Article 21 ePrivacy Regulation - Remedies
Article 21 ePrivacy Regulation
1. Without prejudice to any other administrative or judicial remedy, every end-user shall have the right to an effective judicial remedy in relation to any infringement of rights under this Regulation, the right to lodge a complaint with a supervisory authority and the right to an effective judicial remedy against any legally binding decision of a supervisory authority concerning them.
1a. Articles 77-80 of Regulation (EU) 2016/679 shall apply mutatis mutandis.
2. Any natural or legal person other than end-users adversely affected by infringements of this Regulation, including a provider of electronic communications services protecting its legitimate business interests, shall have a right to bring legal proceedings in respect of such infringements.
1. Purpose of the provision
In light of a multitude of interferences with end-users’ privacy, which, in addition, often occur surreptitiously, there is a necessity of reinforcing the confidentiality and neutrality of messaging services.[1] Remedial and sanctioning systems are a keystone of such an undertaking. Public confidence in communications systems can only be ensured by means of remedies that are legally secure and accessible to the end-user. Additionally, it requires a public prosecution of particularly intensive violations. In this light, Art. 21 ePrivacy Regulation concerns the Regulation’s practical enforcement by the persons concerned. It provides for the right to an effective judicial remedy in cases of privacy-infringements and related executive decisions by supervisory authorities. Moreover, it allows affected end-users to lodge a complaint with an authority in order to encourage it to consider and deploy appropriate remedial action. In this regard, the provision serves to implement both Art. 47 S. 1 CFR’s fundamental right to an effective remedy and Arts. 7, 8 CFR in conjunction with Art. 16 Sec. 1 TFEU concerning the protection of personal data and privacy pursuant to the CJEU’s interpretation in its “Schrems” judgement.[2] It, thus, intends to correct enforcement deficits already criticized under the Data Protection Directive and in the run-up to the GDPR.[3]
[1] EDPB, Statement of the EDPB on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications, p. 1; Rec. 20 ePrivacy Regulation.
[2] CJEU, judgement of 6 October 2015, C-362/14 – Schrems, Rec. 55-59; Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 77 Rec. 2.
[3] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 77 Rec. 1.
2. Historical background
The preceding ePrivacy Directive’s Rec. 47 S. 1 ordered national legislation to provide for judicial remedies, where the rights of end-users and subscribers were not respected. According to Art. 15 Sec. 2 ePrivacy Directive, the provisions on judicial remedies, liability and sanctions, implemented by its Chapter III, applied with regard to national provisions adopted pursuant to it and with regard to the individual rights derived from this Directive. In this respect, the inconsistent implementation by the Member States started to be a problem, in part, because they limited legal remedies to judicial remedies.[4] Related to the set-up pursuant to Chapter VIII of the GDPR, the ePrivacy Regulation, thus, seeks to harmonize efforts in providing end-users with sufficient rights and provides the European privacy-regime with increased enforcement power.
[4] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 77 Rec. 2.
3. Systematics
Art. 21 ePrivacy Regulation opens up Chapter V on remedies, liability and penalties. In this way, the legislator locates the approach of an individual law enforcement of privacy regulations prior to its corresponding executive remedies under Art. 18 Sec. 1ab; 23 and 24 ePrivacy Regulation. This emphasizes the approach of a primarily self-responsible legal action by the end-user, which can, at best, be supplemented by the work of authorities. Despite authorities’ corresponding ex officio obligation to investigate, such work can only make up a subsidiary part of a comprehensive law enforcement, both in terms of scope and effectiveness. The right to lodge a complaint pursuant to Art. 21 Sec. 1 Var. 2 ePrivacy Regulation, in particular, confirms that in light of millionfold infringements, supervisory authorities cannot always respond to every violation or even disclose such violations, at the outset. Thus, individual remedies are by all means the more important part of law enforcement, if only to draw the attention of supervisory authorities to a corresponding violation.
Compared to the layout of the GDPR, Art. 21 ePrivacy Regulation comprises different remedies within one single stipulation. This concerns Arts. 77 to 80 GDPR, which are explicitly referred to by Art. 21 Sec. 1a ePrivacy Regulation. Consequently, stipulations apply mutatis mutandis, however only to the extent that these are not already provided for by the materially similar stipulations under the ePrivacy Regulation. Additional provisions concern the specification of formal requirements and procedures. In this respect, Art. 80 GDPR should be mentioned which, contrary to its preceding material provisions, only stipulates a formal facilitation of their exercise.[5] In view of its limited content-overlap with Art. 21 Sec. 1 ePrivacy Regulation, the latter must therefore be considered separately.
With regard to both national law and other European remedies, Art. 21 Sec. 1 ePrivacy Regulation postulates that remedies pursuant to this provision apply “without prejudice” to any other administrative or judicial remedy. Thus, supervisory authorities may neither refer the complainant to other, particularly national, remedies, nor does the exercise of rights under the ePrivacy Regulation preclude their admissibility.[6] Rather, an end-user may resort to different rights in parallel, such as, e.g., the simultaneous assertion of both a complaint towards the authority and a claim for compensation against the infringer pursuant to Art. 22 ePrivacy Regulation. This is in line with the idea of different remedies pursuing different objectives, such as, for instance, an acute cessation of future infringements (by measures of the authority) and a retroactive compensation of already suffered damages. As regards the exercise of national remedies, it nevertheless appears questionable whether, in light of the Regulation’s fully harmonizing and immediate effect, there is actually any space left. When considering the rather generic and superficial layout of both Art. 21 ePrivacy Regulation and even Art. 77 GDPR, however, such will be inevitably necessary, at least with respect to the procedural arrangements.[7] Here, the provisions of national administrative law can be considered, in particular, provided that the requirements of both the ePrivacy Regulation and the CJEU are met. The latter include the principles of equivalence and effectiveness, meaning that procedural provisions must, on the one hand, guarantee an equal treatment of Union and national situations and, on the other, allow for a primary and effective application of Union law.[8]
[6] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 77 Rec. 4.
[7] Mundil, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 77 Rec. 2.
[8] CJEU, judgement of 21 September 1983, C-205-215/83 – Deutsche Milchkontor.
