JUDGMENT OF THE COURT (Fifth Chamber)

24 February 2022 (*)

"Reference for a preliminary ruling - Protection of individuals with regard to the processing of
personal data - Regulation (EU) 2016/679 - Article 2 - Scope - Article 4 - Concept of 'processing' -
Article 5 - Principles relating to processing - Purpose limitation - Minimisation of data - Article 6 -
Lawfulness of processing - Processing necessary for the performance of a task carried out in the
public interest Article 6 - Lawfulness of processing - Processing necessary for the performance of
a task carried out in the public interest by the controller - Processing necessary for compliance
with a legal obligation to which the controller is subject - Article 23 - Limitations - Processing of
data for tax purposes - Request for communication of information relating to advertisements for
the sale of vehicles placed online - Proportionality".

In Case C-175/20,

reference for a preliminary ruling under Article 267 TFEU from the Administratīvā apgabaltiesa
(Regional Administrative Court, Latvia), made by decision of 11 March 2020, received at the Court
on 14 April 2020, in the proceedings

"SS" SIA

against

Valsts ieņēmumu dienests,

THE COURT (Fifth Chamber),

composed of: E. Regan, President of the Chamber, K. Lenaerts, President of the Court, acting for
the Fifth Chamber, C. Lycourgos, President of the Fourth Chamber, I. Jarukaitis and M. Ilešič
(Rapporteur), Judges,

Advocate General: M. Bobek,

Registrar: A. Calot Escobar,

Having regard to the written procedure

Having regard to the observations submitted :

- for 'SS' SIA, by Mr M. Ruķers,

- for the Latvian Government, initially by Ms K. Pommere, V. Soņeca and L. Juškeviča, and
subsequently by Ms K. Pommere, acting as Agents

- the Belgian Government, by J.-C. Halleux and P. Cottin, acting as Agents, assisted by C. Molitor,
lawyer,

- the Hellenic Government, by E.-M. Mamouna and O. Patsopoulou, acting as Agents,

- the Spanish Government, initially by J. Rodríguez de la Rúa Puig and S. Jiménez García, and
subsequently by J. Rodríguez de la Rúa Puig, acting as Agents,

- for the European Commission, initially by Mr H. Kranenborg and Mr D. Nardi and Ms I. Rubene,
and subsequently by Mr H. Kranenborg and Ms I. Rubene, acting as Agents,

having heard the Opinion of the Advocate General at the sitting on 2 September 2021

hereby gives the following judgment

Judgment

1 The reference for a preliminary ruling concerns the interpretation of Regulation (EU) 2016/679
of the European Parliament and of the Council of 27 April 2016 on the protection of individuals
with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and
corrigendum OJ 2018 L 127, p. 2), in particular Article 5(1) thereof.

2 The request was made in the context of a dispute between 'SS' SIA and Valsts ieņēmumu
dienests (Tax Administration, Latvia) (hereinafter the 'Latvian Tax Administration') concerning a
request for disclosure of information relating to vehicle sales advertisements published on SS's
website.

The legal framework

Union law

Regulation 2016/679

3 Regulation 2016/679, which is based on Article 16 TFEU, is applicable, by virtue of Article 99(2)
thereof, from 25 May 2018.

4 Recitals 1, 4, 10, 19, 26, 31, 39, 41 and 50 of that Regulation state:

"(1) The protection of individuals with regard to the processing of personal data is a fundamental
right. Article 8(1) of the Charter of Fundamental Rights of the European Union (hereinafter
referred to as "the Charter") and Article 16(1) [TFEU] provide that everyone has the right to the
protection of personal data concerning them.

[...]

(4) The processing of personal data should be designed to serve humanity. The right to the
protection of personal data is not an absolute right; it must be considered in relation to its
function in society and balanced against other fundamental rights in accordance with the
principle of proportionality. This Regulation respects all fundamental rights and observes the
freedoms and principles recognised by the Charter and enshrined in the Treaties, in particular
respect for private and family life, home and communications, protection of personal data,
freedom of thought, conscience and religion, freedom of expression and information, freedom of
enterprise, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic
diversity.

[...]

(10) In order to ensure a consistent and high level of protection for individuals and to remove
obstacles to the flow of personal data within the Union, the level of protection of the rights and
freedoms of individuals with regard to the processing of personal data should be equivalent in all
Member States. [...]

[...]

(19) The protection of individuals with regard to the processing of personal data by the
competent authorities for the purpose of the prevention, investigation, detection or prosecution
of criminal offences or the execution of criminal penalties, including the protection against and
prevention of threats to public security and the free flow of such data, is the subject of a specific
legal act of the Union. This Regulation should therefore not apply to processing activities carried
out for those purposes. However, personal data processed by public authorities under this
Regulation should, when used for those purposes, be governed by a more specific Union legal
act, namely Directive (EU) 2016/680 of the European Parliament and of the Council[, of 27 April
2016, on the protection of individuals with regard to the processing of personal data by
competent authorities for the purpose of the prevention, investigation, detection or prosecution
of criminal offences or the execution of criminal penalties and on the free movement of such data
and repealing Council Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89)]. [...]

[...]

(26) Data protection principles should be applied to any information relating to an identified or
identifiable natural person. [...] In determining whether a natural person is identifiable, account
should be taken of all the means likely reasonably to be used by the controller or by any other
person to identify the natural person directly or indirectly, such as targeting. [...]

[...]

