The judgment of the Court of Justice of the European Union ( Case C 394/23 ) concerning the practices of the French rail carrier SNCF Connect is an important reference point for companies and institutions regarding compliance with personal data protection regulations. This case reveals important aspects of the interpretation of the GDPR and its practical application, which also apply to entrepreneurs operating online stores.

Context of the case

SNCF Connect introduced a requirement for customers to provide their gender when purchasing tickets online. This information was used to adapt the terms ("Mr." or "Mr.") used in communications with users. The Mousse association considered this a violation of GDPR, arguing that there was no legal basis for processing such data and that its provision was not necessary for the performance of the transport contract.

The position of data protection authorities and the CJEU

The French data protection authority (CNIL) initially found that the carrier was entitled to inquire about gender, citing the principle of data minimization and customs in commercial and administrative communications. However, the CJEU issued a different interpretation, indicating that, under the GDPR, the processing of personal data must fall within a limited set of circumstances for personal data processing that complies with applicable regulations. According to the Court, providing the customer's gender is not necessary for the performance of the transport contract.

The CJEU suggested that the carrier could use more inclusive and neutral forms of communication that would not violate the right to personal data protection and would ensure greater respect for gender diversity.

What clues should entrepreneurs take note of in this matter?

1. Data minimization as a key principle of GDPR
   The CJEU reiterated that the processing of personal data should be limited to the information necessary to achieve specific purposes. In the case of SNCF Connect, providing the customer's gender was not necessary for the provision of the transport service.
2. Protecting the fundamental rights of customers
   The Court emphasised that fundamental rights, such as the protection of gender identity and the avoidance of the risk of discrimination, override the interests of the data controller, such as the personalisation of commercial communications.
3. Alternative solutions
   The CJEU ruling indicates that companies can successfully replace traditional forms of courtesy with more universal and inclusive wording, thus minimizing the scope of personal data processed.

The CJEU ruling sets a new standard for the design of online forms that require users to provide personal data. Companies and public institutions in the EU must now exercise greater caution in assessing whether the data they collect is truly necessary to achieve their stated purposes. In cases of unjustified processing, they risk being subject to complaints to data protection authorities, which, following this ruling, will uphold such complaints.

Summary

The CJEU ruling in the SNCF Connect case demonstrates the importance of respecting personal data protection principles in practice. Adapting forms and procedures to new data protection standards not only helps avoid the risk of sanctions but also builds trust with customers, who are increasingly attentive to how their data is processed. Companies that ignore these changes risk both reputational damage and legal consequences.

Not sure if the forms in your store violate user rights?

Contact us:

📞 +48 781 906 020

📩 biuro@ecommercelegal.pl

💬 Contact form