EFTA Court - Joined Cases E-11/19 and E-12/19

From GDPRhub
Revision as of 15:17, 23 February 2021 by MB (talk | contribs) (→‎English Summary)
EFTA Court - Joined Cases E-11/19 and E-12/19
Courts logo1.png
Court: EFTA Court (European Union)
Jurisdiction: European Union
Relevant Law: Article 57(3) GDPR
Article 57(3) GDPR
Article 58(2)(e) GDPR
Article 58(2)(j) GDPR
Article 58(2)(g) GDPR
Article 58(2)(c) GDPR
Article 77 GDPR
Article 78 GDPR
Decided:
Published:
Parties:
National Case Number/Name: Joined Cases E-11/19 and E-12/19
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): English
Original Source: EFTA Court (in English)
Initial Contributor: n/a

EFTA Court advises upon disclosure of personal data of complainants and upon the free of charge nature of the proceedings even before appellate bodies.

English Summary

Facts

By a letter of 18 December 2019, registered at the Court as Case E-11/19 on 23 December 2019, the Board of Appeal for Administrative Matters (“the Board of Appeal”) made a request (in the context of appeals against decisions of the Data Protection Authority of the Principality of Liechtenstein) for an advisory opinion in a case pending before it between Adpublisher AG (a public limited company registered under the laws of Liechtenstein) and J for alleged infringement of articles 5, 6 and 15 GDPR. The DPA upheld J’s complaint concerning the infringement of Articles 5 and 6 GDPR. Further, of its own motion, the Authority determined that there had been an infringement of Articles 7, 15 and 32 GDPR By a separate letter of 18 December 2019, registered at the Court as Case E-12/19 on 23 December 2019, the Board of Appeal made a request for an advisory opinion in a case pending before it between Adpublisher AG and K (for alleged infringement of article 15 GDPR). The DPA upheld K’s complaint in part and determined that there had been an infringement of Article 15 GDPR. Adpublisher challenged both decisions before the Board of Appeal and requested that both decisions be set aside. The Court decided, pursuant to Article 39 of the Rules of Procedure (“RoP”), to join Cases E-11/19 and E-12/19 for the purpose of the procedure and the final judgment.


Dispute

The questions examined by the court are referring to general procedure of hearing a complaint under the GDPR and further national appellate proceedings. The first question by the referring body, is whether the proceedings under article 77 and 78(1) may be carried out without disclosing the identity of a complainant, and whether any grounds must be provided for non disclosing the identity of the complainant. The second question set by the referring body. Is whether the free of charge nature of the complaint procedure under article 77 GDPR extends to subsequent proceedings before appellate bodies, or has an impact on the liability of the data subject to be ordered to pay costs.

Holding

The court held that the referring body addresses the refusal to disclose personal data relating to the complainants as “anonymisation”. The GDPR does not explicitly define “anonymisation”, but recital 26 refers to data “… rendered anonymous in such a manner that the data subject is not or no longer identifiable” and may require disclosing the complainant’s personal data to the data controller if the data subject, in accordance with Article 58(2)(c) GDPR, requests to exercise his or her rights or alleges infringement of his or her rights by the controller and the authority may need to disclose the identity of a complainant to the controller to fulfil the order. Also according to Article 58(2)(e) to (g) and (j) the authority may necessitate disclosing the identity of the complainants to the controller. The referring body can determine whether the nature of the case requires disclosure of the identity of the data subject to the controller. Non-disclosure of a complainant’s personal data must be examined in the light of the principles for processing personal data under Articles 5 and 6 GDPR. “Non-disclosure should not be granted if it would inhibit the performance of the obligations provided in the GDPR, or the exercise of the right to effective judicial remedy and due process as set out in Article 58(4) GDPR and under the fundamental right to an effective judicial remedy”. Further, the court held that the referring body essentially asks whether the free of charge nature of the complaint procedure under Article 77 GDPR extends to proceedings before appellate bodies or has an impact on the liability of the data subject to be ordered to pay costs. Article 57(3) provides that the tasks of the supervisory authority, including the handling of complaints, are to be free of charge for the data subject. If the data subject does not initiate proceedings under Article 78(1) GDPR, the potential order to reimburse costs would have an effect equivalent to charging fees for the tasks of the authority, which does not comply with the right to file a complaint free of charge under Article 77(1) and 57(3) GDPR and opposes to the purpose to create a strong enforcement mechanism and enhance legal and practical certainty for data subjects. Consequently, it follows from Articles 77(1) and 57(3) GDPR that where a data subject becomes a party to proceedings under Article 78(1) GDPR after a data controller appealing against a supervisory authority’s decision, and where national law imposes this status on a data subject automatically, the data subject may not be made responsible for any costs incurred in relation to those proceedings.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                         JUDGMENT OF THE COURT
                                                  
                                10 December 2020
  (Regulation (EU) 2016/679 – Data protection – Right to lodge a complaint with a
  supervisory authority – Right to an effective judicial remedy against a supervisory

           authority – Anonymity – Costs incurred in appeal proceedings)




In Joined Cases E-11/19 and E-12/19,


REQUESTS to the Court under Article 34 of the Agreement between the EFTA States

on the Establishment of a Surveillance Authority and a Court of Justice by the
Liechtenstein Board of Appeal for Administrative Matters (Beschwerdekommission für
Verwaltungsangelegenheiten), in cases pending before it between



Adpublisher AG

                                        and


J

                                        and



Adpublisher AG

                                        and

K,





concerning the interpretation of Regulation (EU) 2016/679 of the European Parliament
and of the Council of 27 April 2016 on the protection of natural persons with regard to

the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation),






  Language of the request: German. Translations of national provisions are unofficial and based on those
   contained in the documents of the case.                                            – 2 –