(31) Public authorities to which personal data are disclosed pursuant to a legal obligation in the
exercise of their official functions, such as tax and customs authorities, financial investigation
units, independent administrative authorities or financial market authorities responsible for the
regulation and supervision of securities markets, should not be regarded as recipients if they
receive personal data which are necessary for the purpose of carrying out a particular enquiry in
the public interest in accordance with Union law or the law of a Member State. Requests for
access by public authorities should always be in writing, reasoned and occasional, and should not
relate to the whole of a file or lead to the interconnection of files. The processing of personal
data by the public authorities in question should be carried out in accordance with the applicable
data protection rules in relation to the purposes of the processing.

[...]

(39) [...] The principle of transparency requires that any information and communication relating
to the processing of such personal data should be easily accessible, easily understandable and
formulated in clear and simple terms. This principle applies, in particular, to information given to
data subjects on the identity of the controller and on the purposes of the processing as well as to
other information aimed at ensuring fair and transparent processing in respect of the natural
persons concerned and their right to obtain confirmation and communication of the personal
data relating to them which are being processed. Natural persons should be informed of the
risks, rules, safeguards and rights connected with the processing of personal data and how to
exercise their rights with regard to such processing. In particular, the specific purposes of the
processing of personal data should be explicit and legitimate and determined at the time of
collection of the personal data. Personal data should be adequate, relevant and restricted to what
is necessary for the purposes for which they are processed. This requires, inter alia, ensuring that
the period of storage of data is limited to the strict minimum. Personal data should only be
processed if the purpose of the processing cannot reasonably be achieved by other means. [...]

[...]

(41) Where this Regulation refers to a legal basis or a legislative measure, this does not
necessarily mean that the adoption of a legislative act by a Parliament is required, without
prejudice to the obligations under the constitutional order of the Member State concerned.
However, such a legal basis or legislative measure should be clear and precise and its application
should be foreseeable for litigants, in accordance with the case law of the Court [...] and the
European Court of Human Rights.

[...]

(50) Processing of personal data for purposes other than those for which the personal data were
originally collected should only be allowed if it is compatible with the purposes for which the
personal data were originally collected. In this case, no legal basis other than that on which the
personal data were originally collected is required. If the processing is necessary for the
performance of a task carried out in the public interest or in the exercise of official authority
vested in the controller, Union law or the law of a Member State may determine and specify the
tasks and purposes for which further processing should be considered compatible and lawful.
Further processing for archival purposes in the public interest, for scientific or historical research
purposes or for statistical purposes should be considered as compatible lawful processing. The
legal basis under Union law or the law of a Member State for the processing of personal data
may also constitute the legal basis for further processing. In order to establish whether the
purposes of further processing are compatible with those for which the personal data were
originally collected, the controller, after having complied with all requirements relating to the
lawfulness of the original processing, should take into account, inter alia any link between those
purposes and the purposes of the intended further processing; the context in which the personal
data were collected, in particular the reasonable expectations of the data subjects, in the light of
their relationship with the controller, as to the further use of those data; the nature of the
personal data; the consequences for the data subjects of the intended further processing; and the
existence of appropriate safeguards in both the initial and the intended further processing. "

5 Article 2 of Regulation 2016/679, entitled "Material scope", states:

" 1. This Regulation shall apply to the processing of personal data wholly or partly by
automatic means, and to the processing otherwise than by automatic means of personal data
which form part of a filing system or are intended to form part of a filing system.
2. This Regulation shall not apply to the processing of personal data carried out :

(a) in the course of an activity which falls outside the scope of Union law ;

(b) by Member States in the course of activities which fall within the scope of Chapter 2 of Title V
of the Treaty on European Union;

(c) by a natural person in the course of a strictly personal or domestic activity

(d) by the competent authorities for the purpose of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal penalties, including protection
against and prevention of threats to public security.

[...] "

6 Article 4 of this Regulation, entitled "Definitions", reads as follows:

"For the purposes of this Regulation, the following definitions shall apply:

1) "personal data" means any information relating to an identified or identifiable natural person
(hereinafter referred to as "data subject"); an "identifiable natural person" is one who can be
identified, directly or indirectly, in particular by reference to an identifier, such as a name, an
identification number, location data, an online identifier, or to one or more factors specific to his
or her physical, physiological, genetic, mental, economic, cultural or social identity;

2) "processing" means any operation or set of operations which is performed upon personal data
or sets of personal data, whether or not by automatic means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure
by transmission, dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction;

[...]

(6) 'filing system' means any structured set of personal data which are accessible according to
specified criteria, whether centralised, decentralised or distributed on a functional or
geographical basis

(7) 'controller' means the natural or legal person, public authority, agency or other body which
alone or jointly with others determines the purposes and means of the processing; [...]

[...]

(9) 'recipient' means the natural or legal person, public authority, agency or any other body to
whom personal data are disclosed, whether a third party or not. However, public authorities
which may receive personal data in the context of a particular enquiry in accordance with Union
law or the law of a Member State shall not be regarded as recipients; the processing of such data
by the public authorities in question shall be in accordance with the applicable data protection
rules depending on the purposes of the processing;
[...] "

7 According to Article 5 of that Regulation, entitled "Principles for the processing of personal
data":

" 1. Personal data must be :

(a) processed lawfully, fairly and transparently in relation to the data subject (lawfulness, fairness,
transparency) ;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way
incompatible with those purposes; [...] (purpose limitation) ;

(c) adequate, relevant and limited to what is necessary for the purposes for which they are
processed (data minimisation);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to
ensure that personal data which are inaccurate, having regard to the purposes for which they are
processed, are erased or rectified without delay (accuracy);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for
the purposes for which they are processed; [...] (limitation of storage) ;

(f) processed in such a way as to ensure appropriate security of personal data, including
protection against unauthorised or unlawful processing and against accidental loss, destruction
or damage, by means of appropriate technical or organisational measures (integrity and
confidentiality);

2. The controller shall be responsible for compliance with paragraph 1 and shall be able to
demonstrate that it is complied with (accountability).

