EFTA Court - Joined Cases E-11/19 and E-12/19
From GDPRhub
| EFTA Court - Joined Cases E-11/19 and E-12/19 | |
|---|---|
 | |
| Court: | EFTA Court |
| Jurisdiction: | European Union |
| Relevant Law: | Article 57(3) GDPR Article 57(3) GDPR Article 58(2)(e) GDPR Article 58(2)(j) GDPR Article 58(2)(g) GDPR Article 58(2)(c) GDPR Article 77 GDPR Article 78 GDPR |
| Decided: | 10 December 2020 |
| Published: | |
| Parties: | Adpublisher AG J K |
| National Case Number/Name: | Joined Cases E-11/19 and E-12/19 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | English |
| Original Source: | EFTA Court (The Court of Justice of the European Free Trade Association States) (in English) |
| Initial Contributor: | n/a |
The Court of Justice of the European Free Trade Association States (EFTA Court) held that a data subject cannot incur costs in a proceeding where they have become a party to the case by virtue of a controller appealing against a supervisory authority’s decision. The Court also held that the disclosure of the data subject’s personal data is necessary in instances where certain rights and obligations would otherwise be inhibited.
English Summary
Facts
By a letter of 18 December 2019, registered at the Court as Case E-11/19, the Board of Appeal for Administrative Matters (BoA) made a request (in the context of appeals against decisions of the DPA of the Principality of Liechtenstein). The BoA requested for an advisory opinion in a case pending before the DPA between Adpublisher AG (a public limited company of Liechtenstein) and "J" for alleged infringement of Articles 5, 6 and 15 GDPR. The DPA upheld J’s complaint concerning the infringement of Articles 5 and 6 GDPR. Further, on its own volition, the DPA determined that there had been an infringement of Articles 7, 15 and 32 GDPR. By a separate letter of 18 December 2019, registered at the Court as Case E-12/19, the BoA made a request for an advisory opinion in a case pending before it between Adpublisher AG and "K" (for alleged infringement of Article 15 GDPR). The DPA upheld K’s complaint in part and determined that there had been an infringement of Article 15 GDPR. Adpublisher challenged both decisions before the BoA and requested that both decisions be set aside. The Court decided, pursuant to Article 39 of the Rules of Procedure, to join the cases for the purpose of the procedure and the final judgment.
Dispute
The questions examined by the court are referring to the general procedure of hearing a complaint under the GDPR and further national appellate proceedings. The first question by the referring body, is whether the proceedings under article 77 and 78(1) GDPR may be carried out without disclosing the identity of a complainant, and whether any grounds must be provided for non disclosing the identity of the complainant. The second question set by the referring body, is whether the free of charge nature of the complaint procedure under article 77 GDPR extends to subsequent proceedings before appellate bodies, or has an impact on the liability of the data subject to be ordered to pay costs.
Holding
As per the first question examined, the court the Court held that disclosing personal data of a complainant in a procedure initiated by the complainant themselves is necessary in instances where the following would otherwise be inhibited: 1. The ability to carry out obligations under the GDPR, 2. The exercise of the right to effective judicial remedy and due process.
Further, the court held that the referring body essentially asks whether the free of charge nature of the complaint procedure under Article 77 GDPR extends to proceedings before appellate bodies or has an impact on the liability of the data subject to be ordered to pay costs. The court held that the data subject cannot be made responsible for costs incurred in relation to proceedings where: 1. They have been made party to these proceedings under Article 78(1) GDPR by virtue of a data controller appealing against a supervisory authority’s decision and, 2. National law imposes this status on a data subject automatically.
Consequently, where a data subject becomes a party to proceedings under Article 78(1) GDPR after a data controller appealing against a supervisory authority’s decision, and where national law imposes this status on a data subject automatically, the data subject may not be made responsible for any costs incurred in relation to those proceedings.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
JUDGMENT OF THE COURT
10 December 2020
(Regulation (EU) 2016/679 – Data protection – Right to lodge a complaint with a
supervisory authority – Right to an effective judicial remedy against a supervisory
authority – Anonymity – Costs incurred in appeal proceedings)
In Joined Cases E-11/19 and E-12/19,
REQUESTS to the Court under Article 34 of the Agreement between the EFTA States
on the Establishment of a Surveillance Authority and a Court of Justice by the
Liechtenstein Board of Appeal for Administrative Matters (Beschwerdekommission für
Verwaltungsangelegenheiten), in cases pending before it between
Adpublisher AG
and
J
and
Adpublisher AG
and
K,
concerning the interpretation of Regulation (EU) 2016/679 of the European Parliament
and of the Council of 27 April 2016 on the protection of natural persons with regard to
the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation),
Language of the request: German. Translations of national provisions are unofficial and based on those
contained in the documents of the case. – 2 –
THE COURT,
composed of: Páll Hreinsson, President (Judge-Rapporteur), Per Christiansen, and
Bernd Hammermann, Judges,
Registrar: Ólafur Jóhannes Einarsson,
having considered the written observations submitted on behalf of:
− Adpublisher AG (“Adpublisher”), represented by Stefan Ritter, attorney;
− the Government of Liechtenstein, represented by Dr Andrea Entner-Koch, and
Romina Schobel, acting as Agents;
− the Government of Austria, represented by Dr Albert Posch and Dr Julia
Schmoll, acting as Agents;
− Ireland, represented by Marie Browne and Tony Joyce, acting as Agents;
− the EFTA Surveillance Authority (“ESA”), represented by Ewa Gromnicka,
Stewart Watson and Carsten Zatschler, acting as Agents; and
