Case C-804/25 - Request for Preliminary Ruling on International Data Transfers and GDPR Compatibility

An official website of the European Union How do you know?
1. EUROPA
2. EUR-Lex home
3. EUR-Lex - 62025CN0804 - EN

• Help
• Print
• Share Menu Search tips Need more search options? Use the Advanced search Document 62025CN0804

Case C-804/25, Autorité de protection des données: Request for a preliminary ruling from the Cour d’appel de Bruxelles (Belgium) lodged on 10 December 2025 – État belge v Autorité de protection des données

OJ C, C/2026/2199, 27.4.2026, ELI: http://data.europa.eu/eli/C/2026/2199/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

ELI: http://data.europa.eu/eli/C/2026/2199/oj

Expand all Collapse all Languages, formats and authentic version

• BG
• ES
• CS
• DA
• DE
• ET
• EL
• EN
• FR
• GA
• HR
• IT
• LV
• LT
• HU
• MT
• NL
• PL
• PT
• RO
• SK
• SL
• FI
• SV HTML

-

-

-

-

-

-

-

-

-

-

-

-

PDF - authentic OJ

-

-

-

-

-

-

-

-

-

-

-

• e-signature

-

-

-

-

-

-

-

-

-

-

-

-

How to verify the authenticity of the Official Journal Multilingual display

Display Text

| | Official Journal
of the European Union | EN

C series |

| | C/2026/2199 | 27.4.2026 |
Request for a preliminary ruling from the Cour d’appel de Bruxelles (Belgium) lodged on 10 December 2025 – État belge v Autorité de protection des données

(Case C-804/25, Autorité de protection des données)

(C/2026/2199)

Language of the case: French

Referring court

Cour d’appel de Bruxelles

Parties to the main proceedings

Applicant: État belge

Defendant: Autorité de protection des données

Other parties to the proceedings: JC, Accidental Americans Association of Belgium (AAAB)

Questions referred

| 1. | Having regard to Article 96 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) (1), does an international agreement concluded by a Member State before 24 May 2016 involving the transfer of personal data to a third country comply with EU law as applicable before 24 May 2016 and, more specifically, with Article 6(1)(b), (c) and (e) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (2), read, where appropriate, in conjunction with Articles 7, 8 and 52 of the Charter of Fundamental Rights, in so far as that agreement provides, for tax purposes and in order to ensure compliance with international tax rules and the implementation of obligations under the US FATCA to combat tax avoidance by US nationals, for the automatic transfer in accordance with the rules on confidentiality to that third country of data relating to the financial accounts of all nationals of that State (data which, in practice, includes, inter alia, the name, address, tax identification number (TIN) assigned to the account holder by his or her State of residence, date of birth, account number, balance or value on the account at the end of the calendar year concerned or another appropriate reference period, particular data in the case of a securities account, deposit account or other type of account) without prior selection of accounts posing a risk of tax avoidance, without any time limit for the retention of data provided for in that agreement, and with the USD 50 000 threshold provided for in Annex I being subject to the goodwill of the financial institutions? |

| 2. | Can such an agreement be justified on the basis of Article 26(1)(d) of Directive 95/46/EC if the third State concerned does not guarantee effective reciprocity? |
3.

Is Article 26(2) of Directive 95/46/EC, read in conjunction with Articles 7, 8 and 52 of the Charter of Fundamental Rights, to be interpreted as meaning that the adequate safeguards mentioned in that provision:

| — | relate in particular to the reference to the period for which the data is kept for the purposes of Article 6(1)(e) of the directive and to the rights to information referred to in Articles 10 and 11 thereof? |

| — | include the definition of the scope of the limitation of the right to privacy and the right to the protection of personal data? |

| — | must, in the case of an agreement providing for the transfer of personal data, be explicitly included in that agreement? |

| 4. | If the answer to all or part of Question 3 is in the affirmative, in the light of Article 96 of the GDPR, does an international agreement concluded by a Member State before 24 May 2016 that involves the transfer of personal data to a third country comply with EU law as it applied before 24 May 2016 and, more specifically, Article 26(2) of Directive 95/46/EC, read, where appropriate, in conjunction with Articles 7, 8 and 52 of the Charter of Fundamental Rights, if it does not expressly provide for the sufficient safeguards referred to in that provision? |

| 5. | If Questions 1 and/or 2 and/or 4 are answered in the affirmative, must the transfer of personal data pursuant to that international agreement nevertheless comply, from 24 May 2018, with the provisions of the GDPR as regards matters not specifically covered or excluded by that agreement, in particular Articles 5(2), 12, 14, 24 and 35 thereof? |

| 6. | Does the controller bear the burden of proving the conditions set out in Article 96 of the GDPR are met? |
7.