8 Article 6 of the same Regulation, entitled "Lawfulness of processing", provides:

" 1. Processing shall be lawful only if and insofar as at least one of the following conditions is
met

(a) the data subject has consented to the processing of his personal data for one or more specific
purposes ;

(b) processing is necessary for the performance of a contract to which the data subject is party or
for the performance of pre-contractual measures taken at the request of the data subject

(c) processing is necessary for compliance with a legal obligation to which the controller is
subject

(d) processing is necessary to protect the vital interests of the data subject or of another natural
person
(e) processing is necessary for the performance of a task carried out in the public interest or in
the exercise of official authority vested in the controller

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller
or by a third party, unless the interests or fundamental rights and freedoms of the data subject
which require the protection of personal data prevail, in particular where the data subject is a
child.

Point (f) of the first subparagraph shall not apply to processing by public authorities in the
performance of their tasks.

2. Member States may maintain or introduce more specific provisions to adapt the application
of the rules of this Regulation in relation to processing for the purpose of complying with
paragraph 1(c) and (e), by determining more precisely the specific requirements applicable to the
processing and other measures to ensure lawful and fair processing, including in other specific
processing situations as provided for in Chapter IX.

3. The basis for the processing referred to in paragraph 1(c) and (e) shall be defined by :

(a) Union law; or

(b) the law of the Member State to which the controller is subject.

The purposes of the processing shall be defined in that legal basis or, in the case of the
processing referred to in paragraph 1(e), are necessary for the performance of a task carried out
in the public interest or in the exercise of official authority vested in the controller. [Union law or
the law of the Member States shall serve a public interest objective and be proportionate to the
legitimate aim pursued.

4. Where processing for a purpose other than that for which the data were collected is not
based on the consent of the data subject or on Union or Member State law which constitutes a
necessary and proportionate measure within a democratic society to safeguard the objectives
referred to in Article 23(1), the controller shall, in order to determine whether processing for
another purpose is compatible with the purpose for which the personal data were originally
collected, take into account, inter alia :

(a) whether there is a link between the purposes for which the personal data were collected and
the purposes of the further processing envisaged

(b) the context in which the personal data were collected, in particular as regards the relationship
between the data subjects and the controller

(c) the nature of the personal data, in particular if special categories of personal data are
processed under Article 9 or if personal data relating to criminal convictions and offences are
processed under Article 10

(d) the possible consequences of the proposed further processing for the data subjects;

(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
9 Under Article 13(3) of Regulation 2016/679:

"Where the controller intends to further process personal data for a purpose other than that for
which the personal data were collected, the controller shall provide the data subject in advance
with information about that other purpose and any other relevant information referred to in
paragraph 2."

10 Article 14 of this Regulation states:

" 1. Where the personal data have not been obtained from the data subject, the controller
shall provide the data subject with all the following information:

[...]

(c) the purposes of the processing operation for which the personal data are intended and the
legal basis for the processing;

[...]

5. Paragraphs 1 to 4 shall not apply where and insofar as:

[...]

(c) obtaining or providing the information is expressly provided for by Union law or the law of the
Member State to which the controller is subject and which provides for appropriate measures to
protect the data subject's legitimate interests; [...]

[...] "

11 According to Article 23(1)(e) of that Regulation:

"Union law or the law of the Member State to which the controller or the processor is subject
may, by means of legislative measures, restrict the scope of the obligations and rights provided
for in Articles 12 to 22 and Article 34, as well as in Article 5 insofar as the provisions of the law in
question correspond to the rights and obligations provided for in Articles 12 to 22, where such
restriction respects the essence of fundamental rights and freedoms and is a necessary and
proportionate measure within a democratic society to ensure:

[...]

(e) other important objectives of general public interest of the Union or of a Member State, in
particular an important economic or financial interest of the Union or of a Member State,
including monetary, budgetary and taxation matters, public health and social security ;

[...] "

12 Article 25(2) of Regulation 2016/679 states:

"The controller shall implement appropriate technical and organisational measures to ensure
that, by default, only personal data that are necessary for each specific purpose of the processing
are processed. This applies to the amount of personal data collected, the extent of their
processing, their storage period and their accessibility. In particular, these measures shall ensure
that, by default, personal data are not made accessible to an indeterminate number of natural
persons without the involvement of the natural person concerned."

Directive 2016/680

13 Recitals 10 and 11 of Directive 2016/680 state:

"(10) In Declaration No 21 on the protection of personal data in the field of judicial cooperation
in criminal matters and police cooperation, annexed to the Final Act of the Intergovernmental
Conference which adopted the Treaty of Lisbon, the Conference recognised that specific rules on
the protection of personal data and on the free movement of personal data in the fields of
judicial cooperation in criminal matters and police cooperation based on Article 16 [TFEU] might
be necessary due to the specific nature of these fields.