                                       THE COURT,

     composed of: Páll Hreinsson, President (Judge-Rapporteur), Per Christiansen, and

     Bernd Hammermann, Judges,

     Registrar: Ólafur Jóhannes Einarsson,

     having considered the written observations submitted on behalf of:


        − Adpublisher AG (“Adpublisher”), represented by Stefan Ritter, attorney;

        − the Government of Liechtenstein, represented by Dr Andrea Entner-Koch, and
            Romina Schobel, acting as Agents;


        − the Government of Austria, represented by Dr Albert Posch and Dr Julia
            Schmoll, acting as Agents;

        − Ireland, represented by Marie Browne and Tony Joyce, acting as Agents;


        − the EFTA Surveillance Authority (“ESA”), represented by Ewa Gromnicka,
            Stewart Watson and Carsten Zatschler, acting as Agents; and

        − the European Commission (“the Commission”), represented by Friedrich

            Erlbacher and Herke Kranenborg, acting as Agents;

     having regard to the Report for the Hearing,

     having heard oral argument of Adpublisher, represented by Stefan Ritter; the
     Government of Liechtenstein, represented by Dr Andrea Entner-Koch and Romina

     Schobel; Ireland, represented by Tony Joyce and David Fennelly; ESA, represented by
     Ewa Gromnicka, Stewart Watson and Carsten Zatschler; and the Commission,
     represented by Friedrich Erlbacher and Herke Kranenborg; at the hearing on 16 June
     2020,




     gives the following



                                         Judgment


     I      Legal background


     EEA law

1    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
     2016 on the protection of natural persons with regard to the processing of personal data                                               – 3 –


     and on the free movement of such data, and repealing Directive 95/46/EC (General Data
     Protection Regulation) (“GDPR”) (OJ 2016 L 119, p. 1) was incorporated into the EEA
     Agreement by Decision of the EEA Joint Committee No 154/2018 of 6 July 2018 (OJ

     2018 L 183, p. 23) (“the Joint Committee Decision”), and is referred to at point 5e of
     Annex XI (Electronic communication, audiovisual services and information society) to
     the EEA Agreement. Constitutional requirements were indicated by Liechtenstein and
     the decision entered into force on 20 July 2018.


2    Recital 7 of the GDPR reads:

            Those developments require a strong and more coherent data protection
            framework in the Union, backed by strong enforcement, given the importance of

            creating the trust that will allow the digital economy to develop across the
            internal market. Natural persons should have control of their own personal data.
            Legal and practical certainty for natural persons, economic operators and
            public authorities should be enhanced.


3    Recital 26 of the GDPR reads:

            The principles of data protection should apply to any information concerning an
            identified or identifiable natural person. Personal data which have undergone
            pseudonymisation, which could be attributed to a natural person by the use of

            additional information should be considered to be information on an identifiable
            natural person. To determine whether a natural person is identifiable, account
            should be taken of all the means reasonably likely to be used, such as singling
            out, either by the controller or by another person to identify the natural person

            directly or indirectly. To ascertain whether means are reasonably likely to be
            used to identify the natural person, account should be taken of all objective
            factors, such as the costs of and the amount of time required for identification,
            taking into consideration the available technology at the time of the processing

            and technological developments. The principles of data protection should
            therefore not apply to anonymous information, namely information which does
            not relate to an identified or identifiable natural person or to personal data
            rendered anonymous in such a manner that the data subject is not or no longer

            identifiable. This Regulation does not therefore concern the processing of such
            anonymous information, including for statistical or research purposes.

4    Recital 69 of the GDPR reads:


            Where personal data might lawfully be processed because processing is
            necessary for the performance of a task carried out in the public interest or in
            the exercise of official authority vested in the controller, or on grounds of the
            legitimate interests of a controller or a third party, a data subject should,
            nevertheless, be entitled to object to the processing of any personal data relating

            to his or her particular situation. It should be for the controller to demonstrate
            that its compelling legitimate interest overrides the interests or the fundamental
            rights and freedoms of the data subject.                                           – 4 –


5    Article 4 of the GDPR, headed “Definitions”, reads, in extract:

           ...


           (1)    ‘personal data’ means any information relating to an identified or
           identifiable natural person (‘data subject’); an identifiable natural person is one
           who can be identified, directly or indirectly, in particular by reference to an
           identifier such as a name, an identification number, location data, an online

           identifier or to one or more factors specific to the physical, physiological,
           genetic, mental, economic, cultural or social identity of that natural person;

           (2)    ‘processing’ means any operation or set of operations which is performed
           onpersonal data or on setsof personal data, whether ornotby automatedmeans,

           such as collection, recording, organisation, structuring, storage, adaptation or
           alteration, retrieval, consultation, use, disclosure by transmission, dissemination
           or otherwise making available, alignment or combination, restriction, erasure
           or destruction;


           …

           (7)    ‘controller’ means the natural or legal person, public authority, agency
           or other body which, alone or jointly with others, determines the purposes and
           means of the processing of personal data; where the purposes and means of such

           processing are determined by Union or Member State law, the controller or the
           specific criteria for its nomination may be provided for by Union or Member
           State law;

           …


6    Article 5 of the GDPR, headed “Principles relating to processing of personal data”,
     reads, in extract:

           1.     Personal data shall be:


                  (a)   processed lawfully, fairly and in a transparent manner in relation
                  to the data subject (‘lawfulness, fairness and transparency’);

                  …


                  (c)   adequate, relevant and limited to what is necessary in relation to
                  the purposes for which they are processed (‘data minimisation’);

