Table of Contents:
- AG Norkus Advises that DPAs are Controllers for Complaints and Subject to the Right of Access
- EDPB Publishes New Documents
AG Norkus Advises that DPAs are Controllers for Complaints and Subject to the Right of Access
On 16th April, in Joachim Lindenberg v. Bayerisches Landesamt für Datenschutzaufsicht, AG Norkus advised the CJEU to rule that when DPAs process complaints, they act as data controllers under Article 4(7) GDPR and should comply with the obligations arising from the right of access under Article 15 GDPR.
As to the facts of the case, the applicant in the main proceedings (Mr Lindenberg) is a journalist who publishes on data protection topics. He filed several complaints with the Bavarian DPA. One of the complaints led to an investigation and the finding of data protection violations, as well as to a warning of possible fines, under the GDPR. The Bavarian DPA informed Mr Lindenberg of the outcome, but did not provide him with documentation on the case file, despite the fact that Mr Lindenberg requested access to the documents. It relied on §20(2) of the Bavarian Data Protection Act, according to which there exists no right of access to, or consultation of, the files of data protection supervisory authorities. After Mr Lindenberg challenged the refusal to see the files, the Bavarian DPA disclosed the documents to him, but made it clear that it did so voluntarily, and not as a consequence of a legal obligation. Mr Lindenberg then challenged the DPA’s original refusal of access to documents and, with that, also §20(2) of the Bavarian Data Protection Act.
This challenge resulted in two preliminary ruling questions: i) is a DPA as a supervisory authority a data controller under Article 4(7) GDPR and is it subject to the right of access to one’s data under Article 15 GDPR; and ii) is §20(2) of the Bavarian Data Protection Act incompatible with EU law.
AG Norkus advised the CJEU to rule as follows. On the first question, he opined that Article 4(7) GDPR is phrased broadly and includes a functional definition of a controller, which does not permit an interpretation that excludes DPAs per se from its scope. He noted that when DPAs process an Article 77 GDPR complaint, they process personal data in the sense of Article 4(2) GDPR and decide independently about the means and purposes of the processing of this data. As a result, according to the AG, a DPA has obligations under Article 15 GDPR, but only as far as the processing of the personal data of the requesting person is concerned. Thus, he distinguished between the right of access to one’s data (Article 15 GDPR) and the right of access to documents concerning the complaint (Article 77 GDPR).
As to the second question, AG Norkus noted that the right of access in Article 15 GDPR is not an absolute right and that it could be restricted, e.g. to protect the rights and interests of others, and the independence of (supervisory) authorities and public security (referring to Article 23 GDPR). However, the AG argued that §20(2) of the Bavarian Data Protection Act is not compatible with Article 23 GDPR, because it provides for a general and absolute ban on the right of access to one’s data as contained in the acts of the DPAs, and does not explain what legitimate purposes it pursues. In his opinion, any of the purposes pointed out by him could be achieved via a more balanced approach, i.e. by the possibility for proportionate restrictions on the right of access in Article 15 GDPR, which are clearly regulated in German law.
Editorial note: At the time of writing the above summary, the AG Opinion was not available in English. The summary is based on the German-language version of the Opinion.
EDPB Publishes New Documents
Over the past two weeks, the EDPB released the following documents:
- 04.2026, ‘Guidelines 1/2026 on processing of personal data for scientific research purposes’
- 04.2026, ‘Opinion 15/2026 on the Europrivacy certification criteria regarding their approval by the Board as European Data Protection Seal to be used as tool for transfers pursuant to Articles 42 and 46 GDPR’
- 04.2026, ‘Opinion 14/2026 on the Europrivacy certification criteria regarding their approval by the Board as European Data Protection Seal pursuant to Article 42.5 GDPR’
- 04.2026, ‘EDPB DPIA Template’
- 04.2026, ‘EDPB Annual Report 2025’