Article 78 GDPR: Difference between revisions
(7 intermediate revisions by 3 users not shown) | |||
Line 191: | Line 191: | ||
<span id="1">2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to a an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.</span> | <span id="1">2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to a an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.</span> | ||
<span id="1">3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is | <span id="1">3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.</span> | ||
<span id="1">4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.</span> | <span id="1">4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.</span> | ||
Line 199: | Line 199: | ||
== Commentary == | == Commentary == | ||
Article 78 | Article 78 GDPR, titled "''Right to an effective judicial remedy against a supervisory authority''", embodies the general principle of judicial protection against actions or omissions by public authorities in general, and in particular, guarantees a right of judicial review against the decisions of data protection authorities. This approach, in line with Article 47 of the Charter of Fundamental Rights of the European Union ("''CFR''"), ultimately assigns the role of "''guardians of the EU legal order''" to the judiciary.<ref>''Tambou'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 78 GDPR, margin numbers 3 and 7 (C.H. Beck 2019). The Author also points out that "''The right to an effective remedy is inspired by Art. 6 and 13 ECHR. It is a core element of the EU legal order based on the rule of law''." </ref> In essence, Article 78(1) GDPR recognises an effective judicial remedy for anyone affected by a binding decision of the supervisory authority ("''SA"''). | ||
Paragraph 2 of the provision guarantees the same remedy to data subjects in cases of inactivity by a supervisory authority, following the submission of a complaint under Article 77. | |||
Paragraph 3 clarifies that these proceedings must be initiated in the jurisdiction where the supervisory authority is established. | |||
Finally, paragraph 4 obligates the supervisory authority to inform the court seized of the matter when the challenged decision is the result of a binding decision by the European Data Protection Board ("''EDPB''"). | |||
=== (1) Right to an effective judicial remedy against an SA's decision === | === (1) Right to an effective judicial remedy against an SA's decision === | ||
Article 78(1) | Article 78(1) GDPR grants natural and legal persons the right to a judicial remedy against a "legally binding decision" of a supervisory authority. Therefore, the legal system establishes an additional avenue of protection in cases where the supervisory authority, through its decision, fails to correctly apply or infringes the GDPR or any other applicable laws, including national ones. | ||
==== Without prejudice to any other administrative or non judicial remedy ==== | ==== Without prejudice to any other administrative or non judicial remedy ==== | ||
See commentary under Article 77 GDPR. | See commentary under [[Article 77 GDPR]]. Equally, the existence of the right to an effective judicial remedy against a controller or processor in accordance with [[Article 79 GDPR|Article 79(1) GDPR]] does not affect the right to an effective judicial remedy under Article 78(1) GDPR. | ||
{{Quote-CJEU|"[...] the existence of the right to an effective judicial remedy against a controller or processor, provided for in Article 79(1) of the GDPR, does not affect the scope of the judicial review exercised, in the context of an action brought under Article 78(1) of that regulation, over a decision on a complaint adopted by a supervisory authority."|CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|67.}} | |||
==== Each natural or legal person ==== | ==== Each natural or legal person ==== | ||
Article 78(1) GDPR | Article 78(1) GDPR establishes both natural and legal persons as potential claimants for legal actions against a SA decision. A natural person under that provision is usually a data subject (see Article 4(1) GDPR), although it is also possible that a controller or processor is a natural person. A legal person would usually be the controller or processor with regard to a certain processing activity, or a legal entity that is otherwise bound by a SA decision. The term “''legal person''” also encompasses other public authorities/bodies, as SAs can issue decisions with legal effect on such entities.<ref>''Mundil'' in BeckOK DatenschutzR'','' Article 78 GDPR, margin number 8 (C.H. Beck 2020, 36th edition); ''Körffer'' in Paal, Pauly, DS-GVO BDSG, Article 78 GDPR, margin number 2, C.H. (C.H. Beck 2021, 3rd edition).</ref> | ||
==== Concerned ==== | ==== Concerned ==== | ||
The natural or legal person must be concerned by the SA decision. This is the case if the natural or legal person (i) has been a party to the proceedings before the SA, either as a complainant or respondent, (ii) has been subject to ex-officio investigations by the SA, (iii) has been fined under Article 83 GDPR or (iv) is subject to a penalty under Article 84 GDPR. If a data subject’s personal data is otherwise affected by the SA decision | The natural or legal person must be concerned by the SA decision. This requirement is the case if the natural or legal person (i) has been a party to the proceedings before the SA, either as a complainant or respondent, (ii) has been subject to ex-officio investigations by the SA, (iii) has been fined under Article 83 GDPR or (iv) is subject to a penalty under Article 84 GDPR. If a data subject’s personal data is otherwise affected by the SA decision, for example in case of a data breach in which the data subject’s data was disclosed, they are also concerned by the SA decision. Bergt argues that a data subject could even bring a legal action if a SA rejects the complaint of another data subject on the general illegitimacy of a certain processing activity that also affects the data subject.<ref>''Bergt'' in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 10 (C.H. Beck 2020, 3rd edition).</ref> A controller or processor is also concerned by a SA decision that addresses a third party or does not have an addressee, but has a legally binding general effect.<ref>''Bergt'' in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 10 (C.H. Beck 2020, 3rd edition); ''Pötters'' in Gola DS-GVO, Article 78 GDPR, margin number 10 (C.H. 