                  …

7    Article 6 of the GDPR, headed “Lawfulness of processing”, reads, in extract:


           1.     Processing shall be lawful only if and to the extent that at least one of the
           following applies:                                           – 5 –


                  …

                  (e)   processing is necessary for the performance of a task carried out

                  in the public interest or in the exercise of official authority vested in the
                  controller;

                  …

8    Article 18 of the GDPR, headed “Right to restriction of processing”, reads, in extract:


           1.     The data subject shall have the right to obtain from the controller
           restriction of processing where one of the following applies:

                  …


                  (c) the controller no longer needs the personal data for the purposes of
                  the processing, but they are required by the data subject for the
                  establishment, exercise or defence of legal claims;

                  …


           2.     Where processing has been restricted under paragraph 1, such personal
           data shall, with the exception of storage, only be processed with the data
           subject's consent or for the establishment, exercise or defence of legal claims or

           for the protection of the rights of another natural or legal person or for reasons
           of important public interest of the Union or of a Member State.

           ...

9    Article 21(1) of the GDPR, headed “Right to object”, reads:


           The data subject shall have the right to object, on grounds relating to his or her
           particular situation, at any time to processing of personal data concerning him
           or her which is based on point (e) or (f) of Article 6(1), including profiling based
           on those provisions. The controller shall no longer process the personal data

           unless the controller demonstrates compelling legitimate grounds for the
           processing which override the interests, rights and freedoms of the data subject
           or for the establishment, exercise or defence of legal claims.


10   Article 55(1) of the GDPR, headed “Competence”, reads:

           Each supervisory authority shall be competent for the performance of the tasks
           assigned to and the exercise of the powers conferred on it in accordance with
           this Regulation on the territory of its own Member State.                                           – 6 –


11   Article 56(1) of the GDPR, headed “Competence of the lead supervisory authority”,
     reads:


           Without prejudice to Article 55, the supervisory authority of the main
           establishment or of the single establishment of the controller or processor shall
           be competent to act as lead supervisory authority for the cross-border processing
           carried out by that controller or processor in accordance with the procedure

           provided in Article 60.

12   Article 57 of the GDPR, headed “Tasks”, reads, in extract:

           1.     Without prejudice to other tasks set out under this Regulation, each
           supervisory authority shall on its territory:


                  (a)   monitor and enforce the application of this Regulation;

                  …

                  (f)   handle complaints lodged by a data subject, or by a body,

                  organisation or association in accordance with Article 80, and
                  investigate, to the extent appropriate, the subject matter of the complaint
                  and inform the complainant of the progress and the outcome of the
                  investigation within a reasonable period, in particular if further

                  investigation or coordination with another supervisory authority is
                  necessary;

                  …


                  (h)   conduct investigations on the application of this Regulation,
                  including on the basis of information received from another supervisory
                  authority or other public authority;

                  …


           3.     The performance of the tasks of each supervisory authority shall be free
           of charge for the data subject and, where applicable, for the data protection
           officer.

           4.     Where requests are manifestly unfounded or excessive, in particular

           because of their repetitive character, the supervisory authority may charge a
           reasonable fee based on administrative costs, or refuse to act on the request. The
           supervisory authority shall bear the burden of demonstrating the manifestly
           unfounded or excessive character of the request.


13   Article 58 of the GDPR, headed “Powers”, reads, in extract:

           1.     Each supervisory authority shall have all of the following investigative
           powers:                                  – 7 –


       (a)    to order the controller and the processor, and, where applicable,
       the controller’s or the processor’s representative to provide any
       information it requires for the performance of its tasks;


       …

       (d)    to notify the controller or the processor of an alleged infringement
       of this Regulation;


       (e)    to obtain, from the controller and the processor, access to all
       personal data and to all information necessary for the performance of its
       tasks;


       (f)    to obtain access to any premises of the controller and the
       processor, including to any data processing equipment and means, in
       accordance with Union or Member State procedural law.

2.     Each supervisory authority shall have all of the following corrective

powers:

       (a)    to issue warnings to a controller or processor that intended
       processing operations are likely to infringe provisions of this Regulation;

       (b)    to issue reprimands to a controller or a processor where

       processing operations have infringed provisions of this Regulation;

       (c)    to order the controller or the processor to comply with the data
       subject’s requests to exercise his or her rights pursuant to this

       Regulation;

       (d)    to order the controller or processor to bring processing operations
       into compliance with the provisions of this Regulation, where
       appropriate, in a specified manner and within a specified period;


       (e)    to order the controller to communicate a personal data breach to
       the data subject;

       (f)    to impose a temporary or definitive limitation including a ban on
       processing;


       (g)    to order the rectification or erasure of personal data or restriction
       of processing pursuant to Articles 16, 17 and 18 and the notification of
       such actions to recipients to whom the personal data have been disclosed

       pursuant to Article 17(2) and Article 19;

       …                                              – 8 –


                   (i)    to impose an administrative fine pursuant to Article 83, in addition
                   to, or instead of measures referred to in this paragraph, depending on the
                   circumstances of each individual case;


                   …

            4.     The exercise of the powers conferred on the supervisory authority
            pursuant to this Article shall be subject to appropriate safeguards, including

            effective judicial remedy and due process, set out in Union and Member State
            law in accordance with the Charter.

            5.     Each Member State shall provide by law that its supervisory authority
            shall have the power to bring infringements of this Regulation to the attention of

            the judicial authorities and where appropriate, to commence or engage
            otherwise in legal proceedings, in order to enforce the provisions of this
            Regulation.

