Provisional text
JUDGMENT OF THE COURT (Fifth Chamber)
4 June 2026 (*)
( Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data in criminal matters – Regulation (EU) 2016/679 – Directive (EU) 2016/680 – Scope – Processing of data collected in the course of an investigation against a police officer as a person suspected of a criminal offence – Recording of data relating to this investigation in the police officer’s personnel file – Lawfulness of processing – Point (c) of the first subparagraph of Article 6(1) and Article 6(3) of that regulation – Processing necessary for compliance with a legal obligation – Legal basis for the processing – Article 17 of that regulation – Right to erasure )
In Case C‑312/24 [Darashev], (i)
REQUEST for a preliminary ruling under Article 267 TFEU from the Sofiyski rayonen sad (Sofia District Court, Bulgaria), made by decision of 30 January 2024, received at the Court on 29 April 2024, in the proceedings
CL
v
Prokuratura na Republika Bulgaria,
THE COURT (Fifth Chamber),
composed of M.L. Arastey Sahún, President of the Chamber, J. Passer, E. Regan (Rapporteur), D. Gratsias and B. Smulders, Judges,
Advocate General: M. Szpunar,
Registrar: R. Stefanova-Kamisheva, Administrator,
having regard to the written procedure and further to the hearing on 21 May 2025,
after considering the observations submitted on behalf of:
– the Bulgarian Government, by T. Mitova, S. Ruseva and R. Stoyanov, acting as Agents,
– the Hungarian Government, by Zs. Biró-Tóth and M.Z. Fehér, acting as Agents,
– the European Commission, by A. Bouchagiar, G. Koleva and H. Kranenborg, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 4 September 2025,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation of Article 1 of Council Directive 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation (OJ 2000 L 303, p. 16), Article 2(1), points 2 and 6 of Article 4, Article 9(2)(b) and Article 17(1)(a) and (d) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and corrigendum OJ 2018 L 127, p. 2; ‘the GDPR’), Article 3(1) and (2), Article 9(1) and Article 16(2) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89), and of Article 52 of the Charter of Fundamental Rights of the European Union (‘the Charter’).
2 The request has been made in proceedings between CL and the Prokuratura na Republika Bulgaria (Public Prosecutor’s Office of the Republic of Bulgaria; ‘the Public Prosecutor’s Office’) concerning compensation claimed by CL for the harm which he claims to have suffered on account of, first, the investigative measures to which he was subject in the course of a criminal investigation concerning him and, second, the consequences of that investigation.
Legal context
European Union law
Directive 2000/78
3 Article 1 of Directive 2000/78, entitled ‘Purpose’, provides:
‘The purpose of this Directive is to lay down a general framework for combating discrimination on the grounds of religion or belief, disability, age or sexual orientation as regards employment and occupation, with a view to putting into effect in the Member States the principle of equal treatment.’
The GDPR
4 Recitals 4, 10, 19, 39, 41, 65 and 66 of the GDPR state:
‘(4) … This Regulation respects all fundamental rights and observes the freedoms and principles recognised by the Charter as enshrined in the Treaties, in particular the respect for private and family life ….
…
(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the [European] Union. …
…
(19) …
With regard to the processing of personal data by those competent authorities for purposes falling within scope of this Regulation, Member States should be able to maintain or introduce more specific provisions to adapt the application of the rules of this Regulation. Such provisions may determine more precisely specific requirements for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State. …
…
(39) … The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. …
…
(41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union … and the European Court of Human Rights.
…
(65) A data subject should have the right to have personal data concerning him or her rectified and a “right to be forgotten” where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject … objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. … However, the further retention of the personal data should be lawful where it is necessary … for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller …
(66) To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. …’
5 Article 1 of the GDPR, entitled ‘Subject matter and objectives’, provides in paragraph 2:
‘This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.’
6 Article 2 of the GDPR, entitled ‘Material scope’, provides:
‘1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Regulation does not apply to the processing of personal data:
…
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
…’
7 Article 4 of the GDPR, entitled ‘Definitions’, is worded as follows:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person …; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
…
(6) “filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
…’
8 Article 5 of the GDPR, entitled ‘Principles relating to processing of personal data’, provides, in paragraph 1:
‘Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
…
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
…’
9 Under Article 6 of the GDPR, entitled ‘Lawfulness of processing’:
‘1. Processing shall be lawful only if and to the extent that at least one of the following applies:
…
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
…
3. The basis for the processing referred to in point[s] (c) and (e) of paragraph 1 shall be laid down by:
(a) Union law; or
(b) Member State law to which the controller is subject.
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
…’
10 Article 9 of the GDPR, entitled ‘Processing of special categories of personal data’, provides:
‘1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies:
…
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
…’
11 Article 10 of the GDPR, entitled ‘Processing of personal data relating to criminal convictions and offences’, provides:
‘Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. …’
12 Article 17 of that regulation, entitled ‘Right to erasure (“right to be forgotten”)’, is worded as follows:
‘1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
…
(d) the personal data have been unlawfully processed;
…
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
…
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
…’
Directive 2016/680
13 Recitals 11 and 12 of Directive 2016/680 state:
‘(11) It is therefore appropriate for those fields to be addressed by a directive that lays down the specific rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, respecting the specific nature of those activities. Such competent authorities may include not only public authorities such as the judicial authorities, the police or other law-enforcement authorities but also any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of this Directive. Where such a body or entity processes personal data for purposes other than for the purposes of this Directive, [the GDPR] applies. [The GDPR] therefore applies in cases where a body or entity collects personal data for other purposes and further processes those personal data in order to comply with a legal obligation to which it is subject. …
(12) The activities carried out by the police or other law-enforcement authorities are focused mainly on the prevention, investigation, detection or prosecution of criminal offences, including police activities without prior knowledge if an incident is a criminal offence or not. … They also include maintaining law and order as a task conferred on the police or other law-enforcement authorities where necessary to safeguard against and prevent threats to public security and to fundamental interests of the society protected by law which may lead to a criminal offence. …’
14 Article 1 of that directive, entitled ‘Subject matter and objectives’, provides, in paragraph 1:
‘This Directive lays down the rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’
15 Article 2 of that directive, entitled ‘Scope’, provides in paragraph 1:
‘This Directive applies to the processing of personal data by competent authorities for the purposes set out in Article 1(1).’
16 Article 3 of Directive 2016/680, entitled ‘Definitions’, states:
‘For the purposes of this Directive:
(1) “personal data” means any information relating to an identified or identifiable natural person …; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
…
(7) “competent authority” means:
(a) any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or
…
(8) “controller” means the competent authority which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
…’
17 Article 9 of Directive 2016/680, entitled ‘Specific processing conditions’, provides:
‘1. Personal data collected by competent authorities for the purposes set out in Article 1(1) shall not be processed for purposes other than those set out in Article 1(1) unless such processing is authorised by Union or Member State law. Where personal data are processed for such other purposes, [the GDPR] shall apply unless the processing is carried out in an activity which falls outside the scope of Union law.
