Update: On January 12, 2023, the Court of Justice of the European Union sided with the Advocate General’s opinion, confirming that a data subject can lodge a complaint with a Supervisory Authority and, concurrently, lodge judicial redress proceedings against the same controller/processor for damages resulting from the alleged GDPR violation.

More specifically, the CJEU held that the remedies provided for in Article 77(1) and Article 78(1) GDPR, on the one hand, and Article 79(1) GDPR, on the other, can be exercised in parallel and are independent of each other.  Concerning the material outcome of the case, the referring court must determine how to implement the remedies, in line with national procedural law.

*                             *                             *

On September 8, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) opined that data subjects should be able to lodge a complaint with a Supervisory Authority against a controller/processor for allegedly breaching the GDPR and, in parallel, lodge judicial redress proceedings against the same controller/processor for damages resulting from the alleged GDPR violation.

The case that was referred to the CJEU relates to a shareholder’s request to access audio recordings of a company meeting.  The company provided the shareholder only with extracts of his/her interventions.  Subsequently, the shareholder filed a complaint with the Hungarian Supervisory Authority for a breach of his/her right of access and asking the Supervisory Authority to order the company to disclose additional recordings.  The Supervisory Authority rejected the complaint.  As a result, the shareholder appealed the Supervisory Authority’s decision before a court and in parallel initiated separate judicial proceedings against the company asking for remedies for damages suffered.

The GDPR provides that a data subject may take any of the following actions:

  • lodge a complaint against a controller or a processor for non-compliance with the GDPR with a Supervisory Authority (Article 77);
  • lodge judicial proceedings appealing a decision of a Supervisory Authority (Article 78); and
  • lodge judicial proceedings against a controller or a processor claiming remedies for damages resulting from a GDPR violation (Article 79).

According to the AG, each of these proceedings may run independently from one another.  The GDPR only provides rules for parallel actions in different Member States, but not within the same Member State.

The AG found that the Supervisory Authority’s investigation of a controller or processor’s GDPR violation (pursuant to Article 77) and the court’s redress proceedings (pursuant to Article 79) run in parallel and their outcomes are independent from one another.  For example, that means that even if a Supervisory Authority decides that there is no GDPR violation, a court may decide to the contrary and grant a data subject remedies for the damages he or she suffered.

The AG is also of the opinion that when a data subject appeals a Supervisory Authority’s decision before a court (pursuant to Article 78), this court is not bound by any (separate) court’s decision on whether to grant the data subject remedies for damages suffered from a GDPR violation (pursuant to Article 79).

However, the AG recognised that parallel actions may result in conflicting outcomes and create legal uncertainty.  Therefore, the AG found that Member States should adopt the necessary procedural safeguards to prevent conflicting decisions within the same Member State relating to the same processing of personal data, as far as possible and in accordance with Article 47 of the EU Charter of Fundamental Rights.  However, the AG pointed out that these safeguards may not: (i) be less favourable than those safeguards in national law governing similar situations and (ii) make it practically impossible or excessively difficult for data subjects to exercise their GDPR rights.

The AG provides the following examples of such safeguards: (i) requiring a data subject to exhaust administrative remedies (e.g., before a Supervisory Authority) before initiating proceedings before a court; or (ii) obliging a court that is asked to decide on whether to grant a data subject remedies for damages resulting from a GDPR violation (pursuant to Article 79) to stay its proceedings until the Supervisory Authority issues its decision on whether there was a GDPR violation or, if the Supervisory Authority’s decision is appealed, until a court renders its decision on the appeal.

*                             *                             *

The AG’s opinion is not binding on the CJEU.  The Covington team will report back once the CJEU’s renders its judgment.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Read more about Dan Cooper
Show more Show less
Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Read more about Anna Oberschelp de Meneses
Show more Show less