IP case law Court of Justice

CJEU, 18 Jun 2026, C-414/24 (Datenschutzbehörde)

Personal Data Protection > General Data Protection Regulation (GDPR) > Article 77 - Right to lodge a complaint with a supervisory authority
Personal Data Protection > General Data Protection Regulation (GDPR) > Article 79 - Right to an effective judicial remedy against a controller or processor

Provisional text

JUDGMENT OF THE COURT (First Chamber)

18 June 2026 (*)

( Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Articles 77 and 79 – Remedies – Parallel exercise – Relationship between the lodging of a complaint with a national supervisory authority and the exercise of a judicial remedy – Risk of contradictory decisions – Principle of effective judicial protection – Procedural autonomy of the Member States – Principle of effectiveness – Principle of equivalence )

In Case C-414/24,

REQUEST for a preliminary ruling under Article 267 TFEU from the Verwaltungsgerichtshof (Supreme Administrative Court, Austria), made by decision of 17 May 2024, received at the Court on 13 June 2024, in the proceedings

Datenschutzbehörde,

Dr. G S

other party:

Bundesministerin für Justiz,

D GmbH,

THE COURT (First Chamber),

composed of F. Biltgen, President of the Chamber, I. Ziemele (Rapporteur), A. Kumin, S. Gervasoni and M. Bošnjak, Judges,

Advocate General: J. Richard de la Tour,

Registrar: A. Calot Escobar,

having regard to the written procedure,

after considering the observations submitted on behalf of:

–         the Datenschutzbehörde, by M. Schmidl and E. Wagner,

–        Dr. G S, by S. Binder-Novak, Rechtsanwältin,

–        D GmbH, by S. Korab, Rechtsanwalt,

–        the Austrian Government, by A. Posch, J. Schmoll and C. Gabauer, acting as Agents,

–        the Italian Government, by S. Fiorentino, acting as Agent, and by E. De Bonis, avvocato dello Stato,

–        the Hungarian Government, by Zs. Biró-Tóth and M.Z. Fehér, acting as Agents,

–        the European Commission, by A. Bouchagiar, M. Heller and H. Kranenborg, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 4 September 2025,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Article 77 and 79 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).

2        The request has been made in proceedings between Dr. G S and the Datenschutzbehörde (Data Protection Authority, Austria) (‘the DSB’) concerning the rejection by that authority of the complaint lodged by Dr. G S, alleging a breach of her right to the protection of personal data concerning her, on the ground that the data subject had already brought judicial proceedings concerning the same subject matter and remained pending before the court seised.

 Legal context

 European Union law

3        Recitals 10, 11, 129 and 141 of the GDPR state:

‘(10)      In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …

(11)      Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data …

(129)      In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation. Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy. This should not preclude additional requirements pursuant to Member State procedural law. The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.

(141)      Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the [Charter of Fundamental Rights of the European Union (the Charter)] if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. …’

4        Article 17 of the GDPR, entitled ‘Right to erasure (“right to be forgotten”)’ provides, in paragraph 1(d):

‘The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(d)      the personal data have been unlawfully processed’.

5        Chapter VI of the GDPR, entitled ‘Independent supervisory authorities’, includes Articles 51 to 59 of that regulation.

6        Article 57(1)(f) of that chapter, entitled ‘Tasks’, is worded as follows:

‘Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(f)      handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary’.

7        Article 58(2) of the GDPR, entitled ‘Powers’ provides:

‘Each supervisory authority shall have all of the following corrective powers:

(a)      to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b)      to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

(c)      to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;

(d)      to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(e)      to order the controller to communicate a personal data breach to the data subject;

(f)      to impose a temporary or definitive limitation including a ban on processing;

(g)      to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;

(h)      to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

(i)      to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

(j)      to order the suspension of data flows to a recipient in a third country or to an international organisation.’

8        Chapter VIII of the GDPR, entitled ‘Remedies, liability and penalties’, comprises Articles 77 to 84 of that regulation.

9        Article 77 of the GDPR, entitled ‘Right to lodge a complaint with a supervisory authority’, provides:

‘1.      Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2.      The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.’

10      Article 78 of the GDPR, entitled ‘Right to an effective judicial remedy against a supervisory authority’, provides, in paragraphs 1 and 2 thereof:

‘1.      Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

2.      Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to [an] effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.’