2. Where competent authorities are entrusted by Member State law with the performance of tasks other than those performed for the purposes set out in Article 1(1), [the GDPR] shall apply to processing for such purposes, including for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, unless the processing is carried out in an activity which falls outside the scope of Union law.
…’
18 Article 10 of that directive lays down conditions relating to the processing of special categories of personal data.
19 Article 16 of that directive, entitled ‘Right to rectification or erasure of personal data and restriction of processing’, provides, in paragraph 2:
‘Member States shall require the controller to erase personal data without undue delay and provide for the right of the data subject to obtain from the controller the erasure of personal data concerning him or her without undue delay where processing infringes the provisions adopted pursuant to Article 4, 8 or 10, or where personal data must be erased in order to comply with a legal obligation to which the controller is subject.’
Bulgarian law
20 The zakon za otgovornostta na darzhavata i obshtinite za vredi (Law on the liability of the State and of municipalities for damage) (DV No 60 of 5 August 1988), in the version applicable to the dispute in the main proceedings, provides, in Article 2(1)(2) and (3):
‘The State shall be liable for damage caused to citizens by investigative authorities, the public prosecutor’s office or the court in the event of: … 2. infringement of rights protected by Article 5(2) to (4) of the Convention; 3. an accusation of having committed a criminal offence, if the person is acquitted or if the criminal proceedings are terminated on the grounds that the act was not committed by the person concerned or that the act committed does not constitute a criminal offence, or that criminal proceedings were initiated after expiry of the limitation period or the offence was covered by an amnesty; …’
21 The zakon za ministerstvoto na vatreshnite raboti (Law on the Ministry of the Interior) (DV No 53 of 27 June 2014), in the version applicable to the dispute in the main proceedings (‘the ZMVR’), provides, in Article 2(1):
‘The activities of the Ministry of the Interior aim to protect the rights and freedoms of citizens, combat crime, protect national security, maintain public order, prevent fires and protect the population.’
22 Article 26(2) of the ZMVR is worded as follows:
‘The time limits for storage of the data referred to in paragraph 1 or the time limits for a periodic review of the need to store such data shall be determined by the Minister for the Interior. Those data shall also be erased pursuant to a judgment or decision of the [Personal] Data Protection Commission.’
23 Under Article 29(1) and (2) of the ZMVR:
‘(1) The controller responsible for the processing of personal data shall be the Minister for the Interior, who may entrust the processing of personal data to such officers as he or she may designate. (2) Rules governing the processing of personal data shall be established by instruction of the Minister for the Interior.’
24 Article 147 of the ZMVR provides:
‘(1) A personnel file shall be drawn up for every officer of the Ministry of the Interior. (2) The rules governing the drawing up, management and keeping of personnel files, as well as the rules governing their use shall be established by instruction of the Minister for the Interior.’
25 Article 150 of the ZMVR provides:
‘(1) The Minister for the Interior shall draw up a code of ethics for officers of the Ministry of the Interior, which shall be published in the Darzhaven vestnik [(Bulgarian Official Journal)]; (2) Officers are required to comply with the rules laid down in the Code of Ethics for Officers of the Ministry of the Interior.’
26 Under Article 155(1) and (4) of the ZMVR:
‘(1) An officer of the Ministry of the Interior shall be a natural person with capacity to act who has not been subject to the following: … 2. a conviction for an intentional criminal offence under ordinary law, irrespective of rehabilitation; 3. a charge or prosecution for an intentional criminal offence under ordinary law; …
…
(4) The circumstances referred to in paragraph 1(2) shall be established by the appointing authority of its own motion.’
27 The zakon za zashtita na lichnite danni (Law on the protection of personal data) (DV No 1 of 4 January 2002), in the version applicable to the dispute in the main proceedings (‘the ZZLD’), provides, in Article 6(1) and (2) thereof:
‘(1) The Personal Data Protection Commission … is a permanent and independent supervisory authority which ensures the protection of persons with regard to the processing of and access to their personal data as well as inspections in respect of compliance with [the GDPR] and with this law; (2) the [Personal Data Protection] Commission shall contribute to the implementation of State policy concerning the protection of personal data.’
28 Article 42 of the ZZLD is worded as follows:
‘(1) The rules laid down in the present chapter shall apply where personal data are processed by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public policy and public security. (2) Personal data collected for the purposes referred to in paragraph 1 shall not be processed for other purposes, unless otherwise provided for in EU law or in the legislation of the Republic of Bulgaria. (3) Where the competent authorities referred to in paragraph 1 process personal data for purposes other than those referred to in paragraph 1 and in the cases referred to in paragraph 2, [the GDPR] and the relevant provisions of this law, which implement that regulation, shall apply. (4) A competent authority within the meaning of paragraph 1 shall mean any public authority with responsibility for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. (5) Unless otherwise provided for by law, a controller, within the meaning of the present chapter, who processes personal data for the purposes laid down in paragraph 1, is a competent authority within the meaning of paragraph 4 or the administrative structure of which that authority forms part, which, alone or jointly with other authorities, determines the purposes and the means of processing personal data.’
29 Article 43 of the ZZLD provides:
‘The rules of the present chapter shall apply to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.’
30 In accordance with Article 46 of the ZZLD:
‘(1) Where the time limits for the erasure of personal data or for periodic verification of the need for their storage are not determined by law, they shall be determined by the controller; (2) The periodic verification referred to in paragraph 1 shall be documented and reasons shall be given for the decision to continue to store the data.’
31 Instruction No 8121z-532 of 9 September 2014 on the preparation, keeping, storage and use of personnel files of officers of the Ministry of the Interior (DV No 78 of 19 September 2014, amended and supplemented in DV No 27 of 14 April 2015, amended and supplemented in DV No 53 of 25 June 2021) (‘the instruction relating to personnel files’), provides, in Article 3:
‘Personnel files shall be drawn up and stored by the “human resources” unit of the relevant structures. They shall be numbered in ascending order, recorded in a logbook … and stored at premises (repositories) that meet the storage requirements for materials containing classified information.’
32 Article 5 of the instruction relating to personnel files is worded as follows:
‘(1) The processing of personal data in personnel files shall be carried out in accordance with the provisions of the zakon za zashtita na klasifitsiranata informatsia … [(Law on the protection of classified information)], the [ZZLD] and the [GDPR]; (2) The processing of information stored in the personnel files shall be carried out for the purposes of: 1. commencement, change and termination of the employment or service relationship of officers; 2. the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of the employer’s or employee’s property; 3. exercise and enjoyment, on an individual or collective basis, of the rights and benefits of employment; 4. archives in the public interest, scientific or historical research purposes or statistical purposes; (3) access to information stored in personnel files shall be limited and carried out in accordance with the provisions of the [Law on the protection of classified information], the [ZZLD] and [the GDPR].’
