Meta Platforms v noyb
C-252/21 (Meta Platforms (noyb))
Case Summary
EUR-Lex - 62021CJ0252 - EN - EUR-Lex × Skip to main content Log in My EUR-Lex My EUR-Lex Sign in Register My recent searches (0) English English Select your language Official EU languages: bg български es Español cs Čeština da Dansk de Deutsch et Eesti keel el Ελληνικά en English fr Français ga Gaeilge hr Hrvatski it Italiano lv Latviešu valoda lt Lietuvių kalba hu Magyar mt Malti nl Nederlands pl Polski pt Português ro Română sk Slovenčina sl Slovenščina fi Suomi sv Svenska EUR-Lex Access to European Union law <a href="https://eur-lex.europa.eu/content/help/eurlex-content/experimental-features.html" target="_blank">More about the experimental features corner</a> Experimental features × Choose the experimental features you want to try Do you want to help improving EUR-Lex ? This is a list of experimental features that you can enable. These features are still under development; they are not fully tested, and might reduce EUR-Lex stability. Don't forget to give your feedback! Warning! Experimental feature conflicts detected. Replacement of CELEX identifiers by short titles - experimental feature. It replaces clickable CELEX identifiers of treaties and case-law by short titles. Visualisation of document relationships. It displays a dynamic graph with relations between the act and related documents. It is currently only available for legal acts. Deep linking. It enables links to other legal acts referred to within the documents. It is currently only available for documents smaller than 900 KB. Apply EUR-Lex Access to European Union law This document is an excerpt from the EUR-Lex website You are here EUROPA EUR-Lex home EUR-Lex - 62021CJ0252 - EN Help Print Menu EU law Treaties Treaties currently in force Founding Treaties Accession Treaties Other treaties and protocols Chronological overview Legal acts Consolidated texts International agreements Preparatory documents EFTA documents Lawmaking procedures Summaries of EU legislation Browse by EU institutions European Parliament European Council Council of the European Union European Commission Court of Justice of the European Union European Central Bank European Court of Auditors European Economic and Social Committee European Committee of the Regions Browse by EuroVoc EU case-law Case-law Reports of cases Directory of case-law Official Journal Access to the Official Journal Official Journal L series daily view Official Journal C series daily view Browse the Official Journal Legally binding printed editions Special edition National law and case-law National transposition National case-law JURE case-law Information Themes in focus EUR-Lex developments Statistics ELI register What is ELI ELI background Why implement ELI Countries implementing ELI Testimonials Implementing ELI Glossary EU budget online Quick search Use quotation marks to search for an "exact phrase". Append an asterisk ( * ) to a search term to find variations of it (transp * , 32019R * ). Use a question mark ( ? ) instead of a single character in your search term to find variations of it (ca ? e finds case, cane, care). Search tips Need more search options? Use the Advanced search Document 62021CJ0252 Help Print Text Document information Abstract Case file Permanent link Download notice Save to My items Create an email alert Create an RSS alert Judgment of the Court (Grand Chamber) of 4 July 2023.#Meta Platforms Inc and Others v Bundeskartellamt.#Request for a preliminary ruling from the Oberlandesgericht Düsseldorf.#Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Social networks – Abuse of a dominant position by the operator of such a network – Abuse which entails the processing of the personal data of the users of that network as provided for in its general terms of use – Powers of a competition authority of a Member State to find that processing is not consistent with that regulation – Reconciliation with the powers of the national data protection supervisory authorities – Article 4(3) TEU – Principle of sincere cooperation – Points (a) to (f) of the first subparagraph of Article 6(1) of Regulation 2016/679 – Whether the processing is lawful – Article 9(1) and (2) – Processing of special categories of personal data – Article 4(11) – Concept of ‘consent’.#Case C-252/21. Judgment of the Court (Grand Chamber) of 4 July 2023. Meta Platforms Inc and Others v Bundeskartellamt. Request for a preliminary ruling from the Oberlandesgericht Düsseldorf. Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Social networks – Abuse of a dominant position by the operator of such a network – Abuse which entails the processing of the personal data of the users of that network as provided for in its general terms of use – Powers of a competition authority of a Member State to find that processing is not consistent with that regulation – Reconciliation with the powers of the national data protection supervisory authorities – Article 4(3) TEU – Principle of sincere cooperation – Points (a) to (f) of the first subparagraph of Article 6(1) of Regulation 2016/679 – Whether the processing is lawful – Article 9(1) and (2) – Processing of special categories of personal data – Article 4(11) – Concept of ‘consent’. Case C-252/21. Judgment of the Court (Grand Chamber) of 4 July 2023. Meta Platforms Inc and Others v Bundeskartellamt. Request for a preliminary ruling from the Oberlandesgericht Düsseldorf. Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Social networks – Abuse of a dominant position by the operator of such a network – Abuse which entails the processing of the personal data of the users of that network as provided for in its general terms of use – Powers of a competition authority of a Member State to find that processing is not consistent with that regulation – Reconciliation with the powers of the national data protection supervisory authorities – Article 4(3) TEU – Principle of sincere cooperation – Points (a) to (f) of the first subparagraph of Article 6(1) of Regulation 2016/679 – Whether the processing is lawful – Article 9(1) and (2) – Processing of special categories of personal data – Article 4(11) – Concept of ‘consent’. Case C-252/21. Court reports – general ECLI identifier: ECLI:EU:C:2023:537 Expand all Collapse all Languages and formats available Language of the case Language BG ES CS DA DE ET EL EN FR GA HR IT LV LT HU MT NL PL PT RO SK SL FI SV HTML EN Toggle Dropdown BG ES CS DA DE ET EL EN FR GA HR IT LV LT HU MT NL PL PT RO SK SL FI SV PDF EN Toggle Dropdown BG ES CS DA DE ET EL EN FR GA HR IT LV LT HU MT NL PL PT RO SK SL FI SV Document published in the digital reports of cases. They have official status. Multilingual display Language 1 English (en) Bulgarian (bg) Spanish (es) Czech (cs) Danish (da) German (de) Estonian (et) Greek (el) English (en) French (fr) Irish (ga) Croatian (hr) Italian (it) Latvian (lv) Lithuanian (lt) Hungarian (hu) Maltese (mt) Dutch (nl) Polish (pl) Portuguese (pt) Romanian (ro) Slovak (sk) Slovenian (sl) Finnish (fi) Swedish (sv) Language 2 Please choose Bulgarian (bg) Spanish (es) Czech (cs) Danish (da) German (de) Estonian (et) Greek (el) English (en) French (fr) Irish (ga) Croatian (hr) Italian (it) Latvian (lv) Lithuanian (lt) Hungarian (hu) Maltese (mt) Dutch (nl) Polish (pl) Portuguese (pt) Romanian (ro) Slovak (sk) Slovenian (sl) Finnish (fi) Swedish (sv) Language 3 Please choose Bulgarian (bg) Spanish (es) Czech (cs) Danish (da) German (de) Estonian (et) Greek (el) English (en) French (fr) Irish (ga) Croatian (hr) Italian (it) Latvian (lv) Lithuanian (lt) Hungarian (hu) Maltese (mt) Dutch (nl) Polish (pl) Portuguese (pt) Romanian (ro) Slovak (sk) Slovenian (sl) Finnish (fi) Swedish (sv) Display Text JUDGMENT OF THE COURT (Grand Chamber) 4 July 2023 ( *1 ) Table of contents Legal context European Union law Regulation No 1/2003 The GDPR German law The dispute in the main proceedings and the questions referred for a preliminary ruling The questions referred Questions 1 and 7 Question 2 Question 2(a) Question 2(b) Questions 3 to 5 Preliminary observations Questions 3 and 4 Question 5 Question 6 Costs (Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Social networks – Abuse of a dominant position by the operator of such a network – Abuse which entails the processing of the personal data of the users of that network as provided for in its general terms of use – Powers of a competition authority of a Member State to find that processing is not consistent with that regulation – Reconciliation with the powers of the national data protection supervisory authorities – Article 4(3) TEU – Principle of sincere cooperation – Points (a) to (f) of the first subparagraph of Article 6(1) of Regulation 2016/679 – Whether the processing is lawful – Article 9(1) and (2) – Processing of special categories of personal data – Article 4(11) – Concept of ‘consent’) In Case C‑252/21, REQUEST for a preliminary ruling under Article 267 TFEU from the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany), made by decision of 24 March 2021, received at the Court on 22 April 2021, in the proceedings Meta Platforms Inc ., formerly Facebook Inc., Meta Platforms Ireland Ltd , formerly Facebook Ireland Ltd, Facebook Deutschland GmbH v Bundeskartellamt, intervener: Verbraucherzentrale Bundesverband eV, THE COURT (Grand Chamber), composed of K. Lenaerts, President, L. Bay Larsen, Vice-President, A. Prechal, K. Jürimäe, C. Lycourgos, M. Safjan, L.S. Rossi (Rapporteur), D. Gratsias and M.L. Arastey Sahún, Presidents of Chambers, J.-C. Bonichot, S. Rodin, F. Biltgen, M. Gavalec, Z. Csehi and O. Spineanu-Matei, Judges, Advocate General: A. Rantos, Registrar: D. Dittert, Head of Unit, having regard to the written procedure and further to the hearing on 10 May 2022, after considering the observations submitted on behalf of: – Meta Platforms Inc., formerly Facebook Inc., Meta Platforms Ireland Ltd, formerly Facebook Ireland Ltd, and Facebook Deutschland GmbH, by M. Braun, M. Esser, L. Hesse, J. Höft and H.