II. Right to an effective judicial remedy, Art. 21 Sec. 1 Var. 1 and Var. 3
Art. 21 Sec. 1 ePrivacy Regulation provides for a right to an effective judicial remedy both in relation to a privacy-infringement under the Regulation (Var. 1) and a legally binding decision against the end-user (Var. 3). The latter must be issued by a supervisory authority under Art. 18 ePrivacy Regulation. The provision complements Art. 21 Sec. 1 Var. 2 ePrivacy Regulation, which grants affected end-users the right to turn to a supervisory authority whenever they are concerned with a possible privacy infringement. Contrary to the latter, Art. 21 Sec. 1 Var. 1 ePrivacy Regulation allows for the pursuit of an immediate and self-reliant legal protection. Particularly in rather simple and obvious cases, this action can be expedient, as it enables comparatively fast and effective legal remedy.[9] This being said, self-reliant judicial action also entails a comprehensive involvement by the person concerned and a significant cost risk. In contrast, Art. 21 Sec. 1 Var. 1 ePrivacy Regulation not only grants access to the resources and authority of a governmental body, but is also gratis to the end-user (cf. below under No. III.3.d). Thus, it is likely that Art. 21 Sec. 1 Var. 1 ePrivacy Regulation unfolds a comparatively limited practical effect compared to its Var. 2.
The paragraph corresponds to the systematic set-up of Arts. 78 and 79 GDPR. These, as well, allow for remedial action against the responsible party and the supervisory authority, yet within two separate provisions. With regard to their specific regulations, the legislator refers to the latter by Art. 21 Sec. 1a ePrivacy Regulation. Subsequently, they apply mutatis mutandis.
Finally, both remedies apply “without prejudice” to any other administrative or judicial measure. This means, the plaintiff must not face any negative legal consequences following the choice of one or the other remedy (such as with regard to the admissibility of an action under national law or further administrative or out-of-court solutions).[10] Thus, there is an explicit coexistence of legal remedies.[11]
[9] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 79 Rec. 2.
[10] Werkmeister, in: Gola, Datenschutz-Grundverordnung (2018), Art. 79 Rec. 3.
[11] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 79 Rec. 2.
1. Effective judicial remedy
The concept of an effective remedy must be interpreted autonomously in the light of its primary legal basis in Art. 47 CFR and corresponding case law of the CJEU.[12] Accordingly, it requires adequate access to the courts of the Member States and the Union. Courts, in this sense, are permanent bodies obligated to make a binding decision in application of legal norms in a contentious (adversarial) procedure.[13] Pursuant to Art. 47 Sec. 2 S. 1 CFR, they must be established by law and function independently and impartially. Effective legal protection, in this respect, includes an adequate access to such courts, in the sense that access must not be made unnecessarily difficult, particularly, by excessively strict admissibility requirements. Moreover, the court seized must examine the case comprehensively and exclusively in accordance with the law.[14] Due to its legal findings, the court has to issue a judgment, which the plaintiff can enforce sufficiently.[15] If the case is particularly urgent, the person concerned must, furthermore, be granted urgent legal protection.[16]
Materially, legal protection pursued by the plaintiff must be accessible on both a primary and secondary level. On a primary level, the affected party must be able to avert the interference itself. This includes putting an end to it for the time being and the future as well as legally establishing its unlawfulness.[17] On a secondary level, the end-user must be able to also demand sufficient compensation for any consequences of the interference.
It is disputed, whether and to what extent also preventive legal protection must be regarded part of an effective judicial remedy to the end-user. Generally, this is advocated in the case of particularly serious violations of end-user’s rights that cannot be prevented in any other way.[18] However, this cannot be inferred directly from either Art. 79 GDPR or Art. 21 Sec. 1 ePrivacy Regulation. At first sight, the wording’s focus (“in relation to any infringement of rights”) rather seems to solely apply to already committed violations. Neither does a broad understanding of the wording “any” infringement help, since it only contains the explicit reference to all of the privacy violations regulated under Art. 5 et seq. ePrivacy Regulation. Nor does it follow from this that preventive legal protection is categorically excluded from the Regulation. Particularly the legislative history cited in this context, according to which the Union legislator omitted the reference still contained in Art. 76 Sec. 5 of the draft GDPR in the final version, does not speak against but rather in favor of its inclusion.[19] Systematic congruence with regard to the uniformity of remedies intended under Rec. 9 and 10 GDPR and their application in the territory of the Member States is only conceivable, if the legislator saw it adequately covered by Art. 79 Sec. 1 GDPR already.[20] Thus, the wording “without prejudice to any available non-judicial remedy” does not exclude preventive legal protection either, since such protection is already covered by “judicial remedies” under Art. 79 Sec. 1 GDPR.[21] This becomes clear from the fact that a corresponding wording in Art. 21 Sec. 1 ePrivacy Regulation has been omitted, after all. Accordingly, Art. 79 Sec. 1 GDPR never had a materially restrictive content, but rather aimed at a mere clarification of the coexistence of all legal remedies. Art. 21 ePrivacy Regulation underlines this fact in course of the wording “without prejudice to any other administrative or judicial remedy”. Conclusions in the opposite direction are, thus, (without inexplicable inconsistencies) no longer possible.
[12] Mundil, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 79 Rec. 10, with reference to CJEU, judgement of 3 December 1992, C-97/91 – Borelli/Commission; see also the CJEU’s landmark decision of 6 October 2015, C-362/14 – Schrems, Rec. 95.
[13] Jarass, in: Charta der Grundrechte der EU (2021), Rec. 22.
[14] Martini, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 79 Rec. 16.
[15] Mundil, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 79 Rec. 10.
[16] CJEU, judgement of 19 June 1990, C-213/89 – The Queen/Secretary of State for Transport, Rec. 21.
[17] Martini, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 79 Rec. 17.
[18] Mundil, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 79 Rec. 11; Martini, ibid., Rec. 17.
[19] Contrary opinion: Kreße, in: Sydow, Europäische Datenschutzgrundverordnung (2018), Art. 79 Rec. 30; Mantz, ZD 2014, 62 (65).
[20] Martini, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 79 Rec. 17.
[21] Contrary opinion held, again, by Kreße, in: Sydow, Europäische Datenschutzgrundverordnung (2018), Art. 79 Rec. 30.
2. Remedy against infringements of privacy-rights, Art. 21 Sec. 1 Var. 1
Art. 21 Sec. 1 Var. 1 ePrivacy Regulation pertains to remedial actions against privacy-infringements. The right is directed against any infringer and must, in this respect, be distinguished from Var. 3, which only concerns subsequent acts of the authority. Hence, it is possible to speak of a triangle of parties between the end user, the infringer and the authority.
a) Holder of the remedy
In principle, Art. 21 Sec. 1 ePrivacy Regulation grants the effective judicial remedy against infringements of privacy-rights to “every end-user”. As opposed to Art. 79 Sec. 1 GDPR[22], this includes both natural and legal persons. The latter may additionally represent the former pursuant to Art. 80 Sec. 1 GDPR, insofar as these are approved non-profit organizations pursuant to the law of their Member State.[23] However, contrary to the conceivable broadness of the wording “in relation to any infringement of rights under this Regulation”, only the data subjects are covered by the provision, whereas a purely interested party action is excluded from the outset.[24] This is illustrated by a comparison with Art. 79 Sec. 1 GDPR, which states in a restrictive manner that a judicial remedy is only possible “where he or she considers that his or her rights under this Regulation have been infringed”. It is also underlined by the German language version of the GDPR, which speaks solely of the “betroffene Person”, i.e. “affected person”.