33 Article 6 of the instruction relating to personnel files provides:
‘(1) Documents categorised in three sections and containing data and information relating to the examination, award and conclusion of employment contracts, to changes of duties and to the termination of employment of officials shall be collected and stored in the personnel files. (2) The first section contains documents relating to the taking up of employment at the Ministry of the Interior. (3) The second section contains documents relating to professional development (declarations, minutes, proposals, assessment reports, personal records, certificates of training courses followed, documents certifying participation in competitions, security verification, sick leave records, and so forth). (4) The third section contains documents relating to changes of duties (decisions, records of the commencement and termination of employment, documents relating to disciplinary proceedings, employment contracts, supplementary agreements, notifications referred to in Article 62 of the Kodeks na truda (Labour Code), and so forth).’
The dispute in the main proceedings and the questions referred for a preliminary ruling
34 Between 2012 and 2023, the applicant in the main proceedings held various positions as a police officer within the ‘Security Police’ Directorate-General and the ‘National Police’ Directorate-General of the Bulgarian Ministry of the Interior.
35 On 1 March 2016, an investigation was initiated by the ‘Internal Security’ directorate of that ministry, against an unknown perpetrator, in respect of an offence of robbery committed with the involvement of other persons.
36 On 17 May 2016, a general meeting was held of all the police officers of the directorate in which the applicant in the main proceedings worked. That meeting was attended by the head of the section concerned, a representative of the ‘Internal Security’ directorate, a public prosecutor from the Sofiyska gradska prokuratura (the Public Prosecutor’s Office of the City of Sofia) and an investigator. At that meeting, the applicant in the main proceedings was publicly arrested and required to hand over his badge, weapon and service pass.
37 In the course of the investigation at issue, the applicant in the main proceedings was subject, in his capacity as a suspect, to various investigative measures, namely a search, the taking of fingerprints and, after a judicial authorisation was issued, a search of his home giving rise to seizure of items. He took part in an identification procedure during which he was not identified by the victims as the perpetrator of the crime and no trace of his fingerprints was found on items belonging to the victims. After 24 hours in police custody, the applicant in the main proceedings was released and, subsequently, he was neither investigated for nor accused of the offence of robbery. As the perpetrator could not be identified, the investigation was suspended.
38 The applicant in the main proceedings continued to perform his duties at the Ministry of the Interior and took part in competitions for the purpose of obtaining promotion, which was refused on the ground that he had been taken into police custody as a suspect in an investigation for robbery. His personnel file and the archives of that ministry contain information concerning his detention in police custody and the investigative measures concerning him as a suspect.
39 The applicant in the main proceedings brought an action before the Sofiyski rayonen sad (Sofia District Court, Bulgaria), which is the referring court, seeking an order that the Public Prosecutor’s Office pay compensation for the non-material damage caused to him by the measures to which he was subject in the course of the investigation at issue and by the consequences resulting therefrom. He claims that he suffered non-material damage on account of the fact that, as a long-serving employee of the Ministry of the Interior, he was taken into police custody in front of his colleagues for an offence which there was no proof of his having committed. That humiliating measure constitutes an obstacle to his advancement at work and he maintains, in that regard, that his employer, who placed him in police custody, keeps a database record of that investigation and his listing as a suspect and refuses to remove or erase those data.
40 It is apparent from the order for reference that, in accordance with the case-law of the Varhoven kasatsionen sad na Republika Balgaria (Supreme Court of Cassation of the Republic of Bulgaria), a suspect who has not been prosecuted and who has benefited from a decision to take no further action is entitled to compensation.
41 The referring court states that the Ministry of the Interior is a single administrative authority, the task of which is to ensure that public order is maintained; it is composed of several directorates, including the ‘National Police’ and the ‘Security Police’ directorates, which are involved in the protection of public order, and the ‘Internal Security’ directorate which carries out investigations concerning employees of that ministry, irrespective of the types of offences alleged against them and the unit in which they are employed.
42 As a single administrative authority, the Ministry of the Interior is the employer of all officers performing their duties therein, but each directorate of the Ministry of the Interior stores information relating to its staff and records it in their personnel file. When an employee takes part in competitions for promotions and transfers, he or she must communicate his or her personnel file as well as information relating to the manner in which he or she has fulfilled his or her obligations and information concerning whether he or she has ever been suspected or accused of a criminal offence, subject to criminal prosecution, or committed a disciplinary offence or a breach of public order. Information obtained during an investigation is also stored in the personnel file.
43 In the first place, the referring court asks whether the GDPR applies to situations such as that at issue in the main proceedings, that is to say where a single organisational structure is concerned, part of which acts as an employer, while another part performs the functions of an investigating authority in criminal proceedings.
44 In the second place, if that is the case, that court seeks to establish whether the storage of information such as that referred to in paragraph 42 of the present judgment in an employee’s personnel file constitutes ‘processing of personal data’ within the meaning of point 2 of Article 4 of the GDPR, and whether that file constitutes a ‘filing system’ within the meaning of point 6 of Article 4 of the GDPR. The question also arises as to whether the storage of data such as that at issue in the present case falls within the scope of Article 9(2)(b) of the GDPR.
45 In the third place, the referring court asks whether the Ministry of the Interior is entitled, in its capacity as employer, to refuse professional advancement to one of its employees on the sole ground that that employee was a suspect, defendant in criminal proceedings or accused person, including where the criminal proceedings were ultimately suspended. While it is common knowledge that staff of the Ministry of the Interior, who ensure compliance with public policy, must satisfy more stringent moral and ethical criteria than other categories of workers or employees, that court has doubts as to whether the detailed rules relating to the processing of data in the personnel file of employees of that ministry relating to the status of suspect, accused person or defendant are proportionate to the requirements imposed on that type of employee. Only a final conviction, according to that court, constitutes a valid ground for unilateral termination of an employee’s employment contract.
46 In the fourth place, the referring court asks whether the principle of the ‘right to be forgotten’, provided for in Article 17(1)(a) of the GDPR, read in the light of recitals 65 and 66 of that regulation, must be interpreted as meaning that the data in an employee’s personnel file must be erased, where they have been collected by a unit of the employer, other than that to which the employee belongs, which is responsible for conducting the investigation, and where those data show that that employee has been suspected or accused of an offence or has been the subject of criminal proceedings. That court also has doubts, in that context, as to the scope of the concept of ‘unlawful processing’, for the purposes of Article 17(1)(d) of the GDPR.
47 In the fifth place, the referring court has doubts as to whether the provisions of Directive 2016/680 are applicable to the situation at issue in the main proceedings and, if so, whether the storage of the data at issue in the main proceedings is lawful and proportionate in the light of Article 9(1) and Article 10 of that directive and concerning the erasure of those data under Article 16(2) of that directive.
48 In the sixth and last place, that court points out that the applicant in the main proceedings took part in competitions for promotion and transfer and that, despite his high classification, he was not selected on account of his status as a suspect in the investigation for robbery. In that context, that court asks whether the storage of personal data by a single administrative authority, such as the Ministry of the Interior, constitutes a form of discrimination, within the meaning of Article 1 of Directive 2000/78.
