VwGH - Ra 2023/04/0002

From GDPRhub
Revision as of 13:27, 11 November 2023 by Lszabo (Comment on the text of the quoted Article 57(4))
CJEU - C-416/23 Request for interpretation of a legal provision under Article 267 TFEU
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 15 GDPR
Article 57(2) GDPR
Article 57(3) GDPR
Article 57(4) GDPR
Article 77(1) GDPR
Article 267 TFEU
Decided:
Parties: Österreichische Datenschutzbehörde (Austrian DPA)
Case Number/Name: C-416/23 Request for interpretation of a legal provision under Article 267 TFEU
European Case Law Identifier:
Reference from: VwGH (Austria)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: ar


The Supreme Administrative Court of Austria requested a preliminary ruling from the CJEU concerning access requests pursuant to Article 15 GDPR. The Court asked whether the concept of ‘request’ in Article 57(4) GDPR could be interpreted as also covering ‘complaints’ under Article 77(1) GDPR, and asked the CJEU to elaborate on the meaning of 'excessive requests' and on the point at which a DPA can charge for a complaint.

English Summary

Facts

On 17 February 2020, a data subject (the complainant) lodged a data protection complaint under Article 77(1) GDPR for breach of the right of access under Article 15 GDPR by a company.

By decision of 22 April 2020, the DPA refused to deal with the data protection complaint under Article 57(4) GDPR on the basis that, between 28 August 2018 and 7 April 2020, the complainant had submitted 77 data protection complaints that were essentially the same and had regularly contacted the DPA by phone.

The complainant then brought an action against the decision before the Austrian Administrative Court, which, on 22 December 2022, upheld the complaint and annulled the DPA decision. The court reasoned that it could not be said with certainty from Article 57(4) GDPR when a request is ‘excessive’, but that it could be derived that requests had to be not only frequent but also ‘manifestly vexatious or abusive in nature’, which the DPA had not demonstrated.

The DPA challenged this judgement before the Supreme Administrative Court (Supreme Court).

Holding

On 6 July 2023, the Austrian DPA requested the Supreme Court to refer a question to the CJEU, namely, whether the concept of ‘request’ in Article 57(4) GDPR could be interpreted as also covering ‘complaints’ under Article 77(1) GDPR.

The Supreme Court stated that the concept of ‘requests’ within the meaning of Article 57(4) GDPR is not defined more precisely in the GDPR. Nonetheless, Article 57(2) GDPR and Article 57(3) GDPR suggest that the concept also includes complaints under Article 77(1) GDPR since the handling of complaints is a primary task of any supervisory authority, which should facilitate their submission and provide services free of charge.

Additionally, the following questions were referred in case the CJEU answers affirmatively.

Firstly, the Supreme Court noted that lodging an extremely large number of complaints does not constitute an abusive assertion of rights. An abuse of the right conferred by Article 77(1) GDPR could, however, be claimed if a data subject pursues objectives such as lodging a complaint to harm the controller or placing an undue burden on the supervisory authority. Nonetheless, it referred the question to the CJEU because the meaning of ‘excessive’ in Article 57(4) GDPR cannot be determined beyond doubt from its wording or context. Thus, it asked whether Article 57(4) GDPR must be interpreted as meaning that, for requests to be ‘excessive’, it is sufficient that a data subject has merely addressed a certain number of requests (complaints under Article 77(1) GDPR) to a supervisory authority within a certain period, irrespective of whether the facts are different or the complaints concern different controllers, or whether the data subject must also have an abusive intention in addition to the frequent complaints.

Secondly, the Supreme Court expressed doubts concerning the application and interpretation of Article 57(4) GDPR, since they are not obvious. It asked whether Article 57(4) GDPR must be interpreted as meaning that, in situations of ‘excessive’ complaints, the supervisory authority can freely choose whether to charge a fee based on the administrative costs of processing the complaint or to refuse to process it from the outset. If not, it asked what circumstances and criteria the supervisory authority must consider.

Comment

Once the judgement comes out, we will update this GDPRhub page.

The EDPB Guidelines 01/2022 on data subject rights - Right of access state that Article 12(5) GDPR allows controllers to reject manifestly unfounded or excessive requests or charge a reasonable fee for such requests. These concepts have to be interpreted narrowly. According to the Guidelines, 'excessive requests' depend on the specifics of the sector in which the controller operates: the more often changes occur in the controller’s database, the more often the data subject may be permitted to request access without it being excessive. Instead of refusing access, the controller may charge a fee to cover the administrative costs such requests may cause. To do so, the controller must be able to demonstrate the manifestly unfounded or excessive character of a request.

Let me note that the text of Article 57(4) quoted continues: ...unfounded or excessive -> "in particular because of their repetitive character".