− the European Commission (“the Commission”), represented by Friedrich
Erlbacher and Herke Kranenborg, acting as Agents;
having regard to the Report for the Hearing,
having heard oral argument of Adpublisher, represented by Stefan Ritter; the
Government of Liechtenstein, represented by Dr Andrea Entner-Koch and Romina
Schobel; Ireland, represented by Tony Joyce and David Fennelly; ESA, represented by
Ewa Gromnicka, Stewart Watson and Carsten Zatschler; and the Commission,
represented by Friedrich Erlbacher and Herke Kranenborg; at the hearing on 16 June
2020,
gives the following
Judgment
I Legal background
EEA law
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data – 3 –
and on the free movement of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation) (“GDPR”) (OJ 2016 L 119, p. 1) was incorporated into the EEA
Agreement by Decision of the EEA Joint Committee No 154/2018 of 6 July 2018 (OJ
2018 L 183, p. 23) (“the Joint Committee Decision”), and is referred to at point 5e of
Annex XI (Electronic communication, audiovisual services and information society) to
the EEA Agreement. Constitutional requirements were indicated by Liechtenstein and
the decision entered into force on 20 July 2018.
2 Recital 7 of the GDPR reads:
Those developments require a strong and more coherent data protection
framework in the Union, backed by strong enforcement, given the importance of
creating the trust that will allow the digital economy to develop across the
internal market. Natural persons should have control of their own personal data.
Legal and practical certainty for natural persons, economic operators and
public authorities should be enhanced.
3 Recital 26 of the GDPR reads:
The principles of data protection should apply to any information concerning an
identified or identifiable natural person. Personal data which have undergone
pseudonymisation, which could be attributed to a natural person by the use of
additional information should be considered to be information on an identifiable
natural person. To determine whether a natural person is identifiable, account
should be taken of all the means reasonably likely to be used, such as singling
out, either by the controller or by another person to identify the natural person
directly or indirectly. To ascertain whether means are reasonably likely to be
used to identify the natural person, account should be taken of all objective
factors, such as the costs of and the amount of time required for identification,
taking into consideration the available technology at the time of the processing
and technological developments. The principles of data protection should
therefore not apply to anonymous information, namely information which does
not relate to an identified or identifiable natural person or to personal data
rendered anonymous in such a manner that the data subject is not or no longer
identifiable. This Regulation does not therefore concern the processing of such
anonymous information, including for statistical or research purposes.
4 Recital 69 of the GDPR reads:
Where personal data might lawfully be processed because processing is
necessary for the performance of a task carried out in the public interest or in
the exercise of official authority vested in the controller, or on grounds of the
legitimate interests of a controller or a third party, a data subject should,
nevertheless, be entitled to object to the processing of any personal data relating
to his or her particular situation. It should be for the controller to demonstrate
that its compelling legitimate interest overrides the interests or the fundamental
rights and freedoms of the data subject. – 4 –
5 Article 4 of the GDPR, headed “Definitions”, reads, in extract:
...
(1) ‘personal data’ means any information relating to an identified or
identifiable natural person (‘data subject’); an identifiable natural person is one
who can be identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data, an online
identifier or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that natural person;
(2) ‘processing’ means any operation or set of operations which is performed
onpersonal data or on setsof personal data, whether ornotby automatedmeans,
such as collection, recording, organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination
or otherwise making available, alignment or combination, restriction, erasure
or destruction;
…
(7) ‘controller’ means the natural or legal person, public authority, agency
or other body which, alone or jointly with others, determines the purposes and
means of the processing of personal data; where the purposes and means of such
processing are determined by Union or Member State law, the controller or the
specific criteria for its nomination may be provided for by Union or Member
State law;
…
6 Article 5 of the GDPR, headed “Principles relating to processing of personal data”,
reads, in extract:
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation
to the data subject (‘lawfulness, fairness and transparency’);
…
(c) adequate, relevant and limited to what is necessary in relation to
the purposes for which they are processed (‘data minimisation’);
…
7 Article 6 of the GDPR, headed “Lawfulness of processing”, reads, in extract:
1. Processing shall be lawful only if and to the extent that at least one of the
following applies: – 5 –
…
(e) processing is necessary for the performance of a task carried out
in the public interest or in the exercise of official authority vested in the
controller;
…
8 Article 18 of the GDPR, headed “Right to restriction of processing”, reads, in extract:
1. The data subject shall have the right to obtain from the controller
restriction of processing where one of the following applies:
…
(c) the controller no longer needs the personal data for the purposes of
the processing, but they are required by the data subject for the
establishment, exercise or defence of legal claims;
…
2. Where processing has been restricted under paragraph 1, such personal
data shall, with the exception of storage, only be processed with the data
subject's consent or for the establishment, exercise or defence of legal claims or
for the protection of the rights of another natural or legal person or for reasons
of important public interest of the Union or of a Member State.
