An online marketplace operator that is the controller of the personal data in advertisements published on its marketplace cannot rely on Articles 12 to 15 of Directive 2000/31 on the liability of intermediary providers in relation to an infringement of its obligations under Article 5(2), Articles 24 to 26, and Article 32 of Regulation 2016/679.

A national authority responsible for keeping a public register must rectify personal data on a natural person's gender identity where those data are inaccurate within the meaning of Article 5(1)(d) of Regulation 2016/679.

Processing customers' title data by a transport undertaking in order to personalise commercial communications based on gender identity does not appear to be objectively indispensable or essential to the proper performance of a contract and therefore cannot be regarded as necessary for performing that contract. The same processing cannot be regarded as necessary for the legitimate interests pursued by the controller or by a third party where those customers were not informed of the legitimate interest pursued when the data were collected. The same processing cannot be so regarded where it is not carried out only in so far as is strictly necessary to attain that legitimate interest. The same processing cannot be so regarded where, in the light of all the relevant circumstances, those customers' fundamental freedoms and rights prevail over that legitimate interest, in particular because of a risk of discrimination on grounds of gender identity.

Under Article 88(1) and (2) of Regulation 2016/679, a national-law provision on the processing of personal data for the purposes of employment relationships that was adopted pursuant to Article 88(1) must require its addressees to comply not only with Article 88(2), but also with Article 5, Article 6(1), and Article 9(1) and (2).

Where a collective agreement falls within Article 88(1) of Regulation 2016/679, the parties' discretion to decide whether processing is 'necessary' under Articles 5, 6(1) and 9(1) and (2) does not prevent the national court from carrying out a full judicial review of that question.

The data minimisation principle in Article 5(1)(c) of Regulation 2016/679 bars a controller, such as the operator of an online social network platform, from aggregating, analysing and processing for targeted advertising any personal data obtained from the data subject or from third parties and collected on or outside that platform, without any time limit and without distinguishing by type of data.

An agency or body responsible for a Member State's official journal that qualifies as a controller is solely responsible for compliance with the Article 5(1) principles for the processing operations it must carry out under national law, unless that law makes it jointly responsible with other entities for those operations.

Article 9(3) of Regulation 2016/679 does not itself require a controller processing health data on the basis of Article 9(2)(h) to ensure that no colleague of the data subject can access the data. That obligation may nonetheless arise under national rules adopted under Article 9(4) or under the integrity and confidentiality principles in Article 5(1)(f), as defined in Article 32(1)(a) and (b).

A private credit information agency may not keep, in its own database, information taken from a public register about a natural person's discharge from remaining debts for longer than that information remains in the public register, even if it does so to provide information on that person's solvency.

A controller's failure to comply with Articles 26 or 30 of Regulation 2016/679 does not by itself make the processing unlawful or give the data subject a right to erasure under Article 17(1)(d) or restriction under Article 18(1)(b). That remains so provided that the failure does not, as such, amount to an infringement of the principle of accountability in Article 5(2), read with Article 5(1)(a) and the first subparagraph of Article 6(1).

When deciding whether to order production of a document containing personal data, the national court must consider the interests of the data subjects and balance them in light of all the circumstances, the type of proceedings, and the requirements of proportionality, in particular the data-minimisation principle in Article 5(1)(c) of Regulation 2016/679.

A national supervisory authority may require a provider of publicly available telephone directories and directory enquiry services, acting as controller, to take appropriate technical and organisational measures to inform third-party controllers that the subscriber has withdrawn consent. Those third-party controllers may include the telephone operator that supplied the subscriber's data to that provider and other directory or directory enquiry providers to whom that provider supplied the data.

The storage-limitation principle precludes a controller from storing, in a database created for testing and error correction, personal data previously collected for other purposes for longer than is necessary for those tests and corrections.

The collection by a Member State's tax authorities, from an economic operator, of information involving a significant amount of personal data is subject to Regulation 2016/679, in particular Article 5(1).

A Member State's tax authorities may not derogate from Article 5(1) of Regulation 2016/679 unless a legislative measure within the meaning of Article 23(1) grants them that right.

Regulation (EU) 2016/679, in particular Article 5(1), Article 6(1)(e) and Article 10, precludes national legislation that requires the public body responsible for the register of penalty points imposed on drivers of vehicles for road traffic offences to make those data accessible to the public, where the person requesting access does not have to establish a specific interest in obtaining them.

Regulation (EU) 2016/679, in particular Article 5(1), Article 6(1)(e) and Article 10, precludes national legislation that authorises the public body responsible for the register of penalty points imposed on drivers of vehicles for road traffic offences to disclose those data to economic operators for re-use.