This blog discusses two recent judgments addressing the scope of data protection obligations. The Court of Justice of the European Union clarified when video surveillance constitutes the “collection of personal data from the data subject” within the meaning of Article 13 GDPR and which information obligations follow from that qualification. In addition, the Administrative Jurisdiction Division of the Dutch Council of State ruled on whether excluding cash payments in a cinema is compatible with the GDPR and to what extent organisations must substantiate the necessity of such processing activities.
CJEU: Inform Data Subjects
At the end of last year, the Court of Justice of the European Union (hereinafter: “the Court”) delivered a judgment concerning the use of body-worn cameras in Swedish public transport. These cameras were used by ticket inspectors when checking tickets. The question referred to the Court concerned the applicability of Article 13 GDPR and Article 14 GDPR. Both provisions relate to the obligation to inform data subjects whose personal data are collected. The distinction between Article 13 and Article 14 GDPR lies in whether the personal data are obtained from the data subject (Article 13) or not obtained from the data subject (Article 14).
Background of the Case
A public transport operator in Stockholm, AB Storstockholms Lokaltrafik (the controller), equipped its ticket inspectors with bodycams. During inspections, the bodycams continuously recorded audio and video. The purpose of the deployment was to prevent and document threats and acts of violence and to identify passengers to whom fines were issued.
As a precautionary measure, the bodycams operated with a circular buffer system. Recordings were automatically overwritten after one minute unless the inspector pressed a button. In that event, the recording, including the minute preceding activation, was preserved. Inspectors were instructed to activate the recording function when issuing a fine or when confronted with a threatening situation.
The Swedish supervisory authority, the Integritetsskyddsmyndigheten, investigated the use of the bodycams and concluded that the controller had infringed its obligation to inform data subjects under Article 13 GDPR. An administrative fine was imposed. On appeal, the Swedish appellate court held that Article 13 GDPR was not applicable. The matter was subsequently referred to the Swedish Supreme Administrative Court, which submitted preliminary questions to the Court of Justice.
Article 13 or Article 14?
The question before the Court was whether personal data collected by means of bodycams must be regarded as data:
-
obtained from the data subject (within the meaning of Article 13 GDPR), or
-
not obtained from the data subject (within the meaning of Article 14 GDPR).
This distinction is relevant because the information obligation differs. Under Article 13 GDPR, the controller must provide information at the time the data are obtained. Article 14 GDPR, by contrast, allows, under certain circumstances, for information to be provided at a later stage.
The Court’s Judgment
The Court confirmed that the distinction between Articles 13 and 14 GDPR depends on the source of the personal data. It emphasised that the concept of personal data “collected from the data subject” does not require an active act on the part of the data subject. Where personal data are obtained through camera observation, the data are collected directly from the data subject. The fact that the data subject does not actively provide the data is not decisive.
The Court therefore held that, in the case of bodycams used in Swedish public transport, the situation falls within the scope of Article 13 GDPR, as the personal data are obtained directly from the filmed individual.
The Court further observed that a different interpretation would create a risk that data subjects would not be informed at the moment of recording. This could lead to forms of covert surveillance, which would be contrary to the principle of transparency laid down in Article 5(1)(a) GDPR.
Layered Information
The Court also addressed the practical implementation of the information obligation. The obligation must be fulfilled in a proportionate manner. Referring to relevant guidelines, the Court accepted that layered information may be provided. Essential information may, for example, be displayed by means of a warning sign, while more detailed information may be made available through a website or another accessible channel.
The judgment therefore does not imply that each individual passenger must receive a full explanation on the spot. However, data subjects must be made aware that video recordings may be made.
Practical Implications
This judgment has consequences for organisations using video recordings for monitoring or control purposes. This includes organisations deploying cameras for workplace or retail security, as well as those using bodycams, dashcams, or other mobile cameras.
Where video footage is recorded directly from individuals, Article 13 GDPR will in principle apply. Controllers must therefore inform data subjects about the processing, including at least:
-
the identity of the controller;
-
the purposes of the processing;
-
the legal basis for the processing;
-
the retention period; and
-
the rights of the data subject under the GDPR.
