CJEU Finds Customers’ Title Is Not Necessary Data For The Purchase Of A Train Ticket

On January 9, 2025, the Court of Justice of the European Union ("CJEU") issued a decision on the GDPR's lawfulness and data minimization principles.

The case arose after a French association ("Mousse") complained to the French Supervisory Authority ("CNIL") about the fact that France's main train company SNCF requires customers to indicate their title and gender identity by ticking either "Sir" or "Madam" when purchasing a train ticket online. Mousse considered that such a mandatory requirement could not be justified under the "contractual performance" or "legitimate interests" legal bases set out in Article 6 GDPR, and infringed the GDPR's principles of lawfulness, data minimization and transparency.

The CNIL dismissed the complaint, and Mousse appealed the CNIL's decision before the French Administrative Supreme Court ("Conseil d'Etat"), which stayed the proceedings to refer some questions to the CJEU.

1. Is the processing necessary for the performance of a contract?

As a preliminary remark, the CJEU emphasized that the necessity requirement for relying on either contractual performance or legitimate interests is not met where the objective pursued by the processing could reasonably be achieved just as effectively by other, less intrusive means.

In order to be able to rely on the legal basis of performance of a contract (Art. 6(1)(b) GDPR), the controller must be able to demonstrate that it would not be able to properly perform the contract at stake without implementing the processing. To this end, the CJEU clarified that the controller could take into account not only the main subject matter of the contract, but also other objectives forming an integral part of the contract.

While the main subject matter of the contract was the provision of a rail transport service, the CJEU considered that commercial communications may constitute a purpose forming an integral part of such contract. Indeed, the contract deriving from the purchase of train tickets would typically involve sending the customer a travel document by electronic means, informing the customer of any changes affecting their journey, allowing communications for after-sale services, etc.

However, the CJEU found that such communications did not objectively need to be personalized based on the customer's gender identity - SNCF could have just used generic, inclusive expressions instead of titles. As a result, the CJEU found that processing customers' titles and gender identities was not necessary for personalizing commercial communications, and therefore could not be justified under the GDPR's contractual performance legal basis.

SCNF mentioned there was a second purpose for the collection and use of customer's gender identity, namely to provide carriages reserved for persons with the same gender identity in night trains and to assist passengers with disabilities. According to the CJEU, this second purpose could not justify the systematic and generalized processing of all customers' titles. Such processing would be disproportionate and contrary to the principle of data minimization.

1. Is the processing necessary for the purposes of legitimate interests?

Building on its previous case-law,[1] the CJEU reiterated that a controller must meet three cumulative conditions in order to rely on this legal basis (Art. 6(1)(f) GDPR), namely:

1. The controller or a third party must have a legitimate interest in the processing;
2. Processing the personal data is necessary to pursue said legitimate interest; and
3. Data subjects' fundamental rights and freedoms do not override the pursued legitimate interest.

While the CJEU left it to the referring court to assess whether these conditions are met in the case at hand, it did flag a few points for consideration:

1. The CJEU indicated that a legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller.
2. On the second condition, the CJEU tentatively concluded that the processing of customers' titles or gender identities does not appear necessary to personalize commercial communications, and that common practices and social conventions should not be taken into account when assessing this necessity condition.
3. On the third condition, the CJEU recalled that when balancing the pursued legitimate interest with the data subjects' rights and freedoms, account should be taken in particular of data subjects' reasonable expectations. In the case at hand, the CJEU considered that SNCF customers did not expect the SNCF to process their title or gender identity as they purchase train tickets. The CJEU also highlights there may be a risk of discrimination based on gender identity, although this will ultimately be for the referring court to determine.

Finally, the Conseil d'Etat had asked the CJEU whether, when assessing if a controller may lawfully rely on legitimate interests to process personal data, the fact that data subjects may have a right to object to the processing should be taken into account. Unsurprisingly, the CJEU considered that the right to object presupposed that the processing is lawful (i.e., that there is a legal basis). In other words, the lawfulness of such processing should not depend on the existence of a right to oppose.

* * *

Covington's Data Privacy and Cybersecurity Practice monitors CJEU cases closely and reports on relevant Court decisions and Advocate General opinions. If you have any questions about the interaction between data protection and local laws, we are happy to assist.

[1] See in particular, CJEU, July 4, 2023, Meta Platforms and Others, C-252/21; CJEU, October 4, 2024, Koninklijke Nederlandse Lawn Tennisbond, C-621/22.

Public link

Please use the above public link if you want to share this noodl on another website.