Data protection case law Court of Justice

Tasks

Home > General data protection law > Chapter VI - Independent supervisory authorities > Tasks
3 pending referrals

Referral C-563/23 (Natsionalnata agentsia za prihodite, 12 Sep 2023)


Referral C-563/23 (Natsionalnata agentsia za prihodite, 12 Sep 2023)


Referral C-332/23 (Inspektorat kam Visshia sadeben savet, 25 May 2023)


3 preliminary rulings

of 9 Jan 2025, C-416/23 (Österreichische Datenschutzbehörde)

Article 57(4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that the concept of a ‘request’ contained in that provision covers the complaints referred to in Article 57(1)(f) and Article 77(1) of that regulation.

Article 57(4) of Regulation 2016/679must be interpreted as meaning that requests cannot be classified as ‘excessive’, within the meaning of that provision, solely on account of their number during a specific period, since the exercise of the option provided for in that provision is subject to the supervisory authority’s demonstrating the existence of an abusive intention on the part of the person who submitted those requests.

Article 57(4) of Regulation 2016/679must be interpreted as meaning that, when faced with excessive requests, a supervisory authority may choose, by reasoned decision, between charging a reasonable fee based on administrative costs and refusing to act on those requests, taking account of all the relevant circumstances and satisfying itself that the chosen option is appropriate, necessary and proportionate.

of 26 Sep 2024, C-768/21 (Land Hessen)

Article 57(1)(a) and (f), Article 58(2) and Article 77(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),must be interpreted as meaning that when a breach of personal data has been established, the supervisory authority is not required to exercise a corrective power, in particular the power to impose an administrative fine, under that Article 58(2) where such action is not appropriate, necessary or proportionate to remedy the shortcoming found and to ensure that that regulation is fully enforced.

of 15 Jun 2021, C-645/19 (Facebook Ireland and Others)

Article 55(1), Articles 56 to 58 and Articles 60 to 66 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read together with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a supervisory authority of a Member State which, under the national legislation adopted in order to transpose Article 58(5) of that regulation, has the power to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where necessary, to initiate or engage in legal proceedings, may exercise that power in relation to an instance of cross-border data processing even though it is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, with respect to that data processing, provided that that power is exercised in one of the situations where Regulation 2016/679 confers on that supervisory authority a competence to adopt a decision finding that such processing is in breach of the rules contained in that regulation and that the cooperation and consistency procedures laid down by that regulation are respected.

Disclaimer