Ever wondered if your name, work email address and signature on a work contract could count as personal data? The Court of Justice of the European Union (CJEU) just delivered a surprising answer in a case that pits privacy against public transparency.

🏛️ Court: Court of Justice of the European Union (CJEU), First Chamber
🗓️ Judgment Date: 3 April 2025
🗂️ Case Number: Celex 62023CJ0710, C‑710/23

Legal Issues

📜 L.H. v. Ministerstvo Zdravotnictví case involves a privacy law suit between public transparency 🧾 and personal data protection 🔐 under the General Data Protection Regulation (GDPR) in the European Union.

Here’s the main issue:

Should the signatures, email address, and contact details of individuals who sign documents on behalf of companies, like contracts for COVID-19 tests, be kept private or disclosed to the public? Even if they’re just acting in their professional roles?

Imagine you are the director of a company and you sign a deal with the government. Later, someone requests public records related to that deal.

Should your personal details, like your full name, email address and signature, be revealed, even though it was “just business”? And if yes, should you be notified first before the government releases that info?

This case dives deep into the definition of “personal data” 🧑‍💼 and whether it still counts as private if shared in a work setting. It also questions whether national laws can go beyond the GDPR by requiring extra steps, like informing people before their data is shared, even when GDPR doesn’t mandate it.

The challenge? Balancing openness in government with the individual’s right to privacy. Should public interest in knowing “who signed what” overshadow an individual’s control over their own data?

💡 This case is important because it shapes how much personal information about professionals especially in public contracts should be available to the public in the name of transparency.

🤔 Would you be okay with your work identity being made public without your say?

📕 Material Facts

During the COVID-19 pandemic 🦠, governments rushed to secure testing kits to protect public health. In the Czech Republic 🇨🇿, the Ministry of Health signed contracts with various companies to purchase COVID-19 screening tests 🧪. These contracts included certificates confirming the tests could be used within the European Union.

A concerned citizen, known as L.H., wanted more transparency. He submitted a request under Czech freedom of information law to the Ministry of Health, asking for the names, signatures, and contact details of the individuals who signed the contracts and certificates on behalf of these companies. Essentially, L.H. was trying to find out who exactly authorized these deals.

The Ministry partially complied. It sent the documents, but with crucial information redacted, names, positions, and signatures of the signatories, and sometimes their email addresses and phone numbers were blacked out. The reason? The Ministry claimed this data was protected under the General Data Protection Regulation (GDPR) because it related to identifiable natural persons, even though they were acting in a professional role.

Not happy with the redaction, L.H. took legal action ⚖️. He argued that the Ministry should have disclosed the full information or at least consulted with the people involved before refusing. A lower court agreed with him, saying that national case-law required such consultation before withholding information.

However, the Ministry disagreed and appealed. They said it was impossible to contact those individuals, many lived abroad (in China 🇨🇳 and the United Kingdom 🇬🇧), and that they didn’t even know their current addresses.

Stuck between privacy concerns and transparency demands, the Czech Supreme Administrative Court hit pause, and referred the issue to the European Court of Justice (ECJ) 🇪🇺. The Court was asked to decide:

Is this type of business-related identity data considered personal data under the GDPR? And can national laws demand extra steps (like notifying the people involved) even when the GDPR doesn’t require it?

This case arose from a real-world tension between the public’s right to know and individuals' right to data privacy 🔐, especially in high-stakes situations like public procurement during a global health crisis.

🧑‍⚖️ Judgment

Delivered on April 3, 2025, the Court of Justice of the European Union (CJEU) ruled on the case.

The Court made two key rulings 📌:

1️⃣ Disclosure of names, signatures, email address, and contact details of people representing companies, even when done solely for identifying who signed a document, is considered “processing of personal data” under the GDPR 🧑‍💼🔐. Therefore, even when someone is acting on behalf of a company, their identity (like their email address and signature) still counts as personal information. So, yes, it’s personal data even if it’s “just business”.

2️⃣ The Court also ruled that national rules or case law that require public authorities to inform or consult individuals before releasing documents with their personal data are not automatically in conflict with EU law, as long as 🧭:

• They are possible to implement 🧑‍💻;

• They don’t create excessive burdens 🚫📉;

• And they don’t block public access to official documents altogether 🧾.

