VwGH - Ra 2023/04/0002: Difference between revisions
(Created page with "{{CJEUdecisionBOX |Case_Number_Name=C-416/23 Request for interpretation of a legal provision under Article 267 TFEU |ECLI= |Opinion_Link= |Judgement_Link=https://curia.europa.eu/juris/showPdf.jsf?text=2016%252F679&docid=276682&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=1672473 |Date_Decided= |Year= |GDPR_Article_1=Article 15 GDPR |GDPR_Article_Link_1=Article 15 GDPR |GDPR_Article_2=Article 57(2) GDPR |GDPR_Article_Link_2=Article 57 GDPR#2 |GDPR_Article...") |
No edit summary |
||
Line 60: | Line 60: | ||
By decision of 22 April 2020, the DPA refused to deal with the data protection complaint under [[Article 57 GDPR#4|Article 57(4) GDPR]] on the basis that between 28 August 2018 and 7 April 2020, the complainant had submitted 77 data protection complaints that were essentially the same and regularly contacted by phone the DPA. | By decision of 22 April 2020, the DPA refused to deal with the data protection complaint under [[Article 57 GDPR#4|Article 57(4) GDPR]] on the basis that between 28 August 2018 and 7 April 2020, the complainant had submitted 77 data protection complaints that were essentially the same and regularly contacted by phone the DPA. | ||
Thus, the | Thus, the complainant brought an action against the decision before the Austrian Administrative Court, which, on 22 December 2022, upheld the complaint and annulled the DPA decision because it could not be said with certainty from [[Article 57 GDPR#4|Article 57(4) GDPR]] when a request is ‘excessive’, but it could be derived that they had to be frequent but also ‘manifestly vexatious or abusive in nature’, which the DPA had not demonstrated. | ||
The DPA challenged this judgement before the Supreme Administrative Court (Supreme Court). | The DPA challenged this judgement before the Supreme Administrative Court (Supreme Court). | ||
=== Holding === | === Holding === | ||
On 6 July 2023, the Austrian DPA requested the Supreme Court to refer a question to the CJEU, namely whether the concept of ‘request’ in [[Article 57 GDPR#4|Article 57(4) GDPR]] could be interpreted as also covering ‘complaints’ under [[Article 77 GDPR#1|Article 77(1) GDPR]]. | On 6 July 2023, the Austrian DPA requested the Supreme Court to refer a question to the CJEU, namely, whether the concept of ‘request’ in [[Article 57 GDPR#4|Article 57(4) GDPR]] could be interpreted as also covering ‘complaints’ under [[Article 77 GDPR#1|Article 77(1) GDPR]]. | ||
The Supreme Court stated that the concept of ‘requests’ within the meaning of [[Article 57 GDPR#4|Article 57(4) GDPR]] is not defined more precisely in the GDPR. Nonetheless, [[Article 57 GDPR#2|Article 57(2) GDPR]] and [[Article 57 GDPR#3|Article 57(3) GDPR]] suggest that the concept also includes complaints under [[Article 77 GDPR#1|Article 77(1) GDPR]] since the handling of complaints is a primary task of any supervisory authority, which should facilitate their submission and provide services free of charge. | The Supreme Court stated that the concept of ‘requests’ within the meaning of [[Article 57 GDPR#4|Article 57(4) GDPR]] is not defined more precisely in the GDPR. Nonetheless, [[Article 57 GDPR#2|Article 57(2) GDPR]] and [[Article 57 GDPR#3|Article 57(3) GDPR]] suggest that the concept also includes complaints under [[Article 77 GDPR#1|Article 77(1) GDPR]] since the handling of complaints is a primary task of any supervisory authority, which should facilitate their submission and provide services free of charge. | ||
Additionally, if the | Additionally, if the CJEU would answer affirmatively, the following questions were referred. | ||
Firstly, the Supreme Court noted that carrying out an extremely large number of complaints does not constitute an abusive assertion of rights. However, an abuse of the right conferred by [[Article 77 GDPR#1|Article 77(1) GDPR]] could be claimed if | Firstly, the Supreme Court noted that carrying out an extremely large number of complaints does not constitute an abusive assertion of rights. However, an abuse of the right conferred by [[Article 77 GDPR#1|Article 77(1) GDPR]] could be claimed if a data subject pursues objectives such as lodging a complaint to harm the controller or placing an undue burden on the supervisory authority. However, it referred the question to the CJEU because the concept of ‘excessive’ in [[Article 57 GDPR#4|Article 57(4) GDPR]] cannot be answered beyond doubt based on its wording or context. Thus, it asked if [[Article 57 GDPR#4|Article 57(4) GDPR]] must be interpreted as meaning that, for requests to be ‘excessive’, it is sufficient that a data subject has merely carried out a certain number of requests, complaints under [[Article 77 GDPR#1|Article 77(1) GDPR]], to a supervisory authority within a certain period, irrespective of whether the facts are different or the complaints concern different controllers, or whether a data subject must also have an abusive intention on top of the frequent complaints. | ||