11      Article 79 of the GDPR, entitled ‘Right to an effective judicial remedy against a controller or processor’, provides:

‘1.      Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

2.      Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.’

12      Article 81 of the GDPR, entitled ‘Suspension of proceedings’ states, in paragraphs 2 and 3 thereof:

‘2.      Where proceedings concerning the same subject matter as regards processing of the same controller or processor are pending in a court in another Member State, any competent court other than the court first seised may suspend its proceedings.

3.      Where those proceedings are pending at first instance, any court other than the court first seised may also, on the application of one of the parties, decline jurisdiction if the court first seised has jurisdiction over the actions in question and its law permits the consolidation thereof.’

 Austrian law

13      Paragraph 94(1) of the Bundes-Verfassungsgesetz (Federal Constitutional Law), republished on 2 January 1930 (BGBl. 1/1930), in its version applicable to the facts of the dispute in the main proceedings provides:

‘The courts are independent of the executive at all levels.

…’

14      Paragraph 24 of Bundesgesetz zum Schutz natürlicher Personen bei der Verarbeitung personenbezogener Daten (Datenschutzgesetz – DSG) (Federal law on the protection of natural persons with regard to the processing of personal data) (Law on Data Protection - DSG), of 17 August 1999 (BGBl. I, 165/1999), in its version applicable to the facts of the dispute in the main proceedings, entitled ‘Complaints addressed to the data protection authority’, states in paragraphs 1 and 4 thereof:

‘(1)      Every data subject has the right to lodge a complaint with the data protection authority if the data subject considers that the processing of the personal data concerning him or her infringes the GDPR or Paragraph 1 or Article 2, first chapter.

(4)      The right to have a complaint dealt with expires if the complainant does not lodge the complaint within a year after having gained knowledge of the incident that gave rise to the complaint, and in any event within at most three years after the incident allegedly occurred. Late complaints shall be rejected. …’

 The dispute in the main proceedings and the questions referred for a preliminary ruling

15      On 3 July 2017, Dr. G S, a physician, submitted to Company D, operating a physician search platform enabling third parties to provide reviews and testimonials on physicians, a request for the erasure of certain personal data concerning her, on the basis of the legal situation prior to the entry into force of the GDPR. On 10 July 2017, Company D rejected that request for erasure.

16      Following that refusal, in November 2017, Dr. G S brought an action before a civil court against that company, alleging, inter alia, a breach of the right to the protection of personal data and requesting the erasure of published data concerning her. She also requested that that company be ordered to refrain from any further processing of that data.

17      On 22 June 2018, following the entry into force of the GDPR, Dr. G S made another request for Company D to erase personal data concerning her that was published on the platform operated by that company. That request was also rejected by letter of 6 July 2018.

18      In those circumstances, on 26 July 2018, Dr. G S lodged a complaint with the DSB under Article 77(1) of the GDPR, relying, inter alia, on Article 17 of that regulation, which enshrines the right to erasure. By that complaint, Dr. G S requested the DSB to determine that there had been a breach of her right to the protection of personal data, to order Company D to erase all the personal data concerning her from its platform and to refrain from any further processing of that data.

19      By decision of 4 January 2019, the DSB rejected that complaint on the ground that that complaint and the civil action brought in November 2017, as referred to in paragraph 16 of the present judgment, related to the same subject matter, namely the erasure of personal data concerning Dr. G S, as published on that platform.

20      In that regard, the DSB took the view that the parallel or successive conduct of proceedings before a supervisory authority and judicial proceedings would, from a systematic perspective, be inconsistent with the remedial mechanism provided for under the GDPR. In its view, in such a situation, the supervisory authority would have to rule on the same question as that referred to the civil court. The DSB submits that the concurrent exercise of the right to lodge a complaint with the supervisory authority and of the right to a judicial remedy concerning the same subject matter cannot be permitted.

21      Dr. G S challenged the DSB’s decision of 4 January 2019 before the Bundesverwaltungsgericht (Federal Administrative Court, Austria), which, by judgment of 4 December 2020, dismissed her action at a time when the judgment delivered by the civil court on 23 July 2020, rejecting Dr. G S’s request, had not yet become final.

22      In that regard, the Bundesverwaltungsgericht (Federal Administrative Court) considered that the GDPR had deliberately established a two-track legal remedy. The latter court recalled that since the GDPR was directly applicable, national provisions which are contrary to it had to be disapplied. Accordingly, the complaint lodged by Dr. G S under Article 77(1) of that regulation could not be rejected on the grounds relied on by the DSB, with the result that it was necessary, on the contrary, to acknowledge the competence of the supervisory authority to decide on that complaint.

