menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Poland) language
Contact our local member in Poland mail_outline
Visit the website of GKR Legal account_balance

arrow_backPrevious Article
Article 79
Next Articlearrow_forward

Right to an effective judicial remedy against a controller or processor

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 79 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 79 keyboard_arrow_up
Show the recitals of the Regulation related to article 79 keyboard_arrow_down Hide the recitals of the Regulation related to article 79 keyboard_arrow_up

(145) For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.

Show the recitals of the Directive related to article 79 keyboard_arrow_down Hide the recitals of the Directive related to article 79 keyboard_arrow_up

(55) Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private of public law, who fails to comply with the national measures taken under this Directive;

The GDPR

Article 79 gives people affected by processing, a genuine right to an effective judicial remedy against both the controller and the processor in case of infringement of their rights resulting from the processing of their data. This right is not to be confused either with the possibility of lodging a complaint with a supervisory authority referred to in article 78, nor with any other administrative or extra-judicial remedy provided under the relevant national law.

The second paragraph allows the data subject to bring his action either before the courts of the Member State in which the controller has an establishment or in the courts of the state of habitual residence of the data subject, unless controller or processor is a public authority of a Member State acting in the exercise of its public powers.

It should be noted that as per recital 146, the jurisdictional rules contained in the Regulation need subject to the general jurisdictional rules contained in other legal instruments, such as those contained in Regulation (EU) No. 1215/2012 of the European Parliament and the Council of 12 December 2012 concerning jurisdiction, recognition and enforcement of decisions on civil and commercial matters (Regulation called Brussels I bis).

The Directive

The Directive Article 22 requires the Member States to provide to any person the right to a judicial remedy in case of breach of the rights guaranteed to him by the national provisions transposing the Directive.

Potential issues

The competence of the courts will not necessarily imply that they must apply their national laws that codify the Regulation or that the national authority of the state court is competent.

Poland

The Draft Bill on Personal Data Protection published in September 2017

CHAPTER 8: CIVIL LIABILITY

Art. 78.1. Any person whose rights under the provisions of the Act have been infringed may request that such action be abandoned and may require the person committing the breach to complete the activities necessary to remove the consequences.

2. Making the claim referred to in para. 1, does not exclude the possibility of other claims for breaches of the provisions on the protection of personal data.

3. To the extent not governed by the Regulation 2016/679 and this Act, the redress of claims referred to in para. 1, is governed by the provisions of the Civil Code.

 

Art. 79. 1. For proceedings in cases of claims brought under Art. 78, to the extent not governed by the Act, the provisions of the Code of Civil Procedure shall apply.

2. The district court shall have jurisdiction over claims for infringement of the provisions on the protection of personal data, including claims under Art. 82 of the Regulation 2016/679, irrespective of the value of the subject-matter of the dispute.

 

Art. 80.1. On filing a lawsuit in the cases referred to in Art. 78, the court shall immediately notify the President of the Office.

2. If the proceedings concerning breaches of the provisions on the protection of personal data are pending before the President of the Office or the administrative court, the President of the Office shall notify the court referred to in para. 1.

3. The court may suspend proceedings pending before the court till the termination of the proceedings before the President of the Office.

 

Art. 81. About every judgment -  taking account of the action - on matters referred to in Art. 78 para. 1 and 2, the court shall notify the President of the Office.

arrow_back Previous ArticleArticle 79Next Article arrow_forward
arrow_back Previous ArticleArticle 79 Next Article arrow_forward
arrow_back Previous Article Article 79 Next Article arrow_forward

Summary

European Union

European Union

CJEU caselaw

C-40/17 (29 July 2019) - Fashion ID

1.      Articles 22 to 24 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as not precluding national legislation which allows consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data.

2.      The operator of a website, such as Fashion ID GmbH & Co. KG, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor can be considered to be a controller, within the meaning of Article 2(d) of Directive 95/46. That liability is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.

3.      In a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, it is necessary that that operator and that provider each pursue a legitimate interest, within the meaning of Article 7(f) of Directive 95/46, through those processing operations in order for those operations to be justified in respect of each of them.

