{"id":86824,"date":"2026-07-02T16:25:04","date_gmt":"2026-07-02T14:25:04","guid":{"rendered":"https:\/\/www.lexxion.eu\/?post_type=dpi&#038;p=86824"},"modified":"2026-07-02T16:25:17","modified_gmt":"2026-07-02T14:25:17","slug":"data-protection-insider-issue-156","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-156\/","title":{"rendered":"Data Protection Insider, Issue 156"},"content":{"rendered":"<p><strong>Table of Contents:<\/strong><\/p>\n<ol>\n<li><a href=\"#CJEU rules on the possibility for a supervisory authority to reject a complaint also brought before a judicial body\">CJEU rules on the possibility for a supervisory authority to reject a complaint also brought before a judicial body<\/a><\/li>\n<li><a href=\"#CJEU rules on personal data processing in judicial proceedings\">CJEU rules on personal data processing in judicial proceedings<\/a><\/li>\n<li><a href=\"#AG Norkus: Individuals contributing to evaluative judgments are not sources of data\">AG Norkus: Individuals contributing to evaluative judgments are not sources of data<\/a><\/li>\n<li><a href=\"#European Commission proposes upgrades to the Europol and Eurojust Regulations and the data protection rules in the AFSJ in Regulation 2018\/1725\">European Commission proposes upgrades to the Europol and Eurojust Regulations and the data protection rules in the AFSJ in Regulation 2018\/1725<\/a><\/li>\n<li><a href=\"#EDPB releases new documents\">EDPB releases new documents<\/a><\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<p>In the present edition, we discuss two CJEU judgments, and one AG Opinion on different aspects of the GDPR. In addition, we present a list of the newest legislative proposals in the field of data protection and EDPB documents.<\/p>\n<h2 id=\"CJEU rules on the possibility for a supervisory authority to reject a complaint also brought before a judicial body\">CJEU rules on the possibility for a supervisory authority to reject a complaint also brought before a judicial body<\/h2>\n<p><a href=\"#1\">[1]<\/a> On 18th June, the CJEU ruled in the case of <em>Datenschutzbeh\u00f6rde<\/em>. In terms of the facts, the case essentially concerned a physician, who requested from a \u201csearch platform enabling third parties to provide reviews and testimonials on physicians\u2026the erasure of certain personal data concerning her, on the basis of the legal situation prior to the entry into force of the GDPR\u201d. This request was rejected by the platform. Consequently, the physician complained before the civil courts, and to the DPA. The DPA rejected the complaint on the basis that the \u201ccomplaint and the civil action\u2026related to the same subject matter, namely the erasure of personal data concerning\u201d her \u201cas published on that platform\u201d. In this regard, the DPA considered that \u201cthe parallel or successive conduct of proceedings before a supervisory authority and judicial proceedings would, from a systematic perspective, be inconsistent with the remedial mechanism provided for under the GDPR. In its view, in such a situation, the supervisory authority would have to rule on the same question as that referred to the civil court\u201d. The DPA further considered that \u201cthe concurrent exercise of the right to lodge a complaint with the supervisory authority and of the right to a judicial remedy concerning the same subject matter cannot be permitted\u201d. This led to proceedings in front of the national courts, culminating in proceedings before the Verwaltungsgerichtshof (Supreme Administrative Court), which referred two questions to the CJEU. The Court summarized these as follows: do \u201cArticle 77(1) and Article 79(1) of the GDPR\u201d preclude \u201ca supervisory authority, with which a complaint has been lodged under Article 77(1)\u2026from rejecting that complaint on the sole ground that judicial proceedings under Article 79(1)\u2026concerning the same subject matter, have already been brought and even though the decision given in those proceedings is not yet final\u201d. The Court ruled that the Articles in question \u201cmust be interpreted as precluding a supervisory authority, with which a complaint has been lodged under Article 77(1)\u2026from rejecting\u201d a \u201ccomplaint on the sole ground that judicial proceedings under Article 79(1)\u2026concerning the same subject matter, have already been brought and even though the decision given in those proceedings is not yet final\u201d. In this regard the Court highlighted that the grounds of complaint have been designed such as to potentially be brought concurrently, and that should they be allowed to function otherwise, this may result in diminished protection for the data subject. Interestingly, the Court did, in principle, however, recognise the possibility for supervisory authorities to be allowed to suspend cases also pending before judicial fora.