23      In that context, however, the Bundesverwaltungsgericht (Federal Administrative Court) considered that complaint to have been lodged out of time in that it did not comply with the one-year limitation period laid down in Article 24(4) of the Law on Data Protection, in its version applicable to the facts of the dispute in the main proceedings. Since a complaint under Article 77(1) of the GDPR is also to be rejected if it is lodged out of time, the rejection of Dr. G S’s complaint was, according to the Bundesverwaltungsgericht (Federal Administrative Court), the correct decision.

24      Both Dr. G S, after the Verfassungsgerichtshof (Constitutional Court, Austria) had declined to deal with her complaint, and the DSB lodged an appeal on a point of law with the Verwaltungsgerichtshof (Supreme Administrative Court, Austria), which is the referring court, against the decision of the Bundesverwaltungsgericht (Federal Administrative Court).

25      The Verwaltungsgerichtshof (Supreme Administrative Court) does not share the assessment of the Bundesverwaltungsgericht (Federal Administrative Court) that Dr. G S’s complaint was lodged out of time. The Verwaltungsgerichtshof (Supreme Administrative Court) nevertheless wishes to examine whether there were other legal grounds for the rejection of that complaint. After recalling the case-law arising from the judgments of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság (C-132/21, EU:C:2023:2), and of 7 December 2023, SCHUFA Holding (Discharge from remaining debts) (C-26/22 and C-64/22, EU:C:2023:958), the referring court raises the question, inter alia, of the ground put forward by the DSB, based on the existence of pending judicial proceedings concerning the same subject matter as that complaint. In that regard, the referring court observes that Paragraph 94(1) of the Federal Constitutional Law, in its version applicable to the facts of the dispute in the main proceedings, provides that the courts are independent of the executive at all levels. According to the information provided by the referring court, that provision enshrines a principle of separation between the judiciary and the administration, which implies that a case must be assigned, in its entirety, either to the courts or to the administrative authorities for the purpose of dealing with it. That provision therefore precludes courts and administrative authorities from ruling concurrently or successively on the same dispute.

26      In that context, that court has doubts as to whether a complaint lodged with the supervisory authority under Article 77(1) of the GDPR may be rejected on the ground that an effective judicial remedy, within the meaning of Article 79 of that regulation and concerning the same subject matter, has previously been sought and that the proceedings relating thereto are still pending before the court seised.

27      In that regard, in order to avoid conflicting decisions, the referring court is inclined to take the view that, on the basis of the mechanism provided for in Article 81(2) and (3) of the GDPR, it could be envisaged that, where a dispute is pending before the civil courts and administrative authorities, the body other than the one first seised is required, on account of the principle of prior adjudication, to reject the request of the person concerned.

28      However, the referring court adds that, in the event of a complaint lodged under Article 77(1) of the GDPR being rejected on the sole ground that judicial proceedings are pending, a substantive decision on the alleged breach of personal data protection will not yet have been made at the time of that rejection, with the result that the risk of contradictory decisions is not yet manifest.

29      Based on the above, the question arises as to whether a distinction must be drawn between a situation in which judicial proceedings are pending and another in which a decision on the substance of the case has already been given, even if it is not yet final.

30      In those circumstances, the Verwaltungsgerichtshof (Supreme Administrative Court) decided to stay the proceedings and refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Are Articles 77 and 79 of [the GDPR] to be interpreted, in the light of the findings of the Court in the judgments [of 12 January 2023 in Nemzeti Adatvédelmi és Információszabadság Hatóság (C-132/21, EU:C:2023:2)], and [of 7 December 2023, SCHUFA Holding (Discharge from remaining debts), (C-26/22 and C-64/22, EU:C:2023:958)], as meaning … that the possibility provided by national law for the rejection of a complaint lodged with a supervisory authority under Article 77 of the GDPR on the ground that a judicial remedy has already been sought in the same case under Article 79 of the GDPR and that the action is pending before a court [in question] constitutes a permissible arrangement for regulating the relationship between those remedies within the meaning of the abovementioned case-law of the Court […?]

