In its judgment of 28 April 2022 the Court of Justice of the European Union (CJEU) confirmed that national legislation may allow consumer associations to bring General Data Protection Regulation (GDPR) claims in the collective interest of consumers to court, without being mandated by individuals, and irrespective of a specific, identified violation of data subject rights.
This CJEU ruling will enable better enforcement of data subject rights under the GDPR, and is therefore, an important step towards an even more comprehensive protection of personal data in the European Union (EU). It could lead to a wave of legal claims by consumer associations as these usually have more resources to pursue lawsuits than individuals. For companies the decision should be a reminder of the importance of GDPR compliance.
Data subject rights under the GDPR and how they can be exercised
To ensure an effective protection of data, the GDPR provides individuals with a comprehensive set of rights, in particular the right to:
- be informed (e.g., Art. 13 GDPR);
- access (Art. 15 GDPR);
- rectification (Art. 16 GDPR);
- erasure (Art. 17 GDPR);
- restrict processing (Art. 18 GDPR);
- data portability (Art. 20 GDPR);
- object (Art. 21 GDPR);
- not be subject to a decision based solely on automated processing (Art. 22 GDPR);
- lodge a complaint with a supervisory authority (Art. 77 GDPR);
- an effective judicial remedy against a supervisory authority (Art. 78 GDPR);
- an effective judicial remedy against a controller or processor (Art. 79 GDPR);
- compensation and liability (Art. 82 GDPR).
If a data subject believes processing of their personal data is not compliant with the GDPR, Art. 77 GDPR provides them with the right to turn to the supervisory authorities. In addition, claims for damages and injunctive relief can be brought to civil courts. Thereby, Art. 80 (1) GDPR provides for the right to mandate certain non-profit entities to exercise the data subjects’ rights for them.
In addition, Art. 80 (2) GDPR stipulates that national law may allow these entities to bring claims to supervisory authorities and courts without being mandated by a data subject, “if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing”.
Data subjects also increasingly make use of these possibilities to exercise their data subject rights. A survey conducted by European Data Protection Board (EDPD) showed that the number of data subjects exercising their right under Art. 77 GDPR increases year by year. To keep up with the rising number of claims, and corresponding increase in proceedings, the authorities have been given access to more resources as well.
In addition, more and more consumer organisations are taking action against companies that do not comply with the requirements of the GDPR. A popular example is privacy advocate Max Schrems’ organisation noyb, which issued hundreds of complaints against companies using non-compliant cookie banners.
Current judgements on the GDPR
Read our regular reviews of data protection law rulings to stay up to date!