(11) These areas should therefore be governed by a Directive laying down specific rules on the
protection of individuals with regard to the processing of personal data by competent authorities
for the purpose of the prevention, investigation, detection or prosecution of criminal offences or
the execution of criminal penalties, including protection against and prevention of threats to
public security, while respecting the specific nature of those activities. The competent authorities
in question may include not only public authorities such as the judiciary, the police or other law
enforcement authorities, but also any other body or entity entrusted by the law of a Member
State with the exercise of public authority and the exercise of public powers for the purposes of
this Directive. Where such a body or entity processes personal data for purposes other than those
provided for in this Directive, Regulation [2016/679] shall apply. Therefore, Regulation [2016/679]
shall apply where a body or entity collects personal data for other purposes and further
processes them to comply with a legal obligation to which it is subject. [...] "

14 Article 3 of this Directive states:

"For the purposes of this Directive, the following definitions shall apply:

[...]

7. "competent authority" means :

(a) any public authority competent for the prevention, investigation, detection or prosecution of
criminal offences or the execution of criminal penalties, including protection against and
prevention of threats to public security; or

(b) any other body or entity to which the law of a Member State entrusts the exercise of public
authority and the exercise of public prerogatives for the purpose of the prevention, investigation,
detection or prosecution of criminal offences or the execution of criminal penalties, including
protection against and prevention of threats to public security ;

[...] "
Latvian law

15 Under Article 15(6) of the likums 'Par nodokļiem un nodevām' (the Law on Taxes and Fees,
Latvijas Vēstnesis, 1995, No 26), in the version applicable to the dispute in the main proceedings
(hereinafter the 'Law on Taxes and Fees'), the provider of internet advertisement services is
obliged to provide, at the request of the Latvian tax authorities, the information available to it
concerning taxpayers who have published advertisements using its services.

The main proceedings and the questions referred for a preliminary ruling

16 SS is a provider of internet advertisement services established in Latvia.

17 On 28 August 2018, the Latvian tax authorities sent SS a request for information based on
Article 15(6) of the Law on Taxes and Duties, in which they asked SS to restore the tax authorities'
access to the chassis numbers of the vehicles advertised on the company's internet portal and to
the telephone numbers of the sellers and to provide SS with those numbers by 3 September 2018
at the latest, information on the advertisements published during the period between 14 July and
31 August 2018 in the section entitled "Private cars" on this portal.

18 That request specified that that information, including the link to the advertisement, the text
of the advertisement, the make, model, chassis number and price of the vehicle, and the seller's
telephone number, was to be submitted electronically, in a format which allowed the data to be
filtered or selected.

19 Furthermore, if access to the information contained in the advertisements published on the

internet portal in question could not be restored, SS was requested to state the reason for that
and to provide, by the third day of each month, the relevant information relating to the
advertisements published during the previous month.

20 Taking the view that the Latvian tax authority's request for disclosure did not comply with the
principles of proportionality and minimisation of personal data, enshrined in Regulation
2016/679, SS lodged a complaint against that request with the acting Director General of the
Latvian tax authority.

21 By decision of 30 October 2018, the latter rejected that complaint, stating, inter alia, that, in
the context of the processing of the personal data at issue in the main proceedings, the Latvian
tax administration was exercising the powers conferred on it by law.

22 SS brought an action before the administratīvā rajona tiesa (District Administrative Court,
Latvia) seeking to have that decision annulled. In addition to the arguments it had set out in its
complaint, it argued therein that that decision did not indicate the specific purpose of the
processing of personal data envisaged by the Latvian tax authorities, nor the amount of data
necessary for it, in breach of Article 5(1) of Regulation 2016/679.

23 By judgment of 21 May 2019, the administratīvā rajona tiesa (District Administrative Court)
dismissed that action, stating, in substance, that the Latvian tax administration was entitled to
request access to information relating to any person and in unlimited quantities, unless that
information was considered incompatible with the purposes relating to tax collection. The court
also held that the provisions of Regulation 2016/679 were not applicable to this administration.

24 SS appealed against that judgment to the national court, arguing, first, that the Latvian tax
authorities were subject to the provisions of Regulation 2016/679 and, second, that, by requiring
a large amount of personal data relating to an unlimited number of advertisements on a monthly
basis and without any time-limit, without identifying the taxpayers in respect of whom a tax audit
would be initiated, those authorities had infringed the principle of proportionality.

25 The national court states that, in the context of the dispute in the main proceedings, it is not
disputed that the execution of the request for access at issue is intrinsically linked to the
processing of personal data, or that the Latvian tax authorities are entitled to obtain information
which is available to a provider of internet advertising services and is necessary for the execution
of specific tax collection measures.

26 The dispute in the main proceedings concerns the amount and type of information which may
be requested by the Latvian tax authorities, whether that information is limited or unlimited, and
whether the obligation to provide information to which SS is subject must be limited in time.

27 In particular, the referring court considers that it is for it to determine whether, in the
circumstances of the main proceedings, the processing of personal data is carried out in a
transparent manner in relation to the data subjects, whether the information specified in the
request for communication at issue is requested for specified, explicit and legitimate purposes,
and whether the processing of personal data is carried out only in so far as it is actually necessary
for the performance of the functions of the Latvian tax administration, within the meaning of
Article 5(1) of Regulation 2016/679.

28 To that end, it would be necessary to define the criteria for assessing whether a request for
communication from the Latvian tax administration respects the essence of fundamental rights
and freedoms and whether the request for communication at issue in the main proceedings can
be regarded as necessary and proportionate in a democratic society in order to guarantee
important objectives of the Union and of Latvian public interests in budgetary and tax matters.

