In December 2025, the Court of Justice of the European Union clarified when personal data should be regarded as being "collected from the data subject." The judgment is important not only for the application of the EU General Data Protection Regulation, but also for several other EU data regulations that rely on a similar distinction.
Decision followed use of body-worn cameras to tackle public transport fare evasion
In 2018, Stockholm, Sweden's public transportation authority, Storstockholms Lokaltrafik (SL), equipped ticket inspectors with body-worn cameras. The camera monitoring and related data processing were intended to prevent and document threats and violence against inspectors, and to verify the identity of passengers required to pay a fine for traveling without a valid ticket.
SL designed the camera system with privacy safeguards in mind. The cameras operated with a so-called "memory loop," meaning all recorded footage was automatically deleted after a predefined period. Initially, recordings were retained for two minutes, which was later reduced to one minute. Inspectors could interrupt the automatic deletion by pressing a button if a fine was imposed or if they felt threatened.
Observed data is collected directly from the data subject
Sweden's data protection authority, the Integritetsskyddsmyndigheten, reviewed the use of cameras in Stockholm's public transportation system in 2021, determining that, among other issues, passengers had not been provided sufficient information about the processing of their personal data.
SL challenged the decision in court. Ultimately, the case reached the CJEU, which was asked to determine whether monitoring individuals via cameras constitutes collecting personal data directly from the data subject.
Why does it matter?
The GDPR distinguishes between two situations of data collection: personal data collected directly from the data subject; and personal data collected from other sources — such as another data controller, public sources, etc.
Depending on the source of the data, controllers are subject to different transparency obligations. Where personal data is collected directly from the data subject, the data controller must provide the data subjects with the information listed in Article 13 of the GDPR. Where data is collected from other sources, Article 14 of the GDPR applies.
The CJEU's conclusion
Considering the structure, context and purpose of the GDPR, the CJEU concluded that personal data obtained through direct observation of a data subject or monitoring of their activity is considered collected from the data subject.
This situation involves any direct interaction between the controller and the data subject, without an intermediary such as another controller. This distinguishes it from cases where personal data is obtained indirectly from another controller with whom the data subject has or had a separate relationship — for example, as a customer or employee.
As a result, personal data collected through cameras or other tools and technologies — like trail cameras, drones, smart devices or wearables — must be considered as data obtained directly from the data subject. Controllers must therefore comply with the transparency requirements set out in Article 13 of the GDPR.
How should data subjects be informed?
The CJEU emphasized that applying Article 13 of the GDPR in this context does not mean that ticket inspectors must verbally provide full privacy information to every passenger they check.
The court referred to the concept of layered information, as described in the European Data Protection Board's Guidelines 3/2019 of 29 Jan. 2020 on the processing of personal data through video devices. Essential information — such as the fact that processing takes place, who the controller is, and for what purpose the data is processed — may be provided on information notices or signage, while more detailed information can be made available, for example, on the controller's website.
Impact of the judgment on other EU data regulations
The clarification of what constitutes "data collected from the data subject" is relevant beyond the GDPR.
EU institutions' data protection regulation. Regulation (EU) 2018/1725, which governs the processing of personal data by EU institutions, bodies, offices and agencies, follows a structure very similar to the GDPR. Article 15 applies where personal data is collected directly from the data subject, while Article 16 applies where data is obtained otherwise.
The CJEU's conclusions are therefore fully applicable to the processing of personal data by EU institutions and bodies under this regulation, for example by closed-circuit television or similar security equipment.
Law Enforcement Directive. Transposed into national law by EU member states, the Law Enforcement Directive does not distinguish between data obtained directly from the data subject and data obtained from other sources.
Given the specific nature of law enforcement activities, Article 13 of the directive sets out a uniform transparency obligation, regardless of how the data is collected.
Regulation on transparency and targeting of political advertising. Regulation (EU) 2024/900 establishes specific conditions under which personal data may be used for political advertising. One of these conditions is that the personal data is collected directly from the data subject. Other conditions include the data subject's consent and a prohibition on profiling.
The CJEU's interpretation in the SL case will therefore also affect the use of personal data for political advertising, potentially including, subject to additional conditions, data collected through recordings of political gatherings or events.
Data Act. Among other objectives, the Data Act aims to ensure access for users to data generated by connected products and related services.
In light of the CJEU judgment, such data will typically be considered as collected directly from the data subject through monitoring of their use of the product or service. Controllers — including manufacturers and service providers — will therefore be subject to the transparency obligations under Article 13 of the GDPR.
Artificial Intelligence Act. The AI Act also relies on transparency principles, including transparency toward individuals affected by the use of AI tools. However, it does not distinguish between personal data collected directly from the data subject and data obtained from other sources.
As a result, transparency obligations concerning personal data processing in AI contexts — for example, employee monitoring or anti-fraud systems in financial institutions — continue to be governed by the GDPR as such. Deployers — data controllers — must therefore assess whether personal data is obtained directly from the data subject or from another source and apply Article 13 or Article 14 of the GDPR accordingly.
Other EU data regulations
Most other EU data-related regulations — such as the Digital Markets Act, Digital Services Act or Data Governance Act — primarily refer back to the GDPR without introducing a separate distinction based on the source of personal data.
Entities subject to these regulations must therefore independently assess whether they collect personal data directly from the data subject or indirectly, from other sources, and comply with the corresponding transparency obligations under Article 13 or Article 14 of the GDPR.
František Nonnemann is a compliance, cybersecurity and operational risk consultant cooperating with compliance startup Myriad AI.