4.      Article 2(h) and Article 7(a) of Directive 95/46 must be interpreted as meaning that, in a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, the consent referred to in those provisions must be obtained by that operator only with regard to the operation or set of operations involving the processing of personal data in respect of which that operator determines the purposes and means. In addition, Article 10 of that directive must be interpreted as meaning that, in such a situation, the duty to inform laid down in that provision is incumbent also on that operator, but the information that the latter must provide to the data subject need relate only to the operation or set of operations involving the processing of personal data in respect of which that operator actually determines the purposes and means.

Judgment of the Court 
Opinion of the Advocate General 


C‑132/21 (12 January 2023), Budapesti Elektromos Művek

Article 77(1), Article 78(1) and Article 79(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in the light of Article 47 of the Charter of Fundamental Rights of the European Union,

must be interpreted as permitting the remedies provided for in Article 77(1) and Article 78(1) of that regulation, on the one hand, and Article 79(1) thereof, on the other, to be exercised concurrently with and independently of each other. It is for the Member States, in accordance with the principle of procedural autonomy, to lay down detailed rules as regards the relationship between those remedies in order to ensure the effective protection of the rights guaranteed by that regulation and the consistent and homogeneous application of its provisions, as well as the right to an effective remedy before a court or tribunal as referred to in Article 47 of the Charter of Fundamental Rights.

Decision of the court

Opinion of the advocate General

C-313/23 (30 April 2025)  - Inspektorat kam Visshia sadeben savet

On those grounds, the Court (First Chamber) hereby rules:

1.      The second subparagraph of Article 19(1) TEU, read in conjunction with Article 47 of the Charter of Fundamental Rights of the European Union,

must be interpreted as meaning that the principle of judicial independence precludes a Member State’s practice under which the members of a judicial body of that Member State – who are elected by its parliament for terms of office of a specific duration and are competent to scrutinise the activity of judges, public prosecutors and investigating magistrates in the performance of their functions, to carry out checks in respect of their integrity and the absence of conflicts of interest on their part, as well as to propose to another judicial body the initiation of disciplinary proceedings with a view to the imposition of disciplinary penalties on those persons – continue to perform their functions beyond the legal duration of their terms of office as laid down in the Constitution of that Member State, until that parliament elects new members, where the extension of the expired terms of office does not have an express legal basis in national law containing clear and precise rules such as to circumscribe the performance of those functions and where it is not guaranteed that that extension is, in practice, limited in time.

2.      Article 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that disclosure, to a judicial body, of personal data that are protected by banking secrecy and that concern judges, public prosecutors and investigating magistrates as well as their family members, with a view to the verification of the declarations which are submitted by those judges, public prosecutors and investigating magistrates concerning their assets and those of their family members and which are published, constitutes processing of personal data that comes within the material scope of that regulation.

3.      Article 4(7) of Regulation 2016/679

must be interpreted as meaning that a court having jurisdiction to authorise, at the request of another judicial body, disclosure by a bank to that body of data relating to the bank accounts of judges, public prosecutors and investigating magistrates as well as of their family members, cannot be classified as a controller within the meaning of that provision.

4.      Article 51 of Regulation 2016/679

must be interpreted as meaning that a court having jurisdiction to authorise disclosure of personal data to another judicial body does not constitute a supervisory authority within the meaning of that article, where that court is not entrusted by the Member State in which it is situated with monitoring the application of that regulation in order to protect, in particular, the fundamental rights and freedoms of natural persons in relation to the processing of their personal data.

5.      Article 79(1) of Regulation 2016/679, read in conjunction with Article 47 of the Charter of Fundamental Rights,

must be interpreted as meaning that a court having jurisdiction to authorise disclosure of personal data to another judicial body is not required, where an action pursuant to that provision has not been brought before it, to ensure of its own motion the protection of the persons whose data are concerned as regards compliance with the provisions of that regulation relating to the security of personal data, including where it is known that that body has, in the past, infringed those provisions.