49 In those circumstances, the Sofiyski rayonen sad (Sofia District Court) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Is Article 2(1) of the GDPR to be interpreted as meaning that data processing includes activities within one and the same organisational structure, in which some of its directorates perform the duties of an employer while one other directorate has the function of an investigating authority in criminal proceedings against employees of the other directorates? If the answer is in the affirmative:
(2) Is the expression “processing of personal data” in [point 2 of Article 4] of the GDPR to be interpreted as covering an activity in the context of which information concerning a particular employee which has been obtained by the employer, in its capacity as the investigating authority, through one of its directorates is added to that employee’s personal file?
(3) Is the expression “filing system” in [point 6 of Article 4] of the GDPR to be interpreted as covering the personal file of an employee or worker working in a directorate of the employer where the information has been collected by another directorate of the employer which has the status of an investigating authority?
(4) Is Article 9(2)(b) of the GDPR to be interpreted as meaning that an organisational entity of an employer may gather and store data indicating that a particular employee was suspected of, charged with or put on trial for a criminal offence in criminal proceedings if that information was collected by another organisational entity of the employer which has the status of an investigating authority?
(5) Is the “right to be forgotten” within the meaning of Article 17(1)(a) of the GDPR to be interpreted as meaning that an employer is required to erase from the personal file of the employee any data which it has collected and stored through another of its directorates, which has the status of a public authority for the purposes of investigating its employees, and which indicate that the employee:
– is suspected of, charged with or on trial for a criminal offence in pending criminal proceedings, or
– was suspected of, charged with or put on trial for a criminal offence for which criminal proceedings were stayed or abandoned?
(6) Are personal data “unlawfully processed” within the meaning of Article 17(1)(d) of the GDPR to be interpreted as including data which the employer has received, collected and stored through another of its organisational entities which performs investigative functions in criminal proceedings against employees of other organisational entities of the employer, where those data are recorded in the personal file and relate to the fact that the employee has been suspected of, charged with or on trial for a criminal offence, that is to say:
– is suspected of, charged with or on trial for a criminal offence in pending criminal proceedings; or
– was suspected of, charged with or put on trial for a criminal offence for which criminal proceedings were stayed or abandoned?
(7) Are “personal data”, within the meaning of Article 3(1) of [Directive 2016/680], read in conjunction with Article 52 of the [Charter], to be interpreted as [including] data which have been obtained, collected and stored by the employer through one of its organisational entities which performs the functions of an investigating authority in criminal proceedings against an employee serving in another organisational entity of the employer?
(8) Is “processing” within the meaning of Article 3(2) of [Directive 2016/680], read in conjunction with Article 52 of the [Charter], to be interpreted as meaning that it encompasses an activity consisting in the employer storing in the employee’s personal file data which the employer has obtained, collected and stored through one of its organisational entities which performs the duties of an investigating authority in criminal proceedings against any of the employer’s employees serving in another of its organisational entities?
(9) Is Article 9(1) of [Directive 2016/680], read in conjunction with Article 52 of the [Charter], to be interpreted as meaning that it permits the employer to collect and store information on an employee who is suspected of, charged with or on trial for a criminal offence in cases where the employer collected that information through another of its organisational entities which has the status of an investigating authority in criminal proceedings against that employee?
(10) Is Article 16(2) of [Directive 2016/680], in conjunction with Article 52 of the [Charter], to be interpreted as meaning that the employer must erase from the employee’s personnel file any data which the employer has collected and stored through another of its organisational entities[,] which has the status of an investigating authority in criminal proceedings against that employee, and which relate to the fact that the employee:
– is suspected of, charged with or on trial for a criminal offence in pending criminal proceedings, or
– was suspected of, charged with or put on trial for a criminal offence for which criminal proceedings were stayed or abandoned?
(11) Is Article 1 of [Directive 2000/78] to be interpreted as not permitting an employer, one of whose organisational entities undertakes investigative actions against an employee of another organisational entity, to deny an employee promotion on the sole ground that he [or she]:
– is suspected of, charged with or on trial for a criminal offence in pending criminal proceedings, or
– was suspected of, charged with or put on trial for a criminal offence for which criminal proceedings were stayed or abandoned?’
Consideration of the questions referred
Admissibility
50 The Bulgarian Government submits that all the questions referred for a preliminary ruling are manifestly inadmissible.
51 That government maintains that the claim for compensation for harm is directed solely at the Public Prosecutor’s Office, which is part of the judiciary, whereas the Ministry of the Interior, which is part of the executive and is the employer of the applicant in the main proceedings, alone holds the information in the latter’s personnel file. That applicant cannot, therefore, request the Public Prosecutor’s Office to erase his data, or hold it responsible for the Ministry of the Interior’s holding that information, or complain that it has hindered his career advancement.
52 That government states that, in order for the Public Prosecutor’s Office to incur liability, the referring court must determine, in accordance with national legislation governing State liability, whether the rights of the data subject, in the capacity of an accused person, were infringed and whether he was unjustly accused of an offence. The dispute in the main proceedings concerns neither the application of the provisions of the GDPR nor that of the national legislation transposing Directives 2016/680 and 2000/78. The interpretation of those acts of EU law is therefore not necessary in order to resolve that dispute.
53 In that regard, it is clear from the Court’s settled case-law that questions on the interpretation of EU law referred by a national court, in the factual and legislative context which that court is responsible for defining, and the accuracy of which is not a matter for the Court to determine, enjoy a presumption of relevance. The Court may refuse to rule on a question referred for a preliminary ruling from a national court only where it is quite obvious that the interpretation of EU law that is sought is unrelated to the actual facts of the main action or its purpose, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it (see judgment of 8 May 2025, Stadt Wuppertal, C‑130/24, EU:C:2025:340, paragraph 42 and the case-law cited).
54 Furthermore, it must be recalled that it is not for the Court to rule on the interpretation of provisions of national law or to decide whether the interpretation or application of those provisions by the national court is correct, since such an interpretation falls within the exclusive jurisdiction of the national court (judgment of 4 October 2024, Bezirkshauptmannschaft Landeck (Attempt to access personal data stored on a mobile telephone), C‑548/21, EU:C:2024:830, paragraph 53 and the case-law cited).
55 Thus, the Court must take into account, under the division of jurisdiction between the Courts of the European Union and the national courts, the factual and legal context, as set out in the order for reference, of the questions referred for a preliminary ruling. As a result, whatever criticism the government of a Member State may have made of the interpretation of national law adopted by the referring court, the questions referred for a preliminary ruling must be examined in the light of that court’s interpretation, the accuracy of which is not a matter for the Court to determine (judgment of 29 July 2024, CU and ND (Social assistance – Indirect discrimination), C‑112/22 and C‑223/22, EU:C:2024:636, paragraph 40 and the case-law cited).
56 That said, in order for the Court to be able to give an interpretation of EU law that is useful to the national court, Article 94(c) of the Rules of Procedure of the Court of Justice provides that the request for a preliminary ruling must contain a statement of the reasons which prompted the referring court to inquire about the interpretation or validity of certain provisions of EU law, and the relationship between those provisions and the national legislation applicable to the main proceedings (judgment of 2 July 2015, Gullotta and Farmacia di Gullotta Davide & C., C‑497/12, EU:C:2015:436, paragraph 17).