29 In those circumstances, the Administratīvā apgabaltiesa (Regional Administrative Court, Latvia)

decided to stay the proceedings and to refer the following questions to the Court for a
preliminary ruling:

"(1) Are the requirements of Regulation [2016/679] to be interpreted as meaning that a request
for communication from the tax authorities, such as that at issue in the main proceedings, which
involves a significant amount of personal data, must comply with the requirements set out in the
provisions of Regulation 2016/679 (in particular, in Article 5(1))?

2. Are the requirements of Regulation [2016/679] to be interpreted as meaning that the tax
authorities may derogate from the provisions of Article 5(1) of Regulation [2016/679], even
though such a right is not conferred on them by the legislation in force in Latvia?

3. Having regard to the requirements of Regulation [2016/679], is there a legitimate objective

justifying the obligation imposed by a request for disclosure, such as that at issue in the present
case, to provide all the information requested in unlimited quantities and for an indefinite period
of time, without an end date being set for the execution of the request for disclosure?

4) Having regard to the requirements of Regulation [2016/679], is there a legitimate aim

justifying the obligation imposed by a request for access, such as that at issue in this case, to
provide all the data requested, even though the request for access does not specify the purpose
for which the information is to be provided (or does so incompletely)?

5) In the light of the requirements of Regulation [2016/679], is there a legitimate aim justifying
the obligation imposed by a request for disclosure, such as the one at issue in the present case,
to provide all the data requested, even though in practice the request is directed at all the data
subjects who have published advertisements in the section entitled 'Private car' on a portal?

6) What criteria should be used to verify that the tax administration, as controller, adequately
ensures that the processing (including the collection of information) complies with the
requirements of Regulation [2016/679]?

7) What criteria should be used to determine whether a request for communication, such as the
one at issue in this case, is properly reasoned and of a casual nature?

8) What criteria should be used to verify that a processing of personal data is carried out to the
extent necessary and in a manner compatible with the requirements of Regulation [2016/679]?

9) What criteria should be used to verify that the tax authority, as controller, ensures that a data
processing operation complies with the requirements of Article 5(1) of Regulation [2016/679]
(responsibility)?"

The questions referred for a preliminary ruling

The first question

30 By its first question, the referring court asks, in essence, whether the provisions of Regulation
2016/679 must be interpreted as meaning that the collection by the tax authorities of a Member
State from an economic operator of information involving a significant amount of personal data
is subject to the requirements of that regulation, in particular those set out in Article 5(1) thereof.

31 In order to answer that question, it is necessary to ascertain, first, whether such a request falls
within the material scope of Regulation 2016/679, as defined in Article 2(1) thereof, and, second,
whether it is not among the processing of personal data which Article 2(2) of that regulation
excludes from that scope.

32 In the first place, under Article 2(1) of that regulation, Regulation 2016/679 applies to the
processing of personal data wholly or partly by automatic means, and to the processing
otherwise than by automatic means of personal data which form part of a filing system or are
intended to form part of a filing system.

33 Article 4(1) of Regulation 2016/679 specifies that 'personal data' means any information
relating to an identified or identifiable natural person, that is to say, a natural person who can be
identified, directly or indirectly, in particular by reference to an identifier, such as a name, an
identification number, location data, an online identifier, or to one or more factors specific to his
or her physical, physiological, genetic, mental, economic, cultural or social identity. Recital 26 of
that regulation states in that regard that, in order to determine whether a natural person is
identifiable, account must be taken of all the means likely to be reasonably used by the controller
or by any other person to identify the natural person directly or indirectly.

34 In the context of the dispute in the main proceedings, it is common ground that the
information of which the Latvian tax authorities are requesting disclosure constitutes personal
data within the meaning of Article 4(1) of Regulation 2016/679.

35 Under Article 4(2) of that regulation, the collection, consultation, communication by

transmission and any form of making available of personal data constitute 'processing' within the
meaning of that regulation. It is apparent from the wording of that provision, in particular the
expression 'any operation', that the Union legislature intended the concept of 'processing' to
have a broad scope. That interpretation is corroborated by the non-exhaustive nature, expressed
by the phrase 'such as', of the operations referred to in that provision.

36 In the present case, the Latvian tax authorities require the economic operator concerned to
restore access by those authorities to the chassis numbers of vehicles advertised on their internet
portal and to provide them with information on the advertisements published on that portal.

37 Such a request, by which the tax authority of a Member State asks an economic operator to
communicate and make available personal data which the latter is required to provide and make
available to that authority under the national legislation of that Member State, initiates a process
of 'collection' of those data, within the meaning of Article 4(2) of Regulation 2016/679.

38 Furthermore, the communication and making available of those data to that administration by
the economic operator in question involves 'processing', within the meaning of Article 4(2).

39 In the second place, it is necessary to consider whether the operation by which the tax
administration of a Member State seeks to collect from an economic operator personal data
concerning certain taxpayers may be regarded as being excluded from the scope of Regulation
2016/679 by virtue of Article 2(2) thereof.

40 In that regard, it should be recalled, at the outset, that that provision provides for exceptions
to the scope of that regulation, as defined in Article 2(1) thereof, and that those exceptions must
be interpreted strictly (judgment of 16 July 2020 in Case C-311/18 Facebook Ireland and Schrems,
EU:C:2020:559, paragraph 84).

41 In particular, Article 2(2)(d) of Regulation 2016/679 provides that the latter does not apply to
the processing of personal data carried out by the competent authorities for the purpose of the
prevention, investigation, detection or prosecution of criminal offences or the execution of
criminal penalties.