Opinion of the Advocate General 
Judgment of the Court 

Retour au sommaire Retour au sommaire
arrow_back Previous Article Article 79 Next Article arrow_forward
Regulation
1e 2e

Art. 79

1.   Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

2.   Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
1st proposal close

Art. 75 

1. Without prejudice to any available administrative remedy, including the right to lodge a complaint with a supervisory authority as referred to in Article 73, every natural person shall have the right to a judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has its habitual residence, unless the controller is a public authority acting in the exercise of its public powers.

3. Where proceedings are pending in the consistency mechanism referred to in Article 58, which concern the same measure, decision or practice, a court may suspend the proceedings brought before it, except where the urgency of the matter for the protection of the data subject's rights does not allow to wait for the outcome of the procedure in the consistency mechanism.

4. The Member States shall enforce final decisions by the courts referred to in this Article.
2nd proposal close

Art. 75 

1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority under Article 73, data subjects shall have the right to an effective judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment (…). Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority acting in the exercise of its public powers.

3. (…)

4. (…)
Directive close

Art. 22

Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question.
Poland
compare_arrows
visibility Old law

Entered into force on May 25, 2018:

The Act of May 10, 2018 on Personal Data Protection

 

Art. 92 In the area not regulated by Regulation 2016/679, as to the claims regarding the violation of the personal data protection laws referred to in art79 and art 82 of the Regulation, provisions of the 1964 Act shall apply - Civil Code

Art. 93 All claims arising from the violation of the personal data protection laws referred to in art 79 and art 82 of the Regulation 2016/679 shall be directed to the Regional Court

Art. 94 1. The court shall notify the President of the Office immediately, if a lawsuit is filed and the final judgement is reached in the proceedings regarding the violation of the personal data protection laws referred to in art 79 and art 82 of the Regulation 2016/679 .

2. Once notified about the on-going inspection, the President of the Office shall notify the court of every matter regarding the same violation of the personal data protection laws, that is pending before the President of the Office, court or has already been closed. The President of the Office shall also inform the court about any initiation of proceedings in the case of the same violation immediately

Art. 95 The court shall suspend the proceedings if the proceedings regarding the same violation of the personal data protection laws have been initiated by the President of the Office.

Art. 96 The court shall suspend the proceedings in the area of a final decision by the President of the Office was made regarding the violation of the personal data protection laws or in the area of a final judgement regarding the complaint referred to in art 145a paragraph 3 of the 2002 Act. – Law on proceedings before administrative court.

Art. 97 The findings of the final decision of the President of the Office regarding the violation of the personal data protection laws or in the area of a final judgement regarding the complaint referred to in art 145a paragraph 3 of the 2002 Act. – Law on proceedings before administrative court, bind the court in the proceedings for recovery of damages due to the violation of personal data protection laws in regards to finding a breach of these laws.

Art. 98 1. In cases regarding damages claims based on the violation of personal data protection laws, that can only be heard before the court, the President of the Office can bring an action in the name of that as well as join the proceedings at any stage, provided he receives the consent of the party.

2. In other damages cases, regarding the violation of the personal data protection laws, the President of the Office can joint the proceedings at any stage unless proceedings  regarding the same case have been brought before him.

3. In cases referred to in provisions 1 and 2 of the 1964 act shall apply to the president to the office

Art. 99 The President of the Office can present a viewpoint crucial for the proceedings regarding the violation of the personal data protection laws before the court if it is in public interest.

Art. 100 The proceeding regarding the violation of the personal data protection laws referred to in art 79 and art 82 of the Regulation 2016/679 in shall be governed by the 1964 Act – Civil Code.
Old law close

In force until May 25, 2018:

The Act on Personal Data Protection

 

Article 32

1. The data subject has a right to control the processing of his/her personal data contained in

the filing systems, and in particular he/she has the right to:

(…)

6) demand the data to be completed, updated, rectified, temporally or permanently suspended or erased, in case they are not complete, outdated, untrue or collected with the violation of the act, or in case they are no longer required for the purpose for which they have been collected,

7) make a justified demand in writing, in cases referred to in Article 23 paragraph 1 point 4 and 5, for the blocking of the processing of his/her data, due to his/her particular situation,

8) object to the processing of his/her personal data in cases referred to in Article 23 paragraph 1 point 4 and 5, should the controller intend to process the data for marketing purposes or to object to the transfer of the data to another controller,

9) make a demand to a controller for reconsidering of the individual case settled in contravention of Article 26a paragraph 1.