A certain opening of this principle is provided for by Art. 21 Sec. 2 ePrivacy Regulation, pursuant to which third-parties also have the right to bring legal proceedings in respect of privacy-infringements. Such persons do not have to be “adversely affected” but only seek to protect their “legitimate business interests”. This refers in particular to cases in which competing market participants, including providers of electronic communications services, attempt to gain a competitive advantage by engaging in or permitting certain illegal conduct by third parties. If, thus, at first glance the framework of adequate legal protection under Art. 21 Sec. 2 ePrivacy Regulation might appear to be unduly overstretched, this in fact is a mere attempt to further intensify privacy protection, insofar as the Member States’ supervisory authorities are not always equipped and able to uncover and prosecute privacy violations. Furthermore, the popular action per se is not alien to Union law, but rather forms the dogmatic basis to all of its actions.[25] Thus, the limited opening to indirectly involved competitors fits well into the structure of legal protection under Union law.
It is a question of the individual case, whether a case of “legitimate business interests” applies. Even in the aforementioned example, not every infringer represents a relevant competitor. What is more, a repetitive and improper usage of the right as a means of intimidation might as well limit the legitimacy of interests. This being said, the bar must not be set too low in order to prevent excessive recourse to national courts. If legal protection is to be granted, further procedural requirements will be governed by the respective Member State’s law.
b) Infringement of rights pursuant to this Regulation
Art. 21 Sec. 1 Var. 1 ePrivacy Regulation concerns any infringement of rights under this Regulation. Namely, these include the rights under Chapter II and III, i.e. the interference with an end-user’s privacy in terms of their communication secrecy and the collection and processing of respective data (Arts. 5 to 7 ePrivacy Regulation), access to end-users’ terminal equipment (Art. 8 ePrivacy Regulation), as well as the provisions on communication behavior itself, i.e. the prevention of abusive communication and the publication of contact addresses (Arts. 12 to 16 ePrivacy Regulation). As was already the case under the GDPR, this only covers subjective rights, as the ePrivacy Regulation equally follows the principle of individual legal protection.[26] Contrary to the GDPR, however, there is no problem with regard to the scope of these rights, since clearly only those listed in Chapters II and III can be covered and a chapter corresponding to the GDPR headed “rights of the data subject” is not included in the ePrivacy Regulation.
In view of the infringement of such rights, a distinction must be made between three levels: (i) the assertion of an infringement pursuant to the stipulations under this Regulation, (ii) the prerequisites of sufficient substantiation, giving eventually rise to a corresponding right under Art. 21 Sec. 1 Var. 1 ePrivacy Regulation and (iii) the actual presence of an infringement. The allegation of an infringement, which is regularly made towards the infringer or directly towards the court in accordance with the procedural rules of each Member State, initially establishes a corresponding legal relationship between the parties. In the following, this is the basis for an examination of the admissibility of the action by the seized court. The claim must be sufficiently substantiated, which regularly also determines the further prospects of an action’s success. The right to effective legal protection only comes into being, if the reasons given by the aggrieved party actually show a corresponding infringement of the aforementioned provisions. Thus, Art. 21 Sec. 1 ePrivacy Regulation essentially coincides with Member States’ provisions on the end-user’s standing, which are likely to differ accordingly. It is important to note that the provision itself does not, however, define these requirements, but rather opens up their applicability in individual cases from the outset. Art. 21 Sec. 1 Var. 1 ePrivacy Regulation is located upstream of the admissibility of a lawsuit as an inherent part of legal protection in the Member States. Under the aforementioned coincidence, consequently, no higher requirements can be imposed by the opening than by the admissibility itself. Rather, only certain basic requirements may be assumed under Art. 21 Sec. 1 Var. 1 ePrivacy Regulation.
This said, even if the wording of the provision merely requires the person concerned to “consider” his rights to be infringed, a mere subjective feeling is not sufficient in this respect.[27] Rather, the end user must present sufficient facts, from which a corresponding infringement is at least (objectively) possible. Art. 47 CFR specifies in this sense that the holder of a fundamental right must plausibly assert a violation of rights and freedoms.[28] Otherwise, Art. 21 Sec. 1 ePrivacy Regulation does not secure legal recourse normatively, since this would collide with national admissibility requirements safeguarded under Rec. 143 S. 7 GDPR: The provision ultimately serves as a mere guarantee of the existence of sufficient judicial remedies, but is not intended to flesh them out in detail.
c) Jurisdiction, Art. 21 Sec. 2 ePrivacy Regulation in conjunction with Art. 79 Sec. 2 GDPR
According to Art. 79 Sec. 2 S. 1 GDPR, which applies according to the reference in Art. 21 Sec. 2 ePrivacy Regulation, proceedings against the infringing party shall be brought before the courts of the Member State where the controller or processor has an establishment (cf. Rec. 145 GDPR). “Establishment” is referred to under Union law as any place, where an economic entity carries out its activity by means of a fixed establishment for an indefinite period of time.[29] This understanding is also supported by Rec. 22 S. 2 GDPR, expressing that an establishment “implies the effective and real exercise of activity through stable arrangements”, whereby its legal form is irrelevant. It does not matter, if it functions through a branch or a subsidiary with a legal personality. Accordingly, in the case of several establishments, the end-user is also free to choose the place of their proceedings based on any one of these.[30] As Art. 79 Sec. 2 S. 2 GDPR states, they can alternatively even choose their own habitual residence, unless the party opposed is a public authority of a Member State acting in the exercise of its public powers.
[22] For many, see Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 79 Rec. 9.
[23] See No. IV.1.a).
[24] In view of Art. 79 GDPR, see Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 79 Rec. 10.
[25] Mundil, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 78 Rec. 10.
[26] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 79 Rec. 7; Martini, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 79 Rec. 22; Mundil, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 79 Rec. 11.
[27] Martini, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 79 Rec. 18.
[28] Kreße, in: Sydow, Europäische Datenschutzgrundverordnung (2018), Art. 79 Rec. 20 et seqq.
[29] CJEU, judgement of 25 July 1991, C-221/89 – Factortame.
[30] Martini, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 79 Rec. 25.
