Update: On January 12, 2023, the Court of Justice of the European Union sided with the Advocate General’s opinion, confirming that a data subject can lodge a complaint with a Supervisory Authority and, concurrently, lodge judicial redress proceedings against the same controller/processor for damages resulting from the alleged GDPR violation.
More specifically, the CJEU held that the remedies provided for in Article 77(1) and Article 78(1) GDPR, on the one hand, and Article 79(1) GDPR, on the other, can be exercised in parallel and are independent of each other. Concerning the material outcome of the case, the referring court must determine how to implement the remedies, in line with national procedural law.
* * *
On September 8, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) opined that data subjects should be able to lodge a complaint with a Supervisory Authority against a controller/processor for allegedly breaching the GDPR and, in parallel, lodge judicial redress proceedings against the same controller/processor for damages resulting from the alleged GDPR violation.
The case that was referred to the CJEU relates to a shareholder’s request to access audio recordings of a company meeting. The company provided the shareholder only with extracts of his/her interventions. Subsequently, the shareholder filed a complaint with the Hungarian Supervisory Authority for a breach of his/her right of access and asking the Supervisory Authority to order the company to disclose additional recordings. The Supervisory Authority rejected the complaint. As a result, the shareholder appealed the Supervisory Authority’s decision before a court and in parallel initiated separate judicial proceedings against the company asking for remedies for damages suffered.