57 In the present case, as regards the subject matter of the dispute in the main proceedings, it is common ground that the questions referred for a preliminary ruling were raised in a dispute pending before the referring court concerning a claim for compensation for the harm allegedly suffered by the applicant in the main proceedings not only on account of the measures to which he was subject in the course of an investigation, but also of the consequences of that investigation. In the latter regard, it is apparent from the order for reference that the harm allegedly suffered results, in particular, from the storage and subsequent use, by the employer, of personal data collected in the course of that investigation, since that employer refused professional advancement to the applicant in the main proceedings on the ground that he was a suspect in that investigation. The applicant in the main proceedings also requests that his name be removed from the database in which he is listed as a suspect.
58 The file before the Court thus sets out, first, that there is a link between the subject matter of the dispute in the main proceedings and the rules of EU law on the protection of personal data and, second, the reasons which led the referring court to consider whether the employer’s refusal to erase the data in question is compatible with those rules.
59 As regards, specifically, the relevance of the interpretation of Directive 2000/78 for the purposes of resolving the dispute in the main proceedings, since the question relating thereto seeks, in essence, to determine whether the harm suffered by the applicant in the main proceedings, associated with a refusal of professional advancement based on his status as a suspect, may be examined in the light of the provisions of that directive, that question entails, in the circumstances of the present case, providing a substantive answer relating to the interpretation of Article 1 of that directive, which defines the purpose of that directive.
60 Consequently, the arguments put forward by the Bulgarian Government do not permit the view that all the questions referred for a preliminary ruling are inadmissible.
61 By contrast, it must be observed, in the first place, that, by the fourth question, the referring court refers to Article 9 of the GDPR, which governs, as is apparent from its title, the processing of sensitive categories of personal data. It is not apparent from the request for a preliminary ruling that the data at issue in the main proceedings fall within one of the categories of data listed in Article 9(1), namely, inter alia, data revealing racial or ethnic origin, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person or data concerning the health of a natural person. Since the requested interpretation of Article 9(2)(b) of the GDPR is irrelevant for the purposes of resolving the dispute in the main proceedings, that fourth question must be deemed inadmissible.
62 In the second place, certain circumstances referred to in the wording of the fifth, sixth and ninth to eleventh questions are not relevant in the light of the situation at issue in the main proceedings, which concerns, as is apparent from the order for reference as summarised in paragraphs 35 to 37 of the present judgment, a person suspected of having committed an offence in the context of a criminal investigation which was ultimately suspended. There is therefore no need to answer those questions in so far as they concern the processing of data relating to an employee who is accused or has been accused of having committed an offence or who is or has been the subject of criminal proceedings, since those questions are, in that respect, hypothetical.
63 In the third place, as regards certain other factual premisses on which the eleventh question is based, the Bulgarian Government stated at the hearing that, during the period following the criminal investigation at issue, the applicant in the main proceedings, contrary to what he claims, was promoted on several occasions. It must, however, be pointed out that the presumption of relevance enjoyed by the questions referred for a preliminary ruling, recalled in paragraph 53 of the present judgment, cannot be rebutted by the simple fact that one of the parties to the main proceedings contests certain facts, the accuracy of which is not a matter for the Court to determine and on which the delimitation of the subject matter of those proceedings depends (judgment of 5 December 2006, Cipolla and Others, C‑94/04 and C‑202/04, EU:C:2006:758, paragraph 26).
Substance
The first to third and seventh to ninth questions
64 It should be borne in mind that, in the procedure laid down by Article 267 TFEU providing for cooperation between national courts and the Court of Justice, it is for the latter to provide the national court with an answer which will be of use to it and enable it to decide the case before it. To that end, the Court of Justice should, where necessary, reformulate the questions referred to it. Furthermore, the Court may decide to take into consideration rules of EU law to which the national court has made no reference in the wording of its question (judgment of 18 January 2024, Hewlett Packard Development Company, C‑367/21, EU:C:2024:61, paragraph 44 and the case-law cited).
65 In that regard, it should be noted that, as the Advocate General observed in points 47 to 53 of his Opinion, although, by its second, third, seventh and eighth questions, the referring court formally asks the Court about the interpretation to be given to the concepts of ‘processing’ of personal data and ‘filing system’, within the meaning of points 2 and 6 of Article 4 of the GDPR, and to the concepts of ‘personal data’ and ‘processing’, within the meaning of Article 3(1) and (2) of Directive 2016/680, in addition to the fact that the latter concepts are defined in terms identical to those used in the GDPR, in reality, that court seeks to determine whether the situation at issue in the main proceedings falls within the scope of the GDPR or Directive 2016/680. It is apparent from the reasoning of the order for reference and from those questions that the true purpose of those questions concerns the question of which of those acts applies to data processing carried out by a directorate of a public authority, acting as employer, consisting in storing in the personnel file of an employee of that authority data relating to his status as a suspect in a criminal investigation, where that directorate obtained those data through another directorate of the same public authority, which was empowered to conduct that type of investigation.
66 In those circumstances, it must be held that, by its first to third and seventh to ninth questions, which it is appropriate to examine together, the referring court asks, in essence, whether Article 2(1) of the GDPR and Article 9(1) of Directive 2016/680 must be interpreted as meaning that that regulation applies to the processing of personal data by a directorate of a public authority, consisting in the storage in the personal file of one of its officers of data relating to his status as a suspect in a criminal investigation (‘the processing at issue in the main proceedings’), where that directorate obtained those data through another directorate belonging to the same public authority, which was empowered to conduct that type of investigation.
67 Under Article 2(2)(d) of the GDPR, that regulation does not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
68 Article 1(1) of Directive 2016/680 provides, by contrast, that it lays down rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
69 In addition, Article 9(1) of that directive provides, inter alia, that where personal data are processed for purposes other than those set out in Article 1(1) of that directive, the GDPR is to apply unless the processing is carried out in an activity which falls outside the scope of EU law.
70 It follows that, where the processing of personal data is carried out by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, Directive 2016/680 applies, whereas if processing is carried out for other purposes, the GDPR applies (see, to that effect, judgment of 8 December 2022, Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation), C‑180/21, EU:C:2022:967, paragraph 73).
71 In the present case, although the initial collection of personal data carried out by the ‘Internal Security’ directorate of the Ministry of the Interior for the purposes of the investigation concerning the applicant in the main proceedings falls within the scope of Directive 2016/680, the processing at issue in the main proceedings, in so far as it is carried out for human resources management purposes, falls within the scope of the GDPR.
