defendant, one which does not depend on any particular difficulty relating to that identification, seems to me to be contrary, as a matter of principle, to the requirement of strict necessity laid down in Article 10 of that directive. (47)

70.      It follows from all of the foregoing that, in my view, the answer to the referring court’s question should be that Article 4(1)(c), Article 8(1) and Article 10 of Directive 2016/680 are to be interpreted as precluding a provision of national legislation, such as Article 272(1) of the NPK, in that it requires that the personal data of the defendant relating to his or her place of residence, educational attainment level, marital status, criminal record and ethnicity are systematically processed (collected, recorded and stored) when the defendant’s identity is verified in the context of criminal proceedings, where those items of personal data are not necessary for that purpose, which is a matter for the referring court to ascertain.

 Conclusion

71.      Having regard to all of the foregoing considerations, I propose that the Court of Justice answer the question referred for a preliminary ruling by the Sofiyski gradski sad (Sofia City Court, Bulgaria) as follows:

Article 4(1)(c), Article 8(1) and Article 10 of Directive 2016/680 (EU) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA,

must be interepreted as precluding a provision of national legislation, such as Article 272(1) of the nakazatelno-protsesualen kodeks (Bulgarian Code of Criminal Procedure), in that it requires that the personal data of the defendant relating to his or her place or residence, educational attainment level, marital status, criminal record and ethnicity are systematically processed (collected, recorded and stored) when the defendant’s identity is verified in the context of criminal proceedings, where those items of personal data are not necessary for that purpose, which is a matter for the referring court to ascertain.

1      Original language: French.

i      The name of this case is a fictitious name. It does not correspond to the real name of any party to the proceedings.

2      Directive of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89).

3      Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).

4      DV No 86 of 28 October 2005, as amended and supplemented by DV No 39 of 1 May 2024.

5      DV No 67 of 27 July 1999, as amended and supplemented by DV No 85 of 8 October 2024.

6      DV No 93 of 11 August 1998, as amended and supplemented by DV No 67 of 4 August 2023.

7      DV No 64 of 7 August 2007, as amended and supplemented by DV No 67 of 9 August 2024.

8      DV No 56 of 13 July 1991.

9      It is debateable whether the referring court itself collects the data or whether the data have already been collected by the competent authority (see, in that regard, Article 138(2) of the NPK).

10      See Article 2(2)(d) of the GDPR.

11      The GDPR remains applicable to the processing of personal data by a ‘competent authority’, within the meaning of Article 3(7) of Directive 2016/680, where the processing is carried out for other purposes, relating, for example, to employment, staff training, archiving, research or statistics. See, to that effect, judgment of 21 June 2022, Ligue des droits humains (C‑817/19, EU:C:2022:491, paragraph 72 and the case-law cited). See also Leiser, M. and Custers, B., ‘The Law Enforcement Directive: Conceptual Challenges of EU Directive 2016/680’, in European Data Protection Law Review, Vol. 5, No 3, 2019, pp. 367 to 378, and in particular p. 371.

12      On the other hand, I take the view that Article 7(3)(b) of Directive 2016/680 does not concern courts, but instead, with the wording ‘any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties’ is intended to apply to private bodies. Those could include privatised police forces or prisons governed by private entities. See, on this point, Purtova, N., ‘Between the GDPR and the Police Directive: navigating through the maze of information sharing in public–private partnerships’, in International Data Privacy Law, Vol. 8, No 1, February 2018, pp. 52 to 68. See also De Hert, P. and Sajfert, J., ‘Chapter 10: Variety, velocity and volume of personal data in criminal investigations and proceedings: the limits drawn by the purpose limitation and data minimization principles in Directive (EU) 2016/680’, in Research Handbook on EU Criminal Law, Mitsilegas, V., Bergström, M. and Quintel, T. (eds), Edward Elgar Publishing, 2024, 2nd edition, pp. 212 to 228.

13      According to recital 80, ‘while this directive applies also to the activities of national courts and other judicial authorities, the competence of the supervisory authorities should not cover the processing of personal data where courts are acting in their judicial capacity, in order to safeguard the independence of judges in the performance of their judicial tasks.’

14      See, by analogy, with reference to the equivalent provision in the GDPR, judgment of 24 March 2022, Autoriteit Persoonsgegevens (C‑245/20, EU:C:2022:216, paragraph 26). That judgment concerned an administrative dispute relating to a processing operation carried out by a court in the context of making documents from a court case file that contained personal data temporarily available to journalists, a processing operation that was held to fall within the scope of the exercise of the court’s judicial capacity, within the meaning of the GDPR.