-G. Kamann, Rechtsanwälte, – the Bundeskartellamt, by J. Nothdurft, K. Ost, I. Sewczyk and J. Topel, acting as Agents, – Verbraucherzentrale Bundesverband eV, by S. Louven, Rechtsanwalt, – the German Government, by J. Möller and P.-L. Krüger, acting as Agents, – the Czech Government, by M. Smolek and J. Vláčil, acting as Agents, – the Italian Government, by G. Palmieri, acting as Agent, and E. De Bonis and P. Gentili, avvocati dello Stato, – the Austrian Government, by A. Posch, J. Schmoll and G. Kunnert, acting as Agents, – the European Commission, by F. Erlbacher, H. Kranenborg and G. Meessen, acting as Agents, after hearing the Opinion of the Advocate General at the sitting on 20 September 2022, gives the following Judgment 1 This request for a preliminary ruling concerns the interpretation of Article 4(3) TEU and of Article 6(1), Article 9(1) and (2), Article 51(1) and Article 56(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ( OJ 2016 L 119, p. 1 , and corrigendum OJ 2018 L 127, p. 2 ; ‘the GDPR’). 2 The request has been made in proceedings between Meta Platforms Inc., formerly Facebook Inc., Meta Platforms Ireland Ltd, formerly Facebook Ireland Ltd, and Facebook Deutschland GmbH, on the one hand, and the Bundeskartellamt (Federal Cartel Office, Germany), on the other, concerning the decision by which the latter prohibited those companies from processing certain personal data as provided for in the general terms of use of the social network Facebook (‘the general terms’). Legal context European Union law Regulation (EC) No 1/2003 3 Article 5 of Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles [101 and 102 TFEU] ( OJ 2003 L 1, p. 1 ), entitled ‘Powers of the competition authorities of the Member States’, provides: ‘The competition authorities of the Member States shall have the power to apply Articles [101 and 102 TFEU] in individual cases. For this purpose, acting on their own initiative or on a complaint, they may take the following decisions: – requiring that an infringement be brought to an end, – ordering interim measures, – accepting commitments, – imposing fines, periodic penalty payments or any other penalty provided for in their national law. Where on the basis of the information in their possession the conditions for prohibition are not met they may likewise decide that there are no grounds for action on their part.’ The GDPR 4 Recitals 1, 4, 38, 42, 43, 46, 47, 49 and 51 of the GDPR state: ‘(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the “Charter”) and Article 16(1) [TFEU] provide that everyone has the right to the protection of personal data concerning him or her. … (4) The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity. … (38) Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child. … (42) Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. … For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. (43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance. … (46) The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters. (47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. … At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. … The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. … (49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems … constitutes a legitimate interest of the data controller concerned. … … (51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term “racial origin” in this Regulation does not imply an acceptance by the [European] Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.’ 5 Article 4 of that regulation provides: ‘For the purposes of this Regulation: (1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); … (2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; … (7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; … (11) “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; … (23) “cross-border processing” means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State. …’ 6 Article 5 of that regulation, headed ‘Principles relating to processing of personal data’, provides: ‘1. Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”); (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; … (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”); … 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’ 7 Article 6 of the regulation, entitled ‘Lawfulness of processing’, reads as follows: ‘1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks. … 3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by: (a) Union law; or (b) Member State law to which the controller is subject. … … The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.’ 8 Article 7 of the GDPR, entitled ‘Conditions for consent’, states: ‘1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. … 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.’ 