CJEU says observed personal data is collected directly from the data subject — what it means in practice

In December 2025, the Court of Justice of the European Union clarified when personal data should be regarded as being "collected from the data subject" — a judgment important not only for application of the EU General Data Protection Regulation, but several other EU data regulations that rely on a similar distinction.

Decision followed body-worn cameras used to tackle public transport fare evasions

In 2018, Stockholm, Sweden's public transportation authority, Storstockholms Lokaltrafik, equipped ticket inspectors with body-worn cameras. The camera monitoring and related data processing was intended to prevent and document threats and violence against inspectors, and verify the identity of passengers required to pay a fine for traveling without a valid ticket.

SL designed the camera system with privacy safeguards in mind. The cameras operated with a so-called "memory loop," meaning all recorded footage was automatically deleted after a predefined period. Initially, recordings were retained for two minutes, which was later reduced to one minute. Inspectors could interrupt the automatic deletion by pressing a button if a fine was imposed or if they felt threatened.

Observed data is collected directly from the data subject

Sweden's data protection authority, the Integritetsskyddsmyndigheten, reviewed the use of cameras in Stockholm's public transportation system in 2021, determining that, among other issues, passengers had not been provided sufficient information about the processing of their personal data.

SL challenged the decision in court. Ultimately, the case reached the CJEU, which was asked to determine whether monitoring individuals via cameras constitutes collecting personal data directly from the data subject.

Why does it matter?

The GDPR distinguishes between two situations of data collection: personal data collected directly from the data subject; and personal data collected from other sources — such as another data controller, public sources, etc.