Beck, 2018, 2<sup>nd</sup> edition).</ref> For instance, an example of this would be a SA’s orders regarding withdrawal or non-issuing of certifications under Articles 58(2)(h), 42 and 43 GDPR.<ref>''Boehm'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 78 GDPR, margin numbers 6-19 (C.H. Beck 2019, 1st edition)</ref> | ||
==== (Shall have a right to) An effective judicial remedy ==== | ==== (Shall have a right to) An effective judicial remedy ==== | ||
The point | The point of consideration is certainly one of the most relevant aspects of the entire provision. An individual affected by the decision has the right to an effective judicial remedy. However, what makes this remedy "''effective''"? In general terms, an "''effective''" remedy should either halt the alleged violation or its ongoing occurrence, or offer suitable remedy for any violation that has already taken place. Recital 143 of the GDPR specifies that that the courts seized of the matter "''should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them''." | ||
Therefore, in order for a remedy to be effective, the court seised of an action against a decision of a SA has to be competent to examine all questions of fact and law relevant to the dispute before them.<ref>CJEU, Joined Cases C‑26/22 and C‑64/22, SCHUFA, 7 December 2023, margin number 52 (available [[CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|here]]).</ref> | |||
Finally, a remedy is considered effective when an individual | {{Quote-CJEU|"Thus, […] it follows from Article 78(1) of the GDPR, read in the light of recital 143 of that regulation, that courts seised of an action against a decision of a supervisory authority should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them […] | ||
Therefore, Article 78(1) of the GDPR cannot be interpreted as meaning that judicial review of a decision on a complaint taken by a supervisory authority is limited to the question of whether the authority has handled the complaint, investigated the subject matter of the complaint to the extent appropriate and informed the complainant of the outcome of the investigation. On the contrary, for a judicial remedy to be ‘effective’, as required by that provision, such a decision must be subject to full judicial review."|CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|52 et seq.}} | |||
Considering the extensive investigative and corrective powers of the SA (see commentary on [[Article 58 GDPR]]) it would not meet the requirements of an effective judicial remedy if decisions concerning the exercise of these powers were subject only to limited judicial review.<ref>CJEU, Joined Cases C‑26/22 and C‑64/22, SCHUFA, 7 December 2023, margin number 59 (available [[CJEU - C-26/22 - SCHUFA Holding|here]]).</ref> The CJEU already emphasised that the fact that decisions by SAs are subject to full judicial review does not call into question the SAs' guarantee of independence.<ref>CJEU, Joined Cases C‑26/22 and C‑64/22, SCHUFA, 7 December 2023, margin number 63 (available [[CJEU - C-26/22 - SCHUFA Holding|here]]).</ref> | |||
At the same time the full judicial review by court does not mean that the SA does not enjoy a certain degree of discretion regarding the usage of its powers (see commentary on [[Article 58 GDPR]]). Therefore, the the right to an effective judicial remedy does not mean that the court seised can just substitute its assessment for that of that SA, but requires that the court examines whether the SA has complied with the limits of its discretion.<ref>CJEU, Joined Cases C‑26/22 and C‑64/22, SCHUFA, 7 December 2023, margin number 69 (available [[CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|here]]).</ref> | |||
More information as to what "''effective''" means can be found in the CJEU's case-law regarding Article 47 CFR. The case-law includes statutory rules about appointment of the judges, length of service and the grounds for abstention, rejection and dismissal of its members, permanence in functioning, organizational independence from all parties of a dispute, impartiality and competence in adjudication. Only when all of the above mentioned standards are fulfilled it is possible to evaluate a state power as a court. | |||
Finally, a remedy is considered effective when an individual has the genuine opportunity to protect their rights and make their arguments in a specific case. On this point, the European Court of Human Rights has clarified that "''individuals concerned must receive sufficient information concerning their situations to be able to make use of the appropriate remedies and to substantiate their complaints, and to have access to interpreters and legal assistance''."<ref>ECHR, Abdolkhani and Karimnia v. Turkey, 2009, §§ 114-115; M.S.S. v. Belgium and Greece [GC], 2011, §§ 301-304 and 319; Hirsi Jamaa and Others v. Italy [GC], 2012, § 204</ref> This principle plays a major role in cases where a SA adopts a decision concerning the controller/processor and 'notifies' the data subject without any specific remark regarding the issues raised in the complaint. In this case the data subject should be granted access to the entire administrative file. Otherwise, it would be challenging to conceive of an "''effective''" judicial remedy, as the appellant would be forced into a defence in the dark, so to speak. <blockquote><u>Case-law</u>: This conclusion can also be drawn from the CJEU case law, which identifies a violation of the right to a fair hearing (Article 47 of the Charter) "''where a judicial decision is founded on facts and documents which the parties, or one of them, have not had an opportunity to examine and on which they have therefore been unable to comment''."<ref>CJEU, [https://curia.europa.eu/juris/liste.jsf?language=en&num=C-89/08 Case C-89/08 P], ''EU Commission v Ireland'', para 52</ref></blockquote> | |||
==== Against a legally binding decision ==== | ==== Against a legally binding decision ==== | ||
Article 78(1) GDPR only allows for remedies against legally binding decisions | Article 78(1) GDPR only allows for remedies against legally binding decisions.<ref>See Rectital 143, sentence 5 GDPR: “''Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints''.”; ''Bergt'' in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition); ''Körffer'' in Paal, Pauly, DS-GVO BDSG, Article 78 GDPR, margin numbers 3-5, (C.H. Beck 2021, 3rd edition).</ref> These include SA decisions on complaints made under Article 77 GDPR; decisions following the exercise of a SA's investigative powers under Articles 58(1)(a), (b), (c), (e) and (f) GDPR; decisions following the exercise of a SA's corrective powers under Article 58(2) GDPR; decisions on the approval of certain legal acts, bodies or processing activities under Article 58(3)(c)-(j) GDPR; and decisions following the exercise of powers vested in the SA by Member State law under Article 58(6) GDPR. Mere notifications, opinions or advisory acts, such as under Articles 58(1)(d) or 58(3)(a) and 58(3)(b) GDPR do not qualify as decisions and cannot be subject to legal actions under Article 78(1) GDPR.<ref>See Recital 143, sentence 7 GDPR: “''However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority''.”</ref><blockquote><u>Example</u>: After examining the merits of a complaint longed with it, the SA found a processing activity to be lawful under the GDPR. This rejection of the complaint by the SA constitutes a legally binding decision which produces legal effects with regard to the complainant. 