            6.     Each Member State may provide by law that its supervisory authority

            shall have additional powers to those referred to in paragraphs 1, 2 and 3. The
            exercise of those powers shall not impair the effective operation of Chapter VII.

14   Article 77 of the GDPR, headed “Right to lodge a complaint with a supervisory

     authority”, reads:

            1.     Without prejudice to any other administrative or judicial remedy, every
            data subject shall have the right to lodge a complaint with a supervisory
            authority, in particular in the Member State of his or her habitual residence,

            place of work or place of the alleged infringement if the data subject considers
            that the processing of personal data relating to him or her infringes this
            Regulation.

            2.     The supervisory authority with which the complaint has been lodged shall

            inform the complainant on the progress and the outcome of the complaint
            including the possibility of a judicial remedy pursuant to Article 78.

15   Article 78 of the GDPR, headed “Right to an effective judicial remedy against a
     supervisory authority”, reads, in extract:


            1.     Without prejudice to any other administrative or non-judicial remedy,
            each natural or legal person shall have the right to an effective judicial remedy
            against a legally binding decision of a supervisory authority concerning them.


            2.     Without prejudice to any other administrative or non-judicial remedy,
            each data subject shall have the right to a an effective judicial remedy where the
            supervisory authority which is competent pursuant to Articles 55 and 56 does
            not handle a complaint or does not inform the data subject within three months

            on the progress or outcome of the complaint lodged pursuant to Article 77.                                         – 9 –


           3.    Proceedings against a supervisory authority shall be brought before the
           courts of the Member State where the supervisory authority is established.


           …

16   Article 1 of the Joint Committee Decision reads, in extract:

           …


           The provisions of the Regulation shall, for the purposes of this Agreement, be
           read with the following adaptations:

                 …

                 (i)   In Article 58(4), as regards the EFTA States, the words “in

                 accordance with the Charter” shall not apply.


     National law

17   The Act of 4 October 2018 on Data Protection (Datenschutzgesetz, LR 235.1) (“the

     Data Protection Act”) implements the GDPR in the Liechtenstein legal order.

18   Article 15 of the Data Protection Act, headed “Tasks”, reads, in extract:

           1)    The Data Protection Authority has the following tasks in addition to those

           mentioned in Regulation (EU) 2016/679:

           a) monitor and enforce the application of this Act and other provisions on data
              protection, including the laws enacted to implement Directive (EU)
              2016/680;


           …

           h) conduct investigations into the application of this Act and other provisions
              on data protection, including the laws enacted to implement Directive (EU)
              2016/680, also on the basis of information from another supervisory

              authority or another authority;

           …

           5)    Theperformance of the DataProtection Authority’stasksis free ofcharge

           for the data subject. Where requests are manifestly unfounded or excessive, in
           particular because of their repetitive character, the Data Protection Authority
           may charge a reasonable fee based on the effort or refuse to act on the request.
           The Data Protection Authority bears the burden of demonstrating the manifestly

           unfounded or excessive character of the request. The government regulates the
           details of the fee by ordinance.                                              – 10 –


19    Article 20 of the Data Protection Act, headed “Legal remedies”, reads:

            1)      Appeals against decisions and orders of the Data Protection Authority

            may be lodged with the Board of Appeal for Administrative Matters within four
            weeks of service.

            2)      Appeals against decisions and orders of the Board of Appeal for
            Administrative Matters may be lodged with the Administrative Court within four

            weeks of service; the Data Protection Authority also has this right.

            3)      The Data Protection Authority may not deprive decisions and orders
            against a public body of suspensive effect.


20    Article 31(1) of the General Administrative Procedures Act (“the Liechtenstein
      Administrative Procedures Act”) (Landesverwaltungspflegegesetz, LR 172.020),
      headed “Parties” in the section “Parties and their representatives and advocates” in the
      first chapter “General provisions”, reads:


            1)      A person who approaches the administrative authority (official) with the
            request that it undertake or refrain from a sovereign administrative act in the
            legal interest of the applicant (interested party), or who as a possible subject of
            a public obligation or a public right is subjected to a procedure intended to

            determine the obliged or entitled person, or finally to whom the authority directs
            an order or decision as a result of a procedure is to be considered a party
            (intervening party, party involved, interested party, opposing party). In the case
            of doubt, the status as a party (beneficiary, interested party, etc.) is to be

            determined with due regard to the subject matter and on the basis of the
            applicable laws.

21    Article 35 of the Liechtenstein Administrative Procedures Act, headed “Principles for
      the obligation to pay costs” in the section “Costs in administrative procedures”, reads:


            1)      In a procedure that may only be initiated at the request of a party, such
            as granting a permit, initiating expropriation, concession, etc., all costs and fees
            of the procedure, as well as those of the other parties, shall be paid by the party
            initiating the procedure.


            2)      If a procedure is initiated by the authority ex officio, due to an unlawful
            situation, the costs caused by the procedure shall be borne by the party who is
            responsible for the unlawful situation through his own unlawful acts; if fault is
            not present or it is impossible to identify the person responsible, the costs shall

            be borne by the owner.

            3)      In all cases, however, each party shall bear the costs which have been
            caused by their wilful requests, their wilful objections to requests by the other
            party or other acts aimed at delaying the procedure, or by such requests that are                                             – 11 –


            capable of forming the basis for an independent procedure that may only be
            initiated at the request of a party.


            4)     If a procedure aims at a decision on a claim to financial benefits, which
            is requested by one party against another party, the issue of the costs shall be
            decided according to the relevant provisions of the Code of Civil Procedure
            regarding the costs of litigation.