3. Remedy against the decision of a supervisory authority, Art. 21 Sec. 1 Var. 3
According to Art. 21 Sec. 1 Var. 3 ePrivacy Regulation every end-user shall have the right to an effective judicial remedy against any legally binding decision of a supervisory authority concerning them. Thus, the European legislator clarifies that it considers an effective judicial control of supervisory authorities necessary.[31] This, not least, follows from the comprehensive amount of investigative and corrective powers, which authorities, moreover, can perform in complete independence.[32] In order to prevent a decoupling of practical effects, necessity and proportionality, as well as the development of a momentum of its own between national and European supervisory authorities, the judicial remedy fulfills an important function on the part of the affected party. At the same time, it is necessary to implement the fundamental right to an effective legal remedy pursuant to Art. 47 CFR.[33]
With regard to certain specifics of this remedy, as well as corresponding case law, Art. 21 Sec. 2 ePrivacy Regulation refers to Art. 78 GDPR, which, accordingly, applies mutatis mutandis. In that, it should be noted that neither Art. 21 Sec. 1 ePrivacy Regulation, nor Art. 78 GDPR concerns the procedural requirements and modalities of exercising the right itself. These are exclusively determined by the legal systems of the Member States.[34] Rather, both provisions merely open up the access to a legal remedy under national legal systems and are, consequently, located systematically prior to it.[35] Thus, they must not be confused with the plaintiff’s standing required under national law, even if they are largely identical in content.[36] To what extent material conflicts (as regards both the dogmatic classification and respective requirements) can, hence, be resolved by way of a recourse to national procedural stipulations, has not yet been clarified.[37] However, overlaps should be checked for their compatibility with Union law in any case prior to an application. That includes, in addition to the requirements under Art. 21 ePrivacy Regulation in conjunction with Art. 78 Sec. 1 GDPR, the principles of effectiveness and equivalence.[38] Should higher requirements by national legal systems in individual cases lead to unequal treatment of national and Union matters or impair the effectiveness of legal protection as laid down in Union law under Art. 47 CFR and 263 Sec. 4 TFEU, a correction in the sense of an interpretation in conformity with Union law will be necessary. This can fail solely due to the boundary of the wording, which is to be compensated, consequently, by a direct application of Art. 21 ePrivacy Regulation in conjunction with Art. 78 Sec. 1 GDPR.[39]
a) Holder of the remedy
Pursuant to Art. 21 Sec. 1 Var. 3 ePrivacy Regulation, the right to an effective judicial remedy against any legally binding decision of a supervisory authority is granted to the end-user concerned by it. Contrary to Var. 1 and 2, it is, thus, clear from the wording that an action based on the pure interest of a third party is not possible. As explained above, however, no reverse conclusion can be drawn from this.[40] In order to make use of its right, the person concerned must only assert that there is a legally binding decision in place against them, i.e. that they are addressee of an adverse decision, which produces legal effects concerning that person.[41]
In this context, the “normal” case of a decision will affect a single person alone.[42] However, there may be cases in which investigative or corrective measures have indirect third-party effects, for example, if a general restriction on the use of cookies pursuant to Art. 18 Sec. 1ab ePrivacy Regulation in conjunction with Art. 58 Sec. 2 lit. f GDPR also affects the business of a third-party cookie-user. It is questionable, if, and to what extent such a decision “concerns” them. In principle the existence of third-party effects and a respective action is well known to the law of the Union.[43] Art. 263 TFEU explicitly provides for the latter. According to this, a third party must be concerned both directly and individually (unlike, e.g., German law, which under its § 42 Sec. 2 VwGO requires more restrictively a subjective right).[44] This is also followed up on by Rec. 143 S. 3 GDPR, which requires decisions of the EDPB to be of direct and individual concern to the complainant. Rec. 143 S. 4 GDPR, yet, seems to raise the bar, according to which “without prejudice” to the aforementioned right vis-à-vis the EDPB, an effective judicial remedy is given, if a legally binding decision of a supervisory authority produces “legal effects concerning that person”. In view of the identical wording in Art. 78 Sec. 1 GDPR, to which Art. 21 Sec. 2 ePrivacy Regulation refers, it, nevertheless, seems appropriate to include this interpretation under Art. 21 Sec. 1 ePrivacy Regulation. Accordingly, a decision “concerns” the third party insofar as it has legal effects towards it. This means, it is not sufficient for the third party to be affected in a factual manner, but there must be a direct and individual effect on its legal interests – even though not necessarily intended by the authority.[45]
The right is due to both natural and legal persons.[46] Additionally, legal persons may represent natural persons pursuant to the requirements of Art. 21 Sec. 2 ePrivacy Regulation in conjunction with Art. 80 Sec. 1 GDPR.[47] The systematic wording of Art. 21 Sec. 1 ePrivacy Regulation poses a problem, pursuant to which “every end-user shall have the right […] to an effective judicial remedy against any legally binding decision of a supervisory authority”. Since end-users, under the definition by Art. 4 Sec. 1 lit. b ePrivacy Regulation in conjunction with Art. 2 No. 14 EECC, are any user not providing communications networks or services, a significant amount of possible addressees of respective authority-measures would be excluded. Since this is not in the interest of the legislator, seeking to implement a comprehensive scope of protection (cf. Rec. 6 ePrivacy Regulation), the latter group must be included by way of a teleological extension accordingly.
b) Legally binding decision of a supervisory authority
A remedy pursuant to Art. 21 Sec. 1 Var. 3 ePrivacy Regulation must be directed against legally binding decisions of a supervisory authority. Rec. 143 S. 5 GDPR specifies that such decisions concern in particular the exercise of investigative or corrective powers, which are assigned to the authorities pursuant to Art. 18 Sec. 1ab ePrivacy Regulation and particularly include the imposition of fines. It follows from this, that legal remedies only pertain to administrative, i.e. executive, measures, which are issued to regulate an individual case in the field of public law and intend to unfold external legal effects.[48] Not included, thus, are merely factual measures, which are not aimed at a legal result, or as Rec. 143 Sec. 6 GDPR puts it, are not legally binding (as for instance opinions, advice, warnings or recommendations).[49] However, this does not create a remedial gap insofar as Art. 21 Sec. 1 Var. 3 ePrivacy Regulation is granted “without prejudice” to other judicial remedies and as the laws of the Member States grant legal protection against respective sovereign acts, as well.
