22 June 2021 (*1)

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Articles 5, 6 and 10 – National legislation providing for public access to personal data relating to penalty points imposed for road traffic offences – Lawfulness – Concept of ‘personal data relating to criminal convictions and offences’ – Disclosure for the purpose of improving road safety – Right of public access to official documents – Freedom of information – Reconciliation with the fundamental rights to respect for private life and to the protection of personal data – Re-use of data – Article 267 TFEU – Temporal effect of a preliminary ruling – Ability of a constitutional court of a Member State to maintain the legal effects of national legislation incompatible with EU law – Principles of primacy of EU law and of legal certainty)

In Case C‑439/19,

REQUEST for a preliminary ruling under Article 267 TFEU from the Latvijas Republikas Satversmes tiesa (Constitutional Court, Latvia), made by decision of 4 June 2019, received at the Court on 11 June 2019, in the proceedings brought by

other party:

Latvijas Republikas Saeima,

THE COURT (Grand Chamber),

composed of K. Lenaerts, President, R. Silva de Lapuerta, Vice-President, J.‑C. Bonichot, A. Arabadjiev, E. Regan, M. Ilešič (Rapporteur) and N. Piçarra, Presidents of Chambers, E. Juhász, M. Safjan, D. Šváby, S. Rodin, F. Biltgen, K. Jürimäe, C. Lycourgos and P.G. Xuereb, Judges,

Advocate General: M. Szpunar,

Registrar: A. Calot Escobar,

having regard to the written procedure,

after considering the observations submitted on behalf of:

–the Latvian Government, initially by V. Soņeca and K. Pommere, and subsequently by K. Pommere, acting as Agents,

–the Netherlands Government, by M.K. Bulterman and M. Noort, acting as Agents,

–the Austrian Government, by J. Schmoll and G. Kunnert, acting as Agents,

–the Portuguese Government, by L. Inez Fernandes, P. Barros da Costa, A.C. Guerra and I. Oliveira, acting as Agents,

–the Swedish Government, by C. Meyer-Seitz, H. Shev, H. Eklinder, R. Shahsavan Eriksson, A. Runeskjöld, M. Salborn Hodgson, O. Simonsson and J. Lundberg acting as Agents,

–the European Commission, by D. Nardi, H. Kranenborg and I. Rubene, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 17 December 2020,

gives the following

1This request for a preliminary ruling concerns the interpretation of Articles 5, 6 and 10 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’), of Article 1(2)(cc) of Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information (OJ 2003 L 345, p. 90), as amended by Directive 2013/37/EU of the European Parliament and of the Council of 26 June 2013 (OJ 2013 L 175, p. 1) (‘Directive 2003/98’), and of the principles of primacy of EU law and legal certainty.

2The request has been made in proceedings brought by B concerning the legality of national legislation providing for public access to personal data relating to penalty points imposed for road traffic offences.

Legal context

Directive 95/46/EC

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31) was repealed by the GDPR, with effect from 25 May 2018. Article 3 of that directive, headed ‘Scope’, was worded as follows:

‘1. This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

– in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the [EU Treaty, in the version in force prior to the Treaty of Lisbon,] and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,

…’

The GDPR

Recitals 1, 4, 10, 16, 19, 39, 50 and 154 of the GDPR state:

‘(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the “Charter”) and Article 16(1) [TFEU] provide that everyone has the right to the protection of personal data concerning him or her.

(4) The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …

(16) This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

(19) The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. This Regulation should not, therefore, apply to processing activities for those purposes. However, personal data processed by public authorities under this Regulation should, when used for those purposes, be governed by a more specific Union legal act, namely Directive (EU) 2016/680 of the European Parliament and of the Council [of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89)]. …

(39) … In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. … Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. …

(50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. …

Article 1 of the GDPR, headed ‘Subject matter and objectives’, provides:

‘1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

Article 2 of the GDPR, headed ‘Material scope’, provides in paragraphs 1 and 2:

‘1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

(a) in the course of an activity which falls outside the scope of Union law;

(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

(c) by a natural person in the course of a purely personal or household activity;

(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’

As set out in Article 4 of the GDPR, headed ‘Definitions’:

‘For the purposes of this Regulation:

(1) “personal data” means any information relating to an identified or identifiable natural person …;

(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

…

(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

…’

Article 5 of the GDPR, headed ‘Principles relating to processing of personal data’, states:

‘1. Personal data shall be:

(a)processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

(b)collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; … (“purpose limitation”);

(c)adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

(d)accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);

(e)kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; … (“storage limitation”);

(f)processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

9.Article 6 of the GDPR, headed ‘Lawfulness of processing’, provides in paragraph 1:

‘Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b)processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c)processing is necessary for compliance with a legal obligation to which the controller is subject;

(d)processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e)processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f)processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.’

