Provisional text
OPINION OF ADVOCATE GENERAL
RICHARD DE LA TOUR
delivered on 4 September 2025 (1)
Case C‑414/24
Datenschutzbehörde,
Dr. G S
Other party:
Bundesministerin für Justiz,
D GmbH
(Request for a preliminary ruling from the Verwaltungsgerichtshof (Supreme Administrative Court, Austria))
(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Articles 77 and 79 – Remedies – Parallel exercise – Relationship between an administrative complaint and a judicial remedy – Procedural autonomy of the Member States – Principle of effectiveness)
I. Introduction
1. The present request for a preliminary ruling concerns the interpretation of Article 77(1) and Article 79(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). (2)
2. This request was made in the context of a dispute between Dr GS (‘GS’) and the Österreichische Datenschutzbehörde (Data Protection Authority, Austria) (‘the DSB’) concerning the rejection of the complaint lodged with the DSB by GS, on the ground that GS had previously brought the same matter before a court.
3. The request for a preliminary ruling follows the judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság [(3)], by which the Court of Justice held that the remedies provided for in Article 77(1) and Article 78(1) of the GDPR, on the one hand, and Article 79(1) thereof, on the other, may be exercised concurrently with and independently of each other. Article 77(1) and Article 78(1) of that regulation concern, respectively, the right to lodge a complaint with a supervisory authority (4) and the right to a judicial remedy against the decision of that authority. Article 79(1) concerns the right to judicial remedy against a controller or processor.
4. The Verwaltungsgerichtshof (Supreme Administrative Court, Austria), which is the referring court, wishes to obtain clarification from the Court as to the relationship between those remedies and, more specifically, as to whether the supervisory authority may reject a complaint where judicial proceedings concerning the same subject matter have already been brought, even though those proceedings are still pending or the decision given in those proceedings is not yet final.
5. That question is of great importance, having regard to the EU legislature’s intention, on the one hand, to impose a special duty of diligence on the supervisory authority and, on the other, to strengthen the right to effective judicial protection enshrined in Article 47 of the Charter of Fundamental Rights of the European Union. (5)
6. In this Opinion, I shall propose that the Court rule that Article 77(1) and Article 79(1) of the GDPR must be interpreted as meaning that they preclude a supervisory authority, with which a complaint has been lodged in accordance with Article 77(1) of that regulation, from rejecting that complaint on the ground that judicial proceedings under Article 79(1) of that regulation, concerning the same subject matter, have already been brought and where the decision given in those proceedings is not yet final.
7. I shall begin my analysis by recalling that the remedies provided for, in Article 77(1) and Article 78(1) of the GDPR, on the one hand, and Article 79(1) thereof, on the other, can be exercised concurrently with and independently of each other. I shall also note the Member States’ obligation to coordinate those remedies in order to avoid contradictory decisions. I shall show that that obligation to coordinate those remedies cannot affect the possibility to exercise the remedies available under the GDPR concurrently with and independently of each other by allowing the supervisory authority to reject the complaint it has received rather than suspend its investigation of that complaint until the judicial proceedings brought under Article 79(1) of the GDPR have been definitively closed.
II. Legal framework
A. European Union law
8. Article 17 of the GDPR, entitled ‘Right to erasure (“right to be forgotten”)’ provides, in paragraph 1(d):
‘The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
…
(d) the personal data have been unlawfully processed.’
9. Within Chapter VI of the GDPR, entitled ‘Independent supervisory authorities’, Section 1, on ‘independent status’, comprises Articles 51 to 54. Under Article 51(1) of the GDPR:
‘Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union …’
10. Article 52(1) of the GDPR is worded as follows:
‘Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.’
11. Within Chapter VI, Section 2, of the GDPR, which is entitled ‘Competence, tasks and powers’ and comprises Articles 55 to 59, Article 57(1)(a) and (f) provides:
‘Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:
(a) monitor and enforce the application of this Regulation;
…
(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary.’
12. Article 58(4) of the GDPR provides:
‘The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.’
13. Under Article 77 of the GDPR, entitled ‘Right to lodge a complaint with a supervisory authority’:
‘1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.’
14. Article 78 of the GDPR, entitled ‘Right to an effective judicial remedy against a supervisory authority’ provides in paragraph 1 thereof:
‘Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.’