The judgment once again underlines that transparency is a core obligation in the context of video surveillance. Covert or insufficiently disclosed monitoring is difficult to reconcile with the GDPR. Organisations using video surveillance must therefore continue to critically assess their information practices. Not only the technical deployment of cameras, but also the visibility and accessibility of the information provided, determine whether the GDPR is complied with.
Anonymous Cinema Visits
The question of whether organisations may still refuse to accept cash payments has now also acquired a data protection dimension. In a recent judgment, the Administrative Jurisdiction Division of the Council of State (hereinafter: ABRvS or the Division) ruled on whether a cinema’s decision to exclude cash payments is compatible with data protection law.
Case Summary
A visitor to the Focus Filmtheater in Arnhem (hereinafter: Focus) wished to purchase a cinema ticket using cash. This turned out to be impossible: since 2018, Focus has accepted only debit or credit card payments, both at the box office and in its adjoining hospitality facilities. The visitor argued that this policy infringed upon his right to privacy. Card payments inevitably involve the processing of personal data, whereas cash payments do not.
He therefore filed a complaint with the Dutch Data Protection Authority (hereinafter: AP), requesting enforcement action. The AP rejected that request, holding that there was no indication that Focus, by abolishing cash payments, had breached the General Data Protection Regulation (GDPR). The complainant lodged an objection, then an appeal with the District Court, and eventually a further appeal with the ABRvS. On 11 February 2026, the ABRvS partially upheld his appeal, ordering the AP to reconsider its decision.
Privacy infringement through card payments?
The core of the complaint was that those who are required to pay by card can no longer attend the cinema anonymously. Each card transaction involves the processing of personal data, such as card and account details, transaction data and identifying information of the payer. According to the complainant, such processing was unnecessary and disproportionate, particularly since payment in cash would have been possible without any processing of personal data.
He further argued that in some circumstances, special categories of personal data might be processed, as it could be inferred from attendance at certain films that a visitor holds particular political or sexual preferences. Special category data may, in principle, not be processed without explicit consent. The complainant therefore relied on both the European Convention on Human Rights (ECHR) and the GDPR.
The AP’s position
The AP agreed with Focus’s policy. The cinema had argued that the prohibition of cash payments had been introduced to protect the safety of its employees. The AP considered this to be a clear and legitimate purpose. Moreover, it held that processing payment data was necessary for the performance of a contract with the customer, namely, the sale of a ticket or a beverage. The AP therefore considered the processing lawful under the GDPR’s legal basis of necessity for the performance of a contract (Article 6(1)(b) GDPR), and on that ground rejected the enforcement request.
The judgment of the ABRvS
The Division took a more critical stance. It first confirmed that the GDPR constitutes the correct standard of review: if the conditions of the GDPR are satisfied, the right to privacy under the EU Charter and the ECHR is, in principle, also respected.
The ABRvS held that processing the last four digits of a bank account number together with the transaction amount does not qualify as the processing of special categories of personal data. The suggestion that a cinema visit could indirectly reveal political or sexual preferences was, in the Division’s view, too speculative.
However, the ABRvS concluded that the AP had insufficiently substantiated its decision. The supervisory authority had simply assumed that the safety of employees constituted a legitimate aim, without examining whether there were concrete grounds for that assumption in this particular case. There was no evidence that employee safety had actually been at risk or that eliminating cash payments made a material contribution to safety. The mere assumption that cash is more susceptible to theft was, according to the Division, insufficient.
Implications for practice
The ABRvS did not hold that card payments are inherently unlawful. It did, however, stress that organisations must be able to demonstrate why the processing is necessary and why there are no less intrusive alternatives. A proper balancing of interests between the organisation’s legitimate objectives and the customer’s privacy rights must be undertaken.
For Focus, this means that the AP must adopt a new decision within eight weeks. For other organisations, the judgment serves as a reminder that the necessity and proportionality of data processing activities should never be taken lightly. Even in everyday contexts such as payment transactions, every processing operation of personal data must be demonstrably justified.
Would you like to read more case law? View our privacy case law blog for januari 2025 here.