| (a) | Must Article 96 of the GDPR, taken in isolation or read in conjunction with Article 4(3) of the Treaty on European Union, Article 351 of the Treaty on the Functioning of the European Union and Articles 7, 8 and 52 of the Charter of Fundamental Rights be interpreted as meaning that the Member States are obliged to make their best efforts to amend, replace or revoke international treaties to which they are parties that do not comply with the provisions of that regulation? |

| (b) | May a Member State which, in 2025, did not make its best efforts to amend, replace or revoke an international treaty to which it is a party which does not comply with the provisions of the GDPR rely on Article 96 of that regulation to justify conduct incompatible with that regulation? |
8.

If Questions 1, 2 or 4 are answered in the negative:

| (a) | must such an agreement be disapplied by the national court of its own motion? |

| (b) | must the national court verify whether such an agreement complies with the GDPR? |

| 9. | If Questions 1, 2 or 4 are answered in the negative and the Question 8(b) is answered in the affirmative, does an international agreement, as described in Question 1, comply with the GDPR and, more specifically, with Article 5(1)(b) and (c) thereof, read, where appropriate, in conjunction with Articles 7, 8 and 52 of the Charter of Fundamental Rights? |

| 10. | Does Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (3) constitute an adequacy decision within the meaning of Article 45(3) of the GDPR as regards transfers of the data at issue carried out for tax purposes? |
11.

If Questions 1, 2 or 4 are answered in the negative and Question 8(b) is answered in the affirmative, must Article 46 of the GDPR be interpreted as meaning that:

—

the appropriate safeguards to which it refers include all or some of the following safeguards:

| (1) | definitions of basic concepts (which includes the following concepts: ‘personal data’, ‘processing of personal data’, ‘controller’, ‘processor’, ‘recipient’ and ‘sensitive data’), |

| (2) | basic data protection principles (including the principles of ‘purpose limitation’, ‘accuracy and minimisation’ (or proportionality), time limitation of data retention, |

| (3) | data subjects’ rights (including the right to information, the right of access, the right to rectification, the right to erasure, the right to restriction or the right to object, the right not to be subject to automated individual decision-making within the meaning of Article 22 of the GDPR, and the procedures for exercising those rights), |

| (4) | limiting onward transfer and data sharing, |

| (5) | effective remedies, |

| (6) | control mechanisms, and |

| (7) | the principle of responsibility? |

| — | those safeguards must be explicitly included in the binding legal instrument referred to in Article 46(2)(a) of the GDPR? |

| — | that binding legal instrument is, where there is a treaty governing transfers of personal data to third countries, only that treaty or may it include the instrument transposing that treaty into national law? |
12.

If Questions 1, 2 or 4 are answered in the negative and Question 8(b) is answered in the affirmative:

| (a) | must Article 49(1)(d) of the GDPR be interpreted as permitting or prohibiting an international agreement involving the transfer of personal data to a third country which provides, for tax purposes, for the automatic transfer to that third country of the financial data of all nationals of that State (as set out in the first question)? |

| (b) | is the level of reciprocity of data exchange a relevant criterion for determining the answer to that question? |
13.

If Questions 1, 2 or 4 are answered in the negative and Question 8(b) is answered in the affirmative:

| (a) | can the ‘information’ referred to in the information waiver provided for in Article 14(5)(a) of the GDPR have been provided by the controllers who collected the data directly from the data subject? |

| (b) | in that case, who bears the burden of proving that the information has been communicated, having regard in particular to Article 5(1)(a) and (2) of the GDPR? |
(1) OJ 2016 L 119, p. 1.

(2) OJ 1995 L 281, p. 31.

(3) OJ 2023 L 231, p. 118.

ELI: http://data.europa.eu/eli/C/2026/2199/oj

ISSN 1977-091X (electronic edition)

Top