In its judgment 2021:504 in Case C 439/19, the Court of Justice of the European Union stated that those national rules that oblige the public bodies registering penalty points to disclose such information to persons requesting access without a specific interest, is contrary to GDPR.
The penalty points for Latvian citizens are registered by the national register of vehicles and their drivers. Since the information relating to penalty points in the register was accessible to the public and had been disclosed, for purposes of re-use, to a number of economic operators, a Latvian citizen lodged a constitutional complaint with the Latvijas Republikas Satversmes ties (Constitutional Court) to examine whether the Latvian Law on road traffic is consistent with the fundamental right to respect for private life.
According to the Latvian Constitutional Court, it must take the GDPR into account in its assessment of the constitutional right at stake in the case. Therefore, it asked the Court of Justice to clarify the scope of several provisions of the GDPR and to determine whether the Latvian legislation is compatible with EU law.
The Court of Justice stated that GDPR must be interpreted as applying to the processing of personal data relating to penalty points imposed on drivers of vehicles for road traffic offences. Hence the provisions of the GDPR must be interpreted as precluding national legislation which authorises the public body responsible for the register in which penalty points imposed on drivers of vehicles for road traffic offences are entered to disclose those data to economic operators for re-use.
In the context of the main proceedings, the Latvian Parliament had confirmed that any person may obtain information relating to penalty points imposed on another person, either by enquiring directly at the Road Safety Directorate of Latvia or by using the services provided by commercial re-users. It stated that that provision is lawful, since it is justified by the objective of improving road safety. The public interest requires that persons infringing traffic regulations, in particular those disregarding them systematically and in bad faith, be openly identified and that drivers of vehicles, by means of that transparency, be deterred from committing offences.
In the present judgment, the Court of Justice has ruled that the Latvian legislation is contrary to the GDPR. The Court of Justice stated that it had not been proven that it was necessary to disclose personal data relating to penalty points for road traffic offences, in particular in view of the objective of improving road safety as invoked by the Latvian government.