...
9 Article 21(1) of the GDPR, headed “Right to object”, reads:
The data subject shall have the right to object, on grounds relating to his or her
particular situation, at any time to processing of personal data concerning him
or her which is based on point (e) or (f) of Article 6(1), including profiling based
on those provisions. The controller shall no longer process the personal data
unless the controller demonstrates compelling legitimate grounds for the
processing which override the interests, rights and freedoms of the data subject
or for the establishment, exercise or defence of legal claims.
10 Article 55(1) of the GDPR, headed “Competence”, reads:
Each supervisory authority shall be competent for the performance of the tasks
assigned to and the exercise of the powers conferred on it in accordance with
this Regulation on the territory of its own Member State. – 6 –
11 Article 56(1) of the GDPR, headed “Competence of the lead supervisory authority”,
reads:
Without prejudice to Article 55, the supervisory authority of the main
establishment or of the single establishment of the controller or processor shall
be competent to act as lead supervisory authority for the cross-border processing
carried out by that controller or processor in accordance with the procedure
provided in Article 60.
12 Article 57 of the GDPR, headed “Tasks”, reads, in extract:
1. Without prejudice to other tasks set out under this Regulation, each
supervisory authority shall on its territory:
(a) monitor and enforce the application of this Regulation;
…
(f) handle complaints lodged by a data subject, or by a body,
organisation or association in accordance with Article 80, and
investigate, to the extent appropriate, the subject matter of the complaint
and inform the complainant of the progress and the outcome of the
investigation within a reasonable period, in particular if further
investigation or coordination with another supervisory authority is
necessary;
…
(h) conduct investigations on the application of this Regulation,
including on the basis of information received from another supervisory
authority or other public authority;
…
3. The performance of the tasks of each supervisory authority shall be free
of charge for the data subject and, where applicable, for the data protection
officer.
4. Where requests are manifestly unfounded or excessive, in particular
because of their repetitive character, the supervisory authority may charge a
reasonable fee based on administrative costs, or refuse to act on the request. The
supervisory authority shall bear the burden of demonstrating the manifestly
unfounded or excessive character of the request.
13 Article 58 of the GDPR, headed “Powers”, reads, in extract:
1. Each supervisory authority shall have all of the following investigative
powers: – 7 –
(a) to order the controller and the processor, and, where applicable,
the controller’s or the processor’s representative to provide any
information it requires for the performance of its tasks;
…
(d) to notify the controller or the processor of an alleged infringement
of this Regulation;
(e) to obtain, from the controller and the processor, access to all
personal data and to all information necessary for the performance of its
tasks;
(f) to obtain access to any premises of the controller and the
processor, including to any data processing equipment and means, in
accordance with Union or Member State procedural law.
2. Each supervisory authority shall have all of the following corrective
powers:
(a) to issue warnings to a controller or processor that intended
processing operations are likely to infringe provisions of this Regulation;
(b) to issue reprimands to a controller or a processor where
processing operations have infringed provisions of this Regulation;
(c) to order the controller or the processor to comply with the data
subject’s requests to exercise his or her rights pursuant to this
Regulation;
(d) to order the controller or processor to bring processing operations
into compliance with the provisions of this Regulation, where
appropriate, in a specified manner and within a specified period;
(e) to order the controller to communicate a personal data breach to
the data subject;
(f) to impose a temporary or definitive limitation including a ban on
processing;
(g) to order the rectification or erasure of personal data or restriction
of processing pursuant to Articles 16, 17 and 18 and the notification of
such actions to recipients to whom the personal data have been disclosed
pursuant to Article 17(2) and Article 19;
… – 8 –
(i) to impose an administrative fine pursuant to Article 83, in addition
to, or instead of measures referred to in this paragraph, depending on the
circumstances of each individual case;
…
4. The exercise of the powers conferred on the supervisory authority
pursuant to this Article shall be subject to appropriate safeguards, including
effective judicial remedy and due process, set out in Union and Member State
law in accordance with the Charter.
5. Each Member State shall provide by law that its supervisory authority
shall have the power to bring infringements of this Regulation to the attention of
the judicial authorities and where appropriate, to commence or engage
otherwise in legal proceedings, in order to enforce the provisions of this
Regulation.
6. Each Member State may provide by law that its supervisory authority
shall have additional powers to those referred to in paragraphs 1, 2 and 3. The
exercise of those powers shall not impair the effective operation of Chapter VII.
14 Article 77 of the GDPR, headed “Right to lodge a complaint with a supervisory
authority”, reads:
1. Without prejudice to any other administrative or judicial remedy, every
data subject shall have the right to lodge a complaint with a supervisory
authority, in particular in the Member State of his or her habitual residence,
place of work or place of the alleged infringement if the data subject considers
that the processing of personal data relating to him or her infringes this
Regulation.
2. The supervisory authority with which the complaint has been lodged shall
inform the complainant on the progress and the outcome of the complaint
including the possibility of a judicial remedy pursuant to Article 78.