15      See, on this point, Tosconi, L. and Bygrave, L.A., ‘Article 3 – Definitions’, in The EU Law Enforcement Directive (LED): A Commentary, Kosta, E. and Boehm, F. (eds), Oxford University Press, 2024, pp. 79 to 132, in particular p. 104, section 7.2.4, which also cites the minutes of the twelfth meeting of the Commission expert group on Regulation (EU) 2016/679 and Directive (EU) 2016/680, of 2 October 2017, which records the Member States’ agreement that that directive should apply to criminal courts (document available at: https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupID= 3461).

16      In particular, Article 18 of that directive, entitled ‘Rights of the data subject in criminal investigations and proceedings’, concerns the exercise of the right to obtain information, the right of access and the right to rectification or erasure, and stipulates that those rights can be exercised in accordance with Member State law where the personal data are contained ‘in a judicial decision or record or case file processed in the course of criminal investigations and proceedings’.

17      See recital 20 of Directive 2016/680.

18      I would add that, as recital 20 of that directive indicates, this does not deprive the Member States of the option of specifying processing operations and processing procedures in their national rules of criminal procedure.

19      While the scope of Directive 2016/680 has been the subject of judgments of the Court, those judgments have not addressed this question. For example, air carriers, although they have a legal obligation to transfer passenger name record (PNR) data, have been found not to be competent authorities within the meaning of Article 3(7) of Directive 2016/680 (see judgment of 21 June 2022, Ligue des droits humains (C‑817/19, EU:C:2022:491, paragraph 81)). See also Opinion of Advocate General Pikamäe in Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2021:991, point 28) concerning the Vyriausioji tarnybinės etikos komisija (Chief Official Ethics Commission, Lithuania), to which the GDPR applied (see judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C‑184/20, ‘the judgment in Vyriausioji tarnybinės etikos komisija’, EU:C:2022:601). Similarly, the Ceļu satiksmes drošības direkcija (Road Safety Directorate, Latvia) was found not to be a ‘competent authority’, within the meaning of Directive 2016/680, when carrying out the activities at issue in the main proceedings, which consisted in disclosing to the public, for road safety purposes, personal data relating to penalty points (see judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points) (C‑439/19, EU:C:2021:504, paragraph 71)).

20      Judgment of 8 December 2022 (C‑180/21, ‘the judgment in Inspektor’, EU:C:2022:967). In that case, the question was whether personal data obtained when the person in question was appearing as the victim of the offence that was the subject of the investigation could subsequently be processed for the purpose of prosecuting that person, even though the data had initially been collected and processed for other purposes, namely detection and investigation. In that context, the Court held that, where personal data had been collected for the purposes of the ‘detection’ and ‘investigation’ of a criminal offence and had subsequently been processed for the purposes of ‘prosecution’, that collection and that processing served different purposes (paragraph 44) and the assessment of compliance with the requirement that the processing by the controller must be proportionate had to be carried out taking each of those purposes as specific and distinct (paragraph 56).

21      The judgment in Inspektor (paragraph 59).

22      See Opinion of Advocate General Campos Sánchez-Bordona in Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation) (C‑180/21, EU:C:2022:406, footnote 15). This is the case, inter alia, for the German-, French-, English-, Italian- and Dutch-language versions of Directive 2016/680, but not the Spanish-language version, which refers to ‘enjuiciamiento (judicial proceedings) in the strict sense, which is the exclusive preserve of the courts.

23      On the diversity of national systems and the complementary nature of the missions of the courts and that of the public prosecutor’s office, see Joint opinion by the Consultative Council of European Judges (CCJE) and Consultative Council of European Prosecutors (CCPE) on the relationships between judges and prosecutors [1075 meeting] (CM(2009)192). See also, for a comparative assessment, Pradel, J., Droit pénal comparé, Dalloz, Paris, 2016, 4th edition, in particular No 145 et seq.. See also, on the transposition of Directive 2016/680 in the various Member States, Franssen, V. and Corhay, M., ‘Article 18 – Rights of the data subject in criminal investigations and proceedings’, in The EU Law Enforcement Directive (LED): A Commentary, op. cit.,  pp. 321 to 330, in particular, sub-title B.3., headed ‘National legislation’, pp. 325 to 328.

