Information duty (Art. 14 GDPR): the legal exception clarified in 2026
Summary — On 29 January 2026, the French Court of Cassation confirmed that a controller may be exempted from individually informing the data subject where the law expressly provides for the disclosure and sets out appropriate safeguards (Art. 14(5)(c) GDPR). This is relevant for tax/social data flows and certain B2G sharing in Luxembourg.
The case
URSSAF v. R. (Cass. civ. 2e, 29 January 2026, No. 23-21.589). In France, URSSAF calculated a supplementary health contribution based on tax data transmitted by the administration. The contributor challenged this, alleging URSSAF failed to personally inform him under GDPR Articles 13–14 about processing of data received from the administration. The Court of Cassation partially quashed the appellate ruling, holding that the information duty is excepted where disclosure is expressly provided by law and “appropriate measures” protect the individual’s interests (referring to Art. 14(5)(c) GDPR and national rules governing the processing). Practical take-away: in this scenario, publication of normative texts with sufficient safeguards obviated an additional individual notice. Source: French Court of Cassation, 2nd Civ., 29 January 2026, No. 23-21.589 (Legifrance). See point 5 of the judgment. Link (legifrance.gouv.fr).
Legal reasoning
- Applicable text. The GDPR requires information to be provided where personal data are not obtained from the data subject (Article 14). There are limited derogations, including Article 14(5)(c) where “the obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject” and such law “provides appropriate measures to protect the data subject’s legitimate interests.” Official text: EUR‑Lex (GDPR Art. 14). Link (eur-lex.europa.eu).
- Court’s interpretation (2026). The Court combined: (i) an explicit legal basis for the transfer (social security statutes) + (ii) a decree organizing the processing and “appropriate measures” = exception to individual information. It censured the appellate court for requiring a personalized notice in addition to this legal framework. See paragraphs 5–7. Link (legifrance.gouv.fr).
- Alignment with the EDPB. The EDPB (ex‑WP29) clarifies that 14(5)(c) applies where the law “directly targets” the controller, makes obtaining/disclosure mandatory, and provides safeguards for data subject rights (residual transparency, documentation, public access to general information, etc.). See EDPB — Transparency (ref. to WP29 Transparency Guidelines) and the “COVID‑19 research” Guidelines §5.1.2.4 (strict conditions of 14(5)(c)). Link 1 ; Link 2, p. 9 ff. (edpb.europa.eu).
- CNPD’s position. The CNPD has long emphasized Articles 13–14 information requirements (layered approach, Art. 12) and mentions exemptions (including 14(5)) in its materials. See “Chapter III — Rights of the data subject” and the thematic note on retention (illustrating the expected level of precision). Link 1 ; Link 2 (cnpd.public.lu).
In short, the 29 January 2026 ruling fits within the GDPR framework: the Article 14(5)(c) exception is narrowly construed and requires a clear legal basis and effective safeguards. It does not “abolish” transparency; it reshapes it via general, law‑organized information (publication, legal framework, redress paths).
What this changes in practice (Luxembourg, BE/FR/DE cross‑border)
- Law‑mandated B2G/G2G flows. Where EU or national law mandates disclosure (e.g., tax/social, prudential supervision, anti‑fraud) and sets safeguards (specified purposes, data categories, security, retention, rights and redress), individual notices are not always required. However:
  - The law must “directly target” your entity and make obtaining/disclosure mandatory. Otherwise 14(5)(c) does not apply. EDPB, op. cit. (edpb.europa.eu)
  - Appropriate measures must be demonstrable: published legal basis, accessible institutional notices, rights mechanisms (Arts. 12–22 GDPR). CNPD, “Chapter III”. (cnpd.public.lu)
- Luxembourg groups and intra‑group transfers. This ruling concerns interactions with a public authority, not intra‑group sharing. Intra‑group, Art. 14(5)(c) will not apply unless a law explicitly compels the sharing (rare). In practice, keep Articles 13/14 notices (group privacy policy, purpose‑specific notices).