22   Article 82 of the Liechtenstein Administrative Procedures Act headed “Written copy”
     in the section “The conclusion procedure” reads, in extract:

            1)     The written copy of the decision must contain:


                   (a) the title: decision;

                   (b) the names of the members of the government and of the official who
                       carried out the investigation and, if the hearing was conducted on
                       different administrative days and by different officials, the names of

                       the same, specifying the hearings they chaired;

                       the designation of the parties to the procedure by first and last name,
                       employment and place of residence, as well as the designation of the
                       legal representatives of the parties present at the hearing, their

                       representatives, and technical or other advocates;

                       as well as any representatives of authorities or advisory experts or
                       specialists;


                   …


     II     Facts and procedure

     Introduction

23   By a letter of 18 December 2019, registered at the Court as Case E-11/19 on 23

     December 2019, the Board of Appeal for Administrative Matters (“the Board of
     Appeal”)made a request for an advisory opinion in a case pending before it between
     Adpublisher AG and J. By a separate letter of 18 December 2019, registered at the Court
     as Case E-12/19 on 23 December 2019, the Board of Appeal made a request for an

     advisory opinion in a case pending before it between Adpublisher AG and K.

24   The questions referred by the Board of Appeal arise in the context of appeals against
     decisions of the Data Protection Authority of the Principality of Liechtenstein (“the

     Data Protection Authority”), which have been brought before the Board of Appeal by
     Adpublisher, a public limited company registered under the laws of Liechtenstein.                                             – 12 –


     Background

25   According to the request for an advisory opinion in Case E-11/19, the Board of Appeal
     has under review a challenge by Adpublisher to a decision of the Data Protection

     Authority, in response to a complaint brought by the data subject J for alleged
     infringement of Articles 5, 6 and 15 of the GDPR. Data subject J remains anonymous
     in the proceedings before the Board of Appeal.


26   In Case E-12/19, the Board of Appeal has under review a challenge by Adpublisher to
     a decision of the Data Protection Authority, in response to a complaint brought by the
     data subject K for alleged infringement of Article 15 of the GDPR. Data subject K also
     remains anonymous in the proceedings before the Board of Appeal.


27   In both cases, the original complaints were brought to the Commissioner for Data
     Protection for Lower Saxony, on 16 September 2018 and 18 November 2018,
     respectively. Both complaints questioned the sourcing and subsequent processing of
     personal data by Adpublisher as a data controller pursuant to Article 4(7) of the GDPR,

     in the context of online marketing.

28   Adpublisher is a public limited company under Liechtenstein law, with a registered
     office in Liechtenstein. Given the cross-border character of the complaints, pursuant to
     Article 56 of the GDPR, the Data Protection Authority was designated to deal with the

     cases as the lead supervisory authority.

29   The Data Protection Authority upheld J’s complaint concerning the infringement of
     Articles 5 and 6 of the GDPR. Further, of its own motion, the Data Protection Authority
     determined that there had been an infringement of Articles 7, 15 and 32 of the GDPR.

     In addition, the Data Protection Authority upheld K’s complaint in part and determined
     that there had been an infringement of Article 15 of the GDPR.

     The proceedings before the Board of Appeal


30   Adpublisher challenged both decisions before the Board of Appeal and requested that
     both decisions be set aside.

31   In its requests for advisory opinions, the Board of Appeal notes, first, that, pursuant to
     Article 31(1) of the Liechtenstein Administrative Procedures Act, in the context of the

     cases before it, each data subject is regarded as a party to the respective appeal
     procedure. Pursuant to point (b) of Article 82(1) of the Liechtenstein Administrative
     Procedures Act, the written version of decisions taken by the Board of Appeal must
     include the designation of the parties to the procedure stating, inter alia, their first and

     last names, profession and place of residence.

32   According to the Board of Appeal, the question, therefore, arises whether it results from
     the GDPR or another provision of EEA law, that an anonymisation of the complainant
     is permissible. Furthermore, the subsequent question arises as to whether particular

     reasons for the anonymisation must be prima facie established.                                              – 13 –


33   Second, the Board of Appeal notes in its requests that Article 57(3) of the GDPR
     provides that the performance of the tasks of each supervisory authority shall be free of
     charge for the data subject. Procedures before the Board of Appeal are governed by the

     Liechtenstein Administrative Procedures Act. While Article 35 of the Liechtenstein
     Administrative Procedures Act provides for different possibilities for the determination
     of costs, no express provision is made for a complaint procedure brought in accordance
     with Article 77 of the GDPR to be free of charge for the data subject. Hence, if a data

     subject brings a complaint to a data protection authority in accordance with Article
     57(3) of the GDPR and the decision of the data protection authority is challenged on
     appeal, as a matter of Liechtenstein law, the data subject may come under an obligation
     to reimburse costs.


34   Lastly, the Board of Appeal notes that the question arises regarding how to proceed if
     an anonymised complaint procedure is permissible and an obligation to reimburse costs
     is not precluded.


35   On this basis, the Board of Appeal decided to stay both proceedings and make requests
     to the Court for advisory opinions pursuant to Article 34 of the Agreement between the
     EFTA States on the Establishment of a Surveillance Authority and a Court of Justice.
     The Board of Appeal has in both requests asked the following questions:


            1.     Does it follow from Regulation (EU) 2016/679 of the European
            Parliament and of the Council of 27 April 2016 on the protection of natural
            persons with regard to the processing of personal data and on the free movement
            of such data, and repealing Directive 95/46/EC (General Data Protection

            Regulation, GDPR) or from another provision of EEA law that an adversarial
            general procedure to hear a complaint may be carried out under the GDPR
            without disclosing the name and address of the complainant in the complaint
            procedure?