10.Article 10 of the GDPR, headed ‘Processing of personal data relating to criminal convictions and offences’, provides:

‘Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.’

11.Article 51 of the GDPR, headed ‘Supervisory authority’, states in paragraph 1:

‘Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (“supervisory authority”).’

12.Article 85 of the GDPR, headed ‘Processing and freedom of expression and information’, provides in paragraph 1:

‘Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.’

13.Article 86 of the GDPR, headed ‘Processing and public access to official documents’, provides:

‘Personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.’

14.As set out in Article 87 of the GDPR, headed ‘Processing of the national identification number’:

‘Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.’

15.Article 94 of the GDPR provides:

‘1. Directive [95/46] is repealed with effect from 25 May 2018.

Directive 2016/680

16.Recitals 10, 11 and 13 of Directive 2016/680 state:

‘(10)In Declaration No 21 on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation, annexed to the final act of the intergovernmental conference which adopted the Treaty of Lisbon, the conference acknowledged that specific rules on the protection of personal data and the free movement of personal data in the fields of judicial cooperation in criminal matters and police cooperation based on Article 16 TFEU may prove necessary because of the specific nature of those fields.

(11)It is therefore appropriate for those fields to be addressed by a directive that lays down the specific rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, respecting the specific nature of those activities. Such competent authorities may include not only public authorities such as the judicial authorities, the police or other law-enforcement authorities but also any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of this Directive. Where such a body or entity processes personal data for purposes other than for the purposes of this Directive, [the GDPR] applies. [The GDPR] therefore applies in cases where a body or entity collects personal data for other purposes and further processes those personal data in order to comply with a legal obligation to which it is subject. …’

(13)A criminal offence within the meaning of this Directive should be an autonomous concept of Union law as interpreted by the Court of Justice of the European Union …’

17.Article 3 of Directive 2016/680 provides:

‘For the purposes of this Directive:

…

7.“competent authority” means:

(a)any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or

(b)any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

…’

Directive 2003/98

18.Recital 21 of Directive 2003/98 states:

‘This Directive should be implemented and applied in full compliance with the principles relating to the protection of personal data in accordance with Directive [95/46].’

19.Article 1 of Directive 2003/98, headed ‘Subject matter and scope’, provides as follows:

‘1. This Directive establishes a minimum set of rules governing the re-use and the practical means of facilitating re-use of existing documents held by public sector bodies of the Member States.

…

(cc)documents access to which is excluded or restricted by virtue of the access regimes on the grounds of protection of personal data, and parts of documents accessible by virtue of those regimes which contain personal data the re-use of which has been defined by law as being incompatible with the law concerning the protection of individuals with regard to the processing of personal data;

…

…’

Latvian law

20.Article 96 of the Latvijas Republikas Satversme (Constitution of the Republic of Latvia; ‘the Latvian Constitution’) provides:

‘Everyone has the right to respect for his or her private life, home and correspondence.’

21.Under Article 1(5) of the Informācijas atklātības likums (Law on freedom of information) of 29 October 1998 (Latvijas Vēstnesis, 1998, No 334/335), re-use consists in the use of publicly accessible information, held and created by an authority, for commercial or non-commercial purposes other than the initial purpose for which the information was created, if that use is by a private party and does not involve tasks in the exercise of public authority.

22.Under Article 4 of that law, publicly accessible information is information that does not fall within the category of information subject to restricted access.

23.Article 5(1) of that law provides that information is subject to restricted access where it is intended for a restricted group of persons for the purpose of the performance of their tasks or professional duties and the disclosure or loss thereof, on account of its nature and content, hinders or may hinder an authority’s activities, or causes or may cause harm to statutorily protected interests of persons. Article 5(2) states that information is regarded as being subject to restricted access where, inter alia, it is so provided by law and Article 5(6) specifies that information that has already been published cannot be regarded as being information subject to restricted access.