<\/p>\n<p>&nbsp;<\/p>\n<h2 id=\"CJEU rules on personal data processing in judicial proceedings\">CJEU rules on personal data processing in judicial proceedings<\/h2>\n<p><a href=\"#[2]\">[2]<\/a> On 18th June, the CJEU ruled in the case of <em>NTH Haustechnik GmbH<\/em>. In terms of the facts, the case essentially concerned a company employee who sold goods allegedly belonging to the company on eBay \u2013 the employee denies the goods belonged to the company. The company discovered this by accessing the employee\u2019s eBay account via the use of their ID and password \u2013 precisely how this happened remains the subject of debate \u2013 an act of processing personal data which the referring national court accepts may have been unlawful. In this regard, the referring court was unsure as to a number of questions related to the processing of such personal data in the context of judicial proceedings, and accordingly requested clarification from the CJEU. The CJEU considered the following six questions:<\/p>\n<ul>\n<li>Do Articles 6(1)(c) and 6(3) of the GDPR, in light of Articles 8(2) and 52 of the Charter, preclude \u201cnational legislation which\u2026when a court examines the facts and takes evidence\u2026prescribes that it is for the parties to submit detailed factual evidence\u2026and requires that court to take such evidence fully into consideration\u2026without providing any indication as to the circumstances and conditions under which the facts stated and the evidence adduced by the parties containing personal data may be used by that court\u201d?<\/li>\n<li>Does Article 17(3)(c) set \u201cout an alternative lawfulness condition which the processing may satisfy in order to comply with Article 5(1)(a)\u2026which is distinct from\u2026the lawfulness conditions listed in\u2026Article 6(1) of the GDPR\u201d?<\/li>\n<li>Does Article 5(1)(c), in light of Article 52(1) of the Charter, mean the principle of data minimisation \u201crequires a court to ensure\u2026that the principle of proportionality is observed\u201d?<\/li>\n<li>Do Articles 7 and 8 of the Charter, and Articles 5(1)(c), 6(1)(c), and 6(3) of the GDPR preclude national courts \u201cfrom using evidence containing personal data obtained in breach of the right to the protection of privacy and the right to protection of personal data by the party transmitting such data to it\u201d?<\/li>\n<li>Do Articles 13(1) and (2) of the GDPR preclude a national court, \u201cwhen acting in its judicial capacity, from using data collected by a person who has failed to comply with\u2026obligations to provide information under that provision\u201d?<\/li>\n<li>Does the GDPR require a national court, when \u201cacting in its judicial capacity, to ensure compliance with that regulation when it processes personal data relating to persons who are not a party to the proceedings pending before it\u201d and does EU law require \u201cthat one of the parties to those proceedings be able to rely on the fact that those data have been collected or stored unlawfully\u2026by the other party in breach of the rights which those third parties derive from that regulation\u201d?<\/li>\n<\/ul>\n<p>In consideration of these questions, the Court concluded:<\/p>\n<ul>\n<li>Articles 6(1)(c) and 6(3) of the GDPR, in light of Article 8(2) and Article 52 of the Charter do not preclude national legislation such as that in question \u201cprovided\u2026(i) there is clear and precise national case-law, the application of which is foreseeable, and which itself establishes the circumstances and conditions under which the facts stated and the evidence adduced by the parties containing personal data may be used by a court, (ii) that case-law meets an objective of public interest and (iii) that case-law is proportionate to that objective\u201d.<\/li>\n<li>Article 17(3)(e) \u201cdoes not formulate an alternative lawfulness condition which processing could satisfy in order to comply with Article 5(1)(a)\u2026and which is distinct from\u2026those listed in the first subparagraph of Article 6(1)\u201d.<\/li>\n<li>Article 5(1)(c), in light of Article 52 of the Charter means \u201cthe principle of \u2018data minimisation\u2019 does not require a court to ensure, for each processing of personal data it undertakes, that the principle of proportionality is observed\u2026provided that the conditions laid down in Article 5(1)(c)\u2026are met\u201d.