On September 8, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) opined that data subjects should be able to lodge a complaint with a Supervisory Authority against a controller/processor for allegedly breaching the GDPR and, in parallel, lodge judicial redress proceedings against the same controller/processor for damages resulting from the alleged GDPR violation.
The case that was referred to the CJEU relates to a shareholder’s request to access audio recordings of a company meeting. The company provided the shareholder only with extracts of his/her interventions. Subsequently, the shareholder filed a complaint with the Hungarian Supervisory Authority for a breach of his/her right of access and asking the Supervisory Authority to order the company to disclose additional recordings. The Supervisory Authority rejected the complaint. As a result, the shareholder appealed the Supervisory Authority’s decision before a court and in parallel initiated separate judicial proceedings against the company asking for remedies for damages suffered.
The GDPR provides that a data subject may take any of the following actions:
- lodge a complaint against a controller or a processor for non-compliance with the GDPR with a Supervisory Authority (Article 77);
- lodge judicial proceedings appealing a decision of a Supervisory Authority (Article 78); and
- lodge judicial proceedings against a controller or a processor claiming remedies for damages resulting from a GDPR violation (Article 79).
According to the AG, each of these proceedings may run independently from one another. The GDPR only provides rules for parallel actions in different Member States, but not within the same Member State.
The AG found that the Supervisory Authority’s investigation of a controller or processor’s GDPR violation (pursuant to Article 77) and the court’s redress proceedings (pursuant to Article 79) run in parallel and their outcomes are independent from one another. For example, that means that even if a Supervisory Authority decides that there is no GDPR violation, a court may decide to the contrary and grant a data subject remedies for the damages he or she suffered.
The AG is also of the opinion that when a data subject appeals a Supervisory Authority’s decision before a court (pursuant to Article 78), this court is not bound by any (separate) court’s decision on whether to grant the data subject remedies for damages suffered from a GDPR violation (pursuant to Article 79).
However, the AG recognised that parallel actions may result in conflicting outcomes and create legal uncertainty. Therefore, the AG found that Member States should adopt the necessary procedural safeguards to prevent conflicting decisions within the same Member State relating to the same processing of personal data, as far as possible and in accordance with Article 47 of the EU Charter of Fundamental Rights. However, the AG pointed out that these safeguards may not: (i) be less favourable than those safeguards in national law governing similar situations and (ii) make it practically impossible or excessively difficult for data subjects to exercise their GDPR rights.
The AG provides the following examples of such safeguards: (i) requiring a data subject to exhaust administrative remedies (e.g., before a Supervisory Authority) before initiating proceedings before a court; or (ii) obliging a court that is asked to decide on whether to grant a data subject remedies for damages resulting from a GDPR violation (pursuant to Article 79) to stay its proceedings until the Supervisory Authority issues its decision on whether there was a GDPR violation or, if the Supervisory Authority’s decision is appealed, until a court renders its decision on the appeal.
* * *
The AG’s opinion is not binding on the CJEU. The Covington team will report back once the CJEU’s renders its judgment.