Actually, unregulated by Art. 21 Sec. 1 Var. 3 ePrivacy Regulation, however, is the case of a mere inaction by the authority, which can be equally onerous and, therefore, requires respective legal protection. Here, Art. 21 Sec. 2 ePrivacy Regulation in conjunction with Art. 78 Sec. 2 GDPR intervenes, which provides for a corresponding legal remedy within a period of three months after a complaint pursuant to Art. 21 Sec. 1 Var. 2 ePrivacy Regulation in conjunction with Art. 77 GDPR. Conceivable further constellations of a requested but unperformed administrative action find remedial protection to the extent they are, as well, provided for by national legislation.[50]
c) Jurisdiction, Art. 21 Sec. 2 ePrivacy Regulation in conjunction with Art. 78 Sec. 3 GDPR
The place of legal action is not regulated by the ePrivacy Regulation itself, but only by reference pursuant to Art. 21 Sec. 2 ePrivacy Regulation in conjunction with Art. 78 Sec. 3 GDPR. Accordingly, proceedings shall be brought before the court of the Member State in which the authority issuing the decision is established. This precludes actions against foreign supervisory authorities in domestic courts. There is also no exception applying in the case that a cross-border matter is processed by several European authorities simultaneously: the only decisive factor remains, which authority ultimately issues the decision, so that an action must in any case be brought at its establishment.[51] This serves to prevent divergent legal decisions in the event of possible appeals to several Member State courts and facilitates the determination of jurisdiction.[52] Withal, which Member State court specifically handles the action, must be determined pursuant to its own respective procedural law, as Rec. 143 S. 7 GDPR stipulates.[53]
[31] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 78 Rec. 2; Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 78 Rec. 1.
[32] See Art. 18 No. II.2. and III.
[33] With regard to Art. 78 Sec. 1 GDPR cf. Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 78 Recs. 1, 5; Moos/Schefzig, ibid.; Körffer, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 78 Rec. 1; Pötters/Werkmeister, in: Gola, Datenschutz-Grundverordnung (2018), Art. 78 Rec. 1.
[34] Cf. Rec. 143 S. 7 GDPR.
[35] See also already under No. II.2.b).
[36] Yet, in this respect Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 78 Rec. 5 and, in essence, Körffer, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 78 Rec. 6.
[37] Mundil, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 78 Rec. 10.
[38] See only CJEU, judgement of 24 October 2018, C-234/17 – XC/Generalprokurator, Recs. 22 et seqq.
[39] Mundil, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 78 Rec. 12.
[40] Concerning the right holder under Art. 21 Sec. 1 Var. 1 and 2 ePrivacy Regulation see No. II.2.a) and No. III.1.
[41] Rec. 143 S. 4 GDPR; details on this prerequisite under No. II.3.b).
[42] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 78 Rec. 8.
[43] For details see Mundil, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 78 Rec. 10, referring to the third-party effects of Directives (as established under CJEU, judgement of 7 January 2004, C-201/02 – Wells) and the explicit implementation of a third-party action within Art. 263 TFEU.
[44] Mundil, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 78 Rec. 10.
[45] Mundil, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 78 Rec. 10.
[46] See Art. 1 Sec. 1a ePrivacy Regulation.
[48] Definition by § 35 S. 1 German Administrative Procedure Act (VwVfG); see also Körffer, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 78 Rec. 3; Pötters/Werkmeister, in: Gola, Datenschutz-Grundverordnung (2018), Art. 78 Rec. 3; Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 78 Rec. 6.
[49] In German law these are called “schlicht hoheitliches Handeln”, i.e. “de facto sovereign acts”.
[50] For German law, see Körffer, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 78 Rec. 4.
[51] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 78 Rec. 16; Körffer, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 78 Rec. 14.
[52] Körffer, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 78 Rec. 15.
[53] Regarding the subject matter and local jurisdiction under German law, see Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 78 Recs. 14 et seqq.
III. Right to lodge a complaint, Art. 21 Sec. 1 Var. 2
The right to lodge a complaint serves the effective protection of persons concerned by possible privacy infringements. It provides the opportunity to challenge violations of end-users’ rights under the ePrivacy Regulation, namely those pursuant to Chapters II and III. While some scholars regard this right as essentially equivalent to a right of petition, as provided by some national constitutions (e.g. Art. 17 German Constitution),[54] others argue that it represents a stronger right, to the extent that it provides for a “genuine legal remedy”.[55] In any case, persons concerned are able to address supervisory authorities without being subject to further formal requirements in the course of specific administrative, appellate or judicial proceedings.[56] In view of the simplified access to legal protection, as well as the possibility of resorting to the supervisory bodies’ authority and capacity, the right to complain is, therefore, probably the most important legal remedy. This is particularly true given that independent investigation and presentation of evidence by end-users themselves is sometimes difficult.
The right of appeal does not conflict with the ex officio investigation duties pursuant to Art. 18 Sec. 1ab Alt. 1 ePrivacy Regulation. These can be carried out both before and after a case has been examined, irrespective of any complaints. Consequently, the complaint of a person who is not affected or entitled to complain may also lead to an independent review, but in this case there is no entitlement to have it carried out. Instead, the authority acts at its own discretion.
[54] Pötters/Werkmeister, in: Gola, Datenschutz-Grundverordnung (2018), Art. 77 Rec. 2.
[55] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 77 Rec. 2.
[56] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 77 Rec. 2.
1. Holder of the right to lodge a complaint
The right to lodge a complaint with a supervisory authority is granted to “every end-user […] in relation to any infringement of rights under this Regulation”. This shows that not just any person can approach the authority with a corresponding request; rather, this depends on a sufficiently substantiated allegation of infringement.[57] The German version of the corresponding provision under Art. 77 Sec. 1 GDPR conveys this quite well, speaking only of the “betroffene Person”, i.e. the person concerned. It corresponds to the character of a subjective public right, which arises solely from an impairment of one’s own protected interests and cannot be asserted by third parties without a specific mandate. However, notices from other persons are not completely excluded; they merely do not give rise to a claim for examination against the authority. Accordingly, it is up to the authority itself whether it investigates the allegation or not. This principle is set aside, by way of exception, only if national provisions so provide in accordance with Art. 21 Sec. 1a ePrivacy Regulation in conjunction with Art. 80 Sec. 2 GDPR. In this case, the right of complaint is available to any person if he or she considers the rights of another person to be infringed.
According to Art. 1 Sec. 1a ePrivacy Regulation, end-users may be natural or legal persons. Thus, the existing restriction to the former under Art. 77 Sec. 1 GDPR is considerably extended. In addition, according to Art. 21 Sec. 1a ePrivacy Regulation in conjunction with Art. 80 Sec. 1 GDPR, end-users may mandate legal persons to exercise their right on their behalf.[58] Such entities need to meet specific requirements, so that not every legal person comes into consideration, but only those being “properly constituted in accordance with the law of a Member State, having statutory objectives which are in the public interest, and [are] active in the [respective] field of protection”.[59]
[57] Körffer, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 77 Rec. 2; Pötters/Werkmeister, in: Gola, Datenschutz-Grundverordnung (2018), Art. 77 Rec. 10; also see below under No. III.2.
