# CJEU - C‑199/24 - Legal Newsdesk Sweden AB

- Type: Case Law
- Source: GDPRhub
- Date: 2026-07-09
- Original: https://gdprhub.eu/index.php?title=CJEU_-_C‑199/24_-_Legal_Newsdesk_Sweden_AB
- Canonical: https://overview.legal/posts/108998
- Topics: Law Enforcement, Criminal Data, Integrity and Confidentiality Principle, Types of Special Categories of Personal Data, Risk Management System, Special Categories of Data, Supervisory Authorities, Personal Data, Processing, Controllers

## Summary

Facts — The legal context: Article 85 GDPR and Swedish law — Under Swedish law the Swedish Agency for the Media can issue publications certificates which confers constitutional protection to the activities of the holder. Such certificates can also be issued for the publication and maintenance of databases of personal data . Swedish law provides for broad GDPR derogations for certain activities covered by the permit, as an implementation of Article 85 GDPR ("Processing and freedom of expression and information"): The GDPR and the Swedish Law on data protection do not apply when they would conflict with the constitutional protection afforded by a publication certificate. Additionally, specific Articles of the GDPR and the Law on data protection - including all of Chapter VIII of the GDPR (Remedies, liabilities and penalties)- do not apply to the processing of personal data that takes place for journalistic purposes or for academic, artistic or literary creation. As a result of these broad exemption, data subjects have limited remedies available when the processing of their data is covered by a publication certificate. In particular, Swedish law provides that in such cases, controllers can only be held liable for damages when the processing of personal data constitutes defamation. The case at hand — Legal Newdesk Sweden AB, formerly Garrapatica AB (the controller), holds such a certificate. The controller maintained a database (Lexbase) where personal data, including criminal convictions, are stored. The data were made available to third parties for payment. A data subject challenged the processing of his data on Lexbase. In particular, he claimed that the controller could not lawfully make information about his criminal convictions available after the same information was removed from the public register of criminal records. After sending an unsuccessful erasure request, the data subject initiated civil proceedings before the District Court of Attunda and requested SEK 300,000 (about €26,000) in damages over the allegedly unlawful processing of their data on the Lexbase database. The controller, on the other hand, claimed that its activities were exempt from the GDPR because they were covered by the constitutional protection of the publishing certificate. The questions referred — The District Court referred three somewhat complex questions to the Court of Justice about the interpretation of Article 85 GDPR: Does Article 85(1) of the GDPR make it possible for the Member States to adopt legislative measures in addition to those which they must adopt under Article 85(2) of the regulation relating to the processing of personal data for purposes other than journalistic ones or the purposes of academic, artistic or literary expression? If the previous question is answered in the affirmative: Does Article 85(1) of the GDPR allow a reconciliation of the right to the protection of personal data pursuant to that regulation with the freedom of expression and of information which means that the only legal remedy available to a person whose personal data are processed by making criminal convictions involving that person available to the public on the internet in return for payment is the initiation of criminal proceedings for defamation or the claiming of damages for defamation? If the first question is answered in the negative or the second question is answered in the negative: Can an activity which consists of making available to the public on the internet in return for payment, without any processing or editing, public documents in the form of criminal convictions constitute processing of personal data for the purposes set out in Article 85(2) of the GDPR? Advocate General Opinion — The Advocate General opined that a data processing activity, such as that carried out by the controller in the case at hand, did not constitute a journalistic activity and did not fall under Article 85(2) GDPR. Furthermore, the Advocate General opined that Article 85(2) GDPR did not allow for legal derogations to Chapter VIII GDPR. Finally, the Advocate opined that neither paragraph (1) nor (2) of Article 85 allowed for derogations to all of the GDPR. Holding — The CJEU held that Article 85(1) GDPR does not allow Member States to create derogations from the GDPR beyond those expressly permitted by Article 85(2). Article 85(1) requires Member States to reconcile data protection with freedom of expression and information. However, it does not itself authorise exemptions from the GDPR. Such exemptions may only be introduced under Article 85(2) and only for processing carried out for journalistic purposes or for academic, artistic or literary expression. The CJEU therefore found that Member States cannot rely on Article 85(1) to exclude other forms of processing from the application of the GDPR. The CJEU also held that Article 85 GDPR does not permit Member States to restrict the remedies available to data subjects under Chapter VIII GDPR. National law cannot limit a data subject whose criminal-conviction data is published online to defamation proceedings only. Accordingly, the data subject must retain access to the remedies provided under Articles 77, 78, 79 and 82 GDPR, including the right to lodge a complaint with the DPA, seek an effective judicial remedy and claim compensation. Regarding journalistic purposes, the CJEU confirmed that the concept must be interpreted broadly. The fact that processing is carried out online, for payment or in relation to criminal convictions does not, by itself, exclude the application of Article 85(2). However, the mere publication of information is not sufficient. Processing qualifies as journalistic only where it is intended to inform the public and is carried out in accordance with journalistic professional and ethical standards. It must involve editorial work or adaptation, or at least follow an editorial policy, and the relevant factual information must be verified. The CJEU found that making unedited criminal judgements available to any paying user did not appear to satisfy those requirements. In particular, the activity did not appear to involve editorial assessment, adaptation or a journalistic policy. The fact that the documents could be useful to journalists was not enough to bring the processing within Article 85(2). It was for the referring Court to verify whether the controller’s activity met the conditions for processing for journalistic purposes. The CJEU did not impose a fine, award compensation or order corrective measures. Those issues remained for the referring Court to decide.

