Vice-President, acting as Judge of the First Chamber, L Bay Larsen,
Judges PG Xuereb, A Kumin, I Ziemele (Rapporteur)
Advocate General J Richard de la Tour
In Hungary, the data subject attended the general meeting of a company of which he was a shareholder, during which he asked various questions. Subsequently he asked the company, as the personal data controller, to send him the sound recording made at the meeting. The company made available to him only the excerpts from that recording which reproduced his contributions, excluding the answers given by other attendees. The data subject then asked the Hungarian supervisory authority to, inter alia, declare that the company had acted unlawfully by failing to provide him with the full recording, and had breached provisions of Parliament and Council Regulation (EU) 2016/679 (the General Data Protection Regulation or “GDPR”), article 77(1) of which provided that, “without prejudice to any other administrative or judicial remedy”, every data subject had the right to lodge a complaint with a supervisory authority if they considered that the processing of personal data relating to them had infringed the Regulation. The supervisory authority refused that request and the data subject brought proceedings before an administrative court seeking the variation or annulment of the controller’s decision, on the basis of article 78(1) of the GDPR, the purpose of which was to examine the lawfulness of the decision of a supervisory authority adopted on the basis of article 77. At the same time, the data subject initiated a parallel action against the data controller’s decision before a civil court, on the basis of article 79(1) of the Regulation which gave data subjects the right to “an effective judicial remedy”. Although the first proceedings were still pending before the administrative court, the civil court allowed the second action, on the ground that the controller had infringed the data subject’s right of access to his personal data. In his action before the administrative court, the data controller asked that that finding court be taken into account. Under the relevant Hungarian procedural rules, the decision of the civil court was not binding on the administrative court. In so far as the supervisory authority and the civil court had adopted contrary decisions, the administrative court questioned how it should treat the relationship between the civil court’s assessment of the lawfulness of a data controller’s decision and the procedure which led to the adoption of the supervisory authority’s decision, which formed the subject matter of the action pending before the administrative court. In those circumstances, the Hungarian administrative court stayed the proceedings and referred to the Court of Justice of the European Union for a preliminary ruling the question, in essence, whether articles 77(1), 78(1) and 79(1) of the General Data Protection Regulation, read in the light of the right to an effective judicial remedy under article 47 of the Charter of Fundamental Rights (“the Charter”), meant that the remedies provided for in articles 77(1) and 78(1) of the Regulation, on the one hand, and article 79(1), on the other, could be exercised concurrently with, and independently of, each other, or whether one of them had priority over the other.
On the reference—
Held, (1) each of the remedies under articles 77(1), 78(1) and 79(1) of the General Data Protection Regulation (“GDPR”) were exercised “without prejudice” to the others. The Regulation did not provide for any priority or exclusive competence or jurisdiction, or for any rule of precedence, in respect of the assessment as to whether there had been an infringement of a data subject’s rights under the Regulation. Accordingly, the provisions of the GDPR read in the light of article 47 of the Charter, permitted the remedies provided for by articles 77(1) and 78(1) of the Regulation, and article 79(1) thereof, to be exercised concurrently with, and independently of, each other, with neither remedy having priority over the other (judgment, paras 34, 35, operative part).
(2) Since, in the absence of EU rules governing the matter, it was for each member state to lay down the procedural rules necessary to ensure that an individual’s EU law rights were protected, it was for the referring court to determine, on the basis of national procedural rules, how the remedies provided for by the GDPR had to be implemented in a situation such as that at issue. The member states had to ensure that their rules did not disproportionately affect the right to an effective remedy before a court or tribunal referred to in article 47 of the Charter. Further, the national rules had to ensure that contradictory decisions were not adopted in relation to the same processing of personal data. In the present case, the Hungarian rules were worded in such a way that the remedies provided for by articles 78(1) and 79(1) of the GDPR were independent of each other, so that the referring court was not bound by the decision of the civil court, even though the facts of the actions were the same. Therefore, it could not be ruled out that the decisions given by those two courts might be contradictory, with one finding that the provisions of Regulation 2016/679 had been infringed and the other that there had been no infringement. Accordingly, it was for the member states, in accordance with the principle of procedural autonomy, to lay down detailed rules on the relationship between the remedies under articles 77(1), 78(1) and 79(1) of the GDPR in order to ensure the effective protection of the rights guaranteed by that Regulation and the consistent and homogeneous application of its provisions, as well as the right to an effective remedy under article 47 of the Charter (judgment, paras 45, 46, 51, 52–55, 56, 57, operative part).
I Kulcsár for the data subject.
G Barabás, GJ Dudás and Á Hargitathe for the Hungarian supervisory authority.
Zs Biró-Tóth and MZ Fehér, agents, for the Hungarian Government.
O Serdula, M Smolek and J Vláčil, agents, for the Czech Government.
G Palmieri, agent, and E De Bonis and MF Severi, for the Italian Government.
B Majczyna and J Sawicka, agents, for the Polish Government.
H Kranenborg, Zs Teleki and PJO Van Nuffel, agents, for the European Commission.