
According to the CJEU, the gender identity of the customer is not a necessary piece of information for the purchase of a transport ticket
The Court of Justice of the European Union (CJEU) has issued a key judgment in Case C-394/23, Mousse, which reinforces the principle of data minimisation within the framework of the General Data Protection Regulation (GDPR). In this decision, the CJEU established that the obligation to indicate a term of courtesy based on gender identity for the purchase of a transport ticket is not objectively indispensable and therefore does not comply with the requirements of the GDPR.
This ruling has important implications for digital law and data protection, as it confirms that companies must limit the collection of personal information to the minimum necessary for the provision of a service. As lawyers specialising in data protection and intellectual property, we highlight the relevance of this decision in the regulation of data processing by companies and public administrations.
Consumer data protection in transport
The GDPR requires that the processing of personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed. In this case, the French railway company SNCF Connect required its customers to select a courtesy term (“Sir” or “Madam”) when purchasing tickets online. The Mousse association challenged this practice before the French Commission Nationale de l’Informatique et des Libertés (CNIL), arguing that it violated the GDPR’s data minimisation principle.
The CJEU ruled that gender identification is not necessary for the purchase of a transport ticket and that companies can use generic and inclusive terms of courtesy without affecting the provision of the service. This ruling reinforces the obligation of companies to justify any collection of personal data and to avoid unnecessary processing that may generate discrimination based on gender identity.
What does this mean for companies and public administrations?
For companies and public administrations, this decision implies the need to review their practices for collecting and processing personal data. Data protection lawyers recommend carrying out GDPR compliance audits and assessing whether the information requested from clients is strictly necessary for the provision of a service.
The main implications of this ruling include:
- Modification of forms and processes: companies must eliminate the collection of gender identity data in cases where it is not essential.
- Improved transparency: users must be clearly informed about the use of their personal data and any additional processing must be justified.
- Reducing the risk of sanctions: complying with the GDPR helps avoid fines and litigation arising from improper data processing.
At Letslaw, as lawyers specialising in digital law and intellectual property, we advise companies on compliance with the GDPR and the adaptation of their privacy policies to European regulations. If you need legal advice on data protection and privacy, do not hesitate to contact us.