72 It should be noted that the applicability of the GDPR to the processing at issue in the main proceedings is not called into question by the fact that the information concerned was obtained by the employer through the directorate of the Ministry of the Interior responsible for carrying out the investigation concerning the applicant in the main proceedings. In that regard, the Court has already held that it is apparent from the wording of Article 9(1) and (2) of Directive 2016/680 and from the relationship between those paragraphs that the GDPR applies to any processing of personal data collected for the purposes set out in Article 1(1) of that directive, for other purposes, unless the processing in question is not covered by EU law, including where the ‘controller’, within the meaning of Article 3(8) of that directive, is a ‘competent authority’ within the meaning of Article 3(7)(a) thereof, and it also carries out the processing of personal data in the context of tasks other than those carried out for the purposes set out in Article 1(1) of that directive (judgment of 8 December 2022, Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation), C‑180/21, EU:C:2022:967, paragraph 81).
73 In the light of the foregoing, the answer to the first to third and seventh to ninth questions is that Article 2(1) of the GDPR and Article 9(1) of Directive 2016/680 must be interpreted as meaning that that regulation applies to the activity carried out by the directorate of a public authority, consisting in storing in the personnel file of one of its officers data relating to his status as a suspect in a criminal investigation. It is irrelevant in that regard that that directorate obtained those data through another directorate belonging to the same public authority, the latter directorate being empowered to conduct that type of investigation.
The fifth and sixth questions
74 It must be observed that the fifth and sixth questions concern, in essence, the possibility for the officer concerned to obtain the erasure of the data at issue in the main proceedings from his or her personnel file on the basis of Article 17(1)(a) and (d) of the GDPR.
75 It is apparent from the file submitted to the Court that the national law governing the activities of the Ministry of the Interior lays down an obligation for that ministry to draw up and keep a personnel file for each officer of that ministry, and to establish a code of ethics, in respect of which those officers are bound, and requires that those officers, in order to carry out their duties, have not been convicted, investigated or prosecuted for an intentional criminal offence under ordinary law. Similarly, that law provides that the Minister for the Interior is the controller of data processing carried out by officers of the ministry and that he or she is to determine the detailed rules for the processing of data by way of an instruction.
76 In accordance with Article 17(1) of the GDPR, the data subject is to have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller is to have the obligation to erase those personal data without undue delay where one of the grounds set out in that provision applies.
77 That is the case, in accordance with Article 17(1)(a) of the GDPR, where the personal data ‘are no longer necessary in relation to the purposes for which they were collected or otherwise processed’ or, in accordance with Article 17(1)(d), where the data in question have been ‘unlawfully processed’.
78 As the Advocate General observed in point 69 of his Opinion, it is apparent from the fifth and sixth questions and from the statement of reasons for the request for a preliminary ruling, read together, that, by those questions, the referring court asks, more fundamentally, in order to be able to rule on the request for erasure made by the applicant in the main proceedings, whether the storage of the data at issue in the main proceedings in his personnel file is lawful.
79 In that regard, it should be observed that the first subparagraph of Article 6(1) of the GDPR sets out an exhaustive and restrictive list of the cases in which processing of personal data can be regarded as being lawful. Thus, in order to be capable of being regarded as such, processing must fall within one of the cases provided for in that provision (judgment of 4 October 2024, Agentsia po vpisvaniyata, C‑200/23, EU:C:2024:827, paragraph 94 and the case-law cited). Point (c) of the first subparagraph of Article 6(1) of the GDPR provides that the processing of personal data is to be lawful if processing is necessary for compliance with a legal obligation to which the controller is subject.
80 Article 6(3) of the GDPR states, inter alia, that the processing referred to in point (c) of the first subparagraph of Article 6(1) of that regulation must be based on EU or Member State law to which the controller is subject, and that that legal basis must meet an objective of public interest and be proportionate to the legitimate aim pursued (see, to that effect, judgment of 12 September 2024, HTB Neunte Immobilien Portfolio and Ökorenta Neue Energien Ökostabil IV, C‑17/22 and C‑18/22, EU:C:2024:738, paragraph 67 and the case-law cited).
81 It should also be observed that the ground for lawfulness laid down in point (c) of the first subparagraph of Article 6(1) of the GDPR, read in conjunction with Article 6(3) of that regulation, is reflected in Article 17(3)(b) of that regulation, which excludes the right to erasure provided for in Article 17(1), where, inter alia, the processing of data is necessary for compliance with a legal obligation which requires processing by EU or Member State law to which the controller is subject.
82 The Court has already held that, assuming that the processing of the personal data satisfies the ground for lawfulness laid down in point (c) of the first subparagraph of Article 6(1) of the GDPR, that regulation, and in particular the second subparagraph of Article 6(3) thereof, expressly lays down the requirement to strike a balance between, on the one hand, the fundamental rights to respect for private life and the protection of personal data, enshrined in Articles 7 and 8 of the Charter, and, on the other hand, the objectives legitimately pursued by EU law or the law of the Member States forming the basis of the legal obligation in respect of which processing is necessary to ensure compliance therewith (see, to that effect, judgment of 4 October 2024, Agentsia po vpisvaniyata, C‑200/23, EU:C:2024:827, paragraph 124 and the case-law cited).
83 In that context, it should be recalled that Article 52(1) of the Charter accepts that limitations may be imposed on the exercise of rights such as those set forth in Articles 7 and 8 of the Charter, as long as the limitations are provided for by law, respect the essence of those rights and freedoms and, subject to the principle of proportionality, are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others (judgment of 24 September 2019, GC and Others (De-referencing of sensitive data), C‑136/17, EU:C:2019:773, paragraph 58 and the case-law cited).
84 In those circumstances and having regard to the case-law set out in paragraph 64 above, it must be held that, by its fifth and sixth questions, the referring court asks, in essence, whether Article 17(3)(b) of the GDPR, read in conjunction with point (c) of the first subparagraph of Article 6(1) and Article 6(3) of that regulation and in the light of Article 52(1) of the Charter, must be interpreted as meaning that storage, in the personnel file of a police officer, for the purposes of managing his or her career and checking that that officer complies with the rules inherent in his or her duties, of personal data relating to his or her status as a suspect in the context of a suspended criminal investigation, where that officer has not been accused of or faced criminal charges for the offence concerned, may be regarded as justified for the purposes of compliance with a legal obligation to which the public authority, the employer of that police officer, is subject on the basis of national law.
85 It should be noted at the outset that, under Article 1(2) of the GDPR, read in conjunction with recitals 4 and 10, that regulation has the objective in particular of ensuring a high level of protection of the fundamental rights and freedoms of natural persons with respect to the processing of personal data; that right is also recognised in Article 8 of the Charter and is closely connected to the right to respect for private life, enshrined in Article 7 of the Charter (see, to that effect, judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C‑184/20, EU:C:2022:601, paragraph 61).
86 In that regard, in accordance with the settled case-law of the Court, any processing of personal data must, first, comply with the principles relating to the processing of data established in Article 5 of the GDPR and, secondly, in the light, in particular, of the principle of the lawfulness of processing, laid down in Article 5(1)(a), satisfy one of the conditions of the lawfulness of the processing listed in Article 6 of that regulation (judgment of 7 March 2024, Endemol Shine Finland, C‑740/22, EU:C:2024:216, paragraph 45 and the case-law cited).