15. Article 79 of the GDPR, entitled ‘Right to an effective judicial remedy against a controller or processor’, provides in paragraph 1 thereof:
‘Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.’
16. Article 81 of the GDPR, entitled ‘Suspension of proceedings’ states, in paragraphs 2 and 3 thereof:
‘2. Where proceedings concerning the same subject matter as regards processing of the same controller or processor are pending in a court in another Member State, any competent court other than the court first seized may suspend its proceedings.
3. Where those proceedings are pending at first instance, any court other than the court first seized may also, on the application of one of the parties, decline jurisdiction if the court first seized has jurisdiction over the actions in question and its law permits the consolidation thereof.’
B. Austrian law
17. Paragraph 94(1) of the Bundes-Verfassungsgesetz (Federal Constitutional Law) is worded as follows:
‘The courts are independent of the executive at all levels.’
18. Paragraph 24 of the Bundesgesetz zum Schutz natürlicher Personen bei der Verarbeitung personenbezogener Daten (Federal law on the protection of natural persons with regard to the processing of personal data) (6) of 17 August 1999, in the version applicable to the dispute in the main proceedings, entitled ‘Complaints addressed to the data protection authority’, states, in paragraphs 1 and 4:
‘(1) Every data subject has the right to lodge a complaint with the data protection authority if the data subject considers that the processing of the personal data concerning him or her infringes the GDPR …
…
(4) The right to have a complaint dealt with expires if the complainant does not lodge the complaint within a year after having gained knowledge of the incident that gave rise to the complaint, and in any event within at most three years after the incident allegedly occurred. Late complaints shall be rejected.’
III. The facts of the dispute in the main proceedings and the questions referred for a preliminary ruling
19. On 3 July 2017, before the entry into force of the GDPR, (7) GS requested the erasure of personal data by D GmbH, an undertaking operating an online physician search platform enabling third parties to provide reviews and testimonials on physicians. That request for erasure of data was rejected by judgment of 10 July 2017.
20. In November 2017, GS brought an action before a civil court against D, claiming, among other things, an infringement of the right to protection of personal data and requesting the erasure of her personal data published by D and the prohibition of any further processing.
21. On 22 June 2018, after the entry into force of the GDPR, GS made another request for D to erase her personal data from its platform, which was also refused by letter of 6 July 2018.
22. Accordingly, on 26 July 2018, GS lodged a complaint under Article 77 of the GDPR with the DSB, relying primarily on Article 17 of that regulation, which enshrines the right to erasure. In that complaint, GS requested the DSB to determine that her rights had been infringed and to require D to erase all of the data from its platform and to refrain from any further processing.
23. By decision of 4 January 2019, the DSB rejected that request on the ground that the complaint and the civil action brought in November 2017 related to the same subject matter, namely the erasure of GS’ personal data from D’s platform. The DSB took the view that, from a systemic perspective, lodging a complaint with a supervisory authority concurrently with, or consecutive to, legal proceedings in relation to the same subject matter is incompatible with the remedial mechanism of the GDPR.
24. By judgment of 4 December 2020, the Bundesverwaltungsgericht (Federal Administrative Court, Austria) dismissed the action against that decision. Previously, by a judgment of 23 July 2020, the action brought by GS before a civil court in November 2017 had been dismissed. That judgment was not yet final on 4 December 2020.
25. In its judgment, the Bundesverwaltungsgericht (Federal Administrative Court) held that the GDPR had intentionally provided for a two-track legal remedy and that, consequently, the DSB’s competence to rule on that complaint must, in principle, be acknowledged. However, that court held that the one-year limitation period set out in Paragraph 24(4) of the Austrian Law on data protection had expired. In so far as GS was aware of the publication of her personal data by D on 3 July 2017 and since no further material facts had been alleged in the subsequent course of the proceedings, the right to have her complaint dealt with on the basis of Article 77 of the GDPR had already expired by the time GS lodged it, on 26 July 2018. The change in the legal situation, namely the entry into force of the GDPR, did not result in an interruption of the limitation period. Since a complaint under Article 77 of the GDPR is also to be rejected if it is lodged out of time, the rejection of GS’ complaint was, according to the Bundesverwaltungsgericht (Federal Administrative Court), the correct decision.