(2)      [If the answer to the first question is in the negative, are Articles 77 and 79 of [the GDPR] to be interpreted, in the light of the findings of the Court in the judgments [of 12 January 2023 in Nemzeti Adatvédelmi és Információszabadság Hatóság (C-132/21, EU:C:2023:2)], and [of 7 December 2023, SCHUFA Holding (Discharge from remaining debts), (C-26/22 and C-64/22, EU:C:2023:958)], as meaning] that the possibility provided by national law for the rejection of a complaint lodged with a supervisory authority under Article 77 of the GDPR on the ground that a substantive judgment (even if not yet final) has already been made in the pending proceedings in the same case on the judicial remedy [sought] under Article 79 of the GDPR constitutes a permissible arrangement for regulating the relationship between those remedies within the meaning of the abovementioned case-law of the Court?’

 The questions referred for a preliminary ruling

31      By its two questions, which it is appropriate to examine together, the referring court asks, in essence, whether Article 77(1) and Article 79(1) of the GDPR must be interpreted as precluding a supervisory authority, with which a complaint has been lodged under Article 77(1) of that regulation, from rejecting that complaint on the sole ground that judicial proceedings under Article 79(1) thereof, and concerning the same subject matter, have already been brought and even though the decision given in those proceedings is not yet final.

32      As a preliminary point, it should be borne in mind that, in accordance with settled case-law, in interpreting a provision of EU law it is necessary to consider not only its wording but also its context and the objectives pursued by the legislation of which it forms part (judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C-132/21, EU:C:2023:2, paragraph 32).

33      In the first place, it must be pointed out that Articles 77 and 79 fall under Chapter VIII of that regulation, which governs, inter alia, the legal remedies enabling the protection of the data subject’s rights where his or her personal data have been the subject of processing that is allegedly contrary to the provisions of that regulation. The protection of those rights may thus be sought directly by the data subject, under Articles 77 to 79 of that regulation (see, to that effect, judgment of 4 October 2024, Lindenapotheke, C-21/23, EU:C:2024:846, paragraph 47 and the case-law cited).

34      In that connection, in so far as concerns the wording of Articles 77 to 79, it should be recalled, first of all, that Article 77(1) of the GDPR provides that, without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority. Subsequently, under Article 78(1) of that regulation, each natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, without prejudice to any other administrative or non-judicial remedy. Lastly, Article 79(1) of that regulation guarantees each data subject the right to an effective judicial remedy, without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77(1) of that regulation (judgment of 4 October 2024, Lindenapotheke, C-21/23, EU:C:2024:846, paragraph 48 and the case-law cited).

35      The Court has already ruled that those provisions of the GDPR offer different remedies to persons claiming that that regulation has been infringed, it being understood that each of those remedies must be capable of being exercised ‘without prejudice’ to the others (judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C-132/21, EU:C:2023:2, paragraph 34).

36      It follows, as the Advocate General observed in point 46 of his Opinion, that the GDPR does not provide for any priority or exclusive competence or jurisdiction nor does it establish any rule of precedence in respect of the assessment carried out by the authority or by the courts referred to therein as to whether there is a breach of the rights conferred by that regulation. The Court has already held that the remedy provided for in Article 78(1) of the GDPR, the purpose of which is to examine the lawfulness of the decision of a supervisory authority adopted on the basis of Article 77 thereof, and the remedy provided for in Article 79(1) of that regulation may also be exercised concurrently with and independently of each other (see, to that effect, judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C-132/21, EU:C:2023:2, paragraph 35).

37      In the second place, as regards the context of those provisions of the GDPR, it should be recalled that, under Article 57(1)(f) of that regulation, each supervisory authority is required on its territory to handle complaints which, in accordance with Article 77(1) of that regulation, any data subject is entitled to lodge where that data subject considers that the processing of personal data relating to him or her infringes that regulation, to investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period. Accordingly, the supervisory authority must deal with such a complaint with all due diligence (judgment of 26 September 2024, Land Hessen (Obligation to act by the data protection authority), C-768/21, EU:C:2024:785, paragraph 32 and the case-law cited). As confirmed by recital 129 of the GDPR, the supervisory authority thus plays an indispensable role in the system of protection of personal data, contributing to the consistent application of the regulation in question within the Member States.

