VwGH - Ra 2023/04/0002

From GDPRhub
Revision as of 14:18, 29 September 2023 by Ar (talk | contribs) (Created page with "{{CJEUdecisionBOX |Case_Number_Name=C-416/23 Request for interpretation of a legal provision under Article 267 TFEU |ECLI= |Opinion_Link= |Judgement_Link=https://curia.europa.eu/juris/showPdf.jsf?text=2016%252F679&docid=276682&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=1672473 |Date_Decided= |Year= |GDPR_Article_1=Article 15 GDPR |GDPR_Article_Link_1=Article 15 GDPR |GDPR_Article_2=Article 57(2) GDPR |GDPR_Article_Link_2=Article 57 GDPR#2 |GDPR_Article...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - C-416/23 Request for interpretation of a legal provision under Article 267 TFEU
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 15 GDPR
Article 57(2) GDPR
Article 57(3) GDPR
Article 57(4) GDPR
Article 77(1) GDPR
Aritcle 267 TFEU
Decided:
Parties: Österreichische Datenschutzbehörde (Austrian DPA)
Case Number/Name: C-416/23 Request for interpretation of a legal provision under Article 267 TFEU
European Case Law Identifier:
Reference from: Verwaltungsgerichtshof (Supreme Administrative Court, Austria)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: ar


The Supreme Administrative Court of Austria requested the CJEU a preliminary ruling concerning access requests. Among other questions, the request deals with the meaning of an 'excessive request' and at what point a DPA can charge for a complaint.

English Summary

Facts

On 17 February 2020, a data subject (the complainant) lodged a data protection complaint with the Austrian DPA pursuant to Article 77(1) GDPR for breach of the right of access under Article 15 GDPR by a company.

By decision of 22 April 2020, the DPA refused to deal with the data protection complaint under Article 57(4) GDPR on the basis that between 28 August 2018 and 7 April 2020, the complainant had submitted 77 data protection complaints that were essentially the same and regularly contacted by phone the DPA.

Thus, the interested party brought an action against the decision before the Austrian Administrative Court, which, on 22 December 2022, upheld the complaint and annulled the DPA decision because it could not be said with certainty from Article 57(4) GDPR when ‘a request’ is ‘excessive’. But it could be derived that for requests to be ‘excessive’, they had to be frequent but also ‘manifestly vexatious or abusive in nature’, which the DPA had not demonstrated.

The DPA challenged this judgement before the Supreme Administrative Court (Supreme Court).

Holding

On 6 July 2023, the Austrian DPA requested the Supreme Court to refer a question to the CJEU, namely whether the concept of ‘request’ in Article 57(4) GDPR could be interpreted as also covering ‘complaints’ under Article 77(1) GDPR.

The Supreme Court stated that the concept of ‘requests’ within the meaning of Article 57(4) GDPR is not defined more precisely in the GDPR. Nonetheless, Article 57(2) GDPR and Article 57(3) GDPR suggest that the concept also includes complaints under Article 77(1) GDPR since the handling of complaints is a primary task of any supervisory authority, which should facilitate their submission and provide services free of charge.

Additionally, if the Supreme Court would answer affirmatively, the following questions would be referred.

Firstly, the Supreme Court noted that carrying out an extremely large number of complaints does not constitute an abusive assertion of rights. However, an abuse of the right conferred by Article 77(1) GDPR could be claimed if the data subject does not seek the protection of their personal data but pursues objectives such as lodging a complaint to harm the controller or placing an undue burden on the supervisory authority. However, it referred the question to the CJEU because the concept of ‘excessive’ in Article 57(4) GDPR cannot be answered beyond doubt based on its wording or context. Thus, it asked if Article 57(4) GDPR must be interpreted as meaning that, for requests to be ‘excessive’, it is sufficient that a data subject has merely carried out a certain number of requests, complaints under Article 77(1) GDPR, to a supervisory authority within a certain period, irrespective of whether the facts are different or the complaints concern different controllers, or whether the data subject must also have an abusive intention on top of the frequent complaints.

Secondly, the Supreme Court expressed doubts concerning the application of Article 57(4) GDPR since its application and interpretation are not obvious. Hence, it asked if Article 57(4) GDPR must be interpreted as meaning that the supervisory authority can freely choose whether to charge a fee based on the administrative costs of processing it or refuse to process from the outset in situations of ‘excessive’ complaint. If not, what circumstances and criteria must the supervisory authority consider.

Comment

Once the judgement comes out, we will update this GDPRhub page.

Further Resources

Share blogs or news articles here!