9 Article 9 of that regulation, entitled ‘Processing of special categories of personal data’, provides: ‘1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies: (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law [provides] that the prohibition referred to in paragraph 1 may not be lifted by the data subject; … (e) processing relates to personal data which are manifestly made public by the data subject; (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; …’ 10 Article 13 of that regulation, ‘Information to be provided where personal data are collected from the data subject’, provides, in its paragraph 1, as follows: ‘Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: … (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party; …’ 11 Chapter VI of the GDPR, ‘Independent supervisory authorities’, comprises Articles 51 to 59 of the regulation. 12 Under Article 51(1) and (2) of the GDPR, that article being entitled ‘Supervisory authority’: ‘1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union … 2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the [European] Commission in accordance with Chapter VII.’ 13 As set out in Article 55 of the GDPR, headed ‘Competence’: ‘1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State. 2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.’ 14 Article 56(1) of that regulation, that article being entitled ‘Competence of the lead supervisory authority’, states: ‘Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.’ 15 Article 57(1) of that regulation, that article being entitled ‘Tasks’, provides: ‘Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory: (a) monitor and enforce the application of this Regulation; … (g) cooperate with, including sharing information[,] and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation; …’ 16 Article 58 of the regulation lists, in paragraph 1, the investigative powers available to each supervisory authority and states, in paragraph 5, that ‘each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation’. 17 Section 1, entitled ‘Cooperation’, of Chapter VII of the GDPR comprises Articles 60 to 62 of that regulation. Article 60, ‘Cooperation between the lead supervisory authority and the other supervisory authorities concerned’, provides in paragraph 1: ‘The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.’ 18 Article 61(1) of the GDPR, that article being headed ‘Mutual assistance’, states: ‘Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.’ 19 Article 62 of that regulation, headed ‘Joint operations of supervisory authorities’, provides in paragraphs 1 and 2: ‘1. The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved. 2. Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in joint operations. …’ 20 Section 2, entitled ‘Consistency’, of Chapter VII of the GDPR comprises Articles 63 to 67 of that regulation. Article 63, headed ‘Consistency mechanism’, is worded as follows: ‘In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.’ 21 Article 64(2) of that regulation is worded as follows: ‘Any supervisory authority, the Chair of the [European Data Protection] Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the [European Data Protection] Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.’ 22 Article 65(1) of that regulation, that article being headed ‘Dispute resolution by the Board’, provides: ‘In order to ensure the correct and consistent application of this Regulation in individual cases, the [European Data Protection] Board shall adopt a binding decision in the following cases: (a) where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority and the lead supervisory authority has not followed the objection or has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation; (b) where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment; …’ German law 23 Paragraph 19(1) of the Gesetz gegen Wettbewerbsbeschränkungen (Law against restrictions on competition), in its version published on 26 June 2013 (BGBl. 2013 I, p. 1750, 3245), last amended by Paragraph 2 of the Law of 16 July 2021 (BGBl. 2021 I, p. 2959) (‘the GWB’), provides: ‘The abuse of a dominant position by one or more undertakings is prohibited.’ 24 In accordance with Paragraph 32(1) of the GWB: ‘The competition authority may require undertakings or associations of undertakings to bring to an end an infringement of a provision of this Part or of Articles 101 or 102 [TFEU].’ 25 Paragraph 50f(1) of the GWB provides: ‘The competition authorities, the regulatory authorities, the federal data protection and freedom of information officer, the regional data protection officers and the competent authorities within the meaning of Paragraph 2 of the EU-Verbraucherschutzdurchführungsgesetz [(Law on the implementation of EU consumer protection law)] may, irrespective of the procedure chosen, exchange information, including personal data and trade and business secrets, to the extent necessary for the performance of their respective tasks and may use that information in the course of their proceedings. …’ The dispute in the main proceedings and the questions referred for a preliminary ruling 26 Meta Platforms Ireland operates the online social network Facebook within the European Union and promotes, inter alia via www.facebook.com, services that are free of charge for private users. Other undertakings of the Meta group offer, within the European Union, other online services, including Instagram, WhatsApp, Oculus and – until 13 March 2020 – Masquerade. 