Therefore, the complainant has has the right to an effective judicial remedy against this decision.<ref>CJEU, Joined Cases C‑26/22 and C‑64/22, SCHUFA, 7 December 2023, margin number 50 (available [[CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA|here]]).</ref> </blockquote> | ||
=== (2) Right to judicial remedy against DPA inactivity === | === (2) Right to judicial remedy against DPA inactivity === | ||
A data subject has the right to an effective judicial remedy | A data subject has the right to an effective judicial remedy,<ref>The effective remedy under Article 78(2) GDPR is only available for the data subject and for any other interested party, as provided for in Article 78(1). Such difference should not be disregarded. When affording such right to the data subject only, the law-maker shows a clear intention of protecting his or her interests, allowing a certain degree of overview about how the supervisory authority is (not) handling the case. See also among the others, ''Bergt'' in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 16 (C.H. Beck 2020, 3rd edition).</ref> where the competent SA under Articles 55 and 56 GDPR (i) does not handle a complaint or (ii) fails to inform the data subject within three months on the progress or outcome of a complaint.<ref>Thus, inactivity includes the following scenarios: The SA that is competent to handle the case under Article 55(1) or (2) GDPR or under Article 56(5) GDPR (“''local SA''”) does not handle the complaint. The local SA does not inform the data subject within three months on the progress or outcome of the complaint. The SA that is competent to handle the case under Article 56(1) and (2) GDPR (LSA) does not handle the complaint. The LSA does not inform the data subject within three months on the progress or outcome of the complaint.</ref> | ||
==== Non-handling of complaint by the SA ==== | ==== Non-handling of complaint by the SA ==== | ||
The data subject has the right to an effective judicial remedy if the SA does not handle the complaint. The GDPR contains no definition of the | The data subject has the right to an effective judicial remedy if the SA does not handle the complaint. The GDPR contains no definition of what constitutes the “[non] ''handling''” of a complaint, although the language can be found in other parts of the GDPR. To begin with, Recital 141 GDPR clarifies that an SA must “''act on a complaint''”.<ref>Recital 141 GDPR: “''Every data subject should have'' […] ''the right to an effective judicial remedy in accordance with Article 47 of the Charter'' […] ''where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case''.”</ref> Article 57(1)(f) GDPR, in turns, establishes that the SA has to “''handle complaints lodged by a data subject'' […], ''and investigate, to the extent appropriate, the subject matter of the complaint'' […]”. | ||
The use of the conjunction "''and'' [investigate]" indicates that the "handling" of the complaint must involve an investigative activity, understood as the process of ascertaining the facts. This does not mean that the SA must always | The use of the conjunction "''and'' [investigate]" indicates that the "''handling''" of the complaint must involve an investigative activity, understood as the process of ascertaining the facts. This phrasing does not mean that the SA must always undertake complex investigative activities. Sometimes, to address the complaint, it will be sufficient to verify whether a privacy policy complies with the requirements specified in Article 13 GDPR. Similarly, in the case of cookie banners, it should be ensured that the user dialogue window contains all the necessary elements to render consent valid under the GDPR. | ||
In turn, the investigative activity, whether simple or complex, must lead to the adoption of a final decision that can be challenged under Article 78(1) | In turn, the investigative activity, whether simple or complex, must lead to the adoption of a final decision that can be challenged under Article 78(1) GDPR. Again, Article 57(1)(f) GDPR is instructive regarding the SA's obligation "[to reach] ''the outcome of the investigation within a reasonable period''". The EDPB confirms that the investigation must have an "''outcome''," and such an "''outcome''" must specify "''the facts and legal considerations for, e.g., rejecting the complaint or dismissing the complaint, i.e., not investigating it further, with a view to make it a legally attackable act''."<ref>Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, p. 13 and 15 (available [https://edpb.europa.eu/system/files/2022-07/internal_edpb_document_022021_on_sas_duties_in_relation_to_alleged_gdpr_infringements_en.pdf here]).</ref> In other words, what is necessary for the handling of a complaint is not only an investigation, but also the adoption of a legally challengeable act, being the latter a decision in the merits or just a procedural dismissal. | ||
It may also be that the case is settled between the parties and | It may also be that the case is settled between the parties and, or the data subject withdraws the complaint. In those cases there is no room to claim that the SA did not handle the complaint, as the complaint ceased to exist. Finally, a SA cannot take an indefinite amount of time to decide on the merits of the case. In light of the principle of effectiveness under Article 4(3) of the Treaty on the European Union ("''TEU''"), Articles 8, 41 and 47 CFR, and Article 6 of the European Convention on Human Rights ("''ECHR''"), the SA must issue a decision within a reasonable time. Some Member States foresee decision periods in their national law.<ref>For example, the Austrian SA is under the obligation to decide within six months after receiving the complaint (see § 8 Austrian Administrative Courts Procedural Act (Verwaltungsgerichtsverfahrensgesetz – VwGVG); in Germany, there is a three-month deadline for SAs that can be extended by the court (§ 75 German Administrative Courts Procedural Act (Verwaltungsgerichtsordnung).</ref> | ||