- Financial/PSF sector and regulatory duties. Where a prudential text mandates reporting (e.g., to the CSSF) with safeguards, individual information may be provided via the institutional notice and contractual documents (layer 1 + layer 2), without case‑by‑case emails. Keep evidence of the legal basis and safeguards (Art. 30 records and internal framework). Structuring this effort through a DPO mandate and institutional notices is recommended.
- Art. 15 access requests. The ruling does not affect the right of access: relying on 14(5)(c) for initial information does not curtail rights 15–22. Access requests remain admissible and must be handled (subject to legal exceptions). See CNPD “Chapter III”. (cnpd.public.lu)
To frame your processing in Luxembourg, revisit Article 14 GDPR and ensure CNPD compliance when invoking 14(5)(c).
Operational examples
- Payroll/charges: where a statute requires disclosure to an authority and provides safeguards, rely on 14(5)(c) to avoid duplicate individual notices, but document the legal basis and keep a clear public notice.
- Telecom/energy: if a law compels sending consumption data to a regulator with safeguards, same logic — robust “general” information rather than individual emails.
Common pitfalls seen in audits
- Confusing “provided by law” with “allowed by contract”. A contractual clause, internal policy or legitimate interest is not enough for 14(5)(c). You need an explicit legal obligation on the controller. EDPB — Transparency. (edpb.europa.eu)
- Forgetting “appropriate measures”. A law alone is not sufficient: you must evidence safeguards (purpose limitation, minimization, retention, redress). Otherwise, the exception falls and individual information becomes required. EDPB, Guidelines (5.1.2.4). (edpb.europa.eu)
- Over‑extending to intra‑group sharing. Without a statute compelling the sharing, 14(5)(c) is inapplicable: keep Articles 13/14 notices.
- Neglecting residual transparency. Even with an exception, a clear public information layer (privacy policy, categories of recipients, cited legal bases) is expected by the CNPD (layered approach, Art. 12). CNPD — “Transparency principle” (video surveillance, transposable rationale). (cnpd.public.lu)
- Assuming the exception blocks rights 15–22. It does not — the exception concerns initial information only, not downstream rights. Maintain robust Art. 15–22 response procedures. CNPD — Chapter III. (cnpd.public.lu)
Official sources
- French Court of Cassation, 2nd Civ., 29 January 2026, No. 23-21.589 (URSSAF) — full text on Legifrance. https://www.legifrance.gouv.fr/juri/id/JURITEXT000053452152 (legifrance.gouv.fr)
- Regulation (EU) 2016/679 (GDPR) — Article 14 (EUR‑Lex). https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A32016R0679 (eur-lex.europa.eu)
- EDPB — Transparency (ref. to WP29 Transparency Guidelines endorsed by the EDPB). https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/transparency_en (edpb.europa.eu)
- EDPB — “COVID‑19 scientific research” Guidelines (conditions for Art. 14(5)(c), §5.1.2.4). https://www.edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf (edpb.europa.eu)
- CNPD Luxembourg — Chapter III (data subject rights; Arts. 12–14). https://cnpd.public.lu/fr/legislation/droit-europ/union-europeenne/rgpd/chapitre-3.html (cnpd.public.lu)
- CNPD Luxembourg — Duty to inform on retention periods (illustrative expectations). https://cnpd.public.lu/fr/dossiers-thematiques/psp/duree-conservation-donnes-service-paiement/obligation-informer.html
Practical tip (Luxembourg leaders/DPOs, 2026)
Document in your records of processing (Art. 30) any processing grounded on a “law‑mandated disclosure”, cite the exact legal basis, list the “appropriate measures”, and keep your public privacy notice up to date. Otherwise, a 14(5)(c) claim may not withstand a CNPD inspection.
Luxgap regulatory expertise article.