15 February 2023

The General Data Protection Regulation (‘GDPR’) offers more types of remedies to individuals whose rights were infringed. Can those remedies be exercised parallelly, or shall the person concerned choose among them? The Court of Justice of the European Union (‘CJEU’) provides an answer to this question in its fresh decision, delivered in a Hungarian case.

The above question arose in a case concerning the access request of an individual who is the shareholder of a Hungarian public limited liability company. After attending a general meeting, the shareholder asked the company to send him the sound recording made at the general meeting. The company complied with the shareholder’s request only partially as it only made available excerpts from the recording which reproduced his own contributions.

The shareholder decided to pursue administrative and civil law remedies parallelly under the provisions of the GDPR.

First, the shareholder requested the Hungarian supervisory authority to order the company to send him the whole recording which request was refused by the authority, consequently, he started an administrative litigation against the decision of the supervisory authority.

Second, he also filed a civil lawsuit against the decision of the company refusing his access request. In its final judgement, the civil court already established that the company has infringed the shareholder’s right to access to his personal data.

In the above context, the Hungarian administrative court sent the case to Luxembourg to the CJEU, to give preliminary ruling on the question whether the administrative remedies and the civil remedies under the GDPR may be exercised concurrently with and independently of each other or whether one of them has priority over the other. The Hungarian administrative court noted that parallel exercise of these remedies could give rise to contradictory decisions concerning identical facts.

The Luxembourg court first examined the wording of the respective provisions of the GDPR and highlighted that the remedies offered must be capable of being exercised ‘without prejudice’ to the others. According to the CJEU, the provisions of the GDPR do not provide for any priority or exclusive competence or for any rule of precedence in respect of the assessment carried out by the authority or by a court as to whether there is an infringement of the rights concerned.

Furthermore, while the GDPR handles the situation when the data subject initiates proceedings before the supervisory authorities or courts of several Member States, the Regulation does not lay down such rules in respect of cases where the data subject files a complaint with the supervisory authority and starts litigation before the competent civil court of the same Member State.

Moreover, the aim of the GDPR is to ensure a high level of protection of natural persons with regard to the processing of their personal data. To leave to data subjects the option to exercise administrative and civil remedies concurrently with and independently of each other is consistent with the said objective of the GDPR.

Thus, the Luxembourg court found that the administrative and civil remedies provided for by the GDPR may be exercised concurrently with and independently of each other.

Finally, the CJEU admitted that the risk of contradictory decisions issued in parallel proceedings can call into question the consistent and homogeneous application of the GDPR which is capable of undermining legal certainty.

According to the Luxembourg court, each Member State shall lay down the detailed rules of administrative and judicial procedures to ensure the effective protection of the rights guaranteed by the GDPR, the consistent and homogeneous application of its provisions, as well as the right to an effective remedy before a court or tribunal.

By this decision the CJEU tried to strike a balance between efficiency of data subject rights under the GDPR and maintaining legal certainty, by outsourcing the latter partially to the Member States of the European Union.

As the CJEU made it clear that administrative and civil remedies under the GDPR can be exercised parallelly, data controllers may face a situation where they are hit by the investigation of the supervisory authority and by a civil lawsuit at the same time. Now the ball is on the side of the Hungarian legislator to ensure the rules which exclude that these parallel proceedings bring a completely different outcome.