Case Study: Gender Identity, Data Collection, and GDPR Compliance

The digitalization of services has led to increasingly complex interactions between data protection law and business practices. At the core of Mousse v. CNIL & SNCF Connect, the Court of Justice of the European Union (CJEU) was asked to determine whether a company can require customers to select a gendered title (“Mr.” or “Ms.”) when purchasing travel tickets.

CJEU Case C-394/23 – Mousse v. CNIL & SNCF Connect

The case touches on three fundamental GDPR issues:

  • Data minimization (Article 5(1)(c) GDPR): can businesses collect gender-related data purely for personalization or customer communication?
  • Lawfulness of processing (Article 6(1) GDPR): is title selection necessary for contract performance or a legitimate business interest?
  • Right to object (Article 21 GDPR): can a company justify collecting personal data by arguing that customers can object later?

The Background

SNCF Connect, the online ticketing platform of France’s national railway operator, required customers to select a title (“Mr.” or “Ms.”) when booking travel tickets online. The company claimed this was necessary for:

  • Personalization: ensuring clear and polite communication with customers.
  • Operational reasons: including organizing gender-specific train compartments on night trains and assisting passengers with disabilities.

However, Mousse, a French advocacy group, filed a complaint with CNIL, the French Data Protection Authority, arguing that:

  • Title selection was unnecessary for purchasing tickets and violated GDPR’s data minimization principle (Article 5(1)(c)).
  • No valid legal basis under Article 6 GDPR existed, as personalization was neither necessary for contract performance nor a legitimate interest overriding customer privacy rights.
  • The binary “Mr./Ms.” options discriminated against non-binary and gender-diverse individuals.

CNIL dismissed the complaint, prompting Mousse to appeal to the Conseil d’État (Council of State, France), which referred the case to the CJEU for a preliminary ruling.


The CJEU was asked to determine whether SNCF Connect’s title selection requirement complied with GDPR, focusing on two key issues:

  1. Can requiring a title for the purpose of personalizing customer communication be justified under GDPR’s lawfulness principles?
    • Is this processing necessary for the performance of a contract (Article 6(1)(b)), or?
    • Can it be justified as a legitimate business interest (Article 6(1)(f))?
    • Does it comply with the principle of data minimization (Article 5(1)(c))?
  2. When assessing the necessity of such data processing under Article 6(1)(f), should businesses consider that customers potentially have the right to object (Article 21 GDPR)?

The CJEU’s Judgment

On January 9, 2025, the CJEU ruled against SNCF Connect, concluding that requiring customers to select a title was not justified under GDPR.


  1. Contractual necessity (Article 6(1)(b) GDPR) is not satisfied:
    • The Court reaffirmed that necessity must be interpreted narrowly. The standard is not whether data collection is useful or efficient, but whether it is indispensable for fulfilling a contract.
    • A train ticket can be issued without knowing a customer’s title, meaning the data was not essential for contract performance.
  2. Legitimate interest (Article 6(1)(f) GDPR) does not outweigh privacy concerns:
    • While customer personalization can be a legitimate business goal, it does not automatically justify personal data collection.
    • The Court emphasized that business convenience does not override fundamental privacy rights under GDPR.
    • SNCF Connect failed to demonstrate that title-based personalization could not be achieved through less intrusive means, such as using gender-neutral alternatives.
  3. Operational justifications (gender-specific train compartments and accessibility services) were rejected:
    • The Court recognized that some customers may require gender-specific services (e.g., night trains or accessibility accommodations).
    • However, it ruled that this did not justify the systematic collection of gendered titles from all customers.
    • A targeted approach should have been used—only collecting gender identity from those who specifically required those services.
    • This broad-based collection of gendered data was disproportionate and violated GDPR’s principle of data minimization (Article 5(1)(c)).
  4. Right to object (Article 21 GDPR) cannot justify unnecessary data collection
    • SNCF Connect argued that customers who objected to providing a title could later exercise their right to object under Article 21 GDPR.
    • The Court rejected this argument, holding that necessity must be assessed at the time of data collection.
    • Businesses cannot shift the burden to customers by collecting data without justification and relying on objections afterward.

Conclusion

This judgment aligns with the CJEU’s trend of interpreting GDPR restrictively in favor of individual privacy rights. The ruling establishes that:

  • Necessity is an objective standard: it is not enough for businesses to claim a process is helpful or efficient—it must be strictly required for the service provided.
  • Legitimate interest is not absolute: companies must weigh business interests against privacy rights and ensure that less intrusive alternatives are fully explored.
  • Specific use cases do not justify generalized data collection: if gender identity data is required for certain services, it must be collected only from customers who actually need those services.
  • Relying on the right to object is legally insufficient: companies cannot justify unnecessary data collection by suggesting that customers can opt out later.

Fancy cat

Written By

Anastasiia Klymenko