26. GS and the DSB both lodged an appeal on a point of law with the Verwaltungsgerichtshof (Supreme Administrative Court) against that judgment.
27. That court does not share the view of the Bundesverwaltungsgericht (Federal Administrative Court) as regards the limitation period applicable to GS’ complaint. Indeed, given that GS exercised the right to erasure within the meaning of Article 17(1) of the GDPR for the first time on 22 June 2018, following the entry into force of that regulation, the time limit laid down in Paragraph 24(4) of the Law on data protection did not start to run until GS became aware of D’s email of 6 July 2018 notifying her of its rejection of the request for erasure. The Verwaltungsgerichtshof (Supreme Administrative Court) therefore considered that the reasoning adopted by the Bundesverwaltungsgericht (Federal Administrative Court) could not justify the DSB’s rejection of GS’ complaint, lodged in accordance with Article 77(1) of the GDPR.
28. Nevertheless, the Verwaltungsgerichtshof (Supreme Administrative Court) examines whether there were other legal grounds for the rejection of that complaint. After recalling what the Court held in its judgment in Nemzeti Adatvédelmi és Információszabadság Hatóság and its judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts) [(8)], the referring court raises the question, inter alia, of the ground put forward by the DSB, relating to the existence of pending judicial proceedings in the same case. Paragraph 94(1) of the Federal Constitutional Law provides that the courts are independent of the executive at all levels. As the referring court explains, that provision guarantees a principle of the separation of powers between the judiciary and the executive, which requires that a case be assigned in its entirety for the purposes of its enforcement either to the courts or to the administrative authorities. That provision therefore does not allow courts and administrative authorities to decide on the same case concurrently or consecutively. (9)
29. First of all, the referring court is uncertain whether a complaint lodged with the supervisory authority under Article 77 of the GDPR may be rejected where an effective judicial remedy under Article 79 of the GDPR has already been sought in the same case and the associated proceedings are still pending before the court.
30. The referring court notes that, in its judgment in Nemzeti Adatvédelmi és Információszabadság Hatóság, the Court held that Articles 77 to 79 of the GDPR permit the remedies provided for in Article 77(1) and Article 78(1) of that regulation, on the one hand, and in Article 79(1) thereof, on the other, to be exercised concurrently with and independently of each other, and that it is for the Member States, in accordance with the principle of procedural autonomy, to lay down detailed rules as regards the relationship between those remedies in order to ensure the effective protection of the rights guaranteed by that regulation and the consistent and homogeneous application of its provisions, as well as the right to an effective remedy before a court or tribunal, as referred to in Article 47 of the Charter.
31. The referring court considers that it is possible to prevent the existence of contradictory decisions, which ‘would call into question the objective … of ensuring a consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data throughout the European Union’, (10) by means of a mechanism which is similar in its effect to that for which Article 81(2) and (3) of the GDPR provides, whereby when one dispute is pending before the civil courts and the administrative authorities, the body other than the one first seized declines jurisdiction.
32. According to that court, even though the applicable national arrangement is not an exact match with the mechanisms set out in the GDPR for dealings between Member States, it seems reasonable, in view of that objective, to regard it as permissible.
33. The referring court adds that, even though the principle of effective judicial protection, on which the Court relies, focuses primarily on the situation of the data subject who exercises the right of judicial remedy, the data controller cast in the role of respondent must also be granted the right to effective administration of proceedings, a right which may be prejudiced by the fact that two parallel procedures may constitute quite a considerable burden, particularly in terms of the cost of legal representation in those two sets of proceedings.
34. Thus, even the fact that a case is pending before a court seised in accordance with Article 79 of the GDPR makes it inadmissible for the supervisory authority to deal with that case, under Article 77 of the GDPR, if a complaint is lodged with that authority after the judicial proceedings have been brought.
35. However, the referring court notes that, in the event of a complaint lodged under Article 77 of the GDPR being rejected on the sole ground that judicial proceedings are pending, a substantive decision on the alleged breach of personal data protection will not yet have been made at the time of rejection, and so there is no risk of contradictory decisions at that stage either.
36. Secondly, if its first question is answered in the negative, the referring court wishes to know whether a complaint lodged with the supervisory authority under Article 77 of the GDPR may be rejected on the ground that a judicial decision on the merits has already been delivered in proceedings brought under Article 79 of the GDPR.