            If the answer to the question is in the affirmative: Is it necessary in this case that
            a legitimate reason for the anonymisation is at least prima facie established or
            are no reasons required for the anonymisation?

            2.     Must a Member State ensure in its national procedural law that in a

            procedure to hear a complaint in accordance with Article 77 of the GDPR all
            further national appellate bodies are free of charge for the data subject and that
            the data subject may also not be ordered to reimburse the costs?


            3.     If Question 1 is answered in the affirmative and Question 2 is answered
            in the negative, in other words, an adversarial general procedure to hear a
            complaint may be carried out under the GDPR without identifying the name and
            address of the complainant in the complaint procedure and national procedural
            law is not required to ensure that in a procedure to hear a complaint in

            accordance with Article 77 of the GDPR all further national appellate bodies
            are free of charge for the data subject, the question arises how a decision                                             – 14 –


            resulting from a complaint procedure and ordering the data subject – who
            remains, however, anonymous – can be effected to reimburse the costs?


36   Both requests for advisory opinions were registered at the Court on 23 December 2019.
     On 22 January 2020, the Court informed the parties that it was considering joining the
     two cases. No objections were raised and, consequently, the Court decided, pursuant to
     Article 39 of the Rules of Procedure (“RoP”), to join Cases E-11/19 and E-12/19 for the

     purpose of the procedure and the final judgment. The parties were informed of this
     decision on 5 February 2020.

37   By a letter dated 25 March 2020, the Court made a request for clarification to the Board
     of Appeal under Article 96(4) RoP concerning the facts set out in the orders for

     reference. The Board of Appeal replied to these questions by two letters dated 20 April
     and 4 May 2020.

38   On 14 April 2020, the Court prescribed measures of organization of procedure pursuant
     to Article 49(1) and in accordance with point (a) of Article 49(3) RoP. The measures of

     organization of procedure invited those who are entitled to submit statements or
     observations to supplement the written procedure on the following matters by 14 May
     2020:

            To recall, if necessary, by way of a highly condensed summary, the positions

            taken by their submissions, with emphasis on the essential submission in support
            of the written arguments presented; to submit any new arguments prompted by
            recent events occurring after the close of the written procedure which, for that
            reason, could not be set out in the pleadings; to explain and expound the more

            complex points and highlight the most important points; to reply briefly to the
            main arguments set out in other written observations.



39   Responses to the measures of organization of procedure were received from
     Adpublisher, the Data Protection Authority, the Government of Liechtenstein, Ireland,
     ESA and the Commission. These responses are mentioned or discussed hereinafter only

     insofar as is necessary for the reasoning of the Court.

40   Reference is made to the Report for the Hearing for a fuller account of the legal
     framework, the facts, the procedure and the written observations submitted to the Court,

     which are mentioned or discussed hereinafter only insofar as is necessary for the
     reasoning of the Court.                                             – 15 –


     III    Answer of the Court

     Preliminary remarks


41   The questions, as they have been formulated by the referring body, concern an
     adversarial general procedure to hear a complaint under the GDPR and further national
     appellate proceedings. In the present case, the supervisory authority has already granted
     “anonymisation” of the complainantsduring proceedings under Article 77 of the GDPR,

     and “anonymisation” is also sought in the proceedings within the scope of Article 78 of
     the GDPR.

     Question 1


42   By its first question, the referring body asks, in essence, whether it follows from the
     provisions of the GDPR or any other provision of EEA law, that the proceedings under
     Articles 77 and 78(1) may be carried out without disclosing the identity of a
     complainant; and whether any grounds must be provided for not disclosing the identity
     of the complainant.


43   The Court understands that the referring body addresses the refusal to disclose personal
     data relating to the complainants as “anonymisation”. Recital 26 of the GDPR clarifies
     that anonymous information does not fall within the scope of the GDPR. The GDPR

     does not explicitly define “anonymisation”, but recital 26 refers to data “… rendered
     anonymous in such a manner that the data subject is not or no longer identifiable”. Since
     the Court is not able to determine the precise nature of the data processing in question
     on the basis of the requests, the Court refers to disclosure as disclosure to the data

     controller of the complainants’ personal data within the meaning of Article 4(2) in the
     course of proceedings under both Articles 77 and 78 of the GDPR. Article 4(2) refers
     to disclosure as a type of data processing by which personal data is made available by
     transmission, dissemination or other means.


44   Neither Article 77 nor Article 78(1) of the GDPR lays down specific rules concerning
     the disclosure of the identity of the complainants, or whether requests for disclosure
     should be granted.

45   The Court recalls that, under the principle of procedural autonomy, matters concerning

     the regulation of the procedure governing complaints and the proceedings arising
     therefrom are to be regulated at national level, provided the requirements of equivalence
     and effectiveness are respected. This means that the rules must not render practically
     impossible or excessively difficult the exercise of rights conferred by EEA law (see

     Case E-6/17 Fjarskipti [2018] EFTA Ct. Rep. 78, paragraph 31).

46   The Court notes that the main principle of the GDPR is that any data processing,
     including disclosure of data, can only take place if data processing is lawful in
     accordance with Articles 5 and 6 of the GDPR. Furthermore, according to point (c) of

     Article 5(1), personal data shall be adequate, relevant and limited to what is necessary
     in relation to the purposes for which they are processed.                                              – 16 –


47   The Court notes that, at the moment of receiving a complaint from an identified or
     identifiable natural person, the supervisory authority becomes the controller of any
     processing of the complainant’s personal data necessary to handle the complaint.