15 Article 78 of the GDPR, headed “Right to an effective judicial remedy against a
supervisory authority”, reads, in extract:
1. Without prejudice to any other administrative or non-judicial remedy,
each natural or legal person shall have the right to an effective judicial remedy
against a legally binding decision of a supervisory authority concerning them.
2. Without prejudice to any other administrative or non-judicial remedy,
each data subject shall have the right to a an effective judicial remedy where the
supervisory authority which is competent pursuant to Articles 55 and 56 does
not handle a complaint or does not inform the data subject within three months
on the progress or outcome of the complaint lodged pursuant to Article 77. – 9 –
3. Proceedings against a supervisory authority shall be brought before the
courts of the Member State where the supervisory authority is established.
…
16 Article 1 of the Joint Committee Decision reads, in extract:
…
The provisions of the Regulation shall, for the purposes of this Agreement, be
read with the following adaptations:
…
(i) In Article 58(4), as regards the EFTA States, the words “in
accordance with the Charter” shall not apply.
National law
17 The Act of 4 October 2018 on Data Protection (Datenschutzgesetz, LR 235.1) (“the
Data Protection Act”) implements the GDPR in the Liechtenstein legal order.
18 Article 15 of the Data Protection Act, headed “Tasks”, reads, in extract:
1) The Data Protection Authority has the following tasks in addition to those
mentioned in Regulation (EU) 2016/679:
a) monitor and enforce the application of this Act and other provisions on data
protection, including the laws enacted to implement Directive (EU)
2016/680;
…
h) conduct investigations into the application of this Act and other provisions
on data protection, including the laws enacted to implement Directive (EU)
2016/680, also on the basis of information from another supervisory
authority or another authority;
…
5) Theperformance of the DataProtection Authority’stasksis free ofcharge
for the data subject. Where requests are manifestly unfounded or excessive, in
particular because of their repetitive character, the Data Protection Authority
may charge a reasonable fee based on the effort or refuse to act on the request.
The Data Protection Authority bears the burden of demonstrating the manifestly
unfounded or excessive character of the request. The government regulates the
details of the fee by ordinance. – 10 –
19 Article 20 of the Data Protection Act, headed “Legal remedies”, reads:
1) Appeals against decisions and orders of the Data Protection Authority
may be lodged with the Board of Appeal for Administrative Matters within four
weeks of service.
2) Appeals against decisions and orders of the Board of Appeal for
Administrative Matters may be lodged with the Administrative Court within four
weeks of service; the Data Protection Authority also has this right.
3) The Data Protection Authority may not deprive decisions and orders
against a public body of suspensive effect.
20 Article 31(1) of the General Administrative Procedures Act (“the Liechtenstein
Administrative Procedures Act”) (Landesverwaltungspflegegesetz, LR 172.020),
headed “Parties” in the section “Parties and their representatives and advocates” in the
first chapter “General provisions”, reads:
1) A person who approaches the administrative authority (official) with the
request that it undertake or refrain from a sovereign administrative act in the
legal interest of the applicant (interested party), or who as a possible subject of
a public obligation or a public right is subjected to a procedure intended to
determine the obliged or entitled person, or finally to whom the authority directs
an order or decision as a result of a procedure is to be considered a party
(intervening party, party involved, interested party, opposing party). In the case
of doubt, the status as a party (beneficiary, interested party, etc.) is to be
determined with due regard to the subject matter and on the basis of the
applicable laws.
21 Article 35 of the Liechtenstein Administrative Procedures Act, headed “Principles for
the obligation to pay costs” in the section “Costs in administrative procedures”, reads:
1) In a procedure that may only be initiated at the request of a party, such
as granting a permit, initiating expropriation, concession, etc., all costs and fees
of the procedure, as well as those of the other parties, shall be paid by the party
initiating the procedure.
2) If a procedure is initiated by the authority ex officio, due to an unlawful
situation, the costs caused by the procedure shall be borne by the party who is
responsible for the unlawful situation through his own unlawful acts; if fault is
not present or it is impossible to identify the person responsible, the costs shall
be borne by the owner.
3) In all cases, however, each party shall bear the costs which have been
caused by their wilful requests, their wilful objections to requests by the other
party or other acts aimed at delaying the procedure, or by such requests that are – 11 –
capable of forming the basis for an independent procedure that may only be
initiated at the request of a party.
4) If a procedure aims at a decision on a claim to financial benefits, which
is requested by one party against another party, the issue of the costs shall be
decided according to the relevant provisions of the Code of Civil Procedure
regarding the costs of litigation.
22 Article 82 of the Liechtenstein Administrative Procedures Act headed “Written copy”
in the section “The conclusion procedure” reads, in extract:
1) The written copy of the decision must contain:
(a) the title: decision;
(b) the names of the members of the government and of the official who
carried out the investigation and, if the hearing was conducted on
different administrative days and by different officials, the names of
the same, specifying the hearings they chaired;
the designation of the parties to the procedure by first and last name,
employment and place of residence, as well as the designation of the
legal representatives of the parties present at the hearing, their
representatives, and technical or other advocates;
as well as any representatives of authorities or advisory experts or
specialists;
…
II Facts and procedure
Introduction
23 By a letter of 18 December 2019, registered at the Court as Case E-11/19 on 23
December 2019, the Board of Appeal for Administrative Matters (“the Board of
Appeal”)made a request for an advisory opinion in a case pending before it between
Adpublisher AG and J. By a separate letter of 18 December 2019, registered at the Court
as Case E-12/19 on 23 December 2019, the Board of Appeal made a request for an
advisory opinion in a case pending before it between Adpublisher AG and K.