37. According to that court, the rejection, on the basis of the principle of prior adjudication, of a complaint lodged with the supervisory authority on or after the date on which a decision on the merits has been delivered in the judicial proceedings takes account of the aim of avoiding contradictory decisions. However, the view may be taken that reliance on a decision which is not final does not provide the data subject with any certainty regarding the continuing validity of that decision.
38. In those circumstances, the Verwaltungsgerichtshof (Supreme Administrative Court) decided to stay the proceedings and refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Are Articles 77 and 79 of [the GDPR] to be interpreted, in the light of the findings of the Court in the judgments [in Nemzeti Adatvédelmi és Információszabadság Hatóság] and [SCHUFA Holding], as meaning that the possibility provided by national law for the rejection of a complaint lodged with a supervisory authority under Article 77 of the GDPR on the ground that a judicial remedy has already been sought in the same case under Article 79 of the GDPR and that the action is pending before the court [in question] constitutes a permissible arrangement for regulating the relationship between those remedies within the meaning of the abovementioned case-law of the Court?
(2) If the answer to the first question is in the negative, are Articles 77 and 79 of [the GDPR] to be interpreted, in the light of the findings of the Court in the judgments [in Nemzeti Adatvédelmi és Információszabadság Hatóság] and [SCHUFA Holding], as meaning that the possibility provided by national law for the rejection of a complaint lodged with a supervisory authority under Article 77 of the GDPR on the ground that a substantive judgment (even if not yet final) has already been made in the pending proceedings in the same case on the judicial remedy under Article 79 of the GDPR constitutes a permissible arrangement for regulating the relationship between those remedies within the meaning of the abovementioned case-law of the Court?’
39. GS, D, the DSB, the Austrian, Italian and Hungarian Governments and the European Commission submitted written observations.
IV. Analysis
40. In order to be able to rule on the action before it, the referring court wishes to obtain clarification from the Court as to the relationship between, on the one hand, a complaint lodged with a supervisory authority under Article 77(1) of the GDPR and, on the other hand, judicial proceedings brought under Article 79(1) of that regulation.
41. By its questions, which I propose to examine together, the referring court thus asks the Court, in essence, to rule on whether a supervisory authority with which a complaint has been lodged, in accordance with Article 77(1) of the GDPR, may reject that complaint on the ground that judicial proceedings under Article 79(1) of that regulation, concerning the same subject matter, have already been brought (first question) and where the decision given in those proceedings is not yet final (second question).
42. In my view, both questions should be answered in the negative. I note, moreover, that despite the DSB’s rejection of the complaint lodged by GS, both the Austrian Government and that supervisory authority share this view.
43. It must be recalled, at the outset, that Chapter VIII of the GDPR governs, inter alia, the legal remedies enabling the protection of the data subject’s rights where his or her personal data have been the subject of processing that is allegedly contrary to the provisions of that regulation. The protection of those rights may thus be sought either directly by the data subject, under Articles 77 to 79 of that regulation, or by an authorised entity, whether there is a mandate to that end or not, pursuant to Article 80 thereof. (11)
44. In order to clarify for the referring court whether the rejection by the supervisory authority of a complaint submitted to it under Article 77(1) of the GDPR on the ground that judicial proceedings under Article 79(1) of that regulation, concerning the same subject matter, have already been brought and where the decision given in those proceedings is not yet final, constitutes a permissible arrangement as regards the relationship between those remedies provided for by that regulation, it should be borne in mind that, in interpreting a provision of EU law it is necessary to consider not only its wording but also its context and the objectives pursued by the legislation of which it forms part. (12)
45. As regards the wording of the relevant provisions of the GDPR, it should be recalled, first of all, that Article 77(1) of that regulation states that it is ‘without prejudice to any other administrative or judicial remedy’ that every data subject has the right to lodge a complaint with a supervisory authority. Secondly, under Article 78(1) of the regulation, each natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them ‘without prejudice to any other administrative or non-judicial remedy’. Finally, Article 79(1) of that regulation guarantees each data subject the right to an effective judicial remedy ‘without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77’.