## Full text

Facts — The legal context: Article 85 GDPR and Swedish law — Under Swedish law the Swedish Agency for the Media can issue publications certificates which confers constitutional protection to the activities of the holder. Such certificates can also be issued for the publication and maintenance of databases of personal data . Swedish law provides for broad GDPR derogations for certain activities covered by the permit, as an implementation of Article 85 GDPR ("Processing and freedom of expression and information"): The GDPR and the Swedish Law on data protection do not apply when they would conflict with the constitutional protection afforded by a publication certificate. Additionally, specific Articles of the GDPR and the Law on data protection - including all of Chapter VIII of the GDPR (Remedies, liabilities and penalties)- do not apply to the processing of personal data that takes place for journalistic purposes or for academic, artistic or literary creation. As a result of these broad exemption, data subjects have limited remedies available when the processing of their data is covered by a publication certificate. In particular, Swedish law provides that in such cases, controllers can only be held liable for damages when the processing of personal data constitutes defamation. The case at hand — Legal Newdesk Sweden AB, formerly Garrapatica AB (the controller), holds such a certificate. The controller maintained a database (Lexbase) where personal data, including criminal convictions, are stored. The data were made available to third parties for payment. A data subject challenged the processing of his data on Lexbase. In particular, he claimed that the controller could not lawfully make information about his criminal convictions available after the same information was removed from the public register of criminal records. After sending an unsuccessful erasure request, the data subject initiated civil proceedings before the District Court of Attunda and requested SEK 300,000 (about €26,000) in damages over the allegedly unlawful processing of their data on the Lexbase database. The controller, on the other hand, claimed that its activities were exempt from the GDPR because they were covered by the constitutional protection of the publishing certificate. The questions referred — The District Court referred three somewhat complex questions to the Court of Justice about the interpretation of Article 85 GDPR: Does Article 85(1) of the GDPR make it possible for the Member States to adopt legislative measures in addition to those which they must adopt under Article 85(2) of the regulation relating to the processing of personal data for purposes other than journalistic ones or the purposes of academic, artistic or literary expression? If the previous question is answered in the affirmative: Does Article 85(1) of the GDPR allow a reconciliation of the right to the protection of personal data pursuant to that regulation with the freedom of expression and of information which means that the only legal remedy available to a person whose personal data are processed by making criminal convictions involving that person available to the public on the internet in return for payment is the initiation of criminal proceedings for defamation or the claiming of damages for defamation? If the first question is answered in the negative or the second question is answered in the negative: Can an activity which consists of making available to the public on the internet in return for payment, without any processing or editing, public documents in the form of criminal convictions constitute processing of personal data for the purposes set out in Article 85(2) of the GDPR? Advocate General Opinion — The Advocate General opined that a data processing activity, such as that carried out by the controller in the case at hand, did not constitute a journalistic activity and did not fall under Article 85(2) GDPR. Furthermore, the Advocate General opined that Article 85(2) GDPR did not allow for legal derogations to Chapter VIII GDPR. Finally, the Advocate opined that neither paragraph (1) nor (2) of Article 85 allowed for derogations to all of the GDPR. Holding — The CJEU held that Article 85(1) GDPR does not allow Member States to create derogations from the GDPR beyond those expressly permitted by Article 85(2). Article 85(1) requires Member States to reconcile data protection with freedom of expression and information. However, it does not itself authorise exemptions from the GDPR. Such exemptions may only be introduced