87 It should also be recalled that, in accordance with Article 5 of the GDPR, the controller bears the burden of proving that those data are collected, inter alia, for specified, explicit and legitimate purposes, that they are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed and that they are processed lawfully, fairly and in a transparent manner in relation to the data subject (judgment of 4 October 2024, Agentsia po vpisvaniyata, C‑200/23, EU:C:2024:827, paragraph 97 and the case-law cited).
88 Furthermore, the justifications provided for in points (b) to (f) of the first subparagraph of Article 6(1) of that regulation, in so far as they allow the processing of personal data carried out in the absence of the data subject’s consent to be made lawful, must be interpreted restrictively (judgment of 4 October 2024, Agentsia po vpisvaniyata, C‑200/23, EU:C:2024:827, paragraph 96 and the case-law cited).
89 Although it is for the referring court to determine whether processing such as that at issue in the main proceedings is necessary for compliance with a legal obligation to which the controller is subject, within the meaning of Article 17(3)(b) of the GDPR, read in conjunction with point (c) of the first subparagraph of Article 6(1) and Article 6(3) of that regulation, the Court can nevertheless provide it with useful guidance to enable it to resolve the dispute before it (see, to that effect, judgment of 4 October 2024, Agentsia po vpisvaniyata, C‑200/23, EU:C:2024:827, paragraph 98 and the case-law cited).
90 As is apparent from the Court’s file and, in particular, from the explanations provided by the Bulgarian Government at the hearing, the storage of the data at issue in the main proceedings is based on several provisions contained in instructions, adopted by the Minister for the Interior on the basis of the ZMVR, in order to comply with his legal obligations under that law concerning the management of the personnel files of officers and disciplinary liability of those persons and by virtue of the authority conferred on him by that law to exercise a regulatory power. Consequently, it appears to follow from those factors that the processing of the data at issue in the main proceedings is likely to be necessary for compliance with legal obligations, within the meaning of point (c) of the first subparagraph of Article 6(1) of the GDPR, laid down by the applicable national legislation, which are implemented by the public authority responsible for processing in instructions of a regulatory nature which thus constitute the legal basis for the processing of data carried out by its officers.
91 The question therefore arises as to whether the basis for the processing, for the purposes of Article 6(3) of the GDPR, may be the result of a regulatory act adopted by a public authority of a Member State pursuant to a legal authorisation provided for in a legislative act in order to satisfy the legal obligations of that authority under the latter act.
92 As recital 41 of that regulation states, where it refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to obligations provided for under the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to data subjects, in accordance with the case-law of the Court of Justice of the European Union and the European Court of Human Rights.
93 In addition, recital 19 of the GDPR specifies that, with regard to the processing of personal data by competent authorities, within the meaning of Directive 2016/680, for purposes falling within the scope of the GDPR, Member States should be able to maintain or introduce more specific provisions to adapt the application of the rules of that regulation. Such provisions may determine more precisely specific requirements for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State.
94 Consequently, it must be inferred that Article 6(3) of the GDPR does not preclude the legal basis for the processing of personal data from being defined by the public authority responsible for processing in a regulatory act intended to implement the legal obligations imposed on it, for the purposes of point (c) of the first subparagraph of Article 6(1) of that regulation, provided that that authority is empowered by national law to adopt that act, that legal basis is clear and precise and its application is foreseeable for the data subjects.
95 In the present case, it is apparent from the Court’s file that instructions of the Minister for the Interior constitute regulatory acts adopted on the basis of the statutory authorisation provided for by the ZMVR and are published in the Bulgarian Official Journal. However, it is still necessary to ascertain, in particular, whether the purposes of the processing are clearly and precisely defined in that legal basis, thus making its application foreseeable, in accordance with Article 6(3) of the GDPR, read in the light of recital 41 of that regulation.
96 In the latter regard, it is apparent from the file submitted to the Court that the instructions of that authority refer, as regards the documents which must be included in the staff member’s personnel file, to documents relating to disciplinary proceedings.
97 It is for the referring court to assess whether, having regard to all the relevant provisions of Bulgarian law, such a reference may be interpreted in a sufficiently clear, precise and foreseeable manner as including the storage of data relating to a criminal investigation in respect of a member of staff, even where that officer has not been accused of or faced criminal charges for the offence concerned and that investigation has not given rise to disciplinary proceedings.
98 If so, it is necessary to consider whether, in accordance with the second subparagraph of Article 6(3) of the GDPR, the legal obligation concerned, in so far as it requires the processing of personal data such as that at issue in the main proceedings, meets an objective of public interest and is proportionate to the legitimate aim pursued.
99 As regards, first, whether the national legislation concerned meets an objective of public interest, the Bulgarian Government maintained, in essence, that there is a public interest in storing data such as those at issue in the main proceedings, having regard to the specific duties of police officers, which consist, in particular, in safeguarding public order and protecting the population.
100 In that regard, it is generally accepted, as the Advocate General observed in point 86 of his Opinion, that the duties of police officers require that they observe strict rules of conduct and, as is apparent from paragraph 45 of the present judgment, in Bulgaria, police officers must satisfy more stringent moral and ethical criteria than other categories of workers or employees thus demonstrating that they have the professional and human qualities necessary for the performance of their duties. Moreover, as was noted in paragraph 75 of the present judgment, those rules of conduct and those criteria are expressly laid down in the national law governing the activities of the Ministry of the Interior and its officers.
101 Thus, it may be considered that requiring police officers to meet such criteria falls within the scope of an objective of public interest and, consequently, a legitimate objective, within the meaning of Article 6(3) of the GDPR, namely, in essence, that of ensuring the probity of staff responsible, inter alia, for safeguarding public order and protecting the population.
102 Consequently, such a legitimate objective is capable of justifying the storage, in the personnel file of a police officer, of information relating, inter alia, to his or her status as a suspect in a criminal investigation, where that criminal investigation is ongoing or where that investigation has resulted in a prosecution or conviction against him or her, in so far as the competent authority may be required, in such cases, in order to ensure compliance with the rules of conduct and the criteria referred to in paragraph 100 of the present judgment, to take precautionary or, as the case may be, disciplinary measures.
103 By contrast, in a situation such as that at issue in the main proceedings, where the criminal investigation concerning the police officer concerned was ultimately suspended, the identity of the perpetrator of the acts could not be established, and where it was found that there was no evidence of the commission of an offence by that police officer and no disciplinary proceedings were brought against him, it is not apparent from the case file that national legislation providing for the storage of data relating to such an investigation is appropriate for the purpose of satisfying that legitimate objective.
104 Assuming, nevertheless, that the referring court reaches the conclusion that the national legislation at issue in the main proceedings satisfies a legitimate objective, it is also for that court to assess whether the national legislation requiring that processing is proportionate. In particular, as regards the storage of those data, Article 17(3)(b) of the GDPR must be interpreted in conjunction with Article 5(1)(e) of that regulation as meaning that, where the storage period in respect of those data exceeds that necessary for compliance with that obligation, the data subject is capable of recovering his or her right to erasure of those data, in particular on the ground set out in Article 17(1)(a) of that regulation. It will therefore be for the referring court, if necessary, to ascertain whether the storage period in respect of the data relating to the criminal procedure to which the applicant in the main proceedings was subject was not excessive.
