Author: Olivia Tambou

 

1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

 

A. General overview

Art. 79 grants the data subject a right to an effective judicial remedy. As is the case with Art. 78, the purpose of the EU legislator is to reinforce effectiveness of the rights of the data subject and the GDPR by facilitating its enforcement. Such a judicial remedy can be exercised by the data subject or a not-for-profit body, organisation or association on his or her behalf according to Art. 80. The added value of Art. 79 is to offer an effective judicial remedy against the processor and not only the controller, as well as, to clarify the criterion for competent jurisdiction.

B. Legislative history

Art. 22 DPD only contained a very general provision on remedies reading “without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question”. Until Puškàr, Art. 22 DPD had not been mentioned in the operative part of judgements of the CJEU, but only in grounds of judgements or Opinions of the AG.

The Comm-P contained four paragraphs on this matter (Art. 75). The main changes have been introduced by the Council-R. More concretely, the Council amended the first paragraph and the title to explicitly highlight the effective nature of the judicial remedy; this was also the case with Art. 78. In addition, the Council added the possibility to combine judicial with non-judicial remedies. Furthermore, it clarified that only the data subject can enjoy this right against a controller or a processor. Finally, it removed para. 3 and para. 4 of Art. 75 Comm-P, which referred to the possibility of suspension of proceedings (when proceedings on the same measure, decision or practice are pending in the consistency mechanism) and the enforcement of final court decisions respectively. Regarding the case of suspension of proceedings (Art. 75 para. 3 Comm-P), no provision was included in Art. 81, which only refers to a situation where the same subject matter is pending in a court in another Member State. This probably means that it is up to the national court to decide whether or not it wishes to suspend proceedings, where proceedings on the same measure, decision or practice are pending in the consistency mechanism. It is unlikely that the national judge will suspend proceedings, except where he or she reasonably believes that the EDPB is about to take a binding decision according to Art. 65 GDPR. As recital 143 mentions, “where a decision of a supervisory authority implementing a decision of the Board is challenged before a national court and the validity of the decision of the Board is at issue”, a national court does not have the power to “declare the Board’s decision invalid” and must refer the question to the CJEU in accordance with Art. 267 TFEU. This is the reason why Art. 78 para. 4 GDPR introduced an obligation to inform the court when the decision of a SA was preceded by an opinion or a decision of the EDPB in the consistency mechanism.

The final version of Art. 79 para. 1 GDPR provides for an effective judicial remedy against the controller or a processor and clarifies the competent court before which proceedings can be brought by the data subject.

C. Article 79 para. 1: The right to an effective judicial remedy against the controller and the processor

Art. 79 GDPR maintains the data subject’s choice: it can choose whether to refer to a judge or lodge a complaint with the SA (under Art. 77). This right to an effective judicial remedy is attributed to a data subject, not to any person. This in principle excludes legal persons. Nevertheless, according to Art. 80 (→ mn. 7–8) a non-profit body, organisation or association can represent the data subject before courts.

I. An alternative remedy

 

The GDPR clarifies that two kinds of remedies against the controller or the processor are at the disposal of the data subject: non-judicial and judicial. The non-judicial remedy should be at least the right to lodge a complaint with a SA (under Art. 77); Art. 79 deals with judicial remedies. It is up to the data subject to choose between bringing its case before the judge or the SA. In addition, other national administrative remedies are possible.

 

 

[…]