27 The business model of the online social network Facebook is based on financing through online advertising, which is tailored to the individual users of the social network according, inter alia, to their consumer behaviour, interests, purchasing power and personal situation. Such advertising is made possible in technical terms by the automated production of detailed profiles in respect of the network users and the users of the online services offered at the level of the Meta group. To that end, in addition to the data provided by the users directly when they sign up for the online services concerned, other user- and device-related data are also collected on and off that social network and the online services provided by the Meta group, and linked to their various user accounts. The aggregate view of the data allows detailed conclusions to be drawn about those users’ preferences and interests. 28 For the processing of those data, Meta Platforms Ireland relies on the user agreement to which the users of the social network Facebook adhere when they click on the ‘Sign up’ button, thereby accepting the general terms drawn up by that company. Acceptance of those terms is necessary in order to be able to use the social network Facebook. With regard to the processing of personal data, the general terms refer to that company’s data and cookies policies. According to those policies, Meta Platforms Ireland collects user- and device-related data about user activities on and off the social network and links the data with the Facebook accounts of the users concerned. The latter data, relating to activities outside the social network (‘the off-Facebook data’), are data concerning visits to third-party webpages and apps, which are linked to Facebook through programming interfaces – ‘Facebook Business Tools’ – as well as data concerning the use of other online services belonging to the Meta group, including Instagram, WhatsApp, Oculus and – until 13 March 2020 – Masquerade. 29 The Federal Cartel Office brought proceedings against Meta Platforms, Meta Platforms Ireland and Facebook Deutschland, as a result of which, by decision of 6 February 2019, based on Paragraph 19(1) and Paragraph 32 of the GWB, it essentially prohibited those companies from making, in the general terms, the use of the social network Facebook by private users resident in Germany subject to the processing of their off-Facebook data and from processing the data without their consent on the basis of the general terms in force at the time. In addition, it required them to adapt those general terms in such a way that it is made clear that those data will neither be collected, nor linked with Facebook user accounts nor used without the consent of the user concerned, and it clarified the fact that such a consent is not valid if it is a condition for using the social network. 30 The Federal Cartel Office based its decision on the fact that the processing of the data of the users concerned, as provided for in the general terms and implemented by Meta Platforms Ireland, constituted an abuse of that company’s dominant position on the market for online social networks for private users in Germany, within the meaning of Paragraph 19(1) of the GWB. In particular, according to the Federal Cartel Office, those general terms, as a result of that dominant position, constitute an abuse since the processing of the off-Facebook data that they provide for is not consistent with the underlying values of the GDPR and, in particular, it cannot be justified in the light of Article 6(1) and Article 9(2) of that regulation. 31 On 11 February 2019, Meta Platforms, Meta Platforms Ireland and Facebook Deutschland brought an action against the decision of the Federal Cartel Office before the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany). 32 On 31 July 2019, Meta Platforms Ireland introduced new general terms expressly stating that the user, instead of paying to use Facebook products, agrees to being shown advertisements. 