Two Are Better Than One: Are Data Subjects Allowed to File Several Legal Remedies at the Same Time in the Case of Data Protection Violations?

In the case of data protection violations, data subjects are generally free to choose between different legal remedies. But what happens if data subjects want to file not just one, but several legal remedies in parallel? Can the administrative court, for example, deal with the same facts that are also being dealt with by the civil court at the same time? In its judgment of 12 January 2023 (C-132/21), the European Court of Justice affirmed this in principle.

What happened?
In 2019, the data subject attended the general meeting of the controller and in this context addressed several questions to the members of the board of directors as well as to other participants. Afterwards, the data subject requested the controller to provide him with the audio recordings made during the meeting. The person in charge only complied with this request to a limited extent. The person concerned was given audio tapes, which only contained his speeches, but not the answers to the questions asked. The person in charge claimed that the answers were data of third parties, which had to be protected.

The data subject complained to the data protection supervisory authority, which rejected the complaint and an action was brought before the administrative court. At the same time, however, the data subject also brought an action before the civil courts, so that two courts had to decide on the same facts.

While the action was still pending before the administrative court, the civil court upheld the action and found that the controller had violated the data subject's right of access to his or her personal data. This judgement became final.

However, since the administrative court now had to deal with the same facts and the same issue, it referred the question to the European Court of Justice whether it was bound by the final judgment of the civil court, which related to the same facts and the same legal issues, in the course of its judgment. Since a parallel appeal could well lead to conflicting decisions, it should in particular be clarified in this context whether one of the appeals took precedence over the other.

How did the European Court of Justice rule?
The European Court of Justice held that, in principle, parallel remedies were permissible under Art. 77 - 79 GDPR. The GDPR provides data subjects with various remedies, each of which is "without prejudice" to the others. No overriding or exclusive jurisdiction could be inferred from the GDPR - irrespective of whether it was a decision of an authority or a court. The primary objective of the GDPR, based on Recital 10, was exclusively to guarantee data subjects a high level of data protection. The parallel use of several remedies would guarantee this objective and strengthen the rights of data subjects.

In the view of the European Court of Justice, the concrete implementation of a high level of data protection was, against this background, up to the individual Member States.

What does this decision mean for the member states?
Within the framework of their procedural autonomy, the Member States are now obliged to adopt appropriate procedural rules and to ensure that an interplay of remedies is regulated "in order to guarantee the effectiveness of the protection of the rights guaranteed by this Regulation, the uniform and consistent application of its provisions and the right to an effective remedy before a court laid down in Article 47 of the Charter of Fundamental Rights".

Similarly, it is important to avoid contradictory decisions in the interests of a uniform interpretation of the GDPR. This is likely to be achieved primarily through appeals.

Conclusion
The ruling of the European Court of Justice shows once again the paramount importance of the protection of personal data. Businesses should therefore always be vigilant in thoroughly reviewing all data processing in their operations and taking the necessary safeguards to ensure the security and protection of that data.

Therefore, deal with your data processing procedures at an early stage. If you need support in this regard, please contact us. We will be happy to help you and support you with our expert knowledge.