24 The questions referred by the Board of Appeal arise in the context of appeals against
decisions of the Data Protection Authority of the Principality of Liechtenstein (“the
Data Protection Authority”), which have been brought before the Board of Appeal by
Adpublisher, a public limited company registered under the laws of Liechtenstein. – 12 –
Background
25 According to the request for an advisory opinion in Case E-11/19, the Board of Appeal
has under review a challenge by Adpublisher to a decision of the Data Protection
Authority, in response to a complaint brought by the data subject J for alleged
infringement of Articles 5, 6 and 15 of the GDPR. Data subject J remains anonymous
in the proceedings before the Board of Appeal.
26 In Case E-12/19, the Board of Appeal has under review a challenge by Adpublisher to
a decision of the Data Protection Authority, in response to a complaint brought by the
data subject K for alleged infringement of Article 15 of the GDPR. Data subject K also
remains anonymous in the proceedings before the Board of Appeal.
27 In both cases, the original complaints were brought to the Commissioner for Data
Protection for Lower Saxony, on 16 September 2018 and 18 November 2018,
respectively. Both complaints questioned the sourcing and subsequent processing of
personal data by Adpublisher as a data controller pursuant to Article 4(7) of the GDPR,
in the context of online marketing.
28 Adpublisher is a public limited company under Liechtenstein law, with a registered
office in Liechtenstein. Given the cross-border character of the complaints, pursuant to
Article 56 of the GDPR, the Data Protection Authority was designated to deal with the
cases as the lead supervisory authority.
29 The Data Protection Authority upheld J’s complaint concerning the infringement of
Articles 5 and 6 of the GDPR. Further, of its own motion, the Data Protection Authority
determined that there had been an infringement of Articles 7, 15 and 32 of the GDPR.
In addition, the Data Protection Authority upheld K’s complaint in part and determined
that there had been an infringement of Article 15 of the GDPR.
The proceedings before the Board of Appeal
30 Adpublisher challenged both decisions before the Board of Appeal and requested that
both decisions be set aside.
31 In its requests for advisory opinions, the Board of Appeal notes, first, that, pursuant to
Article 31(1) of the Liechtenstein Administrative Procedures Act, in the context of the
cases before it, each data subject is regarded as a party to the respective appeal
procedure. Pursuant to point (b) of Article 82(1) of the Liechtenstein Administrative
Procedures Act, the written version of decisions taken by the Board of Appeal must
include the designation of the parties to the procedure stating, inter alia, their first and
last names, profession and place of residence.
32 According to the Board of Appeal, the question, therefore, arises whether it results from
the GDPR or another provision of EEA law, that an anonymisation of the complainant
is permissible. Furthermore, the subsequent question arises as to whether particular
reasons for the anonymisation must be prima facie established. – 13 –
33 Second, the Board of Appeal notes in its requests that Article 57(3) of the GDPR
provides that the performance of the tasks of each supervisory authority shall be free of
charge for the data subject. Procedures before the Board of Appeal are governed by the
Liechtenstein Administrative Procedures Act. While Article 35 of the Liechtenstein
Administrative Procedures Act provides for different possibilities for the determination
of costs, no express provision is made for a complaint procedure brought in accordance
with Article 77 of the GDPR to be free of charge for the data subject. Hence, if a data
subject brings a complaint to a data protection authority in accordance with Article
57(3) of the GDPR and the decision of the data protection authority is challenged on
appeal, as a matter of Liechtenstein law, the data subject may come under an obligation
to reimburse costs.
34 Lastly, the Board of Appeal notes that the question arises regarding how to proceed if
an anonymised complaint procedure is permissible and an obligation to reimburse costs
is not precluded.
35 On this basis, the Board of Appeal decided to stay both proceedings and make requests
to the Court for advisory opinions pursuant to Article 34 of the Agreement between the
EFTA States on the Establishment of a Surveillance Authority and a Court of Justice.
The Board of Appeal has in both requests asked the following questions:
1. Does it follow from Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement
of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation, GDPR) or from another provision of EEA law that an adversarial
general procedure to hear a complaint may be carried out under the GDPR
without disclosing the name and address of the complainant in the complaint
procedure?
If the answer to the question is in the affirmative: Is it necessary in this case that
a legitimate reason for the anonymisation is at least prima facie established or
are no reasons required for the anonymisation?
2. Must a Member State ensure in its national procedural law that in a
procedure to hear a complaint in accordance with Article 77 of the GDPR all
further national appellate bodies are free of charge for the data subject and that
the data subject may also not be ordered to reimburse the costs?
