CJEU - C-33/22 - Österreichische Datenschutzbehörde

From GDPRhub
CJEU - C-33/22 Österreichische Datenschutzbehörde
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 2(2)(a) GDPR
Article 4(7) GDPR
16(2) TFEU
Decided: 16 January 2024
Case Number/Name: C-33/22 Österreichische Datenschutzbehörde
European Case Law Identifier: ECLI:EU:C:2024:46
Reference from:
Language: 24 EU Languages
Original Source: AG Opinion
Initial Contributor: sh

The CJEU decided that the GDPR applies to national parliamentary committees. The Court clarified the concept of nationality security and held that in the abscence of evidence of a national security purpose, national courts must determine if Article 2(2)(a) GDPR applies.

English Summary


A data subject served as a witness during a committeee hearing held by the Austrian national parliament. Against his wishes a publication of the minutes of the hearing, which included his full name, were published on the website of the Austrian Parliament. The data subject complained to the DPA and requested an erasure of his data under Article 17 GDPR, stating that he was working as an undercover investigator and that a publication exposing his identity would affect his ability to do his job.

The DPA rejected the complaint. It stated that the DPA is a body of the executive. Therefore, it does not have competence to oversee the activities of the committee under national law. This is because it considered the committee (the controller) to be a part of the legislative body. Under the principle of the separation of powers[1] in Austria, the executive cannot oversee the legislature. The data subject appealed this decision.

The Federal Administrative Court anulled the DPA's decision. It held that the GDPR applies to acts done by the legislature because the GDPR concerns all data processing, irrespective of who carries it out. Therefore, the DPA was competent to review the decision. Moreover, it held that the legislature cannot rely on the exemption outlined in Article 2(2)(a) GDPR. The DPA appealed this decision.

The Supreme Administrative Court referred three questions to the CJEU:

1) Does the GDPR apply to the activities of a Parliamentary committee of a Member State?

2) If question 1 is answered in the positive, do the activities of this committee fall under national security as defined by Recital 16 GDPR, therefore, making Article 2(2)(a) GDPR applicable?

3) If question 2 is answered in the negative, does the DPA have the competence to handle the complaint?


The CJEU held that the GDPR applies to bodies established by the legislature, that the activities of the committee were unlikely to fall under the definition of national security and that the DPA had competence to handle the complaint.

On the first question:

The CJEU held that an activity cannot be regarded as being outside the scope of the GDPR for the sole reason that it is carried out by a committee of inquiry set up by the parliament of a Member State in the exercise of its power of scrutiny over the executive.

This is because the GDPR, according to Article 2(1) does not depend on the identity of the controller in order to apply (para 38). This is supported by the fact that Article 4(7) GDPR applies both to private persons and public authorities (para 36). For this reason, the court has already in the past defined Member State Parliamentary committees as controllers in C-272-19 Land Hessen.

To question whether the GDPR is applicable in the context of the exemptions it provides, courts should focus on the category of activities of the controller's processing rather than the identity of the controller itself (para 37, and 42).

On the second question:

The CJEU held that the the activities of the committee, the purpose of which was to investigate the activities of a police State-protection authority on account of a suspicion of political influence over that authority, cannot automatically be regarded as activities concerning national security under Article 2(2)(a) GDPR.

The GDPR will not apply if the activity of the controller falls outside the scope of Union Law under Article 2(2)(a). The court does not give a full definition of what acting outside the scope of Union law under Article 2(2)(a) GDPR entails. However, in this specfic case the activity related to the example outlined in Recital 16 GDPR as the referring court claimed national security. In this context, to fall outside the scope of Union Law, the activity needs to be concerned about national security. The Court determined that Article 2(2)(a) GDPR combined with Recital 16 GDPR must be interpreted strictly (para 45). National security is defined as at paragraph 46 as activities intended to protect essential State functions and the fundamental interests of society.

The court suggested that it was not apparent that the specific activity in this case was in fact related to national security (at para 52, 55, 56 and 57). The political scrutiny of the committee amounted only to political scrutiny and did not appear to include activities intended to safeguard national security (para 52). Moreover, the court struggled to accept the idea that the publication of the data subject's details were necessary for the safeguarding of national security either (para 56).

Nonetheless, as it was not apparent from the case file whether the committee was pursuing national security, the CJEU needed verification from the referring court and sent the question back for national courts to determine (at para 52).

On the third question:

The CJEU held that where a Member State has chosen, in accordance with Article 51(1) GDPR to establish a DPA and has not explicitly conferred it the powers to oversee executive committees, that the DPA will have competence to do so.

The court justified this view by referring to the principle of Direct Effect in EU Law. Article 77(1) and 55(1) are sufficiently clear for their implementation to have direct effect. Therefore, where a Member State chooses to establish a DPA, that DPA has all the powers granted to it by the GDPR.

The EU legislator, when designing the GDPR, also envisaged specific limitations for the GDPR regarding the separation of powers. Article 55(3) GDPR specifically states that DPA's are not competent to supervise processing operations of courts in their judicial capacity (para 66). It follows, that if the GDPR wanted to outline an exemption for the legislature, it would have done so within its text.


This case is the logical successor to C-272/19 Land Hessen, which is also about Parliamentary Committee's.

While the court sent the case back to the reffering court, the CJEU strongly suggested at paragraph 56 that the disclosure itself and the subsequent erasure request are not necessary for safeguarding national security.

Further Resources

Share blogs or news articles here!

  1. The system of separation of powers divides the tasks of the state into three branches: legislative, executive and judicial. These tasks are assigned to different institutions in such a way that each of them can check the other. As a result, no one institution can become so powerful in a democracy as to destroy this system.