46. According to the Court, those provisions of the GDPR offer different remedies to persons claiming that that regulation has been infringed, it being understood that each of those remedies must be capable of being exercised ‘without prejudice’ to the others. (13) Accordingly, the GDPR does not provide for any priority or exclusive competence or jurisdiction or for any rule of precedence in respect of the assessment carried out by the authority or by the courts referred to therein as to whether there is an infringement of the rights conferred by that regulation. (14) In other words, the EU legislature wished to provide data subjects with a complete system of remedies, in which the right to a judicial remedy and the possibility of exercising an administrative or non-judicial remedy coexist independently, neither remedy being subsidiary to the other.
47. The remedy provided for in Article 78(1) of the GDPR, the purpose of which is to examine the lawfulness of the decision of a supervisory authority adopted on the basis of Article 77 thereof, and the remedy provided for in Article 79(1) of that regulation may therefore be exercised concurrently with and independently of each other. (15) The same applies to complaints submitted to supervisory authorities pursuant to Article 77(1) of the GDPR.
48. That finding is borne out by the context of the relevant provisions of the GDPR (16) and by the objectives pursued by that regulation. In that regard, it is apparent, in particular, from recital 10 thereof that the aim of that regulation is to ensure a high level of protection of natural persons with regard to the processing of personal data within the European Union. Recital 11 of that regulation states, moreover, that effective protection of such data requires the strengthening of the rights of data subjects. Thus, the EU legislature’s decision to leave to data subjects the option to exercise the remedies provided for in Article 77(1) and Article 78(1) of the GDPR, on the one hand, and Article 79(1) thereof, on the other, concurrently with and independently of each other is consistent with the objective of that regulation. (17) The Court has also pointed out that making several remedies available strengthens the objective set out in recital 141 of the GDPR of guaranteeing for every data subject who considers that his or her rights under that regulation are infringed the right to an effective judicial remedy in accordance with Article 47 of the Charter. (18) I would add that such an interpretation is also borne out by the legislative process which led to the adoption of the GDPR. Within the Council of the European Union, the Republic of Austria explained its refusal to vote in favour of that text, in particular, with regard to the twin-track approach to judicial remedies provided for in that regulation. (19) However, that twin-track approach to judicial remedies was maintained in the final version of that regulation.
49. In the light of what the Court held in its judgment in Nemzeti Adatvédelmi és Információszabadság Hatóság, I consider that allowing a supervisory authority with which a complaint has been lodged, pursuant to Article 77(1) of the GDPR, to reject that complaint on the ground that judicial proceedings under Article 79(1) of that regulation, concerning the same subject matter, have already been brought and where the decision given in those proceedings is not yet final, would undermine the possibility afforded to data subjects by the GDPR to bring parallel actions in respect of the same processing of personal data.
50. Admittedly, I had occasion to point out in my Opinion in Nemzeti Adatvédelmi és Információszabadság Hatóság that that possibility may present a disadvantage, namely the legal uncertainty that arises when contradictory decisions are reached in the same Member State. While the risk of contradictory decisions between the supervisory authorities or the courts of different Member States was addressed by the EU legislature in the GDPR, the same does not apply where such decisions are adopted within one and the same Member State. (20) In those circumstances, it is for each Member State to put in place the procedural tools that make it possible to ensure that contradictory decisions are not adopted in relation to the same processing of personal data. (21)
51. In the case which gave rise to the judgment in Nemzeti Adatvédelmi és Információszabadság Hatóság, the situation before the Court was one in which the court hearing an action brought on the basis of Article 78(1) of the GDPR could be called upon to adopt a decision contrary to the decision, which had become final, already adopted by the court hearing an action brought on the basis of Article 79(1) of that regulation.
52. In that case, the Court pointed out, first, that the existence of two contradictory decisions would call into question the objective, set out in recital 10 of the GDPR, of ensuring a consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data throughout the European Union. (22) According to the Court, the protection granted pursuant to a decision given to dispose of an action brought on the basis of Article 79(1) of that regulation, finding that that regulation’s provisions have been infringed, would not be consistent with a second judicial decision resulting from an action brought on the basis of Article 78(1) of that regulation that has the opposite outcome. (23) Second, the result of this would be a weakening of the protection of natural persons with regard to the processing of their personal data, since such an inconsistency would create a situation of legal uncertainty. (24)
53. It is therefore important for Member States to ensure that the existence of remedies that may be exercised in parallel by data subjects does not call into question the effectiveness of the protection of the rights that the GDPR confers on them. It is for the Member States to choose which procedural remedies appear to them to be the most appropriate in order to allow a harmonious relationship between the remedies provided for in Articles 77 to 79 of that regulation.
