Difference between revisions of "Article 77 GDPR"

From GDPRhub
 
(6 intermediate revisions by one other user not shown)
Line 192: Line 192:
  
 
== Relevant Recitals==
 
== Relevant Recitals==
<span id="r40">
+
<span id="r141">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 141:''' Right of lodging a complaint - Article 77(1)</div>
+
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 141:''' Right to lodge a complaint - Article 77(1) and information on outcome/progress of the complaint - Article 77(2)</div>
 
<div class="mw-collapsible-content">
 
<div class="mw-collapsible-content">
 
Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject. In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.
 
Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject. In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.
Line 200: Line 200:
 
== Commentary ==
 
== Commentary ==
  
=== (1) Right to a formal complaint ===
+
=== Overview ===
 +
Article 77'''(1)''' GDPR stipulates the data subject’s right to lodge a complaint with a DPA if the data subject suspects a GDPR violation regarding personal data relating to him or her; Article 77'''(2)''' GDPR places the DPA with which the complaint has been lodged under an obligation to inform the complainant on the progress and the outcome of the complaint.
 +
 
 +
Both Article 77(1) and (2) GDPR are directly applicable and do not require transposition into national law. However, the details of the complaints procedure are subject to Member State law, which must observe the requirements and objectives of the GDPR.<ref>Kühling/Buchner/Bergt GDPR Art. 77 margin number 26.</ref>
 +
 
 +
Under Article 57(3) GDPR, the lodging of a complaint and its handling by a DPA shall be free of charge for the data subject, which must be respected by the national procedural law.
 +
 
 +
Many DPAs provide forms that ensure that a complainant includes all relevant information as suggested in the last sentence of Recital 141 GDPR.
 +
 
 +
=== Right to a formal complaint ===
  
 
==== Requirements ====
 
==== Requirements ====
Article 77(1) only has two requirements: (1) A data subject must consider that (2) his or her personal data was processed in violation of GDPR.
+
Article 77(1) GDPR only has two requirements: (1) A data subject must consider that (2) his or her personal data has been processed in violation of GDPR.
  
 
===== Data subject =====
 
===== Data subject =====
The complainant must be a data subject within the meaning of [[Article 4 GDPR#2| Article 4(2) GDPR]].
+
The complainant must be a data subject within the meaning of Article 4(1) GDPR, i.e. an identified or identifiable natural person.
  
As only an actual investigation can determine if the data of a complainant is or was actually processed, the data subject must ''de facto'' only allege that he or she is a data subject.  
+
As only an investigation of the facts can determine if the data of the complainant has actually been processed, the complainant must de facto only allege that he or she qualifies as a data subject. This is especially relevant in cases where the complainant is not even capable of assessing his or her status as a data subject – e.g. when a controller has simply ignored an access request under Article 15 GDPR and the complainant has no knowledge on whether the controller actually processes his or her personal data.
  
The requirement to be a data subject makes third party complaints ((''actio popularis'')) impossible under Article 77.
+
===== Alleged infringement =====
 +
The data subject must at least allege that his or her data is processed in violation of the GDPR. The letter of the law requires that the processing of personal data relating to the data subject infringe the GDPR.  
  
→ See below for [[Article 77 GDPR#Alternative forms of submissions|alternative forms of submissions]]
+
Contrary to the prevailing opinion among legal scholars,<ref>Kühling/Buchner/Bergt GDPR Art. 77 margin number 10; Ehmann/Selmayr/Nemitz DS-GVO Art. 77 margin number 16; Auernhammer/von Lewinksi GDPR Art. 77 margin number 2; DatKomm/Schweiger GDPR Art. 77 margin number 11.</ref> some DPAs have taken the stance that the right to lodge a complaint is limited to violations of data subject rights under Chapter III of the GDPR (“Rights of the data subject“)<ref>E.g. the Austrian DPA, 13.09.2018, DSB-D123.070/0005-DSB/2018 (ECLI:AT:DSB:2018:DSB.D123.070.0005.DSB.2018).</ref>. The academic opinion seems more convincing for the following reasons:
  
===== Alleged processing in violation of the GDPR =====
+
First, the language of Article 77(1) GDPR does not contain any limitations to violations of Chapter III rights.
The data subject must at least allege that his or her data is processed in violation of the GDPR.
 