42 As is apparent from recital 19 of that regulation, that exception is motivated by the fact that
the processing of personal data for such purposes by the competent authorities is governed by a
specific Union act, namely Directive 2016/680, which was adopted on the same day as Regulation
2016/679 and which defines, Article 3(7) of that directive defines what is to be understood by
'competent authority', a definition which is to be applied, by analogy, to Article 2(2)(d) of that
regulation (see, to that effect, Case C-439/19 Latvijas Republikas Saeima (Penalty points) EU:
C:2021:504, paragraph 69].

43 It follows from recital 10 of Directive 2016/680 that the concept of 'competent authority' must
be understood in relation to the protection of personal data in the field of judicial cooperation in
criminal matters and police cooperation, taking into account the adjustments which may be
necessary in that regard owing to the specific nature of those areas. Furthermore, recital 11 of
that directive states that Regulation 2016/679 applies to the processing of personal data carried
out by a 'competent authority' within the meaning of Article 3(7) of that directive, but for
purposes other than those provided for in that directive (judgment of 22 June 2021 in Case C-
439/19 Latvijas Republikas Saeima (Penalty points), EU:C:2021:504, paragraph 70).

44 Thus, when it requests an economic operator to communicate to it personal data relating to

certain taxpayers for the purposes of collecting tax and combating tax fraud, it does not appear
that the tax administration of a Member State can be regarded as a 'competent authority' within
the meaning of Article 3(7) of Directive 2016/680 and, consequently, that such requests for
information can fall within the exception provided for in Article 2(2)(d) of Regulation 2016/679.

45 Furthermore, even if it cannot be ruled out that the personal data at issue in the main
proceedings may be used in the context of criminal proceedings which might be brought, in the
event of an offence in the field of taxation, against some of the data subjects, it does not appear
that those data are collected for the specific purpose of carrying out such criminal proceedings or
in the context of the activities of the State relating to areas of criminal law (see, to that effect,
Case C-73/16 Puškár [2017] ECR I-0000, at paragraph 7): C:2017:725, paragraph 40).

46 Therefore, the collection by the tax authorities of a Member State of personal data relating to
advertisements for the sale of vehicles published on the website of an economic operator falls
within the material scope of Regulation 2016/679 and, consequently, that collection must comply,
in particular, with the principles relating to the processing of personal data set out in Article 5 of
that regulation.

47 Having regard to all the foregoing considerations, the answer to the first question is that the
provisions of Regulation 2016/679 must be interpreted as meaning that the collection by the tax
authorities of a Member State from an economic operator of information involving a significant
amount of personal data is subject to the requirements of that regulation, in particular those set
out in Article 5(1) thereof.

The second question

48 By its second question, the national court asks, in essence, whether the provisions of
Regulation No 2016/679 must be interpreted as meaning that the tax authorities of a Member
State may derogate from the provisions of Article 5(1) of that regulation even though such a right
has not been granted to them by the national law of that Member State.

49 As a preliminary point, it should be recalled that, as is apparent from its recital 10, Regulation
2016/679 aims, inter alia, to ensure a high level of protection for natural persons within the
Union.
50 To that end, Chapters II and III of Regulation 2016/679 set out, respectively, the principles
governing the processing of personal data and the rights of the data subject that must be
respected in any processing of personal data. In particular, any processing of personal data must,
inter alia, comply with the principles relating to the processing of such data set out in Article 5 of
that regulation (see, to that effect, Case C-511/18, C-512/18 and C-520/18 La Quadrature du Net
and Others, EU:C:2020:791, paragraph 208).

51 Article 23 of Regulation 2016/679, however, allows the Union and the Member States to adopt
'legislative measures' limiting the scope of the obligations and rights provided for, inter alia, in
Article 5 of that regulation in so far as they correspond to the rights and obligations provided for
in Articles 12 to 22 of that regulation, where such a restriction respects the essence of
fundamental rights and freedoms and constitutes a necessary and proportionate measure in a
democratic society to safeguard important objectives of general public interest of the Union or of
the Member State concerned, such as, in particular, an important economic or financial interest,
including in the budgetary and taxation fields.

52 In that regard, it follows from recital 41 of Regulation 2016/679 that the reference in that
regulation to a 'legislative measure' does not necessarily imply that the adoption of a legislative
act by a parliament is required.

53 That being so, it should be recalled that, as stated in recital 4, Regulation 2016/679 respects all
fundamental rights and observes the freedoms and principles recognised by the Charter and
enshrined in the Treaties, which include, in particular, the protection of personal data.

54 Under the first sentence of Article 52(1) of the Charter, any limitation on the exercise of the
rights and freedoms recognised by the Charter, which include, in particular, the right to respect
for private life, guaranteed by Article 7 of the Charter, and the right to the protection of personal
data, enshrined in Article 8 of the Charter, must be provided for by law, which implies, in
particular, that the legal basis which permits interference with those rights must itself define the
scope of the limitation on the exercise of the right concerned (see, to that effect, judgment of 6
October 2020 in Case C-623/17 Privacy International, EU: C:2020:790, paragraph 65, and the case-
law cited).

55 In that regard, the Court has held, moreover, that the legislation containing a measure
permitting such interference must lay down clear and precise rules governing the scope and
application of the measure at issue and imposing minimum requirements, so that the persons
whose personal data have been transferred have sufficient guarantees to protect those data
effectively against the risk of abuse (see, to that effect, Case C-746/18 Prokuratuur (Conditions of
access to data relating to electronic communications), EU: C:2021:152, paragraph 48, and the
case-law cited therein).