33 Furthermore, since 28 January 2020, Meta Platforms has been offering, at a global level, ‘ Off-Facebook Activity ’, which allows the users of the social network Facebook to view a summary of the information about them that Meta group companies obtain in relation to their activities on other websites and apps, and to disconnect the data about past and future activities from their Facebook.com account if they so wish. 34 The Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf) has doubts (i) as to whether national competition authorities may review, in the exercise of their powers, whether the processing of personal data complies with the requirements set out in the GDPR; (ii) as to whether the operator of an online social network may process the data subject’s sensitive personal data within the meaning of Article 9(1) and (2) of that regulation; (iii) as to the lawfulness of the processing by such an operator of the personal data of the user concerned, under Article 6(1) of that regulation; and (iv) as to the validity, in the light of point (a) of the first subparagraph of Article 6(1) and Article 9(2)(a) of that regulation, of the consent given to an undertaking with a dominant position on the national market for online social networks for the purposes of such processing. 35 In those circumstances, taking the view that the resolution of the case in the main proceedings depends on the answer to those questions, the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling: ‘(1) (a) Is it compatible with Article 51 et seq. of the GDPR if a national competition authority – such as the … Federal Cartel Office – which is not a supervisory authority within the meaning of Article 51 et seq. of the GDPR, of a Member State in which an undertaking established outside the European Union has an establishment that provides the main establishment of that undertaking – which is located in another Member State and has sole responsibility for processing personal data for the entire territory of the European Union – with advertising, communication and public relations support, finds, for the purposes of monitoring abuses of competition law, that the main establishment’s contractual terms relating to data processing and their implementation breach the GDPR and issues an order to end that breach? (b) If so: is that compatible with Article 4(3) TEU if, at the same time, the lead supervisory authority in the Member State in which the main establishment, within the meaning of Article 56(1) of the GDPR, is located is investigating the undertaking’s contractual terms relating to data processing? If the answer to Question 1 is “yes”: (2) (a) If an internet user merely visits websites or apps to which the criteria of Article 9(1) of the GDPR relate, such as flirting apps, gay dating sites, political party websites or health-related websites, or also enters information into them, for example when registering or when placing orders, and [an] undertaking, such as [Meta Platforms Ireland], uses interfaces integrated into those websites and apps, such as “Facebook Business Tools”, or cookies or similar storage technologies placed on the internet user’s computer or mobile device, to collect data about those visits to the websites and apps and the information entered by the user, and links those data with the data from the user’s Facebook.com account and uses them, does this collection and/or linking and/or use involve the processing of sensitive data for the purpose of that provision? (b) If so: does visiting those websites or apps and/or entering information and/or clicking or tapping on the buttons integrated into them by a provider such as [Meta Platforms Ireland] (social plugins such as “Like”, “Share” or “Facebook Login” or “Account Kit”) constitute manifestly making the data about the visits themselves and/or the information entered by the user public within the meaning of Article 9(2)(e) of the GDPR? (3) Can an undertaking, such as [Meta Platforms Ireland], which operates a digital social network funded by advertising and offers personalised content and advertising, network security, product improvement and consistent, seamless use of all of its group products in its terms of service, justify collecting data for these purposes from other group services and third-party websites and apps via integrated interfaces such as “Facebook Business Tools”, or via cookies or similar storage technologies placed on the internet user’s computer or mobile device, linking those data with the user’s Facebook.com account and using them, on the ground of necessity for the performance of the contract under Article 6(1)(b) of the GDPR or on the ground of the pursuit of legitimate interests under Article 6(1)(f) of the GDPR? (4) In those circumstances, can – the fact of users being underage, vis-à-vis the personalisation of content and advertising, product improvement, network security and non-marketing communications intended for the user; – the provision of measurements, analytics and other business services to enable advertisers, developers and other partners to evaluate and improve their services; – the provision of marketing communications intended for the user to enable the undertaking to improve its products and engage in direct marketing; – research and innovation for social good, to further the state of the art or the academic understanding of important social issues and to affect society and the world in a positive way; – the sharing of information with law-enforcement agencies and responding to legal requests in order to prevent, detect and prosecute