  
===== National procedural requirements =====
+
Second, Article 8(2) CFR already foresees that personal data “''must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.''” These requirements are laid down in detail in Article 5 to 10 GDPR. In light of Article 41 and Article 47 CFR, limiting complaints to the violation of Chapter III GDPR would therefore violate not only the GDPR but also primary EU law.
National procedural laws may require further elements in a submission. Any such requirements may however not undermine the effectiveness of Article 77(1) and may not more burdensome than requirements in equivalent national procedures.
 
  
Many DPAs provide forms that ensure that a complainant includes all relevant information in a complaint as suggested in the last sentence of Recital 141.
+
Third, a limitation to violations of Chapter III rights would also result in massive enforcement deficiencies. A data subject would have no possibility to have certain processing activities reviewed by a DPA. For example, a processing activity that is based on an algorithm that produces incorrect data on a regular basis could not be addressed under Article 16 GDPR as Article 16 can only be invoked to rectify existing inaccurate data but not to stop the ongoing creation of incorrect data that is based on existing correct data. In this case, the data subject would have to rely directly on the principle of accuracy under Article 5(1)(d) GDPR in connection with Article 24, 25 GDPR and ask the DPA to order the controller to bring the processing operation into compliance with the GDPR under Article 58(2)(d) GDPR or even ban it under Article 58(2)(f) GDPR.
 +
 
 +
Therefore, complaints under Article 77 GDPR should extend to a broad range of violations concerning, amongst the others:<ref>See especially DatKomm/Schweiger GDPR Art. 77 margin number 11.</ref>
 +
 
 +
* the principles of data processing (Article 5 GDPR),
 +
* the lawfulness of processing (Article 6, 9 and 10 GDPR),
 +
* the conditions for consent (Article 7 and 8 GDPR),
 +
* information under Article 11(2) GDPR,
 +
* provisions of Chapter III of the GDPR (Article 12 to 22 GDPR),
 +
* the duty to communicate a personal data breach to the data subject (Article 34 GDPR),
 +
* the provisions on data transfers to a third countries or international organisations under Chapter V of the GDPR (Article 44 et seqq. GDPR).
  
 
==== Jurisdiction for filing the case ====
 
==== Jurisdiction for filing the case ====
  
 
===== A(ny) DPA =====
 
===== A(ny) DPA =====
The GDPR only requires that ''a'' supervisory authority (DPA) is addressed by the complaint. This general rule is only expanded by a non-exhaustive (''in particular'') list of possible DPAs. In summary this means, that a complainant may file a complaint with any DPA in Europe, independent of location.
+
The GDPR only requires that a supervisory authority (DPA) is addressed by the complaint. This general rule is only limited by a non-exhaustive list of possible DPAs. This means that a complainant may file a complaint with any DPA in the EEA, independent of location.<ref>Kühling/Buchner/Bergt GDPR Art. 77 margin number 9.</ref>
  
 
===== Habitual residence =====
 
===== Habitual residence =====
The most common place to file a complaint is the home jurisdiction of the complainant. The habitual residence is defined in different EU laws and requires a legal right to residence and an objective assessment of the factual residence.  
+
The most common place to lodge a complaint is the home jurisdiction of the complainant. The habitual residence is defined in different EU laws and requires a legal right to residence and an objective assessment of the factual residence. Especially in cross border cases, data subjects might want to choose to lodge complaints at the place of their habitual residence, at this allows for the data subject to file the complaint in (one of) the official languages of the relevant Member State, rather than the official language of the Member State that the controller is based in.  
 
 
This option allows to file a complaint in the local language of the data subject.
 
  
 
===== Place of work =====
 
===== Place of work =====
Similar to the habitual residence, complainants can file a complaint at their work place. This may be relevant for cases in employment cases, but it is not required that the complaint has any connection to the work place.
+
Similar to the habitual residence, complainants can lodge a complaint at their work place. It is not required that the complaint has any connection to the place of work.
  
 
===== Place of alleged infringement =====
 
===== Place of alleged infringement =====
The complaint can be brought at the place of the alleged infringement. This clause is a typical form of jurisdiction, that is aimed to align location of the decision maker with the location of facts.
+
The complaint can be lodged at the place of the alleged infringement. This clause is a typical form of jurisdiction that is aimed at aligning location of the decision maker with the location of facts.<blockquote><u>Example:</u> The DPA that is close to a CCTV camera may be best placed to gather factual evidence on the CCTV system, without the need to request mutual assistance from other DPAs.</blockquote>
 
 
::<u>Example:</u> The DPA that is close to a CCTV camera may be best placed to gather factual evidence on the CCTV system, without the need to request mutual assistance from other DPAs.
 