     Similarly, the referring body, in a case such as that in question, becomes a controller of
     any processing of personal data when it receives an appeal against a decision. The
     supervisory authority and appellate body’s processing of personal data for handling a
     complaint or appeal will generally have a lawful basis and be necessary in the public

     interest pursuant to point (e) of Article 6(1) of the GDPR.

48   If a data subject has objected to the data processing, it follows from Article 21(1) of the
     GDPR that compelling legitimate grounds for the processing, which override the

     interests, rights and freedoms of the data subject or for the establishment, exercise or
     defence of legal claims must be demonstrated (compare also point (c) of Article 18(1),
     Article 18(2) and recital 69 of the GDPR). The assessment of whether it is necessary to
     disclose the identity of complainants to other parties must strike a balance between the
     data subject’s interests, rights and freedoms, and the parties’ rights of defence and fair

     procedures.

49   It should be recalled that Article 58(4) of the GDPR prescribes that the exercise of the
     powers conferred on the supervisory authority shall be subject to appropriate procedural

     safeguards, including effective judicial remedy and due process, set out in EEA law and
     national law. This express guarantee of due process requires that a decision to disclose
     the identity of the complainants should generally be made if withholding the identity of
     the data subject would hinder the data controller from establishing the exact

     circumstances of the case, and consequently inhibit the possibility of an effective
     exercise of its right to a judicial remedy.

50   According to Article 1(i) of the Joint Committee Decision, the words “in accordance
     with the Charter” in Article 58(4) of the GDPR shall not apply as regards the EFTA

     States. However, fundamental rights form part of the general principles of EEA law.
     The Court has held that the provisions of the European Convention on Human Rights
     (“ECHR”) and the judgments of the European Court of Human Rights are important
     sources for determining the scope of these fundamental rights (see Case E-14/15

     Holship [2016] EFTA Ct. Rep. 240, paragraph 123). Effective judicial protection
     including the right to a fair trial, which is a general principle of EEA law, provides for
     a level of protection equivalent to Article 6(1) of the ECHR (see Case E-15/10 Posten
     Norge AS [2012] EFTA Ct. Rep. 246, paragraph 86 and case law cited; and Case E-4/11

     Arnulf Clauder [2011] EFTA Ct. Rep. 216, paragraph 49 and case law cited). This
     necessarily includes the right to mount an effective defence. Consequently, if a refusal
     to disclose personal data would impair the data controller’s ability to exercise its right
     of defence, then the individual’s identity must be disclosed.


51   As noted by Ireland, the Commission and ESA, the effective functioning of data
     protection compliance under the GDPR may require disclosing the complainant’s
     personal data to the data controller. This would be the case, inter alia, when the data
     subject, in accordance with point (c) of Article 58(2) of the GDPR, requests to exercise

     his or her rights or alleges infringement of his or her rights by the controller. Acting on                                              – 17 –


     this request, a supervisory authority may need to disclose the identity of a complainant
     to the controller to enable the latter to fulfil the order. In turn, the supervisory authority’s
     exercise of its powers, in accordance with, inter alia, points (e) to (g) and (j) of Article

     58(2) of the GDPR, may necessitate disclosing the identity of the complainants to the
     controller.

52   On the other hand, disclosing complainants’ identities may not be necessary for the

     effective exercise of the right of defence where the investigation or decision concerns
     standardised and equal data processing for an unspecified number of data subjects, or
     where the investigation and decision is based on several similar complaints.

53   Further, a complaint lodged by a data subject pursuant to Article 77 of the GDPR must

     be qualified in the sense that the alleged infringement of the GDPR relates to the
     processing of personal data of that data subject. A data subject has certain procedural
     rights concerning the complaint in accordance with Article 77(2) of the GDPR. The
     supervisory authority must inform the subject of the progress and the outcome of the

     complaint, including the possibility of a judicial remedy pursuant to Article 78 of the
     GDPR. To effectively satisfy this obligation, the identity of the data subject must be
     known to the supervisory authority.

54   It is for the referring body to determine whether the nature of the case at hand is such

     as to require disclosure of the identity of the data subject to the controller in light of
     those requirements.

55   Against this background, the answer to the first question must be that disclosure of a
     complainant’s personal data during proceedings based on a complaint lodged under

     Article 77 of the GDPR, or proceedings based on Article 78(1) of the GDPR, is not
     precluded by the GDPR or any other provision of EEA law. The question of non-
     disclosure of a complainant’s personal data must be examined in the light of the
     principles for processing personal data under Articles 5 and 6 of the GDPR. Non-

     disclosure should not be granted if it would inhibit the performance of the obligations
     provided in the GDPR, or the exercise of the right to effective judicial remedy and due
     process as set out in Article 58(4) of the GDPR and under the fundamental right to an
     effective judicial remedy.


     Question 2

56   By its second question, the referring body essentially asks whether the free of charge
     nature of the complaint procedure under Article 77 of the GDPR extends to subsequent
     proceedings before appellate bodies or has an impact on the liability of the data subject

     to be ordered to pay costs.

57   Article 77 of the GDPR sets out the right to lodge a complaint with a supervisory
     authority. Article 57(3) provides that the tasks of the supervisory authority, including

     the handling of complaints, are to be free of charge for the data subject. In order to
     handle complaints lodged, Article 58(1) confers extensive investigative powers on the
     supervisory authority. If the supervisory authority considers that requirements of the                                              – 18 –


     GDPR have not been complied with, Article 58(2) lays down the various corrective
     powers the supervisory authority may adopt (compare the judgment in Facebook
     Ireland and Schrems, C-311/18, EU:C:2020:559, paragraph 111).


