Difference between revisions of "Article 78 GDPR"

From GDPRhub
 
(5 intermediate revisions by 2 users not shown)
Line 185: Line 185:
  
 
== Legal Text ==
 
== Legal Text ==
<br /><center>'''Article 78 - Right to an effective judicial remedy against a supervisory authority'''</center><br />
+
<center>'''Article 78 - Right to an effective judicial remedy against a supervisory authority'''</center><br /><span id="1">1.   Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.</span>
  
<span id="1">1.   Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.</span>
+
<span id="1">2.   Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to a an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.</span>
  
<span id="2">2.   Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to a an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.</span>
+
<span id="1">3.   Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.</span>
  
<span id="3">3.   Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.</span>
+
<span id="1">4.   Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.</span>
  
<span id="4">4.   Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.</span>
+
== Relevant Recitals==
 +
{{Recital/143 GDPR}}{{Recital/144 GDPR}}{{Recital/145 GDPR}}
 +
 
 +
== Commentary ==
 +
Article 78 GDPR provides for judicial redress against a DPA’s decision (Article 78(1) GDPR) or its inactivity (Article 78(2) GDPR). The legal redress must be filed with the competent courts of the Member State where the DPA is established.
 +
 
 +
=== (1) Right to Judicial Remedy against DPA Decision ===
 +
 
 +
==== Requirements ====
 +
Article 78(1) GDPR has two requirements: (1) A natural or legal person must be concerned by (2) a legally binding decision of a DPA.
 +
 
 +
==== Concerned Legal or Natural Person ====
 +
Article 78(1) addresses both natural and legal persons as potential claimants for a legal action against a DPA decision:
 +
 
 +
* A natural person under that provision is usually a data subject (see Article 4(1) GDPR), although it is of course possible that a controller or processor is a natural person.
 +
* A legal person would usually be the controller or processor with regard to a certain processing activity or a legal entity that is otherwise concerned (see below) by a binding DPA decision. The term “legal person” also encompasses other public authorities/bodies, as DPAs can issue decisions with legal effect on such entities.<ref>''Mundil'' in BeckOK DatenschutzR'','' Article 78 GDPR, margin number 8 (Beck 2020, 36th ed.) (accessed 6 May 2021); ''Körffer'' in Paal, Pauly, DS-GVO BDSG, Article 78 GDPR, margin number 2, (Beck 2021, 3rd ed.) (accessed 6 May 2021).</ref>
 +
 
 +
The natural or legal person must be concerned by the DPA decision:
 +
 
 +
* This is the case, if the natural or legal person (i) has been a party to the proceedings before the DPA, either as a complainant or respondent, (ii) has been subject to ex-officio investigations by the DPA, (iii) has been fined under Article 83 GDPR or (iv) subject to a penalty under Article 84 GDPR.
 +
* If a data subject’s personal data is otherwise affected by the DPA decision (e.g. in case of a data breach in which the data subject’s data was disclosed) he/she is also concerned by the DPA decision.
 +
* Bergt argues that a data subject could even bring a legal action if a DPA rejects the complaint of another data subject on the general illegitimacy of a certain processing activity that also affects the data subject.<ref>Bergt in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 10 (Beck 2020, 3rd ed.) (accessed 6 May 2021).</ref>
 +
* A controller or processor is also concerned by a DPA decision that addresses a third party or does not have an addressee but has a legally binding general effect<ref>Bergt in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 10 (Beck 2020, 3rd ed.) (accessed 6 May 2021); ''Pötters'' in Gola DS-GVO, Article 78 GDPR, margin number 10 (Beck, 2018, 2<sup>nd</sup> ed.) (accessed 6 May 2021).</ref> such as for example a DPA's orders regarding withdrawal or non-issuing of certifications under Articles 58(2)(h), 42 and 43.<ref>See ''Boehm'', in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 78 GDPR, margin numbers 6-19 (Beck 2019, 1st ed.) (accessed 6 May 2021).</ref>
 +
 
 +
==== Legally Binding Decision ====
 +
Article 78(1) GDPR only allows for remedies against legally binding decisions,<ref>See Rectital 143, sentence 5 GDPR: "Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints.”;  Bergt in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 6 (Beck 2020, 3rd ed.) (accessed 6 May 2021); ''Körffer'' in Paal, Pauly, DS-GVO BDSG, Article 78 GDPR, margin numbers 3-5, (Beck 2021, 3rd ed.) (accessed 6 May 2021).</ref> such as
 +
 
 +
* DPA decisions on complaints under Article 77 GDPR;
 +
* decisions following the exercise of a DPA's investigative powers under Article 58(1)(a), (b) (c), (e) and (f) GDPR;
 +
* decisions following the exercise of a DPA's corrective powers under Article 58(2) GDPR;
 +
* decisions on the approval of certain legal acts, bodies or processing activities under Article 58(3)(c) - (j) GDPR; and
 +
* decisions following the exercise of powers vested in the DPA by Member State law under Article 58(6) GDPR.  
 +
 
 +
Mere notifications, opinions or advisory acts, such as under Articles 58(1)(d) or 58(3)(a) and (b) GDPR do not qualify as decisions and cannot be subject to legal actions under Article 78(1) GDPR.<ref>See Recital 143, sentence 7 GDPR: “However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority.”</ref>
 +
 
 +
=== (2) Right to Judicial Remedy Against DPA Inactivity ===
 +
 
 +
==== Requirements ====
 +
Other than Article 78(1) GDPR, Article 78(2) GDPR provides a legal remedy only for data subjects (but not for other parties such a controller).<ref>Bergt in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 16 (Beck 2020, 3rd ed.) (accessed 6 May 2021).</ref> A data subject has the right to an effective judicial remedy where the DPA that is competent under Article 55 and 56 GDPR (i) does not handle a complaint or (ii) fails to inform the data subject within three months on the progress or outcome of a complaint.
 +
 
 +
==== DPA Competent under Article 55 and 56 GDPR ====
 +
Article 78(2) GDPR imposes a duty to act on both the authority under Article 55 and the lead DPA that is competent under Article 56 GDPR. This includes the following scenarios:
 +
 
 +
* The DPA that is competent to handle the case under Article 55(1) or (2) GDPR or under Article 56(5) GDPR (“local DPA”) does not handle the complaint.
 +
* The local DPA does not inform the data subject within three months on the progress or outcome of the complaint.
 +
* The DPA that is competent to handle the case under Article 56(1) and (2) GDPR (“lead DPA”) does not handle the complaint.
 +
* The lead DPA does not inform the data subject within three months on the progress or outcome of the complaint.
  
<span id="8">8.   By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.</span>
+
==== Non-handling of Complaint by the DPA ====
 +
The data subject has the right to an effective judicial remedy if the DPA does not handle the complaint. The GDPR contains no definition of the requirement of “(not) handling” a complaint, although the term “not handling a case/complaint” can be found in other provisions such as Articles 56(2) to (5) GDPR and 57(1)(f) GDPR as well.  Under Article 57(1)(f) GDPR the DPA has to “handle complaints lodged by a data subject […], and investigate, to the extent appropriate, the subject matter of the complaint […]”. Recital 141 GDPR uses the term “act on a complaint”.<ref>Recital 141 GDPR: “Every data subject should have […] the right to an effective judicial remedy in accordance with Article 47 of the Charter […] where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case.</ref>
  
<span id="9">9.  Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.</span>
+
In light of this, handling a complaint is not the same as taking a decision on the merits of the case. Just as in Article 56(5) GDPR (“Lead DPA not handling the case”), a DPA is not handling a complaint if it fails to act on it by investigating the subject matter of the complaint to the extent appropriate to protect the rights of the data subject.
  
<span id="10">10.   After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.</span>
+
This does of course not mean that a DPA can take forever to decide on the merits of the case. In light of the principle of effectiveness under Article 4(3) TEU, Articles 8, 41 and 47 CFR, and Article 6 ECHR, the DPA must issue a decision within reasonable time. A few Member States foresee decision periods in their national law.<ref>For example, the Austrian DPA is under the obligation to decide within six months after receiving the complaint (see § 8 Austrian Administrative Courts Procedural Act (Verwaltungsgerichtsverfahrensgesetz – VwGVG); in Germany, there is a three-month deadline for DPAs that can be extended by the court (§ 75 German Administrative Courts Procedural Act (Verwaltungsgerichtsordnung).</ref>
  
<span id="11">11.  Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.</span>
+
A DPA's formal rejection of a complaint does not mean that the DPA does “not handle the complaint”. Such rejection can be subject to a judicial remedy not under Article 78(2) but under Article 78(1) GDPR.
  
<span id="12">12.   The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.</span>
+
==== Lack of Information by the DPA ====
 +
Besides a judicial remedy against the non-handling of a complaint, Article 78(2) GDPR also provides for a remedy where a DPA fails to inform the data subject on the progress or outcome of the complaint lodged pursuant to Article 77 GDPR. This also applies to the local DPA and the lead DPA (Article 55 and 56 GDPR).
  
== Relevant Recitals==
+
The DPA with which the complaint has been lodged has a duty to inform the data subject under Article 77(2) GDPR but not under Article 78(2) GDPR – unless it is also competent to handle the case under Article 55 or 56 GDPR.
<span id="r143">
+
 
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 141:''' Right to effective judicial remedy - Article 78(1)</div>
+
Taking into account Recital 141, sentence 4, the DPA must provide the information at least every three months (“If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject”). Consequently, if a DPA manages to decide on a complaint within three months or less, it must only inform the data subject on the outcome of the complaint procedure; should the procedure take longer, the DPA must proactively provide an update on the state of play every three months. If the DPA fails to do so, it can be subject to legal actions under Article 78(2) GDPR.
<div class="mw-collapsible-content">
+
 
Any natural or legal person has the right to bring an action for annulment of decisions of the Board before the Court of Justice under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the supervisory authorities concerned which wish to challenge them have to bring action within two months of being notified of them, in accordance with Article 263 TFEU. Where decisions of the Board are of direct and individual concern to a controller, processor or complainant, the latter may bring an action for annulment against those decisions within two months of their publication on the website of the Board, in accordance with Article 263 TFEU. Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority. Proceedings against a supervisory authority should be brought before the courts of the Member State where the supervisory authority is established and should be conducted in accordance with that Member State's procedural law. Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them.
+
=== (3) Competent Courts and National Procedural Requirements ===
Where a complaint has been rejected or dismissed by a supervisory authority, the complainant may bring proceedings before the courts in the same Member State. In the context of judicial remedies relating to the application of this Regulation, national courts which consider a decision on the question necessary to enable them to give judgment, may, or in the case provided for in Article 267 TFEU, must, request the Court of Justice to give a preliminary ruling on the interpretation of Union law, including this Regulation. Furthermore, where a decision of a supervisory authority implementing a decision of the Board is challenged before a national court and the validity of the decision of the Board is at issue, that national court does not have the power to declare the Board's decision invalid but must refer the question of validity to the Court of Justice in accordance with Article 267 TFEU as interpreted by the Court of Justice, where it considers the decision invalid. However, a national court may not refer a question on the validity of the decision of the Board at the request of a natural or legal person which had the opportunity to bring an action for annulment of that decision, in particular if it was directly and individually concerned by that decision, but had not done so within the period laid down in Article 263 TFEU.
+
The details of the judicial remedies under Article 78(1) and (2) GDPR are subject to Member State law (See Recital 143 sentence 7 GDPR). Article 78 GDPR requires an ''effective'' judicial remedy – a term already used in Article 47(1) CFR. Hence, the member state law must not impose inappropriate restrictions that hinder the filing of a remedy under Article 78 GDPR (such as very short deadlines to appeal a DPA’s decision under Article 78(2) GDPR).<ref>DatKomm/Souhrada-Kirchmayer GDPR Art. 78 margin number 11.</ref>
</div></div>
 
  
<span id="r144">
+
Pursuant to Article 78(3) GDPR, proceedings against a DPA under Article 78(1) and (2) GDPR shall be brought before the courts of the Member State where DPA is established. It is up to Member State law to foresee which national court is competent. In some Member States, civil courts are competent for legal remedies under Article 78 GDPR, in other Member States it is administrative courts.
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 141:''' Parallel proceeding - Article 78(1)</div>
 
<div class="mw-collapsible-content">
 
Where a court seized of proceedings against a decision by a supervisory authority has reason to believe that proceedings concerning the same processing, such as the same subject matter as regards processing by the same controller or processor, or the same cause of action, are brought before a competent court in another Member State, it should contact that court in order to confirm the existence of such related proceedings. If related proceedings are pending before a court in another Member State, any court other than the court first seized may stay its proceedings or may, on request of one of the parties, decline jurisdiction in favour of the court first seized if that court has jurisdiction over the proceedings in question and its law permits the consolidation of such related proceedings. Proceedings are deemed to be related where they are so closely connected that it is expedient to hear and determine them together in order to avoid the risk of irreconcilable judgments resulting from separate proceedings.
 
</div></div>
 
  
<span id="r145">
+
Other than complaints under Article 77(1) GDPR, remedies under Article 78(1) must not necessarily be free of charge, as Article 57(3) GDPR only concerns the performance of the tasks of DPAs. However, imposing inadequately high court fees on the claimant – especially if he/she is a data subject – might violate primary EU law, namely Article 47 CFR in connection with Article 16 TFEU and Article 8 CFR. In Joined Cases E-11/19 and E-12/1<ref>EFTA Court, 10 December 2020, Joined Cases E-11/19 and E-12/19 (available [https://eftacourt.int/download/11-19-12-19-judgment/?wpdmdl=6966 here]).</ref>, the EFTA Court held that there are cases in which proceedings under Article 78(1) GDPR that were not initiated by the data subject must be free of charge for the data subject:<blockquote>“It follows from Articles77(1) and 57(3) of Regulation(EU) 2016/679 that where a data subject becomes a party to proceedings under Article 78(1) as a result of a data controller appealing against a supervisory authority’s decision, and where national law imposes this status on a data subject automatically, the data subject may not be made responsible for any costs incurred in relation to those proceedings."<ref>EFTA Court, 10 December 2020, Joined Cases E-11/19 and E-12/19 (available [https://eftacourt.int/download/11-19-12-19-judgment/?wpdmdl=6966 here]).</ref></blockquote>
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 141:''' Competent courts - Article 78(3)</div>
 
<div class="mw-collapsible-content">
 
For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.
 
</div></div>
 
  
== Commentary ==
+
=== (4) Information on Preceding EDPB Opinion or Decision ===
 +
If a legal remedy under Article 78(1) GDPR is filed against a DPA decision that was preceded by an opinion or a decision of the EDPB in the consistency mechanism (Articles 63 ''et seq.'' GDPR), the DPA must forward that opinion or decision to the court that is handling the legal remedy. This provision ensures that the court does not ignore the EDPB’s opinion or decision when assessing the case.
  
''You can help us fill this section!''
+
As a national court lacks the competence to waive a decision by the EDPB, it must request the CJEU’s preliminary ruling under Article 267 TFEU, if it considers the EDPB’s decision invalid (Recital 143 sentence 11 GDPR). However, the court may not refer a question on the validity of the EDPR decision at the request of a natural or legal person, which had missed the opportunity to bring an action for annulment of the EDBB decision under Article 263 TFEU (Recital 143 sentence 12 GDPR).
  
 
== Decisions ==
 
== Decisions ==
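Review bot: the added Legal Text lines for paragraphs 2, 3 and 4 all carry `<span id="1">`, where the previous revision used `id="2"`, `id="3"` and `id="4"`; duplicate ids make fragment links to the individual paragraphs ambiguous, so the distinct ids should be restored. In the same added text, paragraph 2 still reads "the right to a an effective judicial remedy". In the new commentary under heading (4), "EDPR decision" and "EDBB decision" should both read "EDPB decision". Under heading (3), the running text cites "Joined Cases E-11/19 and E-12/1" while its own footnote gives "E-12/19".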

Latest revision as of 15:06, 26 August 2021

Article 78 - Right to an effective judicial remedy against a supervisory authority

Legal Text

Article 78 - Right to an effective judicial remedy against a supervisory authority


1.   Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

2.   Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.

3.   Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

4.   Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

Relevant Recitals

Recital 143: Action for Annulment of Decisions of the EDPB and Right to an Effective Judicial Remedy

Any natural or legal person has the right to bring an action for annulment of decisions of the Board before the Court of Justice under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the supervisory authorities concerned which wish to challenge them have to bring action within two months of being notified of them, in accordance with Article 263 TFEU. Where decisions of the Board are of direct and individual concern to a controller, processor or complainant, the latter may bring an action for annulment against those decisions within two months of their publication on the website of the Board, in accordance with Article 263 TFEU. Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority. Proceedings against a supervisory authority should be brought before the courts of the Member State where the supervisory authority is established and should be conducted in accordance with that Member State's procedural law. Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them.

Where a complaint has been rejected or dismissed by a supervisory authority, the complainant may bring proceedings before the courts in the same Member State. In the context of judicial remedies relating to the application of this Regulation, national courts which consider a decision on the question necessary to enable them to give judgment, may, or in the case provided for in Article 267 TFEU, must, request the Court of Justice to give a preliminary ruling on the interpretation of Union law, including this Regulation. Furthermore, where a decision of a supervisory authority implementing a decision of the Board is challenged before a national court and the validity of the decision of the Board is at issue, that national court does not have the power to declare the Board's decision invalid but must refer the question of validity to the Court of Justice in accordance with Article 267 TFEU as interpreted by the Court of Justice, where it considers the decision invalid. However, a national court may not refer a question on the validity of the decision of the Board at the request of a natural or legal person which had the opportunity to bring an action for annulment of that decision, in particular if it was directly and individually concerned by that decision, but had not done so within the period laid down in Article 263 TFEU.

Recital 144: Lis Alibi Pendens
Where a court seized of proceedings against a decision by a supervisory authority has reason to believe that proceedings concerning the same processing, such as the same subject matter as regards processing by the same controller or processor, or the same cause of action, are brought before a competent court in another Member State, it should contact that court in order to confirm the existence of such related proceedings. If related proceedings are pending before a court in another Member State, any court other than the court first seized may stay its proceedings or may, on request of one of the parties, decline jurisdiction in favour of the court first seized if that court has jurisdiction over the proceedings in question and its law permits the consolidation of such related proceedings. Proceedings are deemed to be related where they are so closely connected that it is expedient to hear and determine them together in order to avoid the risk of irreconcilable judgments resulting from separate proceedings.

Recital 145: Plaintiff's Right to Choose the Place of Jurisdiction
For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.

Commentary

Article 78 GDPR provides for judicial redress against a DPA’s decision (Article 78(1) GDPR) or its inactivity (Article 78(2) GDPR). The legal redress must be filed with the competent courts of the Member State where the DPA is established.

(1) Right to Judicial Remedy against DPA Decision

Requirements

Article 78(1) GDPR has two requirements: (1) A natural or legal person must be concerned by (2) a legally binding decision of a DPA.

Concerned Legal or Natural Person

Article 78(1) addresses both natural and legal persons as potential claimants for a legal action against a DPA decision:

  • A natural person under that provision is usually a data subject (see Article 4(1) GDPR), although it is of course possible that a controller or processor is a natural person.
  • A legal person would usually be the controller or processor with regard to a certain processing activity or a legal entity that is otherwise concerned (see below) by a binding DPA decision. The term “legal person” also encompasses other public authorities/bodies, as DPAs can issue decisions with legal effect on such entities.[1]

The natural or legal person must be concerned by the DPA decision:

  • This is the case if the natural or legal person (i) has been a party to the proceedings before the DPA, either as a complainant or respondent, (ii) has been subject to ex-officio investigations by the DPA, (iii) has been fined under Article 83 GDPR or (iv) has been subject to a penalty under Article 84 GDPR.
  • If a data subject’s personal data is otherwise affected by the DPA decision (e.g. in case of a data breach in which the data subject’s data was disclosed) he/she is also concerned by the DPA decision.
  • Bergt argues that a data subject could even bring a legal action if a DPA rejects the complaint of another data subject on the general illegitimacy of a certain processing activity that also affects the data subject.[2]
  • A controller or processor is also concerned by a DPA decision that addresses a third party or does not have an addressee but has a legally binding general effect,[3] such as a DPA's orders regarding withdrawal or non-issuing of certifications under Articles 58(2)(h), 42 and 43.[4]

Legally Binding Decision

Article 78(1) GDPR only allows for remedies against legally binding decisions,[5] such as

  • DPA decisions on complaints under Article 77 GDPR;
  • decisions following the exercise of a DPA's investigative powers under Article 58(1)(a), (b), (c), (e) and (f) GDPR;
  • decisions following the exercise of a DPA's corrective powers under Article 58(2) GDPR;
  • decisions on the approval of certain legal acts, bodies or processing activities under Article 58(3)(c) - (j) GDPR; and
  • decisions following the exercise of powers vested in the DPA by Member State law under Article 58(6) GDPR.  

Mere notifications, opinions or advisory acts, such as those under Articles 58(1)(d) or 58(3)(a) and (b) GDPR, do not qualify as decisions and cannot be subject to legal actions under Article 78(1) GDPR.[6]

(2) Right to Judicial Remedy Against DPA Inactivity

Requirements

Unlike Article 78(1) GDPR, Article 78(2) GDPR provides a legal remedy only for data subjects (but not for other parties such as a controller).[7] A data subject has the right to an effective judicial remedy where the DPA that is competent under Articles 55 and 56 GDPR (i) does not handle a complaint or (ii) fails to inform the data subject within three months on the progress or outcome of a complaint.

DPA Competent under Article 55 and 56 GDPR

Article 78(2) GDPR imposes a duty to act on both the authority under Article 55 and the lead DPA that is competent under Article 56 GDPR. This includes the following scenarios:

  • The DPA that is competent to handle the case under Article 55(1) or (2) GDPR or under Article 56(5) GDPR (“local DPA”) does not handle the complaint.
  • The local DPA does not inform the data subject within three months on the progress or outcome of the complaint.
  • The DPA that is competent to handle the case under Article 56(1) and (2) GDPR (“lead DPA”) does not handle the complaint.
  • The lead DPA does not inform the data subject within three months on the progress or outcome of the complaint.

Non-handling of Complaint by the DPA

The data subject has the right to an effective judicial remedy if the DPA does not handle the complaint. The GDPR contains no definition of the requirement of “(not) handling” a complaint, although the term “not handling a case/complaint” can be found in other provisions such as Articles 56(2) to (5) GDPR and 57(1)(f) GDPR as well. Under Article 57(1)(f) GDPR the DPA has to “handle complaints lodged by a data subject […], and investigate, to the extent appropriate, the subject matter of the complaint […]”. Recital 141 GDPR uses the term “act on a complaint”.[8]

In light of this, handling a complaint is not the same as taking a decision on the merits of the case. Just as in Article 56(5) GDPR (“Lead DPA not handling the case”), a DPA is not handling a complaint if it fails to act on it by investigating the subject matter of the complaint to the extent appropriate to protect the rights of the data subject.

This does not, of course, mean that a DPA can take forever to decide on the merits of the case. In light of the principle of effectiveness under Article 4(3) TEU, Articles 8, 41 and 47 CFR, and Article 6 ECHR, the DPA must issue a decision within a reasonable time. A few Member States foresee decision periods in their national law.[9]

A DPA's formal rejection of a complaint does not mean that the DPA does “not handle the complaint”. Such rejection can be subject to a judicial remedy not under Article 78(2) but under Article 78(1) GDPR.

Lack of Information by the DPA

Besides a judicial remedy against the non-handling of a complaint, Article 78(2) GDPR also provides for a remedy where a DPA fails to inform the data subject on the progress or outcome of the complaint lodged pursuant to Article 77 GDPR. This also applies to the local DPA and the lead DPA (Article 55 and 56 GDPR).

The DPA with which the complaint has been lodged has a duty to inform the data subject under Article 77(2) GDPR but not under Article 78(2) GDPR – unless it is also competent to handle the case under Article 55 or 56 GDPR.

Taking into account Recital 141, sentence 4, the DPA must provide the information at least every three months (“If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject”). Consequently, if a DPA manages to decide on a complaint within three months or less, it must only inform the data subject on the outcome of the complaint procedure; should the procedure take longer, the DPA must proactively provide an update on the state of play every three months. If the DPA fails to do so, it can be subject to legal actions under Article 78(2) GDPR.

(3) Competent Courts and National Procedural Requirements

The details of the judicial remedies under Article 78(1) and (2) GDPR are subject to Member State law (see Recital 143 sentence 7 GDPR). Article 78 GDPR requires an effective judicial remedy – a term already used in Article 47(1) CFR. Hence, Member State law must not impose inappropriate restrictions that hinder the filing of a remedy under Article 78 GDPR (such as very short deadlines to appeal a DPA’s decision under Article 78(2) GDPR).[10]

Pursuant to Article 78(3) GDPR, proceedings against a DPA under Article 78(1) and (2) GDPR shall be brought before the courts of the Member State where the DPA is established. It is up to Member State law to determine which national court is competent. In some Member States, civil courts are competent for legal remedies under Article 78 GDPR; in other Member States, administrative courts are.

Unlike complaints under Article 77(1) GDPR, remedies under Article 78(1) need not necessarily be free of charge, as Article 57(3) GDPR only concerns the performance of the tasks of DPAs. However, imposing excessively high court fees on the claimant – especially if he/she is a data subject – might violate primary EU law, namely Article 47 CFR in connection with Article 16 TFEU and Article 8 CFR. In Joined Cases E-11/19 and E-12/19,[11] the EFTA Court held that there are cases in which proceedings under Article 78(1) GDPR that were not initiated by the data subject must be free of charge for the data subject:

“It follows from Articles 77(1) and 57(3) of Regulation (EU) 2016/679 that where a data subject becomes a party to proceedings under Article 78(1) as a result of a data controller appealing against a supervisory authority’s decision, and where national law imposes this status on a data subject automatically, the data subject may not be made responsible for any costs incurred in relation to those proceedings.”[12]

(4) Information on Preceding EDPB Opinion or Decision

If a legal remedy under Article 78(1) GDPR is filed against a DPA decision that was preceded by an opinion or a decision of the EDPB in the consistency mechanism (Articles 63 et seq. GDPR), the DPA must forward that opinion or decision to the court that is handling the legal remedy. This provision ensures that the court does not ignore the EDPB’s opinion or decision when assessing the case.

As a national court lacks the competence to waive a decision by the EDPB, it must request the CJEU’s preliminary ruling under Article 267 TFEU if it considers the EDPB’s decision invalid (Recital 143 sentence 11 GDPR). However, the court may not refer a question on the validity of the EDPB decision at the request of a natural or legal person that had missed the opportunity to bring an action for annulment of the EDPB decision under Article 263 TFEU (Recital 143 sentence 12 GDPR).

Decisions

→ You can find all related decisions in Category:Article 78 GDPR

References

  1. Mundil in BeckOK DatenschutzR, Article 78 GDPR, margin number 8 (Beck 2020, 36th ed.) (accessed 6 May 2021); Körffer in Paal, Pauly, DS-GVO BDSG, Article 78 GDPR, margin number 2, (Beck 2021, 3rd ed.) (accessed 6 May 2021).
  2. Bergt in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 10 (Beck 2020, 3rd ed.) (accessed 6 May 2021).
  3. Bergt in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 10 (Beck 2020, 3rd ed.) (accessed 6 May 2021); Pötters in Gola DS-GVO, Article 78 GDPR, margin number 10 (Beck, 2018, 2nd ed.) (accessed 6 May 2021).
  4. See Boehm, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 78 GDPR, margin numbers 6-19 (Beck 2019, 1st ed.) (accessed 6 May 2021).
  5. See Recital 143, sentence 5 GDPR: “Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints.”; Bergt in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 6 (Beck 2020, 3rd ed.) (accessed 6 May 2021); Körffer in Paal, Pauly, DS-GVO BDSG, Article 78 GDPR, margin numbers 3-5, (Beck 2021, 3rd ed.) (accessed 6 May 2021).
  6. See Recital 143, sentence 7 GDPR: “However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority.”
  7. Bergt in Kühling, Buchner, DS-GVO BDSG, Article 78 GDPR, margin number 16 (Beck 2020, 3rd ed.) (accessed 6 May 2021).
  8. Recital 141 GDPR: “Every data subject should have […] the right to an effective judicial remedy in accordance with Article 47 of the Charter […] where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case.”
  9. For example, the Austrian DPA is under the obligation to decide within six months after receiving the complaint (see § 8 Austrian Administrative Courts Procedural Act (Verwaltungsgerichtsverfahrensgesetz – VwGVG)); in Germany, there is a three-month deadline for DPAs that can be extended by the court (§ 75 German Administrative Courts Procedural Act (Verwaltungsgerichtsordnung)).
  10. DatKomm/Souhrada-Kirchmayer GDPR Art. 78 margin number 11.
  11. EFTA Court, 10 December 2020, Joined Cases E-11/19 and E-12/19.
  12. EFTA Court, 10 December 2020, Joined Cases E-11/19 and E-12/19.