Data protection case law Court of Justice

Chapter VII - Cooperation and consistency

3 preliminary rulings

of 15 Jun 2021, C-645/19 (Facebook Ireland and Others)

Article 55(1), Articles 56 to 58 and Articles 60 to 66 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read together with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a supervisory authority of a Member State which, under the national legislation adopted in order to transpose Article 58(5) of that regulation, has the power to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where necessary, to initiate or engage in legal proceedings, may exercise that power in relation to an instance of cross-border data processing even though it is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, with respect to that data processing, provided that that power is exercised in one of the situations where Regulation 2016/679 confers on that supervisory authority a competence to adopt a decision finding that such processing is in breach of the rules contained in that regulation and that the cooperation and consistency procedures laid down by that regulation are respected.

Judgment of 5 Jun 2018, C-210/16 (Wirtschaftsakademie Schleswig-Holstein)

Article 4(1)(a) and Article 28(3) and (6) of Directive 95/46 must be interpreted as meaning that, where the supervisory authority of a Member State intends to exercise with respect to an entity established in the territory of that Member State the powers of intervention referred to in Article 28(3) of that directive, on the ground of infringements of the rules on the protection of personal data committed by a third party responsible for the processing of that data whose seat is in another Member State, that supervisory authority is competent to assess, independently of the supervisory authority of the other Member State, the lawfulness of such data processing and may exercise its powers of intervention with respect to the entity established in its territory without first calling on the supervisory authority of the other Member State to intervene.

Judgment of 1 Oct 2015, C-230/14 (Weltimmo)

Where the supervisory authority of a Member State, to which complaints have been submitted in accordance with Article 28(4) of Directive 95/46, reaches the conclusion that the law applicable to the processing of the personal data concerned is not the law of that Member State, but the law of another Member State, Article 28(1), (3) and (6) of that directive must be interpreted as meaning that that supervisory authority will be able to exercise the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive only within the territory of its own Member State. Accordingly, it cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in that territory, but should, in accordance with Article 28(6) of that directive, request the supervisory authority within the Member State whose law is applicable to act.