CJEU - C-132/21 - Nemzeti Adatvédelmi és Információszabadság Hatóság

From GDPRhub
CJEU - C-132/21 Nemzeti Adatvédelmi és Információszabadság Hatóság
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 77(1) GDPR
Article 78(1) GDPR
Article 79(1) GDPR
Decided: 12.01.2023
Parties: Nemzeti Adatvédelmi és Információszabadság Hatóság
Budapesti Elektromos Művek Zrt.
Case Number/Name: C-132/21 Nemzeti Adatvédelmi és Információszabadság Hatóság
European Case Law Identifier:
Reference from: Metropolitan Court of Budapest (Hungary)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Bernardo Armentano

The CJEU held that the remdies in Articles 77(1), 78(1) and 79(1) GDPR can be exercised concurrently with and independently of each other, even when referring to the same facts abd that Member States must create procedural rules that ensure the consistent and homogeneous application of these provisions.

English Summary

Facts

On 26 April 2019, a shareholder of a Hungarian public limited company attended its general meeting. The meeting was recorded and the shareholder, as a data subject, asked the company, as the controller, to send him the recording. The controller only provided him with the excerpts which reproduced his contributions, excluding those of the other persons attending the general meeting.

The data subject filed a complaint with the Hungarian DPA asking it to order the controller to provide the complete recording, which the DPA refused in its decision of 29 November 2019. After this, the data subject started two proceedings at the same time, one against the controller and one against the Hungarian DPA.

The first proceeding was filed with the Budapest Regional Court based on Article 79(1) GDPR. In this proceeding, the data subject asked the Court to order the controller to provide him the entire recording. The Regional Court found that the controller had violated the data subject's right of access and upheld his request. This decision became final.

The second proceeding was filed with the Budapest High Court pursuant to Article 78(1) GPDR. In this proceeding, the data subject asked the High Court to anull the DPA's decision. This Court would later ask the preliminary questions to the CJEU which resulted in this ruling.

As the decision of the Regional Court had already become final, the High Court was faced with a problem when it had to decide the request for annulment of the DPA decision. This is because both procedures referred to the same facts, which could lead to contradictory decisions and, consequently, to legal uncertainty. According to the High Court, the DPA's independence would be compromised if it were bound by the decision of the Regional Court.

In those circumstances, the High Court decided to stay the proceedings and to refer the following questions to the CJEU for a preliminary ruling:

‘(1) Must Articles 77(1) and 79(1) GDPR be interpreted as meaning that the administrative appeal provided for in Article 77 GDPR constitutes an instrument for the exercise of public rights, whereas the legal action provided for in Article 79 GDPR constitutes an instrument for the exercise of private rights? If so, does this support the inference that the supervisory authority, which is responsible for hearing and determining administrative appeals, has priority competence to determine the existence of an infringement?

(2) In the event that the data subject – in whose opinion the processing of personal data relating to him has infringed the GDPR – simultaneously exercises his right to lodge a complaint under Article 77(1) of that regulation and his right to bring a legal action under Article 79(1) of the same regulation, may an interpretation in accordance with Article 47 of the Charter of Fundamental Rights be regarded as meaning:

(a) that the supervisory authority and the court have an obligation to examine the existence of an infringement independently and may therefore even arrive at different outcomes; or

(b) that the supervisory authority’s decision takes priority when it comes to the assessment as to whether an infringement has been committed, regard being had to the powers provided for in Article 51(1) GDPR and those conferred by Article 58(2)(b) and (d) of that regulation?

(3) Must the independence of the supervisory authority, ensured by Articles 51(1) and 52(1) GDPR, be interpreted as meaning that that authority, when conducting and adjudicating upon complaint proceedings under Article 77, is independent of whatever ruling may be given by final judgment by the court having jurisdiction under Article 79, with the result that it may even adopt a different decision in respect of the same alleged infringement?’

Holding

This ruling is mainly about the relationship between Articles 77(1), 78(1) and 79(1) GDPR.

After the CJEU determined that the preliminary questions were admissible, the CJEU started by interpreting the wording of these GDPR articles and verified that they did not provide for any type of priority or exclusion rule in case both a Court and a DPA are deciding on a possible violation regarding the same facts.

The CJEU continued by stating that the relationship between Articles 77 and 79 GDPR was not extensively regulated by EU law. Also, tthe GDPR does not establish rules for the case in which a claim before a DPA and an action filed before a Court in the same Member State refer to the same facts. According to the CJEU, Article 78(1) GDPR, in light of Recital 143, enables courts to exercise their full jurisdiction, which should include competence to examine all relevant facts and relevant law. With this in mind, the CJEU stated that the decision of the EU legislature to leave it up to data subjects to decide which remedy they wanted to use was indeed consistent with the objective of the GDPR, namely, to ensure a high level of protection of personal data and to strengthen rights of data subjects (Recitals 10 and 11). Due to the absence of EU rules regarding the relationship between these GDPR articles, the CJEU determined that it was up to the Member States to provide detailed administrative and judicial procedures in order to ensure a high level of data protection rights, including rules on how to deal with the present situation. It was therefore for the referring court to determine how the GDPR remedies should be implemented in the present situation, according to national law.

However, the CJEU emphasised that certain safeguards needed to be applied while implementing these rules. For instance, these rules had to be compliant with the principles of equivalence (they must not be less favourable than rules governing similar domestic actions) and effectiveness (they must not render it impossible or excessively difficult the exercise rights). According to Article 4(3) TEU, it is the task of national courts to ensure judicial protections of a data subjects under EU law. Article 19(1) TEU requires Member States to make sure that the remedies provided are sufficient to ensure effective judicial protection covered by EU law. Member States also have to ensure that Article 47 of the Charter is safeguarded (principle of effective judicial protection). Therefore, Member States have to ensure that the new practical arrangements do not disproportionately affect a data subjects right to an effective remedy before a court or tribunal.

In the present case, the CJEU found that Hungarian law was designed in such a way that the remedies of Articles 78(1) and 79(1) GDPR were independent of each other. Therefore, it could not be ruled out that the rulings of both courts in the present case might lead to different results. Two contradictory decisions could be in contrast with the objective of the GDPR to provide a consistent and homogeneous application. These contradictory decisions could therefore lead to legal uncertainty and inconsistency.

Based on the above, the CJEU concluded that the judicial and administrative remedies provided for by the GDPR can be exercised concurrently with and independently of each other. It was the task of the Member States, in accordance with the principle of procedural autonomy, to determine detailed rules for the relationship between those remedies in order to ensure the effective protection of the rights guaranteed by the GDPR and the consistent and homogeneous application of its provisions. Member states also had to ensure the right to an effective remedy before a court or tribunal (Article 47 of the Charter).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!