<\/li>\n<li>Articles 7 and 8 of the Charter, and the relevant provisions of the GDPR do not preclude \u201ca national court from using evidence containing personal data obtained in breach of the right to privacy and the right to the protection of personal data by the party which transmitted such data to that court\u2026. By contrast, before disclosing those data to the parties or third parties, that court must verify that such data are limited to what is necessary in relation to the purposes for which such disclosure is made and, as appropriate, take certain measures to minimise the impediment to the right to the protection of personal data which such disclosure is likely to entail\u201d.<\/li>\n<li>Articles 13(1) and (2) do not preclude \u201ca national court\u2026from using data collected by a party or by a third party which has failed to comply with its obligations to provide information\u201d.<\/li>\n<li>A \u201ccourt is required, when acting in its judicial capacity, to ensure compliance with\u201d the GDPR \u201cwhen it processes personal data relating to persons who are not a party to proceedings. EU law does not require one of the parties to those proceedings to be able to rely on the fact that the other party collected or stored data unlawfully\u2026in breach of the rights which those third parties derive from that regulation\u201d.<\/li>\n<\/ul>\n<p>This is an lengthy and involved case, in which many separate questions relating to the processing of personal data in judicial proceedings were considered. It is not possible, in the context of this brief summary, to elaborate on the Court\u2019s reasoning in relation to each question. Accordingly, we strongly encourage all interested in personal data processing in the judicial sector to read the text of the case in full.<\/p>\n<p>&nbsp;<\/p>\n<h2 id=\"AG Norkus: Individuals contributing to evaluative judgments are not sources of data\">AG Norkus: Individuals contributing to evaluative judgments are not sources of data<\/h2>\n<p><a href=\"#[3]\">[3]<\/a> On 18th June, AG Norkus advised the Court on the scope of the right of access in relation to the source which provided the personal data of a data subject in <em>Waldfelber<\/em>. As to the facts of the case, a headteacher of a school in Austria (TS) learned that the applicant in the main proceedings (RS) has been appointed as a programme coordinator for a training for the teachers in his school. The trainings are organised by the University of Educational Sciences (UES). TS made enquiries among his acquaintances to find out more about RS. After a conversation with one of them, TS sent an email from his professional account to the UES, requesting a different programme coordinator to be appointed for the training of his colleagues. RS learned about the email and requested to know the identity of the third party (or source of information) who gave negative feedback, relying on his right of access under Article 15(1)(g) GDPR. In order to solve the legal dispute, the referring court asked the CJEU the following three questions: (1) whether TS can be classified as a controller; (2) whether the right of access, more precisely the right to know the identity of the person who provided information concerning oneself, applies in the present case, and (3) whether not complying with the right of access as regards the source of the data may give rise to claims for damages and whether the Austrian law on liability is compatible with the GDPR. AG Norkus advised the CJEU to rule as follows. On the first question, AG Norkus opined that a headteacher who processes personal data in his professional capacity, acting on behalf of the school he is employed at, does not qualify as a controller under Article 4 GDPR. In such a case, he suggested, the school would be the controller. Having reached that conclusion, AG Norkus argued that it is not necessary to answer the remaining two questions. However, he decided to propose an answer in case the CJEU decides to go into these questions. On the second question, AG Norkus advised that the scope of the right of access should be assessed in relation to its purpose of enabling the data subject to control the legality of the processing of their data, and that it encompasses evaluative judgments. Then, he turned to the question of who should be considered to be the source of information in casu. He opined that if the evaluative judgment is to be attributed to TS, then he should be considered to be the source of the information. If, however, TS merely cites the opinion of his interlocutor, then the interlocutor should be seen as the source. He suggested that the referring court should decide on this. AG Norkus also examined whether TS\u2019s interlocutor could be considered to be \u201c\u2018any available information as to [that] source\u2019\u201d under Article 15(1)(g) GDPR and answered this question in the negative. As to the third question, he referred to <em>Brillen Rottler<\/em>, where the CJEU established that a breach of the right to rectification could in principle give rise to damage claims. As to the Austrian law on liability, AG Norkus opined that \u201cArticle 82 of the GDPR does not preclude national rules pursuant to which persons acting on behalf of certain public legal entities cannot be held liable for the damage which they cause to data subjects, in their capacity as controllers or processors, provided that those rules also identify the entity against which a claim for compensation may be brought by such data subjects\u201d.