Data protection case law Court of Justice

Powers

5 pending referrals

Referral C-768/21 (Land Hessen, 14 Dec 2021)


Referral C-552/21 (SCHUFA Holding and Others, 7 Sep 2021)


Referral C-132/21 (Nemzeti Adatvédelmi és Információszabadság Hatóság, 3 Mar 2021)


Referral C-701/20 (Avis Autovermietung, 22 Dec 2020)


Referral C-319/20 (Meta Platforms Ireland, 15 Jul 2020)


3 preliminary rulings

of 15 Jun 2021, C-645/19 (Facebook Ireland and Others)

Article 55(1), Articles 56 to 58 and Articles 60 to 66 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read together with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a supervisory authority of a Member State which, under the national legislation adopted in order to transpose Article 58(5) of that regulation, has the power to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where necessary, to initiate or engage in legal proceedings, may exercise that power in relation to an instance of cross-border data processing even though it is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, with respect to that data processing, provided that that power is exercised in one of the situations where Regulation 2016/679 confers on that supervisory authority a competence to adopt a decision finding that such processing is in breach of the rules contained in that regulation and that the cooperation and consistency procedures laid down by that regulation are respected.

Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, in the event of cross-border data processing, it is not a prerequisite for the exercise of the power of a supervisory authority of a Member State, other than the lead supervisory authority, to initiate or engage in legal proceedings, within the meaning of that provision, that the controller with respect to the cross-border processing of personal data against whom such proceedings are brought has a main establishment or another establishment on the territory of that Member State.

Article 58(5) of Regulation 2016/679 must be interpreted as meaning that the power of a supervisory authority of a Member State, other than the lead supervisory authority, to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where appropriate, to initiate or engage in legal proceedings, within the meaning of that provision, may be exercised both with respect to the main establishment of the controller which is located in that authority’s own Member State and with respect to another establishment of that controller, provided that the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power, in accordance with the terms of the answer to the first question referred.

Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, where a supervisory authority of a Member State which is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, has brought a legal action, the object of which is an instance of cross-border processing of personal data, before 25 May 2018, that is, before the date when that regulation became applicable, that action may, from the perspective of EU law, be continued on the basis of the provisions of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which remains applicable in relation to infringements of the rules laid down in that directive committed up to the date when that directive was repealed. That action may, in addition, be brought by that authority with respect to infringements committed after that date, on the basis of Article 58(5) of Regulation 2016/679, provided that that action is brought in one of the situations where, exceptionally, that regulation confers on a supervisory authority of a Member State which is not the ‘lead supervisory authority’ a competence to adopt a decision finding that the processing of data in question is in breach of the rules contained in that regulation with respect to the protection of the rights of natural persons as regards the processing of personal data, and that the cooperation and consistency procedures laid down by that regulation are respected, which it is for the referring court to determine.

Article 58(5) of Regulation 2016/679 must be interpreted as meaning that that provision has direct effect, with the result that a national supervisory authority may rely on that provision in order to bring or continue a legal action against private parties, even where that provision has not been specifically implemented in the legislation of the Member State concerned.

of 16 Jul 2020, C-311/18 (Facebook Ireland and Schrems)

Article 58(2)(f) and (j) of Regulation 2016/679 must be interpreted as meaning that, unless there is a valid European Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of that regulation and by the Charter of Fundamental Rights, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.

Judgment of 13 May 2014, C-131/12 (Google Spain and Google)

Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.


Disclaimer