3. If Question 1 is answered in the affirmative and Question 2 is answered
in the negative, in other words, an adversarial general procedure to hear a
complaint may be carried out under the GDPR without identifying the name and
address of the complainant in the complaint procedure and national procedural
law is not required to ensure that in a procedure to hear a complaint in
accordance with Article 77 of the GDPR all further national appellate bodies
are free of charge for the data subject, the question arises how a decision – 14 –
resulting from a complaint procedure and ordering the data subject – who
remains, however, anonymous – can be effected to reimburse the costs?
36 Both requests for advisory opinions were registered at the Court on 23 December 2019.
On 22 January 2020, the Court informed the parties that it was considering joining the
two cases. No objections were raised and, consequently, the Court decided, pursuant to
Article 39 of the Rules of Procedure (“RoP”), to join Cases E-11/19 and E-12/19 for the
purpose of the procedure and the final judgment. The parties were informed of this
decision on 5 February 2020.
37 By a letter dated 25 March 2020, the Court made a request for clarification to the Board
of Appeal under Article 96(4) RoP concerning the facts set out in the orders for
reference. The Board of Appeal replied to these questions by two letters dated 20 April
and 4 May 2020.
38 On 14 April 2020, the Court prescribed measures of organization of procedure pursuant
to Article 49(1) and in accordance with point (a) of Article 49(3) RoP. The measures of
organization of procedure invited those who are entitled to submit statements or
observations to supplement the written procedure on the following matters by 14 May
2020:
To recall, if necessary, by way of a highly condensed summary, the positions
taken by their submissions, with emphasis on the essential submission in support
of the written arguments presented; to submit any new arguments prompted by
recent events occurring after the close of the written procedure which, for that
reason, could not be set out in the pleadings; to explain and expound the more
complex points and highlight the most important points; to reply briefly to the
main arguments set out in other written observations.
39 Responses to the measures of organization of procedure were received from
Adpublisher, the Data Protection Authority, the Government of Liechtenstein, Ireland,
ESA and the Commission. These responses are mentioned or discussed hereinafter only
insofar as is necessary for the reasoning of the Court.
40 Reference is made to the Report for the Hearing for a fuller account of the legal
framework, the facts, the procedure and the written observations submitted to the Court,
which are mentioned or discussed hereinafter only insofar as is necessary for the
reasoning of the Court. – 15 –
III Answer of the Court
Preliminary remarks
41 The questions, as they have been formulated by the referring body, concern an
adversarial general procedure to hear a complaint under the GDPR and further national
appellate proceedings. In the present case, the supervisory authority has already granted
“anonymisation” of the complainantsduring proceedings under Article 77 of the GDPR,
and “anonymisation” is also sought in the proceedings within the scope of Article 78 of
the GDPR.
Question 1
42 By its first question, the referring body asks, in essence, whether it follows from the
provisions of the GDPR or any other provision of EEA law, that the proceedings under
Articles 77 and 78(1) may be carried out without disclosing the identity of a
complainant; and whether any grounds must be provided for not disclosing the identity
of the complainant.
43 The Court understands that the referring body addresses the refusal to disclose personal
data relating to the complainants as “anonymisation”. Recital 26 of the GDPR clarifies
that anonymous information does not fall within the scope of the GDPR. The GDPR
does not explicitly define “anonymisation”, but recital 26 refers to data “… rendered
anonymous in such a manner that the data subject is not or no longer identifiable”. Since
the Court is not able to determine the precise nature of the data processing in question
on the basis of the requests, the Court refers to disclosure as disclosure to the data
controller of the complainants’ personal data within the meaning of Article 4(2) in the
course of proceedings under both Articles 77 and 78 of the GDPR. Article 4(2) refers
to disclosure as a type of data processing by which personal data is made available by
transmission, dissemination or other means.
44 Neither Article 77 nor Article 78(1) of the GDPR lays down specific rules concerning
the disclosure of the identity of the complainants, or whether requests for disclosure
should be granted.
45 The Court recalls that, under the principle of procedural autonomy, matters concerning
the regulation of the procedure governing complaints and the proceedings arising
therefrom are to be regulated at national level, provided the requirements of equivalence
and effectiveness are respected. This means that the rules must not render practically
impossible or excessively difficult the exercise of rights conferred by EEA law (see
Case E-6/17 Fjarskipti [2018] EFTA Ct. Rep. 78, paragraph 31).
46 The Court notes that the main principle of the GDPR is that any data processing,
including disclosure of data, can only take place if data processing is lawful in
accordance with Articles 5 and 6 of the GDPR. Furthermore, according to point (c) of
Article 5(1), personal data shall be adequate, relevant and limited to what is necessary
in relation to the purposes for which they are processed. – 16 –
47 The Court notes that, at the moment of receiving a complaint from an identified or
identifiable natural person, the supervisory authority becomes the controller of any
processing of the complainant’s personal data necessary to handle the complaint.
Similarly, the referring body, in a case such as that in question, becomes a controller of
any processing of personal data when it receives an appeal against a decision. The
supervisory authority and appellate body’s processing of personal data for handling a
complaint or appeal will generally have a lawful basis and be necessary in the public
interest pursuant to point (e) of Article 6(1) of the GDPR.