24.In accordance with Article 10(3) of the Law on freedom of information, publicly accessible information may be provided upon request. The applicant is not required to justify specifically his or her interest in obtaining the information, and may not be refused access on the ground that the information does not concern him or her.

25.Article 14 of the Ceļu satiksmes likums (Law on road traffic) of 1 October 1997 (Latvijas Vēstnesis, 1997, No 274/276), in the version applicable at the material time (‘the Law on road traffic’), headed ‘Access to information kept in the national register of vehicles and their drivers …’, states in paragraph 2:

‘Information relating … to a person’s right to drive vehicles, to fines for the commission of road traffic offences which have been imposed on a person but not paid within the time limits laid down by law and other information recorded in the national register of vehicles and their drivers … shall be regarded as information in the public domain.’

26.Article 43 of the Law on road traffic, headed ‘Penalty points system’, provides in paragraph 1:

‘In order to influence the behaviour of drivers of vehicles, by promoting safe driving and compliance with road traffic rules, and in order to reduce as far as possible the risks for human life, human health and a person’s property, administrative offences committed by drivers of vehicles shall be entered in the register of convictions and penalty points shall be entered in the national register of vehicles and their drivers.’

27.In accordance with paragraphs 1 and 4 of Ministru kabineta noteikumi Nr. 551 ‘Pārkāpumu uzskaites punktu sistēmas piemērošanas noteikumi’ (Cabinet Regulation No 551 on the rules for application of the penalty points system) of 21 June 2004 (Latvijas Vēstnesis, 2004, No 102), penalty points for administrative offences committed in relation to road traffic by drivers of vehicles are automatically registered on the day upon which the period for appealing against the decision imposing an administrative penalty expires.

28Under paragraph 7 of that regulation, penalty points are removed when they have expired.

29By virtue of paragraph 12 of that regulation, depending on the number of penalty points, drivers are subject to measures such as warnings, road safety training or tests, or a driving ban for a specified period.

30As is apparent from Article 32(1) of the Satversmes tiesas likums (Law on the Constitutional Court) of 5 June 1996 (Latvijas Vēstnesis, 1996, No 103), a judgment of the Latvijas Republikas Satversmes tiesa (Constitutional Court, Latvia) is final and enforceable when it is delivered. In accordance with Article 32(3) of that law, a legal provision which the Latvijas Republikas Satversmes tiesa (Constitutional Court) has declared to be inconsistent with a higher-ranking rule of law is treated as void from the day of publication of the judgment of that court, unless the court decides otherwise.

The dispute in the main proceedings and the questions referred for a preliminary ruling

31B is a natural person upon whom penalty points were imposed on account of one or more road traffic offences. In accordance with the Law on road traffic and Regulation No 551 of 21 June 2004, the Ceļu satiksmes drošības direkcija (Road Safety Directorate, Latvia) (‘the CSDD’) entered those penalty points in the national register of vehicles and their drivers.

32Since the information relating to those penalty points that was contained in the register was accessible to the public and moreover, according to B, had been disclosed, for purposes of re-use, to a number of economic operators, B lodged a constitutional complaint with the Latvijas Republikas Satversmes tiesa (Constitutional Court), in order for it to examine whether Article 14(1)(2) of the Law on road traffic is consistent with the fundamental right to respect for private life laid down in Article 96 of the Latvian Constitution.

33The Latvijas Republikas Saeima (Parliament of the Republic of Latvia; ‘the Latvian Parliament’) was involved in the proceedings as the institution which had adopted the Law on road traffic. In addition, the CSDD, which processes the data relating to penalty points imposed for road traffic offences, was heard, as were the Datu valsts inspekcija (data protection authority), which is the supervisory authority, within the meaning of Article 51 of the GDPR, in Latvia, and a number of other authorities and persons.

34In the context of the main proceedings, the Latvian Parliament confirmed that, under Article 14(1)(2) of the Law on road traffic, any person may obtain information relating to penalty points imposed on another person, either by enquiring directly at the CSDD or by using the services provided by commercial re-users.

35It stated that that provision is lawful because it is justified by the objective of improving road safety. That public interest requires that persons infringing traffic regulations, in particular those disregarding them systematically and in bad faith, be openly identified and that drivers of vehicles, by means of that transparency, be deterred from committing offences.