58   While Article 57(3) of the GDPR is limited to the performance of the tasks of the
     supervisory authority, no other provision of the GDPR specifically addresses a legal
     costs scheme. In particular, costs are not regulated in relation to proceedings under

     Article 78(1) of the GDPR. The Court notes that Article 58(4) and Article 78 of the
     GDPR give expression to the right to an effective judicial remedy. Under the principle
     of procedural autonomy, the implementation of the judicial remedy is left to the national
     legal order, provided that principles of equivalence and effectiveness are respected.


59   However, Article 78(3) of the GDPR provides that proceedings against a supervisory
     authority shall be brought before the courts of the EEA State where the supervisory
     authority is established. This provision presupposes that the supervisory authority
     assumes the position of a defendant, defending its own decision when that decision is

     challenged. However, in the absence of any specific provisions to that effect, Article
     78(3) cannot be interpreted as precluding the possibility that other entities, e.g.
     complainants, may also be become parties to such proceedings under the procedural law
     of the EEA State in question. In the present case, as observed by the Commission and

     as is apparent from the request, by lodging their complaints with the supervisory
     authority under Article 77, the complainants were accorded the status of defendants
     when the controller lodged an appeal against the decision of the supervisory authority
     under Article 78. It also appears that the status of the complainants before the referring

     body is one of defending the decision of the supervisory authority, including issues
     which were not within the scope of their complaints.

60   It is important to note that, under point (h) of Article 57(1) of the GDPR, the supervisory
     authority has the power to engage in investigations of its own initiative. This provides

     that the supervisory authority may, in relation to its examination of the complaint,
     decide on different claims or subject-matter in comparison with those raised by the data
     subject in his or her complaint before the supervisory authority. The effectiveness of
     the complaint procedure requires that the supervisory authority is not limited in its

     investigation by how the complainant has framed the relevant points of law in his or her
     complaint.

61   In a situation in which the data subject does not initiate proceedings under Article 78(1)
     of the GDPR, but nevertheless is accorded the status of a defendant in those

     proceedings, the potential order to reimburse costs would have an effect equivalent to
     charging fees for the tasks of a supervisory authority.

62   Such an obligation to reimburse costs is not in line with the right to lodge a complaint
     free of charge under Article 77(1) and 57(3) of the GDPR and moreover runs contrary

     to the purpose of the GDPR to create a strong enforcement mechanism and enhance
     legal and practical certainty for data subjects (see recital 7 of the GDPR). The prospect
     of costs reimbursement constitutes a disincentive to lodge a complaint before a
     supervisory authority. Thus, the Court finds that such a set-up undermines the scope of                                             – 19 –


     protection guaranteed by the provisions of the GDPR referred to above, and the exercise
     of rights conferred by EEA law would be rendered excessively difficult, in breach of
     those provisions of the GDPR.


63   Article 3 EEA requires EEA States to take all measures necessary to guarantee the
     application and effectiveness of EEA law. It is inherent in the objectives of the EEA
     Agreement that national courts are bound, as far as possible, to interpret national law in

     conformity with EEA law. Consequently, they must, as far as possible, apply the
     methods of interpretation recognised by national law in order to achieve the result
     sought by the relevant rule of EEA law (see Case E-25/13 Gunnar Engilbertsson v
     Íslandsbanki hf. [2014] EFTA Ct. Rep. 524, paragraph 159 and case law cited).


64   In light of the foregoing, the Court finds that the answer to the second question must be
     that it follows from Articles 77(1) and 57(3) of the GDPR that where a data subject
     becomes a party to proceedings under Article 78(1) of the GDPR as a result of a data
     controller appealing against a supervisory authority’s decision, and where national law

     imposes this status on a data subject automatically, the data subject may not be made
     responsible for any costs incurred in relation to those proceedings.

65   In these circumstances, there is no need to answer the third question referred to the
     Court.



     IV    Costs

66   The costs incurred by the Government of Liechtenstein, the Government of Austria,
     Ireland, ESA and the Commission, which have submitted observations to the Court, are

     not recoverable. Since these proceedings are a step in the proceedings pending before
     the national court, any decision on costs for the parties to those proceedings is a matter
     for that court.                                      – 20 –


On those grounds,


                                  THE COURT


in answer to the questions referred to it by the Liechtenstein Board of Appeal for
Administrative Matters hereby gives the following Advisory Opinion:



        1. Disclosure of a complainant’s personal data during proceedings based

           on a complaint lodged under Article 77 of Regulation (EU) 2016/679 of
           the European Parliament and of the Council of 27 April 2016 on the
           protection of natural persons with regard to the processing of personal
           data and on the free movement of such data, or proceedings based on

           Article 78(1) of that regulation, is not precluded by that regulation or
           any other provision of EEA law. The question of non-disclosure of a
           complainant’s personal data must be examined in the light of the
           principles for processing personal data under Articles 5 and 6 of

           Regulation (EU) 2016/679. Non-disclosure should not be granted if it
           would inhibit the performance of the obligations provided in
           Regulation (EU) 2016/679, or the exercise of the right to effective
           judicial remedy and due process as set out in Article 58(4) and under

           the fundamental right to an effective judicial remedy.

        2. It follows from Articles 77(1) and 57(3) of Regulation (EU) 2016/679
           that where a data subject becomes a party to proceedings under Article

           78(1) as a result of a data controller appealing against a supervisory
           authority’s decision, and where national law imposes this status on a
           data subject automatically, the data subject may not be made
           responsible for any costs incurred in relation to those proceedings.







     Páll Hreinsson            Per Christiansen          Bernd Hammermann


Delivered in open court in Luxembourg on 10 December 2020.






Ólafur Jóhannes Einarsson                             Páll Hreinsson

Registrar                                             President