[59] Details under No. IV.1.a).
2. Infringement of rights under this Regulation
The person concerned must provide a substantiated conjecture on a supposed infringement of rights under the ePrivacy Regulation, i.e. its Chapters II and III. Contrary to the wording of Art. 21 Sec. 1 ePrivacy Regulation (“in relation to any infringement of rights”), it is, therefore, not necessary to prove an actual infringement.[60] This is also suggested by the corresponding wording under Art. 77 Sec. 1 GDPR, according to which the data subject only needs to “consider” that a data breach has occurred against them. With regard to the question of whether the allegation must refer to an infringement that has occurred or to a future one, the boundaries are fluid and must, hence, be assessed on a case-by-case basis. Bergt, for example, implies that an announced change in a contracting party’s general terms and conditions suffices, which, however, requires a sufficiently close relationship in advance.[61] Conversely, according to Moos/Schefzig, it is not adequate that the end-user merely intends to use a certain service and, subsequently, fears a violation of their privacy.[62] In view of both the ePrivacy Regulation’s express intent to promote the free movement of electronic data and communications pursuant to Art. 1 Sec. 2 ePrivacy Regulation and the considerable impact of an administrative review and measure, as well as, finally, the substantiated concern of overstretching the authorities, too great an expansion cannot be advocated, after all. It must, rather, be assumed that the already very broad and low-threshold remedy of a complaint must, in principle, refer to an infringement that has occurred, given the other formal requirements of substantiation (see below). Only in exceptional cases should this principle be dispensed with, if there are sufficient other qualitative reasons which indicate an imminent and quasi-inevitable infringement of the rights of the end-user. These can, for example, be an aforementioned contractual relationship or a repeated pattern of encroachment in comparable cases.
Requirements on the quality of substantiation must, however, not be set too high, in order not to undermine the fundamental rights pursuant to Arts. 47 S. 1; 8 Sec. 3 CFR, on the one hand, and to align with the purpose of Art. 21 Sec. 1 Var. 2 ePrivacy Regulation to facilitate an easy and unbureaucratic management of privacy rights, on the other hand.[63] Thus, the end-user only needs to present the facts necessary to allow the supervisory authority concerned to take up, investigate and legally assess the complaint.[64] If these are not provided in the individual case, this, however, only leads to a further duty of investigation on the part of the authority, which in this case is directed at the person concerned. The authority should then demand the respective substantiation.[65] Finally, an investigation is only excluded if, in view of the information provided, there is obviously no infringement.[66] Excessive enforcement is also sometimes considered a reason for exclusion from an evaluative point of view.[67]
[60] Unanimous opinion under Art. 77 Sec. 1 GDPR, cf. Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 77 Rec. 5; Körffer, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 77 Rec. 3; Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 77 Rec. 8; Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 77 Rec. 10.
[61] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 77 Rec. 10.
[62] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 77 Rec. 5.
[63] Körffer, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 77 Rec. 3.
[64] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 77 Rec. 10.
[65] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 77 Rec. 8.
[66] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 77 Rec. 7.
[67] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 77 Rec. 5; however, Art. 57 Sec. 4 GDPR indicates that the excessive submission of complaints may instead merely render them chargeable.
3. Stipulations pursuant to Art. 77 GDPR
Art. 21 Sec. 1 Var. 2 ePrivacy Regulation is to be read in conjunction with Art. 77 GDPR, which is explicitly referred to under Art. 21 Sec. 2 ePrivacy Regulation. Insofar as its requirements are already contained in Art. 21 Sec. 1 ePrivacy Regulation, they are replaced by the latter. This applies in particular to the requirements regarding the end-user (there: data subject) and the alleged infringement. In all other respects, the remaining provisions apply mutatis mutandis.
a) Formal requirements and time limit of the complaint
The complaint can be lodged without compliance with a specific form or time limit.[68] Accordingly, the complaint can be submitted either orally or in writing, as well as by e-mail. Supervisory authorities are required to take measures facilitating the submission, for instance by providing an electronic complaint form (cf. Art. 57 Sec. 2 GDPR).[69] Recital 141 GDPR, however, clarifies that this must not lead to an exclusion of other ways of submission. Nor does the complainant have to cite a specific provision which, in his or her assessment, might be infringed, since such an obligation would collide with the authority’s aforementioned ex officio duty of legal investigation (see above under No. III.2.). Rather, a mere description of the underlying facts suffices. What is more, even an anonymous complaint is, in principle, admissible.[70] An obligation to indicate the complainant’s name only exists to the extent that this is necessary for assessing their eligibility for the remedy.[71]
b) Competent authority and location of the complaint
Pursuant to Art. 21 Sec. 1 Var. 2 ePrivacy Regulation, the complainant can lodge a complaint with “a supervisory authority”.
aa) Competent authority
Art. 21 Sec. 1 Var. 2 ePrivacy Regulation refers to the supervisory authority as established under Art. 18 Sec. 0 ePrivacy Regulation.[72] Consequently, the complainant may only address an authority responsible for monitoring the application of this regulation.
bb) Local jurisdiction
With regard to local jurisdiction, the complainant may address any supervisory authority of his or her choice.[73] This follows from the wording of Art. 77 Sec. 1 GDPR, which mentions only “in particular”, i.e. by way of example, the authority in the Member State of his or her habitual residence, place of work or place of the alleged infringement. Consequently, any other European supervisory authority pursuant to Art. 18 Sec. 0 ePrivacy Regulation may theoretically be considered as well, although this is probably not advisable for purely practical reasons. In any case, according to Art. 4 No. 22 lit. c GDPR, the submission of a complaint establishes the competence of the chosen authority. That authority, however, is then the only one to investigate the case, so that the complainant cannot choose other authorities as well.[74]
c) Handling of the complaint by the supervisory authority
The right to complain does not establish a right to the actual adoption of a specific measure by the supervisory authority. This follows, by converse inference, from Art. 57 Sec. 1 lit. f GDPR, pursuant to which the latter shall only handle complaints and investigate to the extent appropriate. In doing so, it must exercise due discretion, which is subject to appropriate judicial review for discretionary errors. In addition, the authority shall inform the complainant of the progress and the outcome of the investigation within a reasonable period of time. This period may be extended if further investigations or coordination with another supervisory authority are necessary. Indeed, there is no binding processing period.[75] However, according to Art. 21 Sec. 1a ePrivacy Regulation in conjunction with Art. 78 Sec. 2 GDPR, a data subject may take legal action against a supervisory authority if the latter has not dealt with a complaint or has not informed the data subject of the status or outcome of the complaint within three months. Pursuant to Art. 78 Sec. 3 GDPR, the courts in the jurisdiction where the supervisory authority is established are generally competent. The specific court must be determined pursuant to Member State law (cf. Rec. 143 S. 7 GDPR).