36Furthermore, that provision is justified by the right of access to information, laid down by the Latvian Constitution.

37The Latvian Parliament explained that, in practice, disclosure of the information contained in the national register of vehicles and their drivers is subject to the condition that the person requesting the information must provide the national identification number of the driver about whom he or she wishes to enquire. This precondition for obtaining information is attributable to the fact that, unlike the person’s name, which may be identical to the name of other persons, the national identification number is a unique identifier.

38The CSDD pointed out that Article 14(1)(2) of the Law on road traffic does not impose any limits on either public access to or re-use of data relating to penalty points. As regards the contracts which it concludes with commercial re-users, the CSDD stated that they do not provide for legal transfer of the data and that re-users must ensure that the information transmitted to their customers does not exceed that which can be obtained from the CSDD. In addition, under those contracts the acquirer affirms that it will use the information obtained in accordance with the purposes indicated in the contract and in compliance with the legislation in force.

39The Datu valsts inspekcija (data protection authority) expressed its doubts as to whether Article 14(1)(2) of the Law on road traffic is consistent with Article 96 of the Latvian Constitution which lays down the right to respect for private life. In its view, the importance and the objective of processing carried out on the basis of the provision at issue in the main proceedings are not clearly established, and it cannot therefore be ruled out that that processing is inappropriate or disproportionate. Whilst the statistics relating to road traffic accidents in Latvia show a decrease in the number of accidents, there is, however, no proof that the penalty points system and public access to information relating to it have contributed to that favourable development.

40The Latvijas Republikas Satversmes tiesa (Constitutional Court) notes, first of all, that the constitutional complaint concerns Article 14(1)(2) of the Law on road traffic only in so far as that provision makes penalty points entered in the national register of vehicles and their drivers accessible to the public.

41It observes, next, that penalty points are personal data and that, when assessing the right to respect for private life laid down in Article 96 of the Latvian Constitution, account is to be taken of the GDPR and, more generally, of Article 16 TFEU and Article 8 of the Charter.

42As regards the objectives of the Latvian road traffic legislation, that court explains that it is in particular in order to promote road safety that offences committed by drivers, which are classified as administrative offences in Latvia, are entered in the register of convictions and that penalty points are entered in the national register of vehicles and their drivers.

43So far as concerns, in particular, the national register of vehicles and their drivers, it states that that register enables the number of road traffic offences committed to be ascertained and measures to be implemented in the light of their number. The system relating to penalty points entered in that register is thus intended to improve road safety, first, by enabling drivers of vehicles who disregard the road traffic rules systematically and in bad faith to be distinguished from drivers who commit offences occasionally. Second, such a system is also capable of influencing the conduct of road users in a preventive manner, by encouraging them to comply with the road traffic rules.

44That court observes that it is not in dispute that Article 14(1)(2) of the Law on road traffic grants any person the right to request and obtain from the CSDD the information contained in the national register of vehicles and their drivers concerning the penalty points imposed on drivers. It confirms that, in practice, the information is provided to the person requesting it once that person indicates the national identification number of the driver concerned.

45The Latvijas Republikas Satversmes tiesa (Constitutional Court) then explains that, since penalty points are classified as publicly accessible information, they fall within the scope of the Law on freedom of information and that that information may therefore be re-used for commercial or non-commercial purposes other than the initial purpose for which the information was created.

46In order to interpret and apply Article 96 of the Latvian Constitution consistently with EU law, that court seeks to ascertain, first, whether information relating to penalty points is among the information referred to in Article 10 of the GDPR, that is to say, ‘personal data relating to criminal convictions and offences’. If it is, the view could be taken that Article 14(1)(2) of the Law on road traffic fails to comply with the requirement contained in Article 10 of the GDPR that processing of the data to which that article relates can take place only ‘under the control of official authority’ or if there are ‘appropriate safeguards for the rights and freedoms of data subjects’.

47That court states that Article 8(5) of Directive 95/46, which left it to each Member State to determine whether the special rules on data relating to offences and criminal convictions should be extended to data relating to administrative offences and sanctions, was, from 1 September 2007, implemented in Latvia in such a way that personal data relating to administrative offences could, like data relating to criminal offences and convictions, be processed only by the persons, and in the circumstances, provided for by law.