  
 
===== Cross country cases =====
 
===== Cross country cases =====
The option to file a case with any DPA does not mean that this DPA necessarily decides about the case.  
+
The option to lodge a case with any DPA does not mean that the DPA with which the case has been lodged necessarily decides about the case. Which DPA actually handles the case is subject to Article 55 and 56 GDPR. In any case the DPA with which the complaint has been lodged remains a “supervisory authority concerned” under Article 4(22)(c) GDPR and the point of contact for the data subject (“one stop shop”).  
 
 
→ See [[Article 56 GDPR]] for the definition of the lead supervisory authority.
 
 
 
==== Alternative forms of submissions ====
 
 
 
===== Opening Clause =====
 
 
 
Article 77(1) GDPR explicitly recognizes that Member States may provide for additional forms of submissions and redress. They may however not replace the right to launch a formal complaint.
 
 
 
===== Informal Petitions =====
 
Some DPAs also allow different form of informal submissions that can be best described as "petitions". Petitions are informal submissions that inform the DPA of an issue. Anyone can petition a DPA, without the need to be a data subject. At the same time petitions do not require the DPA to take any action and the petitioner is usually not a party to the procedure. The petitioner usually has no right to appeal under [[Article 78 GDPR]].
 
 
 
GDPR does not know petitions. Petitions may have a legal basis in national law, such as a general "right to petition" any government authority.
 
  
=== (2) Duty to inform the data subject ===
+
=== Duty to inform the data subject ===
  
==== Progress ====
+
==== Progress and outcome ====
''You can help us fill this section!''
+
Under Article 77(2) GDPR “''the supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.''” This provision only addresses the DPA with which the complaint has been lodged but not the DPA ultimately handling the case under Article 55 and 56 GDPR (which might be the same or a different DPA).
  
==== Outcome ====
+
The DPA’s report on the progress must include information on the possibility for a judicial remedy under Article 78(2) GDPR, its report on the outcome should contain information on the possibility for a judicial remedy under Article 78(1) GDPR.
''You can help us fill this section!''
 
  
==== Every three Months ====
+
==== Timeline and frequency of information ====
''You can help us fill this section!''
+
Article 77(2) does not stipulate a deadline by which the data subject has to be initially informed about the progress of the complaint, nor does it contain rules on the frequency of such “progress reports”. Read in connection with Article 57(1)(f) GDPR (“[…] ''inform the complainant of the progress and the outcome of the investigation within a reasonable period,'' […]”) , the DPA must inform the data subject within a reasonable period.
  
==== Information about Article 78 ====
+
Moreover, under Article 78(2) GDPR a data subject has the right to an effective judicial remedy where the DPA which is competent pursuant to Article 55 and 56 GDPR does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77 GDPR. It must be noted, that other than Article 77(2) GDPR, Article 78(2) does not address the DPA with which the complaint has been lodged but rather the DPA that is competent to handle the case under Article 55 and 56 GDPR.
''You can help us fill this section!''
 
  
=== National procedural law ===
+
This results in the following scenarios:
In addition to the requirements of Article 77, the procedural law of the Member States defines all further details of the procedure. National procedural laws are only applicable as far as they comply with the EU principles of equivalence and effectiveness.
 
  
You can find more details about the applicable national procedural laws in the [[:Category:DPA|DPA profiles]].
+
* The DPA with which the complaint has been lodged is also competent to handle the case under Article 55 GDPR: In this case, the DPA has to inform the data within three months after receipt of the complaint on its progress or outcome under Article 78(2) GDPR.
 +
* The DPA with which the complaint has been lodged is not competent to handle the case but rather the lead DPA under Article 56 is:
 +
** The DPA with which the complaint has been lodged must inform the data subject under Article 77(2) GDPR. The first information usually is an acknowledgement of receipt and a notice that the case has been forwarded to an (alleged) lead LSA. Although there is no specific deadline for this information, the three-month period of Article 78(2) GDPR should be applied ''per analogiam.''
 +
** As soon as the lead DPA is established (which very often takes longer than three months), it must inform the data subject within three months after receipt of the complaint on its progress or outcome under Article 78(2) GDPR. For practical reasons the DPA with which the complaint has been lodged usually informs the data subject on behalf of the lead DPA on this.
  