2. In case of the demand referred to in paragraph 1 point 7 the controller shall immediately stop the processing of the questioned data or without undue delay transmit the demand to the Inspector General who shall make an appropriate decision.

3. In case of the objection referred to in paragraph 1 point 8 further processing of the questioned data shall be prohibited. However, the controller is allowed to leave in filing system forename or forenames and a surname of a person with a PESEL identification number or address solely for the reason to avoid the data being used once more for the purposes to which the data subjects objected.

3a. In case of the demand referred to in Article 32 paragraph 1 point 9 the controller without undue delay shall consider the case or transmit it, together with his/her reasoned stand, to the Inspector General who shall issue an appropriate decision.

(…)
Austria close

All of the following in force until May 25, 2018:

Court Action

§ 32 DSG 2000

(1) Claims for infringement of the rights of a person or a group of persons to secrecy, rectification and erasure against natural persons, groups of persons or legal entities established in forms of private law, are, as long as such legal entities were not acing to enforce laws when their rights were infringed, shall be brought before the civil courts.

(2) If data have been used contrary to the provisions of this federal law, the data subject shall have the right to sue for an end to such unlawful condition.

(3) In order to safeguard the legal right to put an end to an unlawful state an injunction may be issued even if the requirements mentioned in § 381 Foreclosure Act are not fulfilled. This also applies to orders to make a note about the dispute.

(4) Complaints and applications for injunctions pursuant to this federal act shall in the first instance be lodged with the provincial civil court in whose district the plaintiff (applicant) has his domicile or seat. Actions (applications) may, however, also be brought before the provincial civil court in whose district the defendant has his domicile or seat or branch office.

(5) The Data Protection Authority shall, in a case where there is probable cause to believe that a serious data protection infringement has been committed by a private sector controller, file an action for a declaratory judgement (§ 228 Code of Civil Procedure) in the court that is competent pursuant to para. 4 second sentence.

(6) On request of an intervening party (§ 30 para 1) the Data Protection Authority shall, if such action appears necessary to safeguard the protected interests of a large number of natural persons pursuant to this federal law, intervene in the proceedings in support of the intervening party as an intervening third party (§§ 17 et seq. of the Code of Civil Procedure).

(7) At the occasion of an admissible claim according to para 1 referring to a data application subject to the obligation of notification according to the view of the court, the court may request the Data Protection Authority for a review according to §§ 22 and 22a. The Data Protection Authority shall inform the court about the result of the review. The result is then to be notified by the court also to the parties, insofar as the proceedings have not been decided finally.

Common Rules

§ 34 DSG 2000

(1) The right to lodge an application according to § 30, a complaint according to § 31 or legal action according to § 32 and claims for damages according to § 33 shall apply only if the charge is filed by the intervening party within a year after having gained knowledge of the incident that gave rise to the complaint and no later than three years after the alleged incident. This is to be communicated to the intervening party in the case of a late application according to § 30; late complaints according to § 31 or legal actions according to § 32 shall be rejected.

(2) Applications according to § 30, complaints according to § 31 or legal action according to § 32 and claims for damages according to § 33 can be filed not only because of an alleged infringement of this federal law, but also based on an infringement of data protection provisions of another member state of the European Union, insofar as these provisions are applicable in Austria according to § 3.

(3) If a case to be adjudicated by the Data Protection Authority by applying the national provisions of another member state of the European economic area pursuant to § 3, the Data Protection Authority shall ask the competent foreign supervisory authority for assistance.

(4) The Data Protection Authority shall render inter-authority assistance to the independent supervisory authorities of the signatory states of the European economic area upon request.
arrow_back Previous ArticleArticle 79 Next Article arrow_forward
close

2016 - www.itiplaw.eu.