The opinion of Advocate General (AG) Priit Pikamae refers to a case where a Polish court is deciding on a dispute between companies involving debt. A board member of one company could be personally liable if the debtor company lacks assets. However, they argue otherwise, citing ownership of databases containing user data. These databases raise concerns as they include the personal information of individuals who haven't consented to sharing their data with third parties. As a result, the Polish court asked the Court of the Justice of the EU (CJEU) whether selling those databases by an enforcement court officer complies with the General Data Protection Regulation (GDPR).
While the decision on the case has not yet been delivered, AG Priit Pikamae delivered his opinion and stated:
"The operations carried out by the court enforcement officer to estimate the value of the databases concerned and sell them by public auction come within the scope of the GDPR."
The AG explained that processes falling under GDPR include the retrieval, consultation, use, and making available to the purchaser of those personal data while also considering the enforcement officer as the personal data controller.
In a nutshell, for the processing and selling of personal data to fall under the scope of the GDPR, the processing shall be lawful, meaning that an enforcement court officer shall perform the performance. Additionally, it should be necessary and proportionate in a democratic society, meaning that the Polish court, in this case, shall balance the creditor company's right to property and users' right to privacy.
AG Priit Pikamae's opinion is not binding but could serve as a guiding tool for the Court when delivering its judgement.