48 If a data subject has objected to the data processing, it follows from Article 21(1) of the
GDPR that compelling legitimate grounds for the processing, which override the
interests, rights and freedoms of the data subject or for the establishment, exercise or
defence of legal claims must be demonstrated (compare also point (c) of Article 18(1),
Article 18(2) and recital 69 of the GDPR). The assessment of whether it is necessary to
disclose the identity of complainants to other parties must strike a balance between the
data subject’s interests, rights and freedoms, and the parties’ rights of defence and fair
procedures.
49 It should be recalled that Article 58(4) of the GDPR prescribes that the exercise of the
powers conferred on the supervisory authority shall be subject to appropriate procedural
safeguards, including effective judicial remedy and due process, set out in EEA law and
national law. This express guarantee of due process requires that a decision to disclose
the identity of the complainants should generally be made if withholding the identity of
the data subject would hinder the data controller from establishing the exact
circumstances of the case, and consequently inhibit the possibility of an effective
exercise of its right to a judicial remedy.
50 According to Article 1(i) of the Joint Committee Decision, the words “in accordance
with the Charter” in Article 58(4) of the GDPR shall not apply as regards the EFTA
States. However, fundamental rights form part of the general principles of EEA law.
The Court has held that the provisions of the European Convention on Human Rights
(“ECHR”) and the judgments of the European Court of Human Rights are important
sources for determining the scope of these fundamental rights (see Case E-14/15
Holship [2016] EFTA Ct. Rep. 240, paragraph 123). Effective judicial protection
including the right to a fair trial, which is a general principle of EEA law, provides for
a level of protection equivalent to Article 6(1) of the ECHR (see Case E-15/10 Posten
Norge AS [2012] EFTA Ct. Rep. 246, paragraph 86 and case law cited; and Case E-4/11
Arnulf Clauder [2011] EFTA Ct. Rep. 216, paragraph 49 and case law cited). This
necessarily includes the right to mount an effective defence. Consequently, if a refusal
to disclose personal data would impair the data controller’s ability to exercise its right
of defence, then the individual’s identity must be disclosed.
51 As noted by Ireland, the Commission and ESA, the effective functioning of data
protection compliance under the GDPR may require disclosing the complainant’s
personal data to the data controller. This would be the case, inter alia, when the data
subject, in accordance with point (c) of Article 58(2) of the GDPR, requests to exercise
his or her rights or alleges infringement of his or her rights by the controller. Acting on – 17 –
this request, a supervisory authority may need to disclose the identity of a complainant
to the controller to enable the latter to fulfil the order. In turn, the supervisory authority’s
exercise of its powers, in accordance with, inter alia, points (e) to (g) and (j) of Article
58(2) of the GDPR, may necessitate disclosing the identity of the complainants to the
controller.
52 On the other hand, disclosing complainants’ identities may not be necessary for the
effective exercise of the right of defence where the investigation or decision concerns
standardised and equal data processing for an unspecified number of data subjects, or
where the investigation and decision is based on several similar complaints.
53 Further, a complaint lodged by a data subject pursuant to Article 77 of the GDPR must
be qualified in the sense that the alleged infringement of the GDPR relates to the
processing of personal data of that data subject. A data subject has certain procedural
rights concerning the complaint in accordance with Article 77(2) of the GDPR. The
supervisory authority must inform the subject of the progress and the outcome of the
complaint, including the possibility of a judicial remedy pursuant to Article 78 of the
GDPR. To effectively satisfy this obligation, the identity of the data subject must be
known to the supervisory authority.
54 It is for the referring body to determine whether the nature of the case at hand is such
as to require disclosure of the identity of the data subject to the controller in light of
those requirements.
55 Against this background, the answer to the first question must be that disclosure of a
complainant’s personal data during proceedings based on a complaint lodged under
Article 77 of the GDPR, or proceedings based on Article 78(1) of the GDPR, is not
precluded by the GDPR or any other provision of EEA law. The question of non-
disclosure of a complainant’s personal data must be examined in the light of the
principles for processing personal data under Articles 5 and 6 of the GDPR. Non-
disclosure should not be granted if it would inhibit the performance of the obligations
provided in the GDPR, or the exercise of the right to effective judicial remedy and due
process as set out in Article 58(4) of the GDPR and under the fundamental right to an
effective judicial remedy.
Question 2
56 By its second question, the referring body essentially asks whether the free of charge
nature of the complaint procedure under Article 77 of the GDPR extends to subsequent
proceedings before appellate bodies or has an impact on the liability of the data subject
to be ordered to pay costs.
57 Article 77 of the GDPR sets out the right to lodge a complaint with a supervisory
authority. Article 57(3) provides that the tasks of the supervisory authority, including
the handling of complaints, are to be free of charge for the data subject. In order to
handle complaints lodged, Article 58(1) confers extensive investigative powers on the
supervisory authority. If the supervisory authority considers that requirements of the – 18 –
GDPR have not been complied with, Article 58(2) lays down the various corrective
powers the supervisory authority may adopt (compare the judgment in Facebook
Ireland and Schrems, C-311/18, EU:C:2020:559, paragraph 111).
58 While Article 57(3) of the GDPR is limited to the performance of the tasks of the
supervisory authority, no other provision of the GDPR specifically addresses a legal
costs scheme. In particular, costs are not regulated in relation to proceedings under
Article 78(1) of the GDPR. The Court notes that Article 58(4) and Article 78 of the
GDPR give expression to the right to an effective judicial remedy. Under the principle
of procedural autonomy, the implementation of the judicial remedy is left to the national
legal order, provided that principles of equivalence and effectiveness are respected.