54. In that regard, the Court has held that, in the absence of EU rules governing the matter, it is for each Member State, in accordance with the principle of the procedural autonomy of the Member States, to lay down the detailed rules of administrative and judicial procedures intended to ensure a high level of protection of rights which individuals derive from EU law. (25) However, the detailed rules for the implementation of concurrent and independent remedies should not call into question the effectiveness and effective protection of the rights guaranteed by the GDPR. (26) Those detailed rules must not be less favourable than those governing similar domestic actions (principle of equivalence); nor must they render practically impossible or excessively difficult the exercise of rights conferred by EU law (principle of effectiveness). (27) Thus, the Court has also pointed out that the Member States must ensure that the practical arrangements for the exercise of the remedies provided for in Article 77(1), Article 78(1) and Article 79(1) of that regulation effectively meet the requirements arising from the right to an effective remedy enshrined in Article 47 of the Charter. (28)
55. In my Opinion in Nemzeti Adatvédelmi és Információszabadság Hatóság, (29) I stated inter alia that the Member States might provide that a court seised of an action under Article 79(1) of the GDPR, when a complaint procedure under Article 77(1) of that regulation or a legal action under Article 78(1) of that regulation is pending, may or must stay the proceedings pending before it and not give judgment until a decision has been taken in one or other of those procedures. (30) A stay of proceedings may, in my view, constitute a solution in order to avoid the adoption of contradictory decisions that may undermine legal certainty. (31)
56. That solution seems to me to be particularly appropriate in the context of the present case. Accordingly, a supervisory authority with which a complaint has been lodged in accordance with Article 77(1) of the GDPR should be allowed to suspend the investigation of that complaint where judicial proceedings under Article 79(1) of that regulation, concerning the same subject matter, have already been brought and where the decision given in those proceedings is not yet final.
57. By contrast, rejecting a complaint in such a context seems to me to be contrary to the principle of effectiveness, in so far as that arrangement as regards the relationship between those remedies is liable to call into question the effective protection of the rights guaranteed by the GDPR. Indeed, such a rejection seems to me to be contrary to the very principle of a complete system of remedies which may be exercised concurrently with and independently of each other. Moreover, rejecting a complaint is not necessarily an appropriate measure to avoid the adoption of contradictory decisions.
58. In that regard, it should be pointed out that, when a supervisory authority rejects a complaint on the ground that judicial proceedings brought in accordance with Article 79(1) of the GDPR are still pending, it cannot yet be certain that a decision on the merits will be given in those proceedings. That legal action may be rejected on a procedural ground, such as inadmissibility, without a decision on the merits.
59. Moreover, even if those proceedings should give rise to a decision on the merits, as in this case, that decision may be challenged by means of domestic remedies. This is why, contrary to what the Commission seems to consider in its observations, (32) the question whether the judicial decision is final or not seems to me to be of importance. In my view, the supervisory authority cannot automatically reject a complaint on the ground that judicial proceedings brought in accordance with Article 79(1) of the GDPR have resulted in a decision, as long as that decision has not become final and can therefore still be challenged.
60. In short, as long as the contradiction between the decision taken by a supervisory authority seised pursuant to Article 77(1) of the GDPR and the decision, that is not yet final, given by a court seised in accordance with Article 79(1) of that regulation is only hypothetical, that authority cannot reject the complaint submitted to it on the basis of that risk of contradiction.
61. In support of that interpretation, the importance of the right to lodge a complaint with a supervisory authority, enshrined in Article 77(1) of the GDPR, in order to ensure the effective protection of the rights guaranteed by that regulation should be stressed. That protection results, in particular, from the extensive powers conferred by that regulation on the supervisory authority to assess the existence of unlawful processing of the personal data of the data subject and to take appropriate measures to remedy it.