24      In Opinion 6/2015, A further step towards comprehensive EU data protection, of 28 October 2015, in section VI concerning the powers of supervisory authorities, the European Data Protection Supervisor (EDPS) himself emphasised the important differences in the national systems of the Member States and the fact that it is not always clear if and when public prosecutors are ‘independent judicial authorities’ or to what extent their activities constitute judicial activities. See also the minutes of the fifteenth meeting of the Commission expert group on the Regulation (EU) 2016/679 and Directive (EU) 2016/680, of 20 February 2018, paragraph 5 of which refers to the difficulties encountered in transposing the directive in this regard and notes that some Member States stated that their prosecutors had the same level of independence as their judges (available at: https://ec.europa.eu/transparency/expert-groups-register/screen/meetings/consult?lang=en&meetingId= 3656&fromExpertGroups=true).

25      See the judgment in Inspektor (paragraph 53), in which the Court observed that, ‘in the context of the processing of personal data for the purposes of “prosecution”, those data aim to establish that the acts attributed to the accused persons have sufficient probative value and that the classification of those acts under criminal law is accurate, in order to enable the court having jurisdiction to give a ruling’.

26      As indicated at the hearing, there are no investigating judges under Bulgarian criminal law, although a ‘judicial inquiry’ or ‘judicial investigation’ will follow the police investigation.

27      See, on the strict interpretation of the exceptions to the application of the GDPR, the judgment in Inspektor (paragraph 78), according to which, where the public prosecutor’s office defends the State in an action brought on the basis of administrative liability, its aim is not to perform that public prosecutor office’s tasks for the purposes set out in Article 1(1) of Directive 2016/680, it is therefore the GDPR that applies. Similarly, the collection by the tax authorities of a Member State of personal data relating to vehicle sale advertisements published on the website of an economic operator falls within the material scope of the GDPR, since those data are not collected for the specific purpose of pursuing criminal proceedings or in the context of State activities relating to areas of criminal law (see judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes) (C‑175/20, EU:C:2022:124, paragraphs 44 to 46)).

28      Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ 2008 L 350, p. 60). Its scope was limited to the cross-border processing of personal data.

29      Conference of the representatives of the governments of the Member States, Final Act, adopted in Brussels on 3 December 2007 (IGC 15/07), available at: https://data.consilium.europa.eu/doc/document/CG-15-2007-INIT/en/pdf.

30      Proposal for a directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, of 25 January 2012 (COM(2012)0010).

31      See De Hert, P. and Papakonstantinou, V., ‘The New Police and Criminal Justice Data Protection Directive. A First Analysis’, in New Journal of European Criminal Law, Vol. 7, No 1, 2016, pp. 7 to 19, and Brière, C., ‘Défaut de transposition de la directive sur la protection des données dans le domaine pénal: vers une application ordinaire de l’article 260, paragraphe 3, TFUE. CJUE (8e ch.), 25 February 2021, Commission européenne/Royaume d’Espagne (Directive données à caractère personnel – Domaine pénal), aff. C‑658/19, EU:C:2021:138’, in Revue des affaires européennes, Vol. 1, 2021, pp. 223 to 233.

32      See, in that regard, Sajfert, J. and Quintel, T., ‘Data Protection Directive (EU) 2016/680 for Police and Criminal Justice Authorities’, in SSRN Electronic Journal, 2017, in particular sub-title I.1, headed ‘Meandering between the Directive and the GDPR’, according to which the delineation between the directive and the GDPR is not apparent. The authors cite the example of a police officer processing data for archiving purposes, which would come under the GDPR. However, which instrument applies is not so clear where the police officer processes personal data for identification or verification purposes in the field of migration and border control: the irregular crossing of a Schengen border may qualify as a criminal offence, but if the irregular migrant applies for asylum, the processing of the application may come under the GDPR or another relevant sectoral framework, notwithstanding any criminal proceedings that have been initiated. This demonstrates the difficulty for competent authorities applying two different legal regimes, depending on the purpose of the processing. See also Vogiatzoglou P., ‘Article 2 – Scope’, in The EU Law Enforcement Directive (LED): A Commentary, op. cit., pp. 67 to 78, in particular sub-title C.2., headed ‘Between the LED and the GDPR’, pp. 74 to 75. See also Purtova, N., ‘Between the GDPR and the Police Directive: navigating through the maze of information sharing in public–private partnerships’, op. cit..

33      The principle of legal certainty requires the application of rules of law to be foreseeable by those subject to them (see judgment of 4 October 2024, Bezirkshauptmannschaft Landeck (Attempt to access personal data stored on a mobile telephone) (C‑548/21, EU:C:2024:830, paragraph 76)).