==== Lack of information by the SA ==== | ==== Lack of information by the SA ==== | ||
Article 78(2) GDPR also provides for a remedy where a SA fails to inform the data subject on the progress or outcome of the complaint lodged pursuant to Article 77 GDPR. The SA with which the complaint has been lodged has a duty to inform the data subject under Article 77(2) GDPR but not under Article 78(2) GDPR – unless it is also competent to handle the case under Article 55 or 56 GDPR. Taking into account Recital 141 | Article 78(2) GDPR also provides for a remedy where a SA fails to inform the data subject on the progress or outcome of the complaint lodged pursuant to Article 77 GDPR. The SA with which the complaint has been lodged has a duty to inform the data subject under Article 77(2) GDPR but not under Article 78(2) GDPR – unless it is also competent to handle the case under Article 55 or 56 GDPR. Taking into account of the fourth sentence of Recital 141 GDPR, the SA must provide the information at least every three months (“''If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject''”). Consequently, if a SA manages to decide on a complaint within three months or less, it must only inform the data subject on the outcome of the complaint procedure. Should the procedure take longer, the SA must proactively provide an update on the state of play every three months. If the SA fails to do so, it can be subject to legal actions under Article 78(2) GDPR. | ||
=== (3) Competent courts and national procedural requirements === | === (3) Competent courts and national procedural requirements === | ||
Under Article 78(3) GDPR, proceedings against a SA shall be brought before the courts of the Member State where the SA is established. The procedural details of such judicial remedies are subject to Member State law.<ref>See Recital 143 sentence 7 GDPR</ref> It is up to Member State law to foresee which national court is competent. In some Member States, civil courts are competent for legal remedies under Article 78 GDPR, in other Member States administrative courts have jurisdiction. | Under Article 78(3) GDPR, proceedings against a SA shall be brought before the courts of the Member State where the SA is established. The procedural details of such judicial remedies are subject to Member State law.<ref>See Recital 143 sentence 7 GDPR</ref> It is up to Member State law to foresee which national court is competent. In some Member States, civil courts are competent for legal remedies under Article 78 GDPR, in other Member States administrative courts have jurisdiction. | ||
Article 78(1) GDPR requires an ''effective'' judicial remedy – a term already used in Article 47(1) CFR. Hence, | Article 78(1) GDPR requires an ''effective'' judicial remedy – a term already used in Article 47(1) CFR. Hence, a Member State's law must not impose inappropriate restrictions that hinder the effectiveness of a remedy under Article 78 GDPR (such as very short deadlines to appeal a SA’s decision under Article 78(2) GDPR).<ref>''Souhrada-Kirchmayer'' in Knyrim, DatKomm Art 78 GDPR, margin number 11 (as of 1.6.2021, rdb.at).</ref> These remedies do not necessarily have to be free of charge, as Article 57(3) GDPR only concerns the performance of the tasks of SAs. However, imposing inadequately high court fees on the claimant – especially if they are a data subject – may violate primary EU law, namely Article 47 CFR in connection with Article 16 TFEU and Article 8 CFR. | ||
In Joined Cases E-11/19 and E-12/1, the EFTA Court held that there are cases in which proceedings under Article 78(1) GDPR that were not initiated by the data subject must be free of charge for the data subject: “''It follows from Articles77(1) and 57(3) of Regulation(EU) 2016/679 that where a data subject becomes a party to proceedings under Article 78(1) as a result of a data controller appealing against a supervisory authority’s decision, and where national law imposes this status on a data subject automatically, the data subject may not be made responsible for any costs incurred in relation to those proceedings''."<ref>''Souhrada-Kirchmayer'' in Knyrim, DatKomm Art 78 GDPR, margin number 11 (as of 1.6.2021, rdb.at).</ref> | In Joined Cases E-11/19 and E-12/1, the EFTA Court held that there are cases in which proceedings under Article 78(1) GDPR that were not initiated by the data subject must be free of charge for the data subject: “''It follows from Articles77(1) and 57(3) of Regulation(EU) 2016/679 that where a data subject becomes a party to proceedings under Article 78(1) as a result of a data controller appealing against a supervisory authority’s decision, and where national law imposes this status on a data subject automatically, the data subject may not be made responsible for any costs incurred in relation to those proceedings''."<ref>''Souhrada-Kirchmayer'' in Knyrim, DatKomm Art 78 GDPR, margin number 11 (as of 1.6.2021, rdb.at).</ref> | ||
=== (4) Information on preceding EDPB opinion or decision === | === (4) Information on preceding EDPB opinion or decision === | ||