The purpose of each investigation is, ultimately, either to refute the allegation or to redress the infringement or impose penalties and fines in accordance with the powers granted by Art. 18 Sec. 1ab; 23 et seq. ePrivacy Regulation. This gives the right of appeal its unique knock-on effect and provides correspondingly effective legal protection.
d) Gratuitousness of the complaint
According to Art. 57 Sec. 3 GDPR, the performance of the tasks by any supervisory authority is free of charge for the end-user. This includes the submission of complaints pursuant to Art. 21 Sec. 1a ePrivacy Regulation in conjunction with Art. 77 Sec. 1 GDPR. Exceptions are made, however, pursuant to Art. 57 Sec. 4 S. 1 Alt. 1 GDPR, whenever complaints are “manifestly unfounded or excessive”, particularly because of their repetitive character. Conversely, the infringer may be subject to charges for the investigation by the supervisory authority initiated as a result of the complaint, if this is provided for by national law.[76]
[68] von Lewinski, in: Auernhammer, DSGVO BDSG (2020), Art. 77 Rec. 5; Becker, in: Plath, DSGVO/BDSG (2018), Art. 77 Rec. 4; as regards the derivation of the absence of a time limit, see Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 77 Rec. 12.
[69] Körffer, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 77 Rec. 3.
[70] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 77 Rec. 13.
[71] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 77 Rec. 12.
[72] Cf. Art. 18 No. I.
[73] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 77 Rec. 9.
[74] Rec. 141 S. 1 GDPR.
[75] Pötters/Werkmeister, in: Gola, Datenschutz-Grundverordnung (2018), Art. 77 Rec. 8.
[76] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 77 Rec. 15.
IV. Representation of data subjects, Art. 80 GDPR
Art. 21 Sec. 1a ePrivacy Regulation in conjunction with Art. 80 Sec. 1 GDPR allows legal persons to pursue the legal remedies provided under Art. 21 Sec. 1 ePrivacy Regulation on behalf of the end-user. Art. 80 Sec. 2 GDPR stipulates that legal persons may even make use of these rights independently, if this option is provided for by Member State law. Thus, a collective element is added to the framework of legal protection under the ePrivacy Regulation. It aims both to achieve a more effective use of remedies and to enhance compliance with the Regulation’s stipulations.[77] It follows from the consideration that cases may entail complex legal assessments and that the exercise of individual rights may sometimes involve a significant cost risk.[78] In order to nonetheless ensure that executive, i.e. administrative, prosecution is complemented as necessary by private legal action, such action may, hence, be passed on to more competent and better equipped collective organizations. At the same time, action against privacy intrusions is concentrated in the representing institutions and, thus, made more effective.[79]
[77] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 80 Rec. 1 et seq.
[78] Becker, in: Plath, DSGVO BDSG (2018), Art. 80 Rec. 1; Spindler, ZD 2016, 114 (115).
[79] Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 80 Rec. 1.
1. Mandating collective organizations, Art. 80 Sec. 1 GDPR
Pursuant to Art. 80 Sec. 1 GDPR, a concerned end-user, whether a natural or a legal person, has the right to mandate a non-profit body, organization or association (NPO) to exercise the right to lodge a complaint with a supervisory authority (Art. 21 Secs. 1 Var. 2; 1a ePrivacy Regulation in conjunction with Art. 77 GDPR). Such institutions may also represent the person concerned in bringing legal proceedings against the infringer (Art. 21 Secs. 1 Var. 1; 1a ePrivacy Regulation in conjunction with Art. 78 GDPR) or against a legally binding decision of a supervisory authority (Art. 21 Secs. 1 Var. 3; 1a ePrivacy Regulation in conjunction with Art. 79 GDPR). In contrast to Art. 80 Sec. 2 GDPR, the data subject must provide an explicit mandate for that purpose. The organization will then pursue its activities “on behalf” of the end-user. This does not alter the fact that the remedies under Arts. 77-79 GDPR are still individual legal remedies. Art. 80 Sec. 1 GDPR merely facilitates their exercise through an option of representation.[80] Consequently, the basic requirement of a right to a judicial or administrative remedy pursuant to Art. 21 Sec. 1 ePrivacy Regulation remains in place under Art. 80 Sec. 1 GDPR. The right to receive compensation pursuant to Art. 82 GDPR, however, is excluded from this option, since the referral under Art. 21 Sec. 1a ePrivacy Regulation only pertains to remedies provided under its Sec. 1.
a) Requirements regarding the organization
Bodies, organizations or associations, mandated pursuant to Art. 80 Sec. 1 GDPR, must meet four requirements: (i) they must be non-profit, (ii) properly constituted in accordance with the law of a Member State, (iii) pursue objectives, which are in the public interest and (iv) must be active in the field of data and privacy protection.
An organization has a non-profit orientation if it does not expect any direct or indirect economic benefit which exceeds its costs.[81] Compensation for expenses and reimbursement of out-of-pocket expenses alone do not conflict with this.[82] Rather, these are common and necessary in a functioning non-profit enterprise. By contrast, commercially operating legal service providers, foundations and similar organizations that assert class actions, as well as so-called “warning associations”, are, therefore, not authorized representatives.[83] Overall, this requirement serves to counteract a “commercial claim culture” in the area of data and privacy protection.[84]
Mandated organizations must be properly constituted in accordance with the law of a Member State. Since the enumeration under Art. 80 Sec. 1 GDPR must be read as an attempt to clarify the comprehensive inclusion of conceivable institutions, any corporate form generally suffices. This includes both private and public bodies.[85] Natural persons, however, are excluded from the range of possible representatives.[86]
The organizations must, furthermore, pursue statutory objectives in the public interest. This means, on the one hand, that the organization must have a corresponding statute whose rules and objectives can be subject to review.[87] It follows from the wording that it does not have to be a statute in the formal sense, but rather any form of bindingly defined objectives.[88] On the other hand, such an organization must aim at the public interest. Whether this is the case must be examined in each individual case. Thus, it will regularly not suffice if only part of the organization works toward the public welfare while other parts work, e.g., primarily for profit.[89] Rather, the entire body must be structurally set up to pursue the public interest. The term public interest must be understood in the sense of public welfare, as opposed to individual welfare. What specifically defines public welfare and which activities properly align with it is specified neither in the GDPR nor in the ePrivacy Regulation. In view of the specification under Art. 80 Sec. 1 GDPR, however, it must always concern the protection of end-users’ rights and freedoms with regard to the protection of their personal data and, more specifically in the context of the ePrivacy Regulation, end-users’ privacy.