34      See, in that regard, Sajfert, J. and Quintel, T., ‘Data Protection Directive (EU) 2016/680 for Police and Criminal Justice Authorities’, op. cit., in particular sub-title I.4, headed ‘Croquis of the Directive’, p. 7, according to which, for example, a controller will have more leeway to restrict the right of access and the right to obtain information about the possible refusal of rectification, erasure or restriction of processing under Article 13(3), Article 15(3) and Article 16(4) of Directive 2016/680 than under Article 23 of the GDPR. This is so as to ‘avoid obstructing official or legal inquiries, investigations or procedures’ and to avoid interference with, inter alia, criminal prosecutions (see Article 13(3)(a) and (b) of the directive). See also Purtova, N., ‘Between the GDPR and the Police Directive: navigating through the maze of information sharing in public–private partnerships’, op cit., in particular p. 60, and De Hert, P. and Sajfert, J., ‘Chapter 10: Variety, velocity and volume of personal data in criminal investigations and proceedings: the limits drawn by the purpose limitation and data minimization principles in Directive (EU) 2016/680’, op. cit., p. 222.

35      By way of example, I point out that the referring court requested the Konstitutsionen sad (Constitutional Court) to rule the national provision at issue in the main proceedings incompatible with the Konstitutsia na Republika Bulgaria (Constitution of the Republic of Bulgaria). That application was, however, rejected as inadmissible on the ground that the referring court had failed to take account of Chapter 8 of the zakon za zashtita na lichnite danni (Law on the protection of personal data) of 1 January 2002 (DV No 1 of 4 January 2002, as amended and supplemented by DV No 70 of 20 August 2024; ‘the ZZLD’), which transposes Directive 2016/680. However, the referring court considers that the rules of the ZZLD are general and that Article 272(1) of the NPK, being a lex specialis, remains applicable. The referring court has jurisdiction to interpret its national law (see judgment of 30 April 2024, M.N. (EncroChat) (C‑670/22, EU:C:2024:372, paragraph 76)) and I am therefore of the view that the question – which is presumed relevant – should be answered as asked, (see judgment of 26 January 2023, Ministerstvo na vatreshnite raboti (Recording of biometric and genetic data by the police) (C‑205/21, ‘the judgment in Ministerstvo na vatreshnite raboti’, EU:C:2023:49, paragraph 54)).

36      See judgment of 30 January 2024, Direktor na Glavna direktsia ‘Natsionalna politsia’ pri MVR – Sofia (C‑118/22, ‘the judgment in Direktor na Glavna direktsia’, EU:C:2024:97, paragraph 39).

37      See the judgment in Ministerstvo na vatreshnite raboti (paragraph 116 and the case-law cited). On the concept of ‘ethnic origin’ in another context, see judgment of 18 December 2025, Slagelse Almennyttige Boligselskab, Afdeling Schackenborgvænge (C‑417/23, EU:C:2025:1017, paragraph 71 et seq.), which concerned Directive 2000/43/EC of the Council of 29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or ethnic origin (OJ 2000 L 180, p. 22).

38      In issue, therefore, is not the collection of data by the police in the course of an investigation for the purposes of the identification or the future appearance of the individual being prosecuted, as was true, for example, in the case which gave rise to the judgment of 20 November 2025, Policejní prezidium (Storage of biometric and genetic data) (C‑57/23, EU:C:2025:905, paragraph 84).

39      See, by analogy, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points) (C‑439/19, EU:C:2021:504, paragraphs 109 and 110).

40      See, by analogy, the judgment in Vyriausioji tarnybinės etikos komisija (paragraph 98 and the case-law cited). See also the judgment in Direktor na Glavna direktsia (paragraph 62).

41      See points 12 to 15 of this Opinion.

42      See Article 8(1) of the ZGR, the content of which is set out in point 12 of this Opinion.

43      See, by analogy, the judgment in Vyriausioji tarnybinės etikos komisija (paragraph 98 and the case-law cited). See also the judgment in Direktor na Glavna direktsia (paragraph 62).

44      See the judgment in Direktor na Glavna direktsia (paragraph 48 and the case-law cited).

45      See the judgment in Ministerstvo na vatreshnite raboti (paragraph 118 et seq.), and judgment of 20 November 2025, Policejní prezidium (Storage of biometric and genetic data) (C‑57/23, EU:C:2025:905, paragraph 78). See also Opinion of Advocate General Szpunar in Comdribus (C‑371/24, EU:C:2025:631, point 43 et seq.).

46      Moreover, I wonder what could be the point of this question concerning ‘ethnicity’, which is liable to be problematic in regard to the values of the European Union, described in Article 2 TEU.

47      See, to that effect, the judgment in Ministerstvo na vatreshnite raboti (paragraphs 128 and 129); Simon, D., ‘Données personnelles – Traitement des données sensibles dans les procédures pénales’, in Revue Europe, LexisNexis, No 3, 2023, comment No 112.