If a legal remedy under Article 78(1) GDPR is filed against a SA decision that was preceded by an opinion or a decision of the EDPB in the consistency mechanism (Articles 63 ''et seq.'' GDPR), the SA must forward that opinion or decision to the court that is handling the case. This provision ensures that the court does not ignore the EDPB’s opinion or decision when assessing the case. As a national court lacks the competence to waive a decision by the EDPB | If a legal remedy under Article 78(1) GDPR is filed against a SA decision that was preceded by an opinion or a decision of the EDPB in the consistency mechanism (Articles 63 ''et seq.'' GDPR), the SA must forward that opinion or decision to the court that is handling the case. This provision ensures that the court does not ignore the EDPB’s opinion or decision when assessing the case. As a national court lacks the competence to waive a decision by the EDPB, if it considers the EDPB’s decision invalid (Recital 143 sentence 11 GDPR), it must request a preliminary ruling from the CJEU under Article 267 TFEU. However, the court may not refer a question on the validity of the EDPB decision at the request of a natural or legal person, which had missed the opportunity to bring an action for annulment of the EDPB decision under Article 263 TFEU.<ref>Recital 143 sentence 12 GDPR.</ref> | ||
== Decisions == | == Decisions == |
Latest revision as of 09:23, 2 October 2024
Legal Text
1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to a an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.
3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
Relevant Recitals
Any natural or legal person has the right to bring an action for annulment of decisions of the Board before the Court of Justice under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the supervisory authorities concerned which wish to challenge them have to bring action within two months of being notified of them, in accordance with Article 263 TFEU. Where decisions of the Board are of direct and individual concern to a controller, processor or complainant, the latter may bring an action for annulment against those decisions within two months of their publication on the website of the Board, in accordance with Article 263 TFEU. Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority. Proceedings against a supervisory authority should be brought before the courts of the Member State where the supervisory authority is established and should be conducted in accordance with that Member State's procedural law. Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them.
Where a complaint has been rejected or dismissed by a supervisory authority, the complainant may bring proceedings before the courts in the same Member State. In the context of judicial remedies relating to the application of this Regulation, national courts which consider a decision on the question necessary to enable them to give judgment, may, or in the case provided for in Article 267 TFEU, must, request the Court of Justice to give a preliminary ruling on the interpretation of Union law, including this Regulation. Furthermore, where a decision of a supervisory authority implementing a decision of the Board is challenged before a national court and the validity of the decision of the Board is at issue, that national court does not have the power to declare the Board's decision invalid but must refer the question of validity to the Court of Justice in accordance with Article 267 TFEU as interpreted by the Court of Justice, where it considers the decision invalid. However, a national court may not refer a question on the validity of the decision of the Board at the request of a natural or legal person which had the opportunity to bring an action for annulment of that decision, in particular if it was directly and individually concerned by that decision, but had not done so within the period laid down in Article 263 TFEU.
Commentary
Article 78 GDPR, titled "Right to an effective judicial remedy against a supervisory authority", embodies the general principle of judicial protection against actions or omissions by public authorities in general, and in particular, guarantees a right of judicial review against the decisions of data protection authorities. This approach, in line with Article 47 of the Charter of Fundamental Rights of the European Union ("CFR"), ultimately assigns the role of "guardians of the EU legal order" to the judiciary.[1] In essence, Article 78(1) GDPR recognises an effective judicial remedy for anyone affected by a binding decision of the supervisory authority ("SA").
Paragraph 2 of the provision guarantees the same remedy to data subjects in cases of inactivity by a supervisory authority, following the submission of a complaint under Article 77.
Paragraph 3 clarifies that these proceedings must be initiated in the jurisdiction where the supervisory authority is established.
Finally, paragraph 4 obligates the supervisory authority to inform the court seized of the matter when the challenged decision is the result of a binding decision by the European Data Protection Board ("EDPB").
(1) Right to an effective judicial remedy against an SA's decision
Article 78(1) GDPR grants natural and legal persons the right to a judicial remedy against a "legally binding decision" of a supervisory authority. Therefore, the legal system establishes an additional avenue of protection in cases where the supervisory authority, through its decision, fails to correctly apply or infringes the GDPR or any other applicable laws, including national ones.
Without prejudice to any other administrative or non-judicial remedy
See commentary under Article 77 GDPR. Equally, the existence of the right to an effective judicial remedy against a controller or processor in accordance with Article 79(1) GDPR does not affect the right to an effective judicial remedy under Article 78(1) GDPR.
"[...] the existence of the right to an effective judicial remedy against a controller or processor, provided for in Article 79(1) of the GDPR, does not affect the scope of the judicial review exercised, in the context of an action brought under Article 78(1) of that regulation, over a decision on a complaint adopted by a supervisory authority."
CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA, margin number 67.
Each natural or legal person
Article 78(1) GDPR establishes both natural and legal persons as potential claimants for legal actions against a SA decision. A natural person under that provision is usually a data subject (see Article 4(1) GDPR), although it is also possible that a controller or processor is a natural person. A legal person would usually be the controller or processor with regard to a certain processing activity, or a legal entity that is otherwise bound by a SA decision. The term “legal person” also encompasses other public authorities/bodies, as SAs can issue decisions with legal effect on such entities.[2]
Concerned
The natural or legal person must be concerned by the SA decision. This requirement is met if the natural or legal person (i) has been a party to the proceedings before the SA, either as a complainant or respondent, (ii) has been subject to ex-officio investigations by the SA, (iii) has been fined under Article 83 GDPR or (iv) is subject to a penalty under Article 84 GDPR. If a data subject’s personal data is otherwise affected by the SA decision, for example in case of a data breach in which the data subject’s data was disclosed, they are also concerned by the SA decision. Bergt argues that a data subject could even bring a legal action if a SA rejects the complaint of another data subject on the general illegitimacy of a certain processing activity that also affects the data subject.[3] A controller or processor is also concerned by a SA decision that addresses a third party or does not have an addressee, but has a legally binding general effect.[4] An example of this would be a SA’s orders regarding withdrawal or non-issuing of certifications under Articles 58(2)(h), 42 and 43 GDPR.[5]
(Shall have a right to) An effective judicial remedy
This is certainly one of the most relevant aspects of the entire provision. An individual affected by the decision has the right to an effective judicial remedy. However, what makes this remedy "effective"? In general terms, an "effective" remedy should either halt the alleged violation or its ongoing occurrence, or offer a suitable remedy for any violation that has already taken place. Recital 143 of the GDPR specifies that the courts seised of the matter "should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them."
Therefore, in order for a remedy to be effective, the court seised of an action against a decision of a SA has to be competent to examine all questions of fact and law relevant to the dispute before them.[6]
"Thus, […] it follows from Article 78(1) of the GDPR, read in the light of recital 143 of that regulation, that courts seised of an action against a decision of a supervisory authority should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them […]
Therefore, Article 78(1) of the GDPR cannot be interpreted as meaning that judicial review of a decision on a complaint taken by a supervisory authority is limited to the question of whether the authority has handled the complaint, investigated the subject matter of the complaint to the extent appropriate and informed the complainant of the outcome of the investigation. On the contrary, for a judicial remedy to be ‘effective’, as required by that provision, such a decision must be subject to full judicial review."
CJEU - Joined Cases C‑26/22 and C‑64/22 - SCHUFA, margin number 52 et seq.
Considering the extensive investigative and corrective powers of the SA (see commentary on Article 58 GDPR) it would not meet the requirements of an effective judicial remedy if decisions concerning the exercise of these powers were subject only to limited judicial review.[7] The CJEU already emphasised that the fact that decisions by SAs are subject to full judicial review does not call into question the SAs' guarantee of independence.[8]
At the same time, full judicial review by the court does not mean that the SA does not enjoy a certain degree of discretion regarding the usage of its powers (see commentary on Article 58 GDPR). Therefore, the right to an effective judicial remedy does not mean that the court seised can just substitute its assessment for that of the SA, but requires that the court examines whether the SA has complied with the limits of its discretion.[9]
More information as to what "effective" means can be found in the CJEU's case-law regarding Article 47 CFR. The case-law includes statutory rules about appointment of the judges, length of service and the grounds for abstention, rejection and dismissal of its members, permanence in functioning, organizational independence from all parties of a dispute, impartiality and competence in adjudication. Only when all of the above-mentioned standards are fulfilled is it possible to regard a state power as a court.
Finally, a remedy is considered effective when an individual has the genuine opportunity to protect their rights and make their arguments in a specific case. On this point, the European Court of Human Rights has clarified that "individuals concerned must receive sufficient information concerning their situations to be able to make use of the appropriate remedies and to substantiate their complaints, and to have access to interpreters and legal assistance."[10] This principle plays a major role in cases where a SA adopts a decision concerning the controller/processor and 'notifies' the data subject without any specific remark regarding the issues raised in the complaint. In this case the data subject should be granted access to the entire administrative file. Otherwise, it would be challenging to conceive of an "effective" judicial remedy, as the appellant would be forced into a defence in the dark, so to speak.