criminal offences, unlawful use, breaches of the terms of service and policies and other harmful behaviour; also constitute legitimate interests within the meaning of Article 6(1)(f) of the GDPR if, for those purposes, the undertaking [collects data from other group services and from third-party websites and apps via integrated interfaces such as “Facebook Business Tools”, or via cookies or similar storage technologies placed on the internet user’s computer or mobile device, links those data with the user’s Facebook.com account and uses them]? (5) In those circumstances, can collecting data from other group services and from third-party websites and apps via integrated interfaces such as “Facebook Business Tools”, or via cookies or similar storage technologies placed on the internet user’s computer or mobile device, linking those data with the user’s Facebook.com account and using them, or using data already collected and linked by other lawful means, also be justified under Article 6(1)(c), (d) and (e) of the GDPR in individual cases, for example to respond to a legitimate request for certain data (point (c)), to combat harmful behaviour and promote security (point (d)), to research for social good and to promote safety, integrity and security (point (e))? (6) Can consent within the meaning of Article 6(1)(a) and Article 9(2)(a) of the GDPR be given effectively and, in accordance with Article 4(11) of the GDPR in particular, freely, to a dominant undertaking such as [Meta Platforms Ireland]? If the answer to Question 1 is “no”: (7) (a) Can the national competition authority of a Member State, such as the Federal Cartel Office, which is not a supervisory authority within the meaning of Article 51 et seq. of the GDPR and which examines a breach by a dominant undertaking of the competition-law prohibition on abuse that is not a breach of the GDPR by that undertaking’s data processing terms and their implementation, make findings, when assessing the balance of interests, as to whether those data processing terms and their implementation comply with the GDPR? (b) If so: in the light of Article 4(3) TEU, does that also apply if the competent lead supervisory authority in accordance with Article 56(1) of the GDPR is investigating the undertaking’s data processing terms at the same time? If the answer to Question 7 is “yes”, Questions 3 to 5 must be answered in relation to data from the use of the group’s Instagram service.’ The questions referred Questions 1 and 7 36 By Questions 1 and 7, which it is appropriate to examine together, the referring court asks, in essence, whether Article 51 et seq. of the GDPR must be interpreted as meaning that a competition authority of a Member State can find, in the context of the examination of an abuse of a dominant position by an undertaking within the meaning of Article 102 TFEU, that that undertaking’s general terms of use relating to the processing of personal data and the implementation thereof are not consistent with the GDPR, and if so, whether Article 4(3) TEU must be interpreted as meaning that such a finding, of an incidental nature, by the competition authority is also possible where those terms are being investigated, simultaneously, by the competent lead supervisory authority in accordance with Article 56(1) of the GDPR. 37 In order to answer that question, it is important to recall at the outset that Article 55(1) of the GDPR states the general rule that each supervisory authority is to be competent for the performance of the tasks assigned to it and the exercise of the powers conferred on it, in accordance with that regulation, on the territory of its own Member State (judgment of 15 June 2021, Facebook Ireland and Others, C‑645/19 , EU:C:2021:483 , paragraph 47 and the case-law cited). 38 The tasks assigned to those supervisory authorities include monitoring and enforcing the application of the GDPR, as provided for in Article 51(1) and Article 57(1)(a) of that regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of such data within the European Union. In addition, in accordance with Article 51(2) and Article 57(1)(g) of that regulation, the supervisory authorities must cooperate with each other, including sharing information, and provide mutual assistance with a view to ensuring the consistency of application and enforcement of the regulation. 39 In order to carry out those tasks, Article 58 of the GDPR confers on those supervisory authorities, in paragraph 1, investigative powers, in paragraph 2, corrective powers, and in paragraph 5, the power to bring infringements of that regulation to the attention of the judicial authorities and, where appropriate, to commence legal proceedings in order to enforce the provisions of that regulation. 40 Without prejudice to the rule on competence set out in Article 55(1) of the GDPR, Article 56(1) of that regulation lays down, with respect to ‘cross-border processing’, within the meaning of Article 4(23) of that regulation, the ‘one-st