under Article 85(2) and only for processing carried out for journalistic purposes or for academic, artistic or literary expression. The CJEU therefore found that Member States cannot rely on Article 85(1) to exclude other forms of processing from the application of the GDPR. The CJEU also held that Article 85 GDPR does not permit Member States to restrict the remedies available to data subjects under Chapter VIII GDPR. National law cannot limit a data subject whose criminal-conviction data is published online to defamation proceedings only. Accordingly, the data subject must retain access to the remedies provided under Articles 77, 78, 79 and 82 GDPR, including the right to lodge a complaint with the DPA, seek an effective judicial remedy and claim compensation. Regarding journalistic purposes, the CJEU confirmed that the concept must be interpreted broadly. The fact that processing is carried out online, for payment or in relation to criminal convictions does not, by itself, exclude the application of Article 85(2). However, the mere publication of information is not sufficient. Processing qualifies as journalistic only where it is intended to inform the public and is carried out in accordance with journalistic professional and ethical standards. It must involve editorial work or adaptation, or at least follow an editorial policy, and the relevant factual information must be verified. The CJEU found that making unedited criminal judgements available to any paying user did not appear to satisfy those requirements. In particular, the activity did not appear to involve editorial assessment, adaptation or a journalistic policy. The fact that the documents could be useful to journalists was not enough to bring the processing within Article 85(2). It was for the referring Court to verify whether the controller’s activity met the conditions for processing for journalistic purposes. The CJEU did not impose a fine, award compensation or order corrective measures. Those issues remained for the referring Court to decide. Holding — The CJEU held that Article 85(1) GDPR does not allow Member States to create derogations from the GDPR beyond those expressly permitted by Article 85(2). Article 85(1) requires Member States to reconcile data protection with freedom of expression and information. However, it does not itself authorise exemptions from the GDPR. Such exemptions may only be introduced under Article 85(2) and only for processing carried out for journalistic purposes or for academic, artistic or literary expression. The CJEU therefore found that Member States cannot rely on Article 85(1) to exclude other forms of processing from the application of the GDPR. The CJEU also held that Article 85 GDPR does not permit Member States to restrict the remedies available to data subjects under Chapter VIII GDPR. National law cannot limit a data subject whose criminal-conviction data is published online to defamation proceedings only. Accordingly, the data subject must retain access to the remedies provided under Articles 77, 78, 79 and 82 GDPR, including the right to lodge a complaint with the DPA, seek an effective judicial remedy and claim compensation. Regarding journalistic purposes, the CJEU confirmed that the concept must be interpreted broadly. The fact that processing is carried out online, for payment or in relation to criminal convictions does not, by itself, exclude the application of Article 85(2). However, the mere publication of information is not sufficient. Processing qualifies as journalistic only where it is intended to inform the public and is carried out in accordance with journalistic professional and ethical standards. It must involve editorial work or adaptation, or at least follow an editorial policy, and the relevant factual information must be verified. The CJEU found that making unedited criminal judgements available to any paying user did not appear to satisfy those requirements. In particular, the activity did not appear to involve editorial assessment, adaptation or a journalistic policy. The fact that the documents could be useful to journalists was not enough to bring the processing within Article 85(2). It was for the referring Court to verify whether the controller’s activity met the conditions for processing for journalistic purposes. The CJEU did not impose a fine, award compensation or order corrective measures. Those issues remained for the referring Court to decide. Comment — Share your comments here!

---
Generated by overview.legal · https://overview.legal/posts/108998 · 2026-07-16
