The Court of Justice of the European Union (CJEU) has confirmed the limited competence of a national supervisory authority that is not the lead supervisory authority (LSA) to bring legal proceedings in its national courts for alleged infringements of the GDPR. The CJEU concluded that in cases of cross-border data processing, a national supervisory authority that is not the LSA has the power to bring legal proceedings in its national courts only if: (i) that power is exercised in one of the situations where the GDPR confers on that supervisory authority a competence to adopt a decision finding that such processing infringes the rules contained in the GDPR, and (ii) that power is exercised with due regard to the cooperation and consistency procedures laid down by the GDPR.
Key highlights of the CJEU’s judgment include:
- As a general rule, with respect to cross-border processing of personal data, the LSA has the principal competence to adopt a decision finding that such processing is an infringement of the GDPR. The competence of the other supervisory authorities concerned for the adoption of such a decision, even provisionally, constitutes an exception to the rule.
- The GDPR’s cooperation and consistency procedures provide for limited exceptions whereby a national supervisory authority that is not the LSA is permitted to issue a decision in certain cases. For example, Article 56(2) and Article 66 of the GDPR permit a national supervisory authority to handle local complaints or an alleged infringement of the GDPR, if it relates only to an establishment in its Member State or substantially affects only data subjects in its Member State, or to adopt a provisional measure where there is an urgent need to act in order to protect the rights of data subjects.
- The application of the one-stop-shop mechanism requires, as confirmed in recital 13 of the GDPR, sincere and effective cooperation between the lead supervisory authority and the other supervisory authorities concerned. Accordingly, the LSA may not ignore the views of the other supervisory authorities, and any relevant and reasoned objection made by one of the other supervisory authorities has the effect of blocking, at least temporarily, the adoption of the draft decision of the lead supervisory authority.
- It is not a prerequisite for the exercise of the power of a national supervisory authority to bring legal proceedings, in respect of cross-border processing, that the controller has a main establishment or another establishment on the territory of the supervisory authority’s Member State, subject to certain conditions.
- A national supervisory authority may exercise its power to bring legal proceedings both with respect to the main establishment of that controller which is located in that authority’s own Member State, and with respect to another establishment of that controller, provided that the object of the legal proceedings is the processing of data carried out in the context of the activities of that establishment and that the national supervisory authority is competent to exercise that power under the GDPR.
- A national supervisory authority (which is not the LSA under the GDPR) which has brought legal proceedings concerning cross-border data processing in its Member State before the date of entry into force of the GDPR, may continue those legal proceedings under the pre-GDPR legal framework (i.e. under the Data Protection Directive 95/46/EC). In addition, an action may be brought by that national supervisory authority with respect to infringements committed after 25 May 2018 on the basis of the GDPR, provided that: (i) the proceedings relate to a situation where the GDPR, as an exception, allows a national supervisory authority (that is not the LSA) to adopt a decision finding that the data processing is in breach of the GDPR, and (ii) the cooperation and consistency procedures laid down by the GDPR are respected.
- Article 58(5) GDPR has direct effect, with the result that a national supervisory authority may rely on that provision in order to bring or continue a legal action against private parties, even where that provision has not been specifically implemented in the legislation of the Member State concerned.
In the present case, the CJEU concluded that it will be for the referring national court to determine whether the rules regarding the allocation of competences and the relevant procedures and mechanisms under the GDPR have been correctly applied in the main proceedings.