Referral C-222/25 (Rahapesu Andmebüroo, 21 Mar 2025)

Must Article 2(2)(d) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) and Article 2(1) in conjunction with Article 1 of Directive (EU) 2016/680 2 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Framework Decision 2008/977/JHA, be interpreted as meaning that the possible processing of personal data by a financial intelligence unit constitutes processing of personal data by the competent authority for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, even if the financial intelligence unit is not an investigative body as referred to in the Code of Criminal Procedure?

Must Article 23(2)(h) GDPR and Article 15(3) of Directive 2016/680 be interpreted as meaning that in administrative or judicial proceedings it is possible to refuse to disclose to the data subject the legal act on the basis of which a refusal to provide information regarding personal data of that data subject has been made, in order to prevent confirming or denying the fact that personal data related to that data subject has been processed, where that data subject has no knowledge of any such processing, and, in such a situation, may data subjects also be refused information as to whether it is possible for them to exercise the right referred to in Article 17(1) of Directive 2016/680?

Must Article 15 of Directive 2016/680 and Article 23 of the GDPR be interpreted as meaning that national legislation which confers on the head of a financial intelligence unit the power to restrict the rights of data subjects and which specifies the purpose, conditions, and temporal and geographical scope of the restriction of data subjects’ rights in conjunction with other legal provision, including subordinate legal provisions, is compatible with those articles?

Must Article 15 of Directive 2016/680 and Article 23 of the GDPR be interpreted as meaning that a national provision which restricts completely the exercise of the right provided for in Article 14 of Directive 2016/680 and Article 15 of the GDPR until the data is destroyed, such that the data subject can never obtain information regarding that data is compatible with those articles?