<\/p>\n<p>&nbsp;<\/p>\n<h2 id=\"European Commission proposes upgrades to the Europol and Eurojust Regulations and the data protection rules in the AFSJ in Regulation 2018\/1725\">European Commission proposes upgrades to the Europol and Eurojust Regulations and the data protection rules in the AFSJ in Regulation 2018\/1725<\/h2>\n<p><a href=\"#[4]\">[4]<\/a> On 24th June, the European Commission tabled the following important legislative proposals:<\/p>\n<ul>\n<li>Proposal to amend the current Europol Regulation, in order to boost in particular Europol\u2019s data processing capabilities, including by allowing it to establish a Police Shared Data Space;<\/li>\n<li>Proposal to amend the current Eurojust Regulation, including giving Eurojust more analytical capabilities and opportunities to cooperate, e.g. with Europol;<\/li>\n<li>Amendments especially to Chapter IX Regulation 2018\/1725 (on the data protection rules applicable to the EU bodies and agencies in the AFSJ);<\/li>\n<li>Proposal on an update to the European Investigation Order; and<\/li>\n<li>Proposal on a novel European Remote Participation Order.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2 id=\"EDPB releases new documents\">EDPB releases new documents<\/h2>\n<p><a href=\"#[5]\">[5]<\/a> Last week, the EDPB issued the following new documents:<\/p>\n<ul>\n<li>An Update to the \u201cOne-Stop-Shop (OSS) case digest on right to object and right to erasure\u201d and<\/li>\n<li>A \u201cdedicated contact form for stakeholders to report possible inconsistencies in how the GDPR is interpreted across Europe\u201d.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3 id=\"More Information:\" style=\"text-align: justify;\">More Information:<\/h3>\n<p><a id=\"[1]\" href=\"#\">[1]<\/a><a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:62024CJ0414\" target=\"_blank\" rel=\"noopener\">https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:62024CJ0414<\/a><\/p>\n<p><a id=\"[2]\" href=\"#\">[2]<\/a><a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:62024CJ0484\" target=\"_blank\" rel=\"noopener\">https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:62024CJ0484<\/a><\/p>\n<p><a id=\"[3]\" href=\"#\">[3]<\/a><a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:62025CC0185\" target=\"_blank\" rel=\"noopener\">https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:62025CC0185<\/a><\/p>\n<p><a id=\"[4]\" href=\"#\">[4]<\/a> <a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_26_1420\" target=\"_blank\" rel=\"noopener\">https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_26_1420<\/a><\/p>\n<p><a id=\"[5]\" href=\"#\">[5]<\/a> <a href=\"https:\/\/www.edpb.europa.eu\/news\/one-stop-shop-case-digest-on-right-to-object-and-right-to-erasure-updated_en; https:\/\/www.edpb.europa.eu\/news\/supporting-gdpr-consistency-edpb-launches-dedicated-form_en\" target=\"_blank\" rel=\"noopener\">https:\/\/www.edpb.europa.eu\/news\/one-stop-shop-case-digest-on-right-to-object-and-right-to-erasure-updated_en; https:\/\/www.edpb.europa.eu\/news\/supporting-gdpr-consistency-edpb-launches-dedicated-form_en<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Table of Contents: CJEU rules on the possibility for a supervisory authority to reject a [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":86822,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[4277,4276,4279,4194,4285,4284,4283,4280,4281,4282,4278],"class_list":["post-86824","dpi","type-dpi","status-publish","has-post-thumbnail","hentry","dpi-tag-administrative-remedies","dpi-tag-civil-remedies","dpi-tag-courts","dpi-tag-edpb","dpi-tag-eudpr","dpi-tag-eurojust","dpi-tag-europol","dpi-tag-judicial-proceedings","dpi-tag-right-of-access","dpi-tag-source-of-information","dpi-tag-supervisory-authorities"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/86824","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=86824"}],"version-history":[{"count":1,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/86824\/revisions"}],"predecessor-version":[{"id":86825,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/86824\/revisions\/86825"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media\/86822"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=86824"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=86824"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=86824"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}