On 15 June 2021, the Court of Justice of the European Union (CJEU) adopted a relevant judgement, both for data subjects and for controllers and processors, on the powers of national data protection supervisory authorities in the protection of the rights and interests of the data subjects when their data are managed by a controller located in another EU state.
The dispute arose as to whether the Belgian national data protection authority could take action against Facebook Belgium, although Facebook Ireland had been recognised as the controller, i.e. how the “one-stop-shop mechanism” for the national data protection authorities worked.
The CJEU has stated that in the cases of cross-border data processing, the data protection supervisory authority of the Member State, which is not the lead supervisory authority, may use its power to refer alleged breaches of the GDPR to the court of that State.
The non-lead supervisory authority may use this power in compliance with the following conditions:
- the non-lead supervisory authority must comply with the cooperation and consistency procedures provided for in the GDPR, i.e. in dialogue with the lead supervisory authority;
- the controller is not required to have its main establishment or another establishment in the territory of that Member State but such controller must have an establishment in the territory of the Union;
- the non-lead supervisory authority may use its power to refer to the court of that State for the alleged breaches of the GDPR against the main establishment of the controller in the Member State of that authority as well as against another establishment of the controller if the action is brought against data processing carried out during the activities of that establishment.
Significance of the judgement for the data subjects:
- data subjects whose data protection rights or interests are breached may defend their rights by applying to their national supervisory authority, even if the establishment of the controller or processor is not in that Member State. This substantially facilitates and speeds up the defence mechanism of the rights of the data subject.
Significance of the judgement for the controllers or processors:
- in the cases of cross-border data processing, companies or organizations must be aware that proceedings may be instituted against them both at their main establishment and in other Member States, provided that the above conditions are met.
For more information or advice on data protection, please consult the specialists of ECOVIS ProventusLaw.
Prepared by Brigida Bacienė, Certified Data Protection Expert (CIPP/E) of ECOVIS ProventusLaw, and Andrius Karmonas, the Lawyer of ECOVIS ProventusLaw