 
== Decisions ==
 
== Decisions ==

Latest revision as of 07:50, 1 June 2021

Article 77 - Right to lodge a complaint with a supervisory authority
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text[edit | edit source]


Article 77 - Right to lodge a complaint with a supervisory authority


1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.

Relevant Recitals[edit | edit source]

Recital 141: Right to lodge a complaint - Article 77(1) and information on outcome/progress of the complaint - Article 77(2)

Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject. In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.

Commentary[edit | edit source]

Overview[edit | edit source]

Article 77(1) GDPR stipulates the data subject’s right to lodge a complaint with a DPA if the data subject suspects a GDPR violation regarding personal data relating to him or her; Article 77(2) GDPR places the DPA with which the complaint has been lodged under an obligation to inform the complainant on the progress and the outcome of the complaint.

Both Article 77(1) and (2) GDPR are directly applicable and do not require transposition into national law. However, the details of the complaints procedure are subject to Member State law, which must observe the requirements and objectives of the GDPR.[1]

Under Article 57(3) GDPR, the lodging of a complaint and its handling by a DPA shall be free of charge for the data subject, which must be respected by the national procedural law.

Many DPAs provide forms that ensure that a complainant includes all relevant information as suggested in the last sentence of Recital 141 GDPR.

Right to a formal complaint[edit | edit source]

Requirements[edit | edit source]

Article 77(1) GDPR only has two requirements: (1) A data subject must consider that (2) his or her personal data has been processed in violation of GDPR.

Data subject[edit | edit source]

The complainant must be a data subject within the meaning of Article 4(1) GDPR, i.e. an identified or identifiable natural person.

As only an investigation of the facts can determine if the data of the complainant has actually been processed, the complainant must de facto only allege that he or she qualifies as a data subject. This is especially relevant in cases where the complainant is not even capable of assessing his or her status as a data subject – e.g. when a controller has simply ignored an access request under Article 15 GDPR and the complainant has no knowledge on whether the controller actually processes his or her personal data.

Alleged infringement[edit | edit source]

The data subject must at least allege that his or her data is processed in violation of the GDPR. The letter of the law requires that the processing of personal data relating to the data subject infringe the GDPR.

Contrary to the prevailing opinion among legal scholars,[2] some DPAs have taken the stance that the right to lodge a complaint is limited to violations of data subject rights under Chapter III of the GDPR (“Rights of the data subject“)[3]. The academic opinion seems more convincing for the following reasons:

First, the language of Article 77(1) GDPR does not contain any limitations to violations of Chapter III rights.

Second, Article 8(2) CFR already foresees that personal data “must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.” These requirements are laid down in detail in Article 5 to 10 GDPR. In light of Article 41 and Article 47 CFR, limiting complaints to the violation of Chapter III GDPR would therefore violate not only the GDPR but also primary EU law.

Third, a limitation to violations of Chapter III rights would also result in massive enforcement deficiencies. A data subject would have no possibility to have certain processing activities reviewed by a DPA. For example, a processing activity that is based on an algorithm that produces incorrect data on a regular basis could not be addressed under Article 16 GDPR as Article 16 can only be invoked to rectify existing inaccurate data but not to stop the ongoing creation of incorrect data that is based on existing correct data. In this case, the data subject would have to rely directly on the principle of accuracy under Article 5(1)(d) GDPR in connection with Article 24, 25 GDPR and ask the DPA to order the controller to bring the processing operation into compliance with the GDPR under Article 58(2)(d) GDPR or even ban it under Article 58(2)(f) GDPR.

Therefore, complaints under Article 77 GDPR should extend to a broad range of violations concerning, amongst the others:[4]

  • the principles of data processing (Article 5 GDPR),
  • the lawfulness of processing (Article 6, 9 and 10 GDPR),
  • the conditions for consent (Article 7 and 8 GDPR),
  • information under Article 11(2) GDPR,
  • provisions of Chapter III of the GDPR (Article 12 to 22 GDPR),
  • the duty to communicate a personal data breach to the data subject (Article 34 GDPR),
  • the provisions on data transfers to a third countries or international organisations under Chapter V of the GDPR (Article 44 et seqq. GDPR).