38      In the third place, that contextual interpretation is supported by the objectives pursued by the GDPR. In that regard, it should be noted that the EU legislature’s choice to grant data subjects to whom the processing of personal data relates the possibility of simultaneously and independently exercising the remedies provided for in Article 77(1) and Article 79(1) of the GDPR is consistent with the objective pursued by that regulation, which is, as is apparent from recital 10 thereof, to ensure a high level of protection of natural persons with regard to the processing of personal data in the European Union. Moreover, recital 11 of that regulation states that effective protection of such data requires the strengthening of the rights of data subjects.

39      In that context, the Court has already ruled that making several remedies available strengthens the objective set out in recital 141 of the GDPR of guaranteeing for every data subject who considers that his or her rights under that regulation are infringed the right to an effective judicial remedy in accordance with Article 47 of the Charter (judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C-132/21, EU:C:2023:2, paragraph 44).

40      The Court has also pointed out that the EU legislature’s decision to leave to data subjects the option to exercise the remedies provided for in Article 77(1) and Article 78(1) of the GDPR, on the one hand, and Article 79(1) thereof, on the other, concurrently with and independently of each other is consistent with the objective of that regulation (see, to that effect, judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C-132/21, EU:C:2023:2, paragraph 42).

41      However, in the absence of EU rules governing the matter, it is for each Member State, in accordance with the principle of the procedural autonomy of the Member States, to lay down the detailed rules of administrative and judicial procedures intended to ensure a high level of protection of rights which individuals derive from EU law (judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C-132/21, EU:C:2023:2, paragraph 45).

42      Accordingly, it is for the referring court to determine, on the basis of the national procedural provisions, in what manner the remedies provided for by Articles 77 to 79 of the GDPR must be implemented (see, to that effect, judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C-132/21, EU:C:2023:2, paragraph 46).

43      In particular, the detailed rules for the implementation of concurrent and independent remedies should not call into question the effectiveness and effective protection of the rights guaranteed by that regulation (judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C-132/21, EU:C:2023:2, paragraph 47).

44      In that connection, those detailed rules must not be less favourable than those governing similar domestic actions (principle of equivalence); nor must they render practically impossible or excessively difficult the exercise of rights conferred by EU law (principle of effectiveness) (judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C-132/21, EU:C:2023:2, paragraph 48).

45      In that context, the Court pointed out that when the Member States set out detailed procedural rules for legal actions intended to ensure the protection of rights conferred by the GDPR, they must ensure compliance with the right to an effective remedy and to a fair trial, enshrined in Article 47 of the Charter, which constitutes a reaffirmation of the principle of effective judicial protection (judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C-132/21, EU:C:2023:2, paragraph 50).

46      In the present case, it is apparent from the request for a preliminary ruling that the system of remedies provided for by Austrian law precludes courts and administrative authorities from ruling in parallel or successively on the same dispute. In that context, the question arises as to whether a complaint lodged with the supervisory authority under Article 77(1) of the GDPR may be rejected on the sole ground that judicial proceedings, based on Article 79 of that regulation and concerning the same subject matter, have already been brought and that those proceedings are still pending.

47      According to the referring court, such a relationship between legal remedies would help to avoid the adoption of contradictory decisions in respect of the same request. However, it observes that, where the DSB rejects a complaint lodged under Article 77(1) of the GDPR on the ground that judicial proceedings brought in accordance with Article 79(1) of that regulation are pending before the court seised, that authority cannot be assured that a decision on the merits will actually be given in the context of those proceedings. That would be the case, in particular, if those proceedings were to be dismissed as inadmissible, without a decision being given on the merits.

48      In that regard, it should be recalled that, as stated in paragraph 37 of the present judgment, under Article 57(1)(f) of the GDPR, each supervisory authority is required on its territory to handle complaints which, in accordance with Article 77(1) of that regulation, any data subject is entitled to lodge where that data subject considers that the processing of his or her personal data infringes the regulation, and is required to examine the nature of that complaint as necessary. The supervisory authority must deal with such a complaint with all due diligence (judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts), C-26/22 and C-64/22, EU:C:2023:958, paragraph 56 and the case-law cited).

49      In the context of that processing, that authority has, as regards the remedies listed in Article 58(2) of the GDPR, a margin of discretion as to the choice of appropriate and necessary means (judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts), C-26/22 and C-64/22, EU:C:2023:958, paragraph 68 and the case-law cited).

50      In that regard, the Court has ruled that the complaints procedure, which is not similar to that of a petition, is designed as a mechanism capable of effectively safeguarding the rights and interests of data subjects (judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts), C-26/22 and C-64/22, EU:C:2023:958, paragraph 58).