Case-law: This conclusion can also be drawn from the CJEU case law, which identifies a violation of the right to a fair hearing (Article 47 of the Charter) "where a judicial decision is founded on facts and documents which the parties, or one of them, have not had an opportunity to examine and on which they have therefore been unable to comment."[11]
Against a legally binding decision
Article 78(1) GDPR only allows for remedies against legally binding decisions.[12] These include SA decisions on complaints made under Article 77 GDPR; decisions following the exercise of a SA's investigative powers under Articles 58(1)(a), (b), (c), (e) and (f) GDPR; decisions following the exercise of a SA's corrective powers under Article 58(2) GDPR; decisions on the approval of certain legal acts, bodies or processing activities under Article 58(3)(c)-(j) GDPR; and decisions following the exercise of powers vested in the SA by Member State law under Article 58(6) GDPR. Mere notifications, opinions or advisory acts, such as under Articles 58(1)(d) or 58(3)(a) and 58(3)(b) GDPR, do not qualify as decisions and cannot be subject to legal actions under Article 78(1) GDPR.[13]
Example: After examining the merits of a complaint lodged with it, the SA found a processing activity to be lawful under the GDPR. This rejection of the complaint by the SA constitutes a legally binding decision which produces legal effects with regard to the complainant. Therefore, the complainant has the right to an effective judicial remedy against this decision.[14]
(2) Right to judicial remedy against DPA inactivity
A data subject has the right to an effective judicial remedy,[15] where the competent SA under Articles 55 and 56 GDPR (i) does not handle a complaint or (ii) fails to inform the data subject within three months on the progress or outcome of a complaint.[16]
Non-handling of complaint by the SA
The data subject has the right to an effective judicial remedy if the SA does not handle the complaint. The GDPR contains no definition of what constitutes the “[non] handling” of a complaint, although the language can be found in other parts of the GDPR. To begin with, Recital 141 GDPR clarifies that an SA must “act on a complaint”.[17] Article 57(1)(f) GDPR, in turn, establishes that the SA has to “handle complaints lodged by a data subject […], and investigate, to the extent appropriate, the subject matter of the complaint […]”.
The use of the conjunction "and [investigate]" indicates that the "handling" of the complaint must involve an investigative activity, understood as the process of ascertaining the facts. This phrasing does not mean that the SA must always undertake complex investigative activities. Sometimes, to address the complaint, it will be sufficient to verify whether a privacy policy complies with the requirements specified in Article 13 GDPR. Similarly, in the case of cookie banners, it should be ensured that the user dialogue window contains all the necessary elements to render consent valid under the GDPR.
In turn, the investigative activity, whether simple or complex, must lead to the adoption of a final decision that can be challenged under Article 78(1) GDPR. Again, Article 57(1)(f) GDPR is instructive regarding the SA's obligation "[to reach] the outcome of the investigation within a reasonable period". The EDPB confirms that the investigation must have an "outcome," and such an "outcome" must specify "the facts and legal considerations for, e.g., rejecting the complaint or dismissing the complaint, i.e., not investigating it further, with a view to make it a legally attackable act."[18] In other words, what is necessary for the handling of a complaint is not only an investigation, but also the adoption of a legally challengeable act, whether the latter is a decision on the merits or just a procedural dismissal.
It may also be that the case is settled between the parties and/or the data subject withdraws the complaint. In those cases there is no room to claim that the SA did not handle the complaint, as the complaint ceased to exist. Finally, a SA cannot take an indefinite amount of time to decide on the merits of the case. In light of the principle of effectiveness under Article 4(3) of the Treaty on the European Union ("TEU"), Articles 8, 41 and 47 CFR, and Article 6 of the European Convention on Human Rights ("ECHR"), the SA must issue a decision within a reasonable time. Some Member States foresee decision periods in their national law.[19]
Lack of information by the SA
Article 78(2) GDPR also provides for a remedy where a SA fails to inform the data subject on the progress or outcome of the complaint lodged pursuant to Article 77 GDPR. The SA with which the complaint has been lodged has a duty to inform the data subject under Article 77(2) GDPR but not under Article 78(2) GDPR – unless it is also competent to handle the case under Article 55 or 56 GDPR. Taking into account the fourth sentence of Recital 141 GDPR, the SA must provide the information at least every three months (“If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject”). Consequently, if a SA manages to decide on a complaint within three months or less, it must only inform the data subject on the outcome of the complaint procedure. Should the procedure take longer, the SA must proactively provide an update on the state of play every three months. If the SA fails to do so, it can be subject to legal actions under Article 78(2) GDPR.
(3) Competent courts and national procedural requirements
Under Article 78(3) GDPR, proceedings against a SA shall be brought before the courts of the Member State where the SA is established. The procedural details of such judicial remedies are subject to Member State law.[20] It is up to Member State law to foresee which national court is competent. In some Member States, civil courts are competent for legal remedies under Article 78 GDPR, in other Member States administrative courts have jurisdiction.
Article 78(1) GDPR requires an effective judicial remedy – a term already used in Article 47(1) CFR. Hence, a Member State's law must not impose inappropriate restrictions that hinder the effectiveness of a remedy under Article 78 GDPR (such as very short deadlines to appeal a SA’s decision under Article 78(2) GDPR).[21] These remedies do not necessarily have to be free of charge, as Article 57(3) GDPR only concerns the performance of the tasks of SAs. However, imposing inadequately high court fees on the claimant – especially if they are a data subject – may violate primary EU law, namely Article 47 CFR in connection with Article 16 TFEU and Article 8 CFR.