59 However, Article 78(3) of the GDPR provides that proceedings against a supervisory
authority shall be brought before the courts of the EEA State where the supervisory
authority is established. This provision presupposes that the supervisory authority
assumes the position of a defendant, defending its own decision when that decision is
challenged. However, in the absence of any specific provisions to that effect, Article
78(3) cannot be interpreted as precluding the possibility that other entities, e.g.
complainants, may also be become parties to such proceedings under the procedural law
of the EEA State in question. In the present case, as observed by the Commission and
as is apparent from the request, by lodging their complaints with the supervisory
authority under Article 77, the complainants were accorded the status of defendants
when the controller lodged an appeal against the decision of the supervisory authority
under Article 78. It also appears that the status of the complainants before the referring
body is one of defending the decision of the supervisory authority, including issues
which were not within the scope of their complaints.
60 It is important to note that, under point (h) of Article 57(1) of the GDPR, the supervisory
authority has the power to engage in investigations of its own initiative. This provides
that the supervisory authority may, in relation to its examination of the complaint,
decide on different claims or subject-matter in comparison with those raised by the data
subject in his or her complaint before the supervisory authority. The effectiveness of
the complaint procedure requires that the supervisory authority is not limited in its
investigation by how the complainant has framed the relevant points of law in his or her
complaint.
61 In a situation in which the data subject does not initiate proceedings under Article 78(1)
of the GDPR, but nevertheless is accorded the status of a defendant in those
proceedings, the potential order to reimburse costs would have an effect equivalent to
charging fees for the tasks of a supervisory authority.
62 Such an obligation to reimburse costs is not in line with the right to lodge a complaint
free of charge under Article 77(1) and 57(3) of the GDPR and moreover runs contrary
to the purpose of the GDPR to create a strong enforcement mechanism and enhance
legal and practical certainty for data subjects (see recital 7 of the GDPR). The prospect
of costs reimbursement constitutes a disincentive to lodge a complaint before a
supervisory authority. Thus, the Court finds that such a set-up undermines the scope of – 19 –
protection guaranteed by the provisions of the GDPR referred to above, and the exercise
of rights conferred by EEA law would be rendered excessively difficult, in breach of
those provisions of the GDPR.
63 Article 3 EEA requires EEA States to take all measures necessary to guarantee the
application and effectiveness of EEA law. It is inherent in the objectives of the EEA
Agreement that national courts are bound, as far as possible, to interpret national law in
conformity with EEA law. Consequently, they must, as far as possible, apply the
methods of interpretation recognised by national law in order to achieve the result
sought by the relevant rule of EEA law (see Case E-25/13 Gunnar Engilbertsson v
Íslandsbanki hf. [2014] EFTA Ct. Rep. 524, paragraph 159 and case law cited).
64 In light of the foregoing, the Court finds that the answer to the second question must be
that it follows from Articles 77(1) and 57(3) of the GDPR that where a data subject
becomes a party to proceedings under Article 78(1) of the GDPR as a result of a data
controller appealing against a supervisory authority’s decision, and where national law
imposes this status on a data subject automatically, the data subject may not be made
responsible for any costs incurred in relation to those proceedings.
65 In these circumstances, there is no need to answer the third question referred to the
Court.
IV Costs
66 The costs incurred by the Government of Liechtenstein, the Government of Austria,
Ireland, ESA and the Commission, which have submitted observations to the Court, are
not recoverable. Since these proceedings are a step in the proceedings pending before
the national court, any decision on costs for the parties to those proceedings is a matter
for that court. – 20 –
On those grounds,
THE COURT
in answer to the questions referred to it by the Liechtenstein Board of Appeal for
Administrative Matters hereby gives the following Advisory Opinion:
1. Disclosure of a complainant’s personal data during proceedings based
on a complaint lodged under Article 77 of Regulation (EU) 2016/679 of
the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal
data and on the free movement of such data, or proceedings based on
Article 78(1) of that regulation, is not precluded by that regulation or
any other provision of EEA law. The question of non-disclosure of a
complainant’s personal data must be examined in the light of the
principles for processing personal data under Articles 5 and 6 of
Regulation (EU) 2016/679. Non-disclosure should not be granted if it
would inhibit the performance of the obligations provided in
Regulation (EU) 2016/679, or the exercise of the right to effective
judicial remedy and due process as set out in Article 58(4) and under
the fundamental right to an effective judicial remedy.
2. It follows from Articles 77(1) and 57(3) of Regulation (EU) 2016/679
that where a data subject becomes a party to proceedings under Article
78(1) as a result of a data controller appealing against a supervisory
authority’s decision, and where national law imposes this status on a
data subject automatically, the data subject may not be made
responsible for any costs incurred in relation to those proceedings.
Páll Hreinsson Per Christiansen Bernd Hammermann
Delivered in open court in Luxembourg on 10 December 2020.
Ólafur Jóhannes Einarsson Páll Hreinsson
Registrar President