The ruling allows some flexibility for Member States, but puts clear limits: protecting privacy is important, but shouldn’t be used as a blanket excuse to withhold documents from the public.

In summary: The EU’s Court of Justice court determined the effectiveness of personal privacy and public transparency, making it clear that privacy rights still apply even in a professional setting, but must be balanced fairly.

⚖️ Case closed at the EU level.

The Legal Principles

The case of Ministerstvo zdravotnictví (C-710/23) offers valuable and timely lessons for governments, businesses, and the general public with respect to data protection and transparency.

The case helps clarify the grey areas where professional roles overlap with personal data rights under EU law, particularly the General Data Protection Regulation (GDPR).

Let’s break down the key legal principles and what we can all learn from them 👇

1️⃣ Personal Data Isn’t Just “Private Life” Data

Legal Principle: Under Article 4(1) GDPR, any information that can identify a person, whether it's used in a personal, public, or professional context, is “personal data.” That includes signatures and contact details.

Takeaway: Just because someone is doing a job for a company doesn’t mean their personal data is up for grabs. For example, if you sign a contract on behalf of your company, your email address and signature are still your personal data, even though you’re acting professionally. So yes, “work identity” can still fall under GDPR protection 💼🔐.

2️⃣ Processing = More Than Just Collecting Data

Legal Principle: Article 4(2) GDPR defines “processing” in broad terms. It’s not just about collecting data—it includes storing, using, disclosing, or even deleting data. Disclosing someone’s name or contact info in a public document = processing ✔️.

Takeaway: Anyone handling data—especially public authorities—must understand that even sharing or publishing someone’s work email or signature can be a form of data processing. This means they must follow GDPR rules even if they’re simply making documents public.

3️⃣ Public Interest vs. Privacy Rights: A Balancing Act ⚖️

Legal Principle: Article 86 GDPR acknowledges that public access to official documents 🧾 is important, but it must be reconciled with the right to personal data protection. Neither side automatically outweighs the other.

Takeaway: The law doesn’t say transparency always wins, or that privacy always blocks disclosure. Instead, it requires a thoughtful balancing test. This means public bodies can’t use GDPR as an excuse to hide everything, nor can they ignore privacy just to appear open and transparent 🔍.

4️⃣ Legitimate Processing Without Consent is Possible

Legal Principle: Article 6(1)(c) and (e) GDPR allows data processing if it’s necessary for:

• Complying with a legal obligation (e.g. following a law) 🏛️;

• Performing a public task (e.g. publishing government contracts) 💡.

Takeaway: Not all data processing needs the person’s consent. For example, a government department publishing contracts may be allowed to process personal data if it’s fulfilling a legal duty or serving the public interest, so long as it's done fairly and transparently ✅.

5️⃣ Member States Can Go Further, But Not Too Far 🧭

Legal Principle: Articles 6(2) and 6(3) GDPR give EU countries some room to create additional rules for processing personal data—especially where public functions are involved. But these national laws or practices must still respect the spirit and structure of GDPR.

Takeaway: Countries like the Czech Republic can ask their public bodies to inform or consult individuals before publishing data—but they can't make this so burdensome that it undermines transparency or becomes impossible to implement.

In other words, additional protections are okay, but they must be reasonable, proportionate, and practical.

6️⃣ Proportionality is Key 🎯

Legal Principle: The principle of proportionality (highlighted in both GDPR and wider EU law) requires authorities to ensure that any data protection steps they take aren't excessive or unrealistic.

Takeaway: If it’s going to take extreme effort to contact someone before disclosing their data—especially if they live abroad, have no known address, or are part of a large dataset—it may not be required. Authorities should strive for fairness, but not at the cost of functionality 🧑‍💻🧾.

7️⃣ Transparency Still Matters for Democracy 🗳️

Underlying Principle: The EU legal framework emphasizes transparency not just for efficiency, but as a democratic value. Citizens must be able to see how decisions are made and who is involved, especially when public money or public health is at stake.

Takeaway: This case reinforces the idea that transparency isn't the enemy of privacy, they can coexist. Public institutions must learn how to walk that fine line, and digital-age citizens need to be aware that both their rights to privacy and rights to information are protected .