62. In that context, I would point out that Article 51(1) of the GDPR requires Member States to provide for one or more independent public authorities that are to be responsible for monitoring the application of that regulation. The establishment of such authorities, which is also provided for by primary EU law, namely Article 8(3) of the Charter and Article 16(2) TFEU, is an essential component of the protection of individuals with regard to the processing of personal data. (33) Those authorities have the primary task, under Article 51(1) and (2) and Article 57(1)(a) and (g) of the GDPR, to monitor and enforce the application of that regulation, while contributing to its consistent application within the European Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of such data within the European Union. (34)
63. In particular, under Article 57(1)(f) of the GDPR, each supervisory authority is required on its territory to handle complaints which, in accordance with Article 77(1) of that regulation, any data subject is entitled to lodge where that data subject considers that the processing of his or her personal data infringes the regulation, and is required to examine the nature of that complaint as necessary. The supervisory authority must deal with such a complaint with all due diligence. (35) Accordingly, the Court has pointed out that, although the supervisory authority must determine which action is appropriate and necessary and take into consideration all the circumstances of the processing of personal data in question in that determination, the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence. (36)
64. In order to monitor and enforce the application of that regulation, the supervisory authorities have at their disposal the various powers conferred on them under Article 58 of that regulation. Accordingly, Article 58(1) of the GDPR confers extensive investigative powers on those supervisory authorities. Where, following its investigation, such an authority finds an infringement of the provisions of that regulation, it is required to react appropriately in order to remedy the shortcoming found. To that end, Article 58(2) of that regulation lists the various corrective measures that the supervisory authority may adopt. (37)
65. The Court has concluded that the complaints procedure, which is not similar to that of a petition, is designed as a mechanism capable of effectively safeguarding the rights and interests of data subjects. (38) From that perspective, the supervisory authority is required to take action where the exercise of one or more of the corrective powers provided for in Article 58(2) of the GDPR is, taking into account all the circumstances of the specific case, appropriate, necessary and proportionate to remedy the shortcoming found and ensure that that regulation is fully enforced. (39)
66. In my view, it would be contrary to that objective and to the duty of diligence incumbent on the supervisory authority to automatically deprive a data subject of the benefit of such a mechanism by allowing that authority to reject his or her complaint on the ground that judicial proceedings under Article 79(1) of that regulation, concerning the same subject matter, have already been brought and where the decision given in those proceedings is not yet final. On the other hand, it seems to me that suspending the investigation of that complaint pending a final judicial decision is consistent both with the need to ensure the effective protection of the rights guaranteed by the GDPR and with the need to avoid contradictory decisions within the same Member State.
67. Admittedly, it is true that the rejection, on such a ground, of the complaint lodged with the supervisory authority pursuant to Article 77(1) of the GDPR does not necessarily prevent the data subject from lodging a new complaint with that authority after the judicial proceedings have been definitively closed, either on procedural grounds or in the event that the data subject withdraws his or her action.
68. However, it may not be possible to lodge a new complaint if, as is the case in Austria, national law provides that complaints must be submitted within a time limit, and this time limit has passed. In such a case, the data subject could find him or herself deprived of any effective protection if his or her action was dismissed on procedural grounds without a decision on the merits, or if he or she wished to discontinue the judicial proceedings.
69. In addition, and more generally, such a solution, which places the onus on the data subject to lodge a fresh complaint with the supervisory authority after the initial rejection of his or her original complaint, seems to me to be contrary to the duty of diligence incumbent on that authority. As I have already indicated, that duty implies that the supervisory authority is to deal with the complaints it receives with all due diligence. That duty requires, in particular, that, when the supervisory authority receives a complaint and is informed of the existence of judicial proceedings brought in accordance with Article 79(1) of the GDPR and relating to the same facts, that authority should, when investigating that complaint, take note of the decision that will definitively close those proceedings. In the meantime, that investigation should be suspended.
V. Conclusion
70. In the light of all of the foregoing considerations, I propose that the Court should answer the questions for a preliminary ruling referred by the Verwaltungsgerichtshof (Supreme Administrative Court, Austria) as follows:
Article 77(1) and Article 79(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
must be interpreted as meaning that they preclude a supervisory authority, with which a complaint has been lodged in accordance with Article 77(1) of that regulation, from rejecting that complaint on the ground that judicial proceedings under Article 79(1) of that regulation, concerning the same subject matter, have already been brought and where the decision given in those proceedings is not yet final.