Secondly, the Supreme Court expressed doubts concerning the application of [[Article 57 GDPR#4|Article 57(4) GDPR]] since | Secondly, the Supreme Court expressed doubts concerning the application and interpretation of [[Article 57 GDPR#4|Article 57(4) GDPR]] since they are not obvious. It asked if [[Article 57 GDPR#4|Article 57(4) GDPR]] must be interpreted as meaning that the supervisory authority can freely choose whether to charge a fee based on the administrative costs of processing it or refuse to process from the outset in situations of ‘excessive’ complaint. If not, what circumstances and criteria must the supervisory authority consider. | ||
== Comment == | == Comment == |
Revision as of 08:48, 3 October 2023
CJEU - C-416/23 Request for interpretation of a legal provision under Article 267 TFEU | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 15 GDPR Article 57(2) GDPR Article 57(3) GDPR Article 57(4) GDPR Article 77(1) GDPR Aritcle 267 TFEU |
Decided: | |
Parties: | Österreichische Datenschutzbehörde (Austrian DPA) |
Case Number/Name: | C-416/23 Request for interpretation of a legal provision under Article 267 TFEU |
European Case Law Identifier: | |
Reference from: | Verwaltungsgerichtshof (Supreme Administrative Court, Austria) |
Language: | 24 EU Languages |
Original Source: | Judgement |
Initial Contributor: | ar |
The Supreme Administrative Court of Austria requested the CJEU a preliminary ruling concerning access requests. Among other questions, the request deals with the meaning of an 'excessive request' and at what point a DPA can charge for a complaint.
English Summary
Facts
On 17 February 2020, a data subject (the complainant) lodged a data protection complaint with the Austrian DPA pursuant to Article 77(1) GDPR for breach of the right of access under Article 15 GDPR by a company.
By decision of 22 April 2020, the DPA refused to deal with the data protection complaint under Article 57(4) GDPR on the basis that between 28 August 2018 and 7 April 2020, the complainant had submitted 77 data protection complaints that were essentially the same and regularly contacted by phone the DPA.
Thus, the complainant brought an action against the decision before the Austrian Administrative Court, which, on 22 December 2022, upheld the complaint and annulled the DPA decision because it could not be said with certainty from Article 57(4) GDPR when a request is ‘excessive’, but it could be derived that they had to be frequent but also ‘manifestly vexatious or abusive in nature’, which the DPA had not demonstrated.
The DPA challenged this judgement before the Supreme Administrative Court (Supreme Court).
Holding
On 6 July 2023, the Austrian DPA requested the Supreme Court to refer a question to the CJEU, namely, whether the concept of ‘request’ in Article 57(4) GDPR could be interpreted as also covering ‘complaints’ under Article 77(1) GDPR.
The Supreme Court stated that the concept of ‘requests’ within the meaning of Article 57(4) GDPR is not defined more precisely in the GDPR. Nonetheless, Article 57(2) GDPR and Article 57(3) GDPR suggest that the concept also includes complaints under Article 77(1) GDPR since the handling of complaints is a primary task of any supervisory authority, which should facilitate their submission and provide services free of charge.
Additionally, if the CJEU would answer affirmatively, the following questions were referred.
Firstly, the Supreme Court noted that carrying out an extremely large number of complaints does not constitute an abusive assertion of rights. However, an abuse of the right conferred by Article 77(1) GDPR could be claimed if a data subject pursues objectives such as lodging a complaint to harm the controller or placing an undue burden on the supervisory authority. However, it referred the question to the CJEU because the concept of ‘excessive’ in Article 57(4) GDPR cannot be answered beyond doubt based on its wording or context. Thus, it asked if Article 57(4) GDPR must be interpreted as meaning that, for requests to be ‘excessive’, it is sufficient that a data subject has merely carried out a certain number of requests, complaints under Article 77(1) GDPR, to a supervisory authority within a certain period, irrespective of whether the facts are different or the complaints concern different controllers, or whether a data subject must also have an abusive intention on top of the frequent complaints.
Secondly, the Supreme Court expressed doubts concerning the application and interpretation of Article 57(4) GDPR since they are not obvious. It asked if Article 57(4) GDPR must be interpreted as meaning that the supervisory authority can freely choose whether to charge a fee based on the administrative costs of processing it or refuse to process from the outset in situations of ‘excessive’ complaint. If not, what circumstances and criteria must the supervisory authority consider.
Comment
Once the judgement comes out, we will update this GDPRhub page.
Further Resources
Share blogs or news articles here!