56 Consequently, any measure adopted under Article 23 of Regulation 2016/679 must, as the
Union legislature has, moreover, emphasised in recital 41 of that regulation, be clear and precise
and its application foreseeable for litigants. In particular, the latter must be able to identify the
circumstances and conditions in which the scope of the rights conferred on them by that
regulation may be limited.

57 It follows from the foregoing considerations that the tax authorities of a Member State cannot
derogate from the provisions of Article 5 of Regulation 2016/679 in the absence of a clear and
precise legal basis in Union law or in national law, the application of which is foreseeable for
those subject to the law, providing for the circumstances and conditions in which the scope of
the obligations and rights provided for in Article 5 may be limited.

58 Therefore, the answer to the second question is that the provisions of Regulation 2016/679
must be interpreted as meaning that the tax authorities of a Member State may not derogate
from the provisions of Article 5(1) of that regulation where such a right has not been granted to
them by a legislative measure within the meaning of Article 23(1) thereof.

The third to ninth questions

59 By its third to ninth questions, which must be considered together, the national court asks, in
essence, whether the provisions of Regulation 2016/679 must be interpreted as precluding the
tax authorities of a Member State from requiring a provider of internet advertisement services to
communicate to it, for an indefinite period and without specifying the purpose of that request for
communication, information relating to all taxpayers who have published advertisements in one
of the sections of its internet portal.

60 As a preliminary point, it should be observed that two processing operations involving

personal data are likely to take place in a situation such as that at issue in the main proceedings.
As is apparent from paragraphs 37 and 38 of this judgment, they are the collection of personal
data by the tax authorities from the service provider concerned and, in that context, the
communication by transmission of those data by that provider to those authorities.

61 As is apparent from the case-law cited in paragraph 50 of this judgment, each of those
processing operations must, subject to the derogations permitted by Article 23 of Regulation
2016/679, comply with the principles relating to the processing of personal data set out in Article
5 of that regulation and the rights of the data subject set out in Articles 12 to 22 thereof.

62 In the present case, the referring court questions, in particular, the fact that, first, the
processing operations referred to in paragraph 60 of this judgment concern unlimited amounts
of information relating to an indefinite period and, second, that the purpose of those processing
operations is not specified in the request for disclosure.

63 In that regard, it should be pointed out, first, that Article 5(1)(b) of Regulation 2016/679
provides that personal data must be collected, in particular, for specified, explicit and legitimate
purposes.

64 First, the requirement that the purposes of the processing must be specified implies, as
follows from recital 39 of that regulation, that those purposes must be identified, at the latest,
when the personal data are collected.

65 Secondly, the purposes of the processing must be explicit, which means that they must be
clearly stated.

66 Finally, these purposes must be legitimate. It is therefore important that they ensure lawful
processing within the meaning of Article 6(1) of the Regulation.
67 The processing operations referred to in paragraph 60 of this judgment are initiated by the
request for communication of personal data which the Latvian tax authorities send to the
provider of internet advertisement services. It appears, in that regard, that, under Article 15(6) of
the Law on Taxes and Duties, that provider is obliged to comply with such a request.

68 In the light of the considerations set out in paragraphs 64 and 65 of this judgment, it is
necessary that the purposes of such processing be clearly stated in that request.

69 Provided that the purposes thus set out in that request are necessary for the performance of a
task carried out in the public interest or in the exercise of official authority vested in the tax
authorities, that circumstance is sufficient, as follows from the first subparagraph of Article 6(1),
first indent, and Article 6(3)(e) of Regulation No 2016/679, read in conjunction with the second
subparagraph of Article 6(3) of that regulation, for those processing operations also to satisfy the
requirement of lawfulness referred to in paragraph 66 of this judgment.

70 In that regard, it should be recalled that the collection of taxes and the fight against tax fraud
must be regarded as tasks in the public interest within the meaning of Article 6(1), first
subparagraph, point (e), of Regulation 2016/679 (see, by analogy, Case C-73/16 Puškár [2017]
ECR I-0000, paragraph 108).

71 It follows that, in a case where the communication of the personal data at issue is not directly
based on the legal provision on which it is based, but results from a request from the competent
public authority it is necessary for that request to specify the specific purposes of that collection
of data with regard to the task of public interest or the exercise of public authority, in order to
enable the recipient of that request to ensure that the transmission of the personal data in
question is lawful and to enable the national courts to review the lawfulness of the processing
operations concerned.

72 In the second place, in accordance with Article 5(1)(c) of Regulation 2016/679, personal data
must be adequate, relevant and restricted to what is necessary for the purposes for which they
are processed.

73 In that regard, it should be recalled that, according to settled case-law, derogations from and
restrictions on the principle of the protection of such data must be limited to what is strictly
necessary (see, to that effect, Case C-439/19 Latvijas Republikas Saeima (Penalty points) [2007]
ECR I-0000, paragraph 110, and the case-law cited).

74 It follows that the controller, including where it acts in the context of the public interest task
with which it has been entrusted, may not collect personal data in a general and indiscriminate
manner and must refrain from collecting data which are not strictly necessary for the purposes of
the processing.

75 In the present case, it should be noted that, as is apparent from paragraphs 17 to 19 of this
judgment, the Latvian tax authorities requested the economic operator concerned to provide
them with data relating to advertisements for the sale of passenger cars published on their
website between 14 July and 31 August 2018 and, in the event that access to that information
could not be restored, to provide it, by the third day of each month, with data relating to
passenger car sales advertisements published on its website during the previous month, without
attaching any time limit to the latter request.
76 Having regard to the considerations set out in paragraph 74 of this judgment, it is for the
national court to ascertain whether the purpose of collecting those data can be achieved without
the Latvian tax authorities potentially having at their disposal data relating to all the passenger
car sales advertisements published on that operator's internet site and, in particular, whether it is
conceivable that those authorities might target certain advertisements by means of specific
criteria.

