CURIA - Documents

Home > Search form > List of results > Documents

Start printing

Language of document :

Request for a preliminary ruling from the Sofiyski rayonen sad (Bulgaria) lodged on 12 September 2023 – Teritorialna direktsia na Natsionalnata agentsia za prihodite – Sofia

(Case C-563/23, Natsionalna agentsia za prihodite)

Language of the case: Bulgarian

Referring court

Sofiyski rayonen sad

Parties to the main proceedings

Applicant in the main proceedings: Teritorialna direktsia na Natsionalnata agentsia za prihodite – Sofia

Questions referred

Must Article 4(7) of Regulation (EU) 2016/679 ¹ (‘the General Data Protection Regulation’ or ‘the GDPR’) be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of taxable persons determines the purposes or means of the processing of personal data and is therefore a ‘controller’ for the purposes of the processing of personal data?

If the first question is answered in the negative, must Article 51 of GDPR be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of taxable persons is responsible for monitoring [the application of] that regulation and must therefore be classified as a ‘supervisory authority’ in relation to those data?

If either of the above questions is answered in the affirmative, must Article 32(1)(b) of the GDPR and Article 57(1)(a) of that regulation be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of taxable persons is obliged, in the presence of data concerning a personal data breach committed in the past by the body to which such access is to be granted, to obtain information on the data protection measures taken and to assess the appropriateness of those measures in its decision to permit access?

Irrespective of the answers to the [second] and [third] questions, must Article 79(1) of the GDPR, read in conjunction with Article 47 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that, where the national law of a Member State provides that certain categories of data may be disclosed only after permission to do so has been granted by a court, the court so competent must of its own motion grant legal protection to the persons whose data are to be disclosed, by requiring the authority which has applied for access to the data in question, and which is known to have received binding instructions from the authority under Article 51(1) of the GDPR following a personal data breach, to provide information on the implementation of the measures imposed on it by administrative decision pursuant to Article 58(2)(d) of the GDPR?

____________

¹ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).