DOUBLE TROUBLE FOR EU DATA CONTROLLERS? PARALLEL PROCEEDINGS UNDER GDPR ALLOWED BY LUXEMBOURG IN HUNGARIAN CASE
10 May 2023
The General Data Protection Regulation (‘GDPR’) offers several types of remedies to individuals whose rights were infringed. Can those remedies be exercised in parallel, or must the person concerned choose among them? The Court of Justice of the European Union (‘CJEU’) provides an answer to this question in its recent decision, delivered in a Hungarian case.
The above question arose in a case concerning the access request of an individual who is the shareholder of a Hungarian public limited liability company. After attending a general meeting, the shareholder asked the company to send him the sound recording made at the general meeting. The company complied with the shareholder’s request only partially as it only made available excerpts from the recording which reproduced his own contributions.
The shareholder decided to pursue administrative and civil law remedies in parallel under the provisions of the GDPR.
First, the shareholder requested the Hungarian supervisory authority to order the company to send him the whole recording. The authority refused this request, and he consequently started administrative litigation against the decision of the supervisory authority.
Second, he also filed a civil lawsuit against the decision of the company refusing his access request. In its final judgement, the civil court already established that the company had infringed the shareholder’s right of access to his personal data.
In the above context, the Hungarian administrative court referred the case to the CJEU in Luxembourg for a preliminary ruling on the question whether the administrative remedies and the civil remedies under the GDPR may be exercised concurrently with and independently of each other, or whether one of them has priority over the other. The Hungarian administrative court noted that parallel exercise of these remedies could give rise to contradictory decisions concerning identical facts.
The Luxembourg court first examined the wording of the respective provisions of the GDPR and highlighted that the remedies offered must be capable of being exercised ‘without prejudice’ to the others. According to the CJEU, the provisions of the GDPR do not provide for any priority or exclusive competence or for any rule of precedence in respect of the assessment carried out by the authority or by a court as to whether there is an infringement of the rights concerned.
Furthermore, while the GDPR handles the situation when the data subject initiates proceedings before the supervisory authorities or courts of several Member States, the Regulation does not lay down such rules in respect of cases where the data subject files a complaint with the supervisory authority and starts litigation before the competent civil court of the same Member State.
Moreover, the aim of the GDPR is to ensure a high level of protection of natural persons with regard to the processing of their personal data. To leave to data subjects the option to exercise administrative and civil remedies concurrently with and independently of each other is consistent with the said objective of the GDPR.
Thus, the Luxembourg court found that the administrative and civil remedies provided for by the GDPR may be exercised concurrently with and independently of each other.
Finally, the CJEU admitted that the risk of contradictory decisions issued in parallel proceedings can call into question the consistent and homogeneous application of the GDPR, which is capable of undermining legal certainty.
According to the Luxembourg court, each Member State shall lay down the detailed rules of administrative and judicial procedures to ensure the effective protection of the rights guaranteed by the GDPR, the consistent and homogeneous application of its provisions, as well as the right to an effective remedy before a court or tribunal.
By this decision, the CJEU tried to strike a balance between the efficiency of data subject rights under the GDPR and the maintenance of legal certainty, by outsourcing the latter partially to the Member States of the European Union.
As the CJEU made it clear that administrative and civil remedies under the GDPR can be exercised in parallel, data controllers may face a situation where they are hit by the investigation of the supervisory authority and by a civil lawsuit at the same time. Now the ball is in the court of the Hungarian legislator to lay down rules which prevent these parallel proceedings from bringing completely different outcomes.
This article was originally published on CEE Legal Matters on 13/02/2023