105 It should be added that, in so far as Articles 7 to 11 of the GDPR, which appear, like Articles 5 and 6, in Chapter II of that regulation, which relates to ‘principles’, are intended to clarify the scope of the controller’s obligations under Article 5(1)(a) and Article 6(1) of that regulation, the processing of personal data, in order to be lawful, must also comply, as is apparent from the Court’s case-law, with the other provisions of that chapter which concern, in essence, consent, the processing of special categories of sensitive personal data and the processing of personal data relating to criminal convictions and offences (judgment of 4 May 2023, Bundesrepublik Deutschland (Court electronic mailbox), C‑60/22, EU:C:2023:373, paragraph 58 and the case-law cited).
106 The data at issue in the main proceedings constitute personal data ‘relating to criminal convictions and offences or related security measures’, within the meaning of Article 10 of the GDPR, the processing of which is subject to the additional conditions of lawfulness laid down in Article 10 of the GDPR, irrespective of the fact that, during the criminal investigation, the commission of the offence in respect of which the person was suspected was not established. In particular, under that provision, processing of those data ‘shall be carried out only under the control of official authority’, unless it is ‘authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects’ (see, to that effect, judgment of 24 September 2019, GC and Others (De-referencing of sensitive data), C‑136/17, EU:C:2019:773, paragraphs 72 and 73).
107 In the present case, as the Advocate General stated in point 98 of his Opinion, the processing at issue in the main proceedings is carried out exclusively within the Ministry of the Interior, which has the status of controller. Consequently, that processing is carried out ‘under the control of official authority’ within the meaning of Article 10 of the GDPR.
108 Lastly, as regards the request for erasure under Article 17 of the GDPR at issue in the main proceedings, it should be noted that, as the European Commission stated, if the referring court were to conclude, following its assessment of the lawfulness of that processing, that that processing is not lawful, it would be for the Ministry of the Interior, as controller, in accordance with Article 17(1)(d) of the GDPR, to erase the data concerned without undue delay, in so far as none of the exceptions provided for in Article 17(3) of the GDPR applies (see, to that effect, judgment of 4 October 2024, Agentsia po vpisvaniyata, C‑200/23, EU:C:2024:827, paragraph 118 and the case-law cited).
109 In the light of the foregoing, the answer to the fifth and sixth questions is that Article 17(3)(b) of the GDPR, read in conjunction with point (c) of the first subparagraph of Article 6(1) and Article 6(3) of that regulation and in the light of Article 52(1) of the Charter, must be interpreted as meaning that the storage, in the personnel file of a police officer, for the purposes of the management of his career and the monitoring of compliance, by that staff member, with the rules inherent in his or her duties, of personal data relating to his or her status as a suspect in a suspended criminal investigation, where that officer has not been accused of or faced criminal charges for the offence concerned, may be regarded as justified for the purposes of compliance with a legal obligation to which the public authority, the employer of that officer, is subject on the basis of national law, provided that that legal basis is clear and precise, that its application is foreseeable for data subjects and that that obligation meets an objective of public interest and is proportionate to that objective.
The tenth question
110 In the light of the answers to the first to third and fifth to ninth questions, from which it is apparent that the request for erasure of the data at issue in the main proceedings falls within the scope of the GDPR and, in particular, of Article 17 thereof, there is no need to answer the tenth question, since it concerns the same request, but under Article 16(2) of Directive 2016/680.
The eleventh question
111 By its eleventh question, the referring court asks, in essence, whether Article 1 of Directive 2000/78 must be interpreted as meaning that that directive precludes a public authority, one directorate of which is responsible for conducting criminal investigations of officers employed by that authority, from refusing, in its capacity as employer, to promote one of its officers on the sole ground that he or she had the status of suspect in such an investigation which was ultimately suspended, where that officer has not been accused of or faced criminal charges for the offence concerned.
112 In that regard, it should be recalled that, as is apparent from Article 1 of Directive 2000/78, the purpose of that directive is to lay down a general framework for combating discrimination on the grounds of religion or belief, disability, age or sexual orientation as regards employment and occupation. As is apparent, in particular, from Article 2(1) of that directive, those grounds are listed exhaustively (see, to that effect, judgments of 21 May 2015, SCMD, C‑262/14, EU:C:2015:336, paragraph 29 and the case-law cited, and of 9 March 2017, Milkova, C‑406/15, EU:C:2017:198, paragraph 34 and the case-law cited).
113 The refusal of professional advancement based on the status of suspect of a person who has been the subject of a criminal investigation which was ultimately suspended does not, therefore, fall within the scope of Directive 2000/78.
114 Furthermore, as regards discrimination on the basis of the employment relationship itself, the Court has held that such discrimination does not fall within the general framework laid down by Directive 2000/78 (judgment of 9 March 2017, Milkova, C‑406/15, EU:C:2017:198, paragraph 44 and the case-law cited).
115 Accordingly, the answer to the eleventh question is that Article 1 of Directive 2000/78 must be interpreted as meaning that that directive is not applicable where a public authority, one directorate of which is responsible for conducting criminal investigations concerning officers employed by that authority, refuses, in its capacity as employer, to promote one of its officers on the sole ground that he or she had the status of suspect in such an investigation that was ultimately suspended, where that officer has not been accused of or faced criminal charges for the offence concerned.
Costs
116 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Fifth Chamber) hereby rules:
1. Article 2(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and Article 9(1) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
must be interpreted as meaning that that regulation applies to the activity carried out by the directorate of a public authority, consisting in storing in the personnel file of one of its officers data relating to his status as a suspect in a criminal investigation. It is irrelevant in that regard that that directorate obtained those data through another directorate belonging to the same public authority, the latter directorate being empowered to conduct that type of investigation.
2. Article 17(3)(b) of Regulation 2016/679, read in conjunction with point (c) of the first subparagraph of Article 6(1) and Article 6(3) thereof, and in the light of Article 52(1) of the Charter of Fundamental Rights of the European Union,
must be interpreted as meaning that the storage, in the personnel file of a police officer, for the purposes of the management of his career and the monitoring of compliance, by that staff member, with the rules inherent in his or her duties, of personal data relating to his or her status as a suspect in a suspended criminal investigation, where that officer has not been accused of or faced criminal charges for the offence concerned, may be regarded as justified for the purposes of compliance with a legal obligation to which the public authority, the employer of that officer, is subject on the basis of national law, provided that that legal basis is clear and precise, that its application is foreseeable for data subjects and that that obligation meets an objective of public interest and is proportionate to that objective.
3. Article 1 of Council Directive 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation
must be interpreted as meaning that that directive is not applicable where a public authority, one directorate of which is responsible for conducting criminal investigations concerning officers employed by that authority, refuses, in its capacity as employer, to promote one of its officers on the sole ground that he or she had the status of suspect in such an investigation that was ultimately suspended, where that officer has not been accused of or faced criminal charges for the offence concerned.
[Signatures]