51      Indeed, the supervisory authority is required to take action where the exercise of one or more of the corrective powers provided for in Article 58(2) of the GDPR is appropriate, necessary and proportionate to remedy the shortcoming found and ensure that that regulation is fully enforced (see, to that effect, judgment of 30 April 2025, Inspektorat kam Visshia sadeben savet, C-313/23, C-316/23 and C-332/23, EU:C:2025:303, paragraph 132).

52      It is true that that obligation to intervene requires that, where the supervisory authority receives a complaint under Article 77(1) of the GDPR and is informed of the existence of judicial proceedings brought on the basis of Article 79(1) of that regulation and concerning the same subject matter, it must take due account, in the examination of that complaint, of the decision which will definitively close those proceedings.

53      However, it would be contrary to that obligation to deprive a data subject to whom the processing of personal data relates of the benefit of such a protection mechanism by allowing the supervisory authority to reject his or her complaint on the sole ground that judicial proceedings under Article 79(1) of the GDPR and concerning the same subject matter have already been brought and even though the decision given in those proceedings has not yet become final.

54      In that context, as regards the risk of contradictory decisions being adopted in respect of the same processing of personal data within the same Member State, as the Advocate General observed, in essence, in points 55 and 56 of his Opinion, that Member State could, in a situation such as that in the main proceedings, envisage, for example, the establishment of a suspension mechanism under which the supervisory authority, hearing a complaint under Article 77(1) of the GDPR, would have the option or would be required to suspend the proceedings pending before it where judicial proceedings under Article 79(1) of that regulation and concerning the same subject matter, have already been brought. Such a stay may be maintained until the delivery of a first judgment given in the context of those proceedings and, where appropriate, in the event of an appeal being lodged against that judgment, until a court decision definitively closes the dispute in question.

55      In that regard, it should be noted that the possible suspension of the examination of a complaint lodged under Article 77(1) of that regulation with the supervisory authority pending a judicial decision appears to comply both with the requirement to guarantee the right to an effective judicial remedy and with the requirement to effectively protect the rights guaranteed by the GDPR and to avoid the adoption of contradictory decisions liable to undermine legal certainty.

56      By contrast, where the supervisory authority rejects a complaint on the sole ground that judicial proceedings brought on the basis of Article 79(1) of that regulation are pending, first, as mentioned in paragraph 47 of the present judgment, that authority cannot be certain that a decision on the merits will actually be given in the context of those judicial proceedings. Second, the lodging of a new complaint may prove impossible where national law provides that complaints must, under pain of being declared inadmissible, be submitted within a time limit, as is the case here, and that limit has already expired. Therefore, it cannot be ruled out that the data subject to whom the processing of personal data relates may be deprived of any effective protection where his or her judicial proceedings are dismissed on procedural grounds without a decision being given on the merits, or if he or she wishes to withdraw his or her judicial proceedings.

57      Accordingly, as the Advocate General observed, in essence, in point 57 of his Opinion, the rejection of a complaint lodged with the supervisory authority in a situation such as that of the dispute in the main proceedings would be contrary to the principle of effectiveness, since that arrangement as regards the relationship between those remedies is liable to compromise the effective protection of the rights guaranteed by the GDPR.

58      It follows that it is for the referring court to ascertain whether the provisions of national law in question in the main proceedings are such as to ensure effective protection of the rights guaranteed by the GDPR, in particular as regards the relationship between concurrent and independent remedies available to data subjects to whom the processing of personal data relates.

59      In the light of all the foregoing considerations, the answer to the first and second questions is that Article 77(1) and Article 79(1) of the GDPR must be interpreted as precluding a supervisory authority, with which a complaint has been lodged under Article 77(1) of that regulation, from rejecting that complaint on the sole ground that judicial proceedings under Article 79(1) thereof, and concerning the same subject matter, have already been brought and even though the decision given in those proceedings is not yet final.

 Costs

60      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (First Chamber) hereby rules:

Article 77(1) and Article 79(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as precluding a supervisory authority, with which a complaint has been lodged under Article 77(1) of that regulation, from rejecting that complaint on the sole ground that judicial proceedings under Article 79(1) thereof, and concerning the same subject matter, have already been brought and even though the decision given in those proceedings is not yet final.

[Signatures]

*      Language of the case: German.




Disclaimer

Powered by