77 In that context, it should be emphasised that, in accordance with the principle of

accountability set out in Article 5(2) of Regulation 2016/679, the controller must be able to
demonstrate compliance with the principles relating to the processing of personal data set out in
paragraph 1 of that article.

78 Therefore, it is for the Latvian tax authorities to establish that, in accordance with Article 25(2)
of that regulation, they have sought to minimise as far as possible the amount of personal data
to be collected.

79 As regards the fact that the request for access sent by the Latvian tax authorities does not, in
the event that the advertisement service provider concerned does not provide access to the
advertisements published during the period targeted in the request, provide for any time-limit, it
must be borne in mind that, in the light of the principle of data minimisation, the controller is
also required to limit the period of collection of the personal data in question to what is strictly
necessary, in the light of the purpose of the processing envisaged.

80 Consequently, the period of collection cannot exceed the period strictly necessary to achieve
the objective of general interest pursued.

81 As is clear from paragraph 77 of this judgment, the burden of proof in that regard lies with the
Latvian tax authorities.

82 However, the fact that those data are collected without the Latvian tax authorities having
defined, in the request for disclosure itself, a time-limit for such processing does not, as such,
allow the duration of the processing to be considered to exceed the time strictly necessary to
achieve the objective pursued.

83 In that context, it should nevertheless be recalled that, in order to satisfy the requirement of
proportionality to which Article 5(1)(c) of Regulation 2016/679 gives expression (see, to that
effect, Case C-439/19 Latvijas Republikas Saeima (Penalty points), EU:C:2021: 504, paragraph 98,
and the case-law cited therein], the rules on which the processing is based must lay down clear
and precise rules governing the scope and application of the measure at issue and imposing
minimum requirements, so that the persons whose personal data are concerned have sufficient
safeguards to protect those data effectively against the risks of abuse. Those rules must be legally
binding under domestic law and, in particular, must indicate in what circumstances and under
what conditions a measure providing for the processing of such data may be taken, thereby
ensuring that the interference is limited to what is strictly necessary (judgment of 6 October 2020
in Case C-623/17 Privacy International, EU:C:2020:790, paragraph 68, and the case-law cited).

84 It follows that the national rules governing a request for disclosure such as that at issue in the
main proceedings must be based on objective criteria for defining the circumstances and
conditions under which an online service provider is required to transmit personal data relating
to its users (see, to that effect, Case C-623/17 Privacy International, EU:C:2020:790, paragraph 78,
and the case-law cited).

85 Having regard to all the foregoing considerations, the answer to the third to ninth questions is
that the provisions of Regulation 2016/679 must be interpreted as not precluding the tax
authorities of a Member State from requiring a provider of internet advertisement services to
communicate to them information relating to taxpayers who have published advertisements in
one of the sections of its internet portal, provided that, in particular, that data is necessary for the
purposes of the tax authorities' investigation, in particular, that the data are necessary for the
specific purposes for which they are collected and that the period for which the data are
collected does not exceed the period strictly necessary to achieve the objective of general
interest.

Costs

86 Since the proceedings are, as regards the parties to the main proceedings, in the nature of an
incident raised before the national court, it is for that court to rule on the costs. Costs incurred in
submitting observations to the Court, other than those of those parties, are not subject to
reimbursement.

For those reasons, the Court (Fifth Chamber) ruled

The provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of individuals with regard to the processing of personal data and on
the free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) must be interpreted as meaning that the collection by the tax authorities of a
Member State from an economic operator of information involving a significant amount of
personal data is subject to the requirements of that regulation, in particular those set out in
Article 5(1) thereof.

The provisions of Regulation 2016/679 must be interpreted as meaning that the tax authorities of
a Member State may not derogate from the provisions of Article 5(1) of that regulation where
such a right has not been granted to them by a legislative measure within the meaning of Article
23(1) thereof.

The provisions of Regulation 2016/679 must be interpreted as not precluding the tax authorities
of a Member State from requiring a provider of internet advertisement services to communicate
to them information relating to taxpayers who have published advertisements in one of the
sections of its internet portal, provided, in particular, that those data are necessary for the specific
purposes for which they are collected and that the period for which those data are collected does
not exceed the period strictly necessary to achieve the objective of general interest pursued.

In a landmark decision, the European Court of Justice ruled that:

1. The provisions of GDPR must be interpreted as meaning that the collection by the tax
authorities of a Member State from an economic operator of information involving a significant
amount of personal data is subject to the requirements of that regulation, particularly those set
out in Article 5(1) thereof.
2. The provisions of Regulation 2016/679 must be interpreted as meaning that the tax authorities
of a Member State may not derogate from the provisions of Article 5(1) of that regulation where
such a right has not been granted to them by a legislative measure within the meaning of Article
23(1) thereof.

3. The provisions of Regulation 2016/679 must be interpreted as not precluding the tax
authorities of a Member State from requiring a provider of internet advertising services to
communicate to them information relating to taxpayers who have published advertisements in
one of the sections of their internet portal, provided, in particular, that those data are necessary
for the light of the specific purposes for which they are collected and that the period to which the
collection of those data relates does not exceed the period strictly necessary to achieve the
objective of general interest sought.