In Joined Cases E-11/19 and E-12/1, the EFTA Court held that there are cases in which proceedings under Article 78(1) GDPR that were not initiated by the data subject must be free of charge for the data subject: “It follows from Articles 77(1) and 57(3) of Regulation (EU) 2016/679 that where a data subject becomes a party to proceedings under Article 78(1) as a result of a data controller appealing against a supervisory authority’s decision, and where national law imposes this status on a data subject automatically, the data subject may not be made responsible for any costs incurred in relation to those proceedings."[22]
(4) Information on preceding EDPB opinion or decision
If a legal remedy under Article 78(1) GDPR is filed against a SA decision that was preceded by an opinion or a decision of the EDPB in the consistency mechanism (Articles 63 et seq. GDPR), the SA must forward that opinion or decision to the court that is handling the case. This provision ensures that the court does not ignore the EDPB’s opinion or decision when assessing the case. As a national court lacks the competence to waive a decision by the EDPB, if it considers the EDPB’s decision invalid (Recital 143 sentence 11 GDPR), it must request a preliminary ruling from the CJEU under Article 267 TFEU. However, the court may not refer a question on the validity of the EDPB decision at the request of a natural or legal person, which had missed the opportunity to bring an action for annulment of the EDPB decision under Article 263 TFEU.[23]
Decisions
→ You can find all related decisions in Category:Article 78 GDPR
References
- ↑ Tambou, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 78 GDPR, margin numbers 3 and 7 (C.H. Beck 2019). The Author also points out that "The right to an effective remedy is inspired by Art. 6 and 13 ECHR. It is a core element of the EU legal order based on the rule of law."
- ↑ Mundil in BeckOK DatenschutzR, Article 78 GDPR, margin number 8 (C.H. Beck 2020, 36th edition); Körffer in Paal, Pauly, DS-GVO BDSG, Article 78 GDPR, margin number 2 (C.H. Beck 2021, 3rd edition).
- ↑ Bergt in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 10 (C.H. Beck 2020, 3rd edition).
- ↑ Bergt in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 10 (C.H. Beck 2020, 3rd edition); Pötters in Gola DS-GVO, Article 78 GDPR, margin number 10 (C.H. Beck, 2018, 2nd edition).
- ↑ Boehm, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 78 GDPR, margin numbers 6-19 (C.H. Beck 2019, 1st edition)
- ↑ CJEU, Joined Cases C‑26/22 and C‑64/22, SCHUFA, 7 December 2023, margin number 52 (available here).
- ↑ CJEU, Joined Cases C‑26/22 and C‑64/22, SCHUFA, 7 December 2023, margin number 59 (available here).
- ↑ CJEU, Joined Cases C‑26/22 and C‑64/22, SCHUFA, 7 December 2023, margin number 63 (available here).
- ↑ CJEU, Joined Cases C‑26/22 and C‑64/22, SCHUFA, 7 December 2023, margin number 69 (available here).
- ↑ ECHR, Abdolkhani and Karimnia v. Turkey, 2009, §§ 114-115; M.S.S. v. Belgium and Greece [GC], 2011, §§ 301-304 and 319; Hirsi Jamaa and Others v. Italy [GC], 2012, § 204
- ↑ CJEU, Case C-89/08 P, EU Commission v Ireland, para 52
- ↑ See Recital 143, sentence 5 GDPR: “Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints.”; Bergt in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 6 (C.H. Beck 2020, 3rd edition); Körffer in Paal, Pauly, DS-GVO BDSG, Article 78 GDPR, margin numbers 3-5 (C.H. Beck 2021, 3rd edition).
- ↑ See Recital 143, sentence 7 GDPR: “However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority.”
- ↑ CJEU, Joined Cases C‑26/22 and C‑64/22, SCHUFA, 7 December 2023, margin number 50 (available here).
- ↑ The effective remedy under Article 78(2) GDPR is only available for the data subject and not for any other interested party, as provided for in Article 78(1). Such difference should not be disregarded. When affording such right to the data subject only, the law-maker shows a clear intention of protecting his or her interests, allowing a certain degree of overview about how the supervisory authority is (not) handling the case. See also, among others, Bergt in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 16 (C.H. Beck 2020, 3rd edition).
- ↑ Thus, inactivity includes the following scenarios: The SA that is competent to handle the case under Article 55(1) or (2) GDPR or under Article 56(5) GDPR (“local SA”) does not handle the complaint. The local SA does not inform the data subject within three months on the progress or outcome of the complaint. The SA that is competent to handle the case under Article 56(1) and (2) GDPR (LSA) does not handle the complaint. The LSA does not inform the data subject within three months on the progress or outcome of the complaint.
- ↑ Recital 141 GDPR: “Every data subject should have […] the right to an effective judicial remedy in accordance with Article 47 of the Charter […] where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case.”
- ↑ Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, p. 13 and 15 (available here).
- ↑ For example, the Austrian SA is under the obligation to decide within six months after receiving the complaint (see § 8 Austrian Administrative Courts Procedural Act (Verwaltungsgerichtsverfahrensgesetz – VwGVG)); in Germany, there is a three-month deadline for SAs that can be extended by the court (§ 75 German Administrative Courts Procedural Act (Verwaltungsgerichtsordnung)).
- ↑ See Recital 143 sentence 7 GDPR
- ↑ Souhrada-Kirchmayer in Knyrim, DatKomm Art 78 GDPR, margin number 11 (as of 1.6.2021, rdb.at).
- ↑ Souhrada-Kirchmayer in Knyrim, DatKomm Art 78 GDPR, margin number 11 (as of 1.6.2021, rdb.at).
- ↑ Recital 143 sentence 12 GDPR.