Jurisdiction for filing the case[edit | edit source]

A(ny) DPA[edit | edit source]

The GDPR only requires that a supervisory authority (DPA) is addressed by the complaint. This general rule is only limited by a non-exhaustive list of possible DPAs. This means that a complainant may file a complaint with any DPA in the EEA, independent of location.[5]

Habitual residence[edit | edit source]

The most common place to lodge a complaint is the home jurisdiction of the complainant. The habitual residence is defined in different EU laws and requires a legal right to residence and an objective assessment of the factual residence. Especially in cross border cases, data subjects might want to choose to lodge complaints at the place of their habitual residence, at this allows for the data subject to file the complaint in (one of) the official languages of the relevant Member State, rather than the official language of the Member State that the controller is based in.

Place of work[edit | edit source]

Similar to the habitual residence, complainants can lodge a complaint at their work place. It is not required that the complaint has any connection to the place of work.

Place of alleged infringement[edit | edit source]

The complaint can be lodged at the place of the alleged infringement. This clause is a typical form of jurisdiction that is aimed at aligning location of the decision maker with the location of facts.

Example: The DPA that is close to a CCTV camera may be best placed to gather factual evidence on the CCTV system, without the need to request mutual assistance from other DPAs.

Cross country cases[edit | edit source]

The option to lodge a case with any DPA does not mean that the DPA with which the case has been lodged necessarily decides about the case. Which DPA actually handles the case is subject to Article 55 and 56 GDPR. In any case the DPA with which the complaint has been lodged remains a “supervisory authority concerned” under Article 4(22)(c) GDPR and the point of contact for the data subject (“one stop shop”).

Duty to inform the data subject[edit | edit source]

Progress and outcome[edit | edit source]

Under Article 77(2) GDPR “the supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.” This provision only addresses the DPA with which the complaint has been lodged but not the DPA ultimately handling the case under Article 55 and 56 GDPR (which might be the same or a different DPA).

The DPA’s report on the progress must include information on the possibility for a judicial remedy under Article 78(2) GDPR, its report on the outcome should contain information on the possibility for a judicial remedy under Article 78(1) GDPR.

Timeline and frequency of information[edit | edit source]

Article 77(2) does not stipulate a deadline by which the data subject has to be initially informed about the progress of the complaint, nor does it contain rules on the frequency of such “progress reports”. Read in connection with Article 57(1)(f) GDPR (“[…] inform the complainant of the progress and the outcome of the investigation within a reasonable period, […]”) , the DPA must inform the data subject within a reasonable period.

Moreover, under Article 78(2) GDPR a data subject has the right to an effective judicial remedy where the DPA which is competent pursuant to Article 55 and 56 GDPR does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77 GDPR. It must be noted, that other than Article 77(2) GDPR, Article 78(2) does not address the DPA with which the complaint has been lodged but rather the DPA that is competent to handle the case under Article 55 and 56 GDPR.

This results in the following scenarios:

  • The DPA with which the complaint has been lodged is also competent to handle the case under Article 55 GDPR: In this case, the DPA has to inform the data within three months after receipt of the complaint on its progress or outcome under Article 78(2) GDPR.
  • The DPA with which the complaint has been lodged is not competent to handle the case but rather the lead DPA under Article 56 is:
    • The DPA with which the complaint has been lodged must inform the data subject under Article 77(2) GDPR. The first information usually is an acknowledgement of receipt and a notice that the case has been forwarded to an (alleged) lead LSA. Although there is no specific deadline for this information, the three-month period of Article 78(2) GDPR should be applied per analogiam.
    • As soon as the lead DPA is established (which very often takes longer than three months), it must inform the data subject within three months after receipt of the complaint on its progress or outcome under Article 78(2) GDPR. For practical reasons the DPA with which the complaint has been lodged usually informs the data subject on behalf of the lead DPA on this.

Decisions[edit | edit source]

→ You can find all related decisions in Category:Article 77 GDPR

References[edit | edit source]

  1. Kühling/Buchner/Bergt GDPR Art. 77 margin number 26.
  2. Kühling/Buchner/Bergt GDPR Art. 77 margin number 10; Ehmann/Selmayr/Nemitz DS-GVO Art. 77 margin number 16; Auernhammer/von Lewinksi GDPR Art. 77 margin number 2; DatKomm/Schweiger GDPR Art. 77 margin number 11.
  3. E.g. the Austrian DPA, 13.09.2018, DSB-D123.070/0005-DSB/2018 (ECLI:AT:DSB:2018:DSB.D123.070.0005.DSB.2018).
  4. See especially DatKomm/Schweiger GDPR Art. 77 margin number 11.
  5. Kühling/Buchner/Bergt GDPR Art. 77 margin number 9.