Who should be the “controller” of personal data files in the courts? On processing personal data “acting in judicial capacity” and judicial independence. Special reference to the current legislation in Portugal and Spain

Abstract

As it follows from Recital 20 as well as from the delimitation set out in itsArticle 2 in its material scope of application, the Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR) – is competent to apply to the court’s activity and other judicial authorities, stating that “Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities.” The GDPR exempts the processing of personal data “by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security” [Article 2(2)(d), to which Directive (EU) 2016/680 of 27 April 2016 shall apply]. Recital 80 of the aforementioned Directive states in similar terms to the GDPR that: “While this Directive applies also to the activities of national courts and other judicial authorities, the competence of the supervisory authorities should not cover the processing of personal data where courts are acting in their judicial capacity, in order to safeguard the independence of judges in the performance of their judicial tasks.” In view of this legal framework, the question of who should hold the status of (data) “controller” in the courts is still not a peaceful question. In this paper we shall develop our argument, pointing out that it should be the judges and courts, who would hold the role of “controller” for the processing of personal data when “acting in judicial capacity” as defined in the recent judgment of the Court of Justice of the European Union (CJEU) of 24 March 2022 in case C-245/20. Finally, we shall make a critical analysis of this question in the current regulation in Portugal and Spain about data protection and the “controller” in the courts (“Responsável pelo Tratamento” in Portuguese; “Responsable del Tratamiento” in Spanish).