When are personal data collected directly from the data subject, and when are they obtained indirectly?
This distinction is not semantic. It determines which transparency regime applies under the GDPR and therefore whether a processing operation is lawful from the outset.
In a landmark ruling of 18 December 2025 (CJEU, Case C‑422/24), the Court of Justice of the European Union provided long‑awaited clarification, with immediate implications for video surveillance, body‑worn cameras, biometric systems and other observation‑based technologies.
The legal framework: two regimes, one decisive criterion
The GDPR establishes two distinct information regimes:
• Article 13 GDPR applies when personal data are collected from the data subject.
• Article 14 GDPR applies when data are obtained from another source.
The obligations are not equivalent. Article 13 requires immediate information at the time of collection, whereas Article 14 allows delayed information and contains exemptions, including cases involving disproportionate effort.
The key question addressed by the Court was therefore simple but decisive:
Does passive observation mean indirect collection?
The argument rejected by the Court
The data controller argued that data captured via body‑worn cameras were collected indirectly because the individuals concerned did not actively provide their data.
On that basis, it sought to rely on Article 14 GDPR, and in particular the exception relating to disproportionate effort, to relax its transparency obligations.
The Court firmly rejected this reasoning.
The CJEU’s core holding: the source of the data is decisive
The Court clarified a fundamental principle of EU data protection law:
➡️ The distinction between direct and indirect collection does not depend on whether the data subject acts actively or passively.
➡️ It depends exclusively on the source from which the controller obtains the data.
Where personal data are captured directly from the person their image, voice, movements or behaviour the data subject is the source.
This remains true even if the collection occurs through observation, recording or automated sensing.
As a result:
• Video surveillance
• Body‑worn cameras
• Audio recording
• Biometric capture
• Behavioural monitoring
all constitute direct collection within the meaning of Article 13 GDPR.
Transparency as a structural safeguard
The Court explicitly linked this interpretation to the principle of transparency enshrined in Article 5(1)(a) GDPR.
Allowing controllers to classify observation‑based processing as indirect collection would enable individuals to be monitored without being informed at the moment their data are captured a result incompatible with the GDPR’s objective of a high level of protection of fundamental rights.
The ruling therefore closes the door on attempts to dilute transparency obligations through formalistic classifications.
A pragmatic clarification: layered information remains possible
Importantly, the Court adopted a realistic and operational approach.
While Article 13 requires information at the time of collection, this obligation is not rigid. The Court confirmed the legitimacy of layered information:
• A first layer providing essential information at the point of capture (signage, visual or audio notice).
• A second layer providing full details through an easily accessible medium.
This clarification is particularly relevant for security, transport and public‑facing environments, and may have broader implications for other GDPR mechanisms relying on informed user interaction.
Conclusion:
This judgment definitively anchors the notion of direct collection in the technical reality of data capture, not in the perceived behaviour of individuals.
From a compliance perspective, the message is clear:
If your system captures personal data directly from a person even passively Article 13 GDPR applies.
Misclassifying the source of data is no longer a grey area. It is a compliance risk.
For organisations deploying surveillance, monitoring or sensing technologies, transparency must be designed into the system not retrofitted after deployment.
Source : https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62024CJ0422
