Data Minimization: Less is More in Privacy Protection
February 12, 2025
In the era of digital communication and widespread internet use, the collection of personal data has become a routine practice, often without deeper consideration of whether such data is truly necessary.
One common example is the requirement to indicate gender when creating an online account, purchasing products and services via online platforms, or receiving personalized communication in promotional emails.
However, the question arises: is collecting such data truly necessary, and is this practice in line with the principles of personal data protection?
Legal Framework in Serbia: The Principle of Data Minimization
The domestic legal framework recognizes the importance of limiting data processing to what is necessary for a specific purpose. The Law on Personal Data Protection (Official Gazette of the RS No. 87/2018) (“LPDP”) establishes the principle of minimization as one of the key principles of personal data processing. This principle requires that personal data be adequate, relevant, and limited to what is necessary for the purpose of processing.
In practice, the question often arises: where is the boundary of necessity in data processing? Is specifying a user’s gender necessary for online registration or a purchase?
A strict interpretation of the LPDP suggests that if a particular piece of data is not necessary for achieving a specific purpose, its processing does not comply with the minimization principle and may be considered unlawful.
Given that a user’s gender is not essential for providing this type of service, collecting and further processing such data is excessive and incompatible with the fundamental principles of personal data processing.
EU Regulation and Case Law: European Court of Justice Judgment in the SNCF Case
The European Court of Justice (“CJEU”) has recently rendered a judgment against the French railway operator (SNCF), which required passengers to indicate whether they were “Monsieur” or “Madame” when purchasing train tickets online.
In its decision, the Court emphasized that the data being processed must be adequate, relevant, and limited to what is necessary for the purpose of processing. In this specific case, the CJEU concluded that the data controller failed to demonstrate that gender designation was necessary for completing the transaction, confirming that such a practice is not in compliance with the General Data Protection Regulation (“GDPR”).
Significance of the Judgment for Domestic Practice
Although Serbia is not an EU member, its legislation is mostly aligned with European regulations, meaning that judgments like this could influence the practices of domestic companies and regulatory authorities.
The CJEU’s judgment may serve as a guideline for reviewing existing practices in Serbia, particularly regarding the application of the principle of data minimization.
Companies that collect gender data for promotional or administrative purposes should reassess its actual necessity and ensure that their business processes comply with the legal standards for personal data protection.
This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.