48It adds that the scope of Article 10 of the GDPR must, in accordance with recital 4 of that regulation, be assessed in the light of the function of fundamental rights in society. In that respect, the objective of preventing a previous conviction from having an excessive adverse effect on a person’s private and professional life could apply both to criminal convictions and to administrative offences. Account should be taken, in this context, of the case-law of the European Court of Human Rights on the equiparation of certain administrative cases with criminal cases.

49The Latvijas Republikas Satversmes tiesa (Constitutional Court) raises, second, the question of the scope of Article 5 of the GDPR. It is unsure, in particular, whether the Latvian legislature has complied with the obligation, set out in Article 5(1)(f), requiring personal data to be processed with ‘integrity and confidentiality’. It points out that Article 14(1)(2) of the Law on road traffic, which, by giving access to information relating to penalty points, makes it possible to ascertain whether a person has been found guilty of a road traffic offence, was not accompanied by specific measures ensuring the security of such data.

50That court seeks, third, to ascertain whether Directive 2003/98 is relevant when examining whether Article 14(1)(2) of the Law on road traffic is compatible with the right to respect for private life. It is apparent from that directive that the re-use of personal data may be permitted only if that right is respected.

51Fourth, in the light of the Court of Justice’s case-law according to which the interpretation of EU law provided in preliminary rulings has erga omnes and ex tunc effects, the Latvijas Republikas Satversmes tiesa (Constitutional Court) is uncertain whether, if Article 14(1)(2) of the Law on road traffic were to be incompatible with Article 96 of the Latvian Constitution, read in the light of the GDPR and the Charter, it could nevertheless maintain the temporal effects of Article 14(1)(2) of that law until the date of delivery of its judgment, given the large number of legal relationships at issue.

52It states that, under Latvian law, a measure that it declares unconstitutional is to be considered void from the day of delivery of its judgment, unless it decides otherwise. It explains that it must, in that regard, strike a balance between the principle of legal certainty and the fundamental rights of the various parties concerned.

53In those circumstances, the Latvijas Republikas Satversmes tiesa (Constitutional Court) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

(1)Must the expression “processing of personal data relating to criminal convictions and offences or related security measures”, used in Article 10 of [the GDPR], be interpreted as meaning that it includes the processing of information relating to penalty points recorded against drivers for motoring offences as provided for in the provision at issue?

(2)Irrespective of the answer to the first question, can the provisions of [the GDPR], in particular the principle of “integrity and confidentiality” referred to in Article 5(1)(f) thereof, be interpreted as meaning that they prohibit Member States from stipulating that information relating to penalty points recorded against drivers for motoring offences falls within the public domain and from allowing such data to be processed by being communicated?

(3)Must recitals 50 and 154, Article 5(1)(b) and Article 10 of [the GDPR] and Article 1(2)(cc) of Directive 2003/98 be interpreted as meaning that they preclude legislation of a Member State which allows information relating to penalty points recorded against drivers for motoring offences to be transmitted for the purposes of re-use?

(4)If any of the foregoing questions is answered in the affirmative, must the principle of the primacy of EU law and the principle of legal certainty be interpreted as meaning that it might be permissible to apply the provision at issue and maintain its legal effects until [the Satversmes tiesa (Constitutional Court) makes a final ruling]?

Consideration of the questions referred

First question

54By its first question, the referring court asks, in essence, whether Article 10 of the GDPR must be interpreted as applying to the processing of personal data relating to penalty points imposed on drivers of vehicles for road traffic offences, consisting in the public disclosure of such data.

55Under Article 10 of the GDPR, processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) is to be carried out only under the control of official authority or when the processing is authorised by EU or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.

56It should, therefore, first of all be determined whether the information relating to penalty points that is disclosed to third parties pursuant to the legislation at issue in the main proceedings constitutes ‘personal data’, within the meaning of Article 4(1) of the GDPR, and whether that disclosure constitutes ‘processing’ of such data, within the meaning of Article 4(2) of that regulation, that comes under its material scope as defined in Article 2.

57In the first place, it is apparent from the order for reference that Latvian legislation provides for the imposition of penalty points on drivers of vehicles who have committed a road traffic offence and upon whom a financial or other penalty has been imposed. Those points are entered by a public body, the CSDD, in the national register of vehicles and their drivers on the day upon which the period for appealing against the decision imposing that penalty expires.