Against that background, data and privacy protection must make up at least one of the organization’s fields of activity, yet not necessarily the only one.[90] It follows that Art. 80 Sec. 1 GDPR includes organizations from various fields of activity, for instance general consumer protection associations, even if the enforcement of data protection or privacy rights is only a subordinate part of their activities.[91] Applied consistently, this also includes, e.g., trade unions, social associations and sector-specific interest groups, professional associations of data protection officers, political parties and citizens’ initiatives.[92]
b) Mandating
Pursuant to Art. 80 Sec. 1 GDPR, the data subject may mandate a collective organization to exercise the rights referred to in Arts. 77 – 79 GDPR, i.e. the right to an effective judicial remedy against an infringement of privacy rights or a legally binding decision of a supervisory authority, as well as the right to lodge a complaint with a supervisory authority pursuant to Art. 21 Sec. 1 ePrivacy Regulation, on his or her behalf. This clarifies that, in contrast to Art. 80 Sec. 2 GDPR, the relevant rights are not asserted in the organization’s own name or even as their own right, but rather in the name of the represented party.[93]
In accordance with the relevant national legal bases, the mandate to exercise the respective rights establishes a contractual relationship between the end-user and the organization, giving rise to mutual rights and obligations.[94] In German law, this means, for instance, that the organization concerned must always comply with the end-user’s instructions and inform them about the status of the proceedings.[95] Since, after all, the organization acts on behalf of the end-user, the law here stipulates that the end-user must be able to decide both whether and in what form the proceedings continue.
As regards the form of the mandate, Art. 80 Sec. 1 GDPR stipulates no specific prerequisites.[96] Consequently, the mandate can be given either orally or in writing and does not have to meet special material requirements. Yet national procedural law may contain regulations which stipulate specific evidence requirements for the existence of a mandate.[97] Insofar as neither the GDPR nor the ePrivacy Regulation makes its own stipulations, these continue to apply and must be observed in order to exercise the mandate effectively. In addition, the scope of the right should be clearly designated and, if applicable, the manner of its exercise should be sufficiently outlined with regard to the needs of the end-user.
[80] Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 80 Rec. 8.
[81] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 80 Rec. 6.
[82] Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 80 Rec. 6.
[83] Karg, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 80 Rec. 11.
[84] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 80 Rec. 8, with reference to the GDPR’s trilogue-proceedings, which had initially included this requirement to the text (5419/1/16 REV 1 ADD 1, 31).
[85] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 80 Rec. 5.
[86] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 80 Rec. 7.
[87] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 80 Rec. 8.
[88] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 80 Rec. 8.
[89] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 80 Rec. 8.
[90] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 80 Rec. 10.
[91] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 80 Rec. 9; Kreße, in: Sydow, Europäische Datenschutz-Grundverordnung, Art. 80 Rec. 9.
[92] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 80 Rec. 10.
[93] Werkmeister, in: Gola, Datenschutz-Grundverordnung (2018), Art. 80 Rec. 8.
[94] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 80 Rec. 8.
[95] Cf. § 662 et seqq. German Civil Code (BGB).
[96] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 80 Rec. 9.
[97] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 80 Rec. 9.
2. Abstract complaint and class action, Art. 80 Sec. 2 GDPR
Art. 21 Sec. 1a ePrivacy Regulation in conjunction with Art. 80 Sec. 2 GDPR provides the possibility for Member States to allow any body, organization or association referred to in Art. 80 Sec. 1 GDPR[98] to exercise the rights pursuant to Arts. 77 – 79 GDPR, i.e. the right to an effective judicial remedy against an infringement of privacy rights or a legally binding decision of a supervisory authority, as well as the right to lodge a complaint with a supervisory authority pursuant to Art. 21 Sec. 1 ePrivacy Regulation, independently of a data subject’s, that is, an end-user’s mandate.
A necessary but also sufficient prerequisite for action by the collective body is that there is reason to believe that the rights of an end-user were infringed as a result of processing that is not compliant with the ePrivacy Regulation.[99] Consequently, there is no need for proof that a specific individual right has, in fact, been infringed.[100] It suffices that, given the circumstances and actions of the individual case, an infringement by the alleged infringer could (hypothetically) have occurred.[101] Since, however, any processing which does not comply with the ePrivacy Regulation generally leads to an infringement of the rights of an end-user, the opening clause enables objective monitoring by collective organizations.[102] This corresponds to the function of Art. 21 Secs. 1 Var. 1; 1a ePrivacy Regulation to achieve a high level of protection of personal data in the course of complementary law enforcement via private legal remedies in order to “bypass” potential deficits in investigation and prosecution on the part of public authorities.[103]
Similar to Art. 80 Sec. 1 GDPR, the assertion of a claim for damages is exempted from the provision. Collective organizations are, thus, excluded from asserting a claim for damages in their own name. Here, the collective powers do not go as far as to curtail the compensatory function of damages in favor of a purely deterrent effect. Rather, this continues to be possible only pursuant to a respective mandate by the end-user.[104]
[98] See No. IV.1.a).
[99] Cf. also Rec. 142 GDPR.
[100] CJEU, judgement of 28 April 2022, C-319/20 – Meta/Bundeszentrale Verbraucherverband, Recs. 68 – 73; for details on the preceding debate among scholars as to whether an objective non-compliance with the Regulation sufficed or a possible subjective infringement needed to be given, see Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 80 Rec. 14 et seq.; with regard to the practical issue that, consequently, an organization first needs to become aware of the infringement and, therefore, oftentimes prefers an explicit mandate, see Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 80 Rec. 13.
[101] Cf. CJEU, judgement of 28 April 2022, C-319/20 – Meta/Bundeszentrale Verbraucherverband, Recs. 68 – 73.
[102] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 80 Rec. 22; see also commentary by Monsees/Richter, in: https://www.taylorwessing.com/en/insights-and-events/insights/2022/04/eugh-bestaetigt-klagebefugnis-von-verbraucherschutzverbaenden-datenschutzverstoessenen, last retrieved 29 July 2022.
[103] Cf. CJEU, judgement of 28 April 2022, C-319/20 – Meta/Bundeszentrale Verbraucherverband, Recs. 73 – 75.
[104] Neun/Lubitzsch, BB 2017, 2563 (2565).