DATA PROTECTION
Court of Justice of the European Union: an administrative complaint to the Data Protection Authority and a judicial appeal on the same subject may proceed in parallel.
In its judgment in Case C-414/24, Datenschutzbehörde, the Court of Justice of the European Union clarified that a supervisory authority cannot reject a complaint under Article 77 of the GDPR solely on the grounds that civil proceedings brought under Article 79 of the GDPR are already pending in relation to the same matter.
The case concerned a medical professional who had requested the erasure of her data from a platform for evaluating doctors. Following the operator’s refusal, the data subject first brought the matter before the civil court and subsequently lodged a complaint with the Austrian data protection authority. The latter had declared the complaint inadmissible precisely because of the pending court proceedings.
The Court held that this approach was incompatible with the GDPR. A complaint to the supervisory authority and a judicial appeal are, in fact, independent and concurrent remedies, designed to fulfil different functions: the former triggers the authority’s powers of investigation, correction and sanction; the latter ensures protection before the courts, including for the purposes of injunctions and compensation for damages.
The risk of conflicting decisions does not, in itself, justify the rejection of the complaint. Such an approach could leave the data subject without protection if the civil proceedings were to conclude without a decision on the merits – for example, for procedural reasons – whilst the time limit for lodging a complaint had, in the meantime, expired.
The ruling therefore confirms that Member States may regulate the arrangements for coordination between the two remedies, but may not limit their effectiveness or undermine the level of protection guaranteed by the GDPR and Article 47 of the Charter of Fundamental Rights of the European Union.
Although the judgment follows in the footsteps of the previous Hatóság judgments of 12 January 2023, Case C-132/21, and the Schufa Holding (Debt Relief) judgment of 7 December 2023, joined cases C-26/22 and C-64/22, is set to reignite the debate on the coordination between complaints to the supervisory authority and judicial remedies provided for by the GDPR. The decision is also of particular significance for the Italian legal system, as Article 140-bis of the Privacy Code provides for an alternative regime between complaints to the Data Protection Authority and judicial redress. In light of the judgment, this provision may require a fresh assessment of its compatibility with EU law.