Article 79
Right to an effective judicial remedy against a controller or processor
(55) Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private of public law, who fails to comply with the national measures taken under this Directive;
Regulation
Art. 79 1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation. 2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers. |
Directive
Art. 22 Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question. |
Germany
|
Austria
All of the following in force until May 25, 2018: Court Action § 32 DSG 2000 (1) Claims for infringement of the rights of a person or a group of persons to secrecy, rectification and erasure against natural persons, groups of persons or legal entities established in forms of private law, are, as long as such legal entities were not acing to enforce laws when their rights were infringed, shall be brought before the civil courts. (2) If data have been used contrary to the provisions of this federal law, the data subject shall have the right to sue for an end to such unlawful condition. (3) In order to safeguard the legal right to put an end to an unlawful state an injunction may be issued even if the requirements mentioned in § 381 Foreclosure Act are not fulfilled. This also applies to orders to make a note about the dispute. (4) Complaints and applications for injunctions pursuant to this federal act shall in the first instance be lodged with the provincial civil court in whose district the plaintiff (applicant) has his domicile or seat. Actions (applications) may, however, also be brought before the provincial civil court in whose district the defendant has his domicile or seat or branch office. (5) The Data Protection Authority shall, in a case where there is probable cause to believe that a serious data protection infringement has been committed by a private sector controller, file an action for a declaratory judgement (§ 228 Code of Civil Procedure) in the court that is competent pursuant to para. 4 second sentence. (6) On request of an intervening party (§ 30 para 1) the Data Protection Authority shall, if such action appears necessary to safeguard the protected interests of a large number of natural persons pursuant to this federal law, intervene in the proceedings in support of the intervening party as an intervening third party (§§ 17 et seq. of the Code of Civil Procedure). (7) At the occasion of an admissible claim according to para 1 referring to a data application subject to the obligation of notification according to the view of the court, the court may request the Data Protection Authority for a review according to §§ 22 and 22a. The Data Protection Authority shall inform the court about the result of the review. The result is then to be notified by the court also to the parties, insofar as the proceedings have not been decided finally. Common Rules § 34 DSG 2000 (1) The right to lodge an application according to § 30, a complaint according to § 31 or legal action according to § 32 and claims for damages according to § 33 shall apply only if the charge is filed by the intervening party within a year after having gained knowledge of the incident that gave rise to the complaint and no later than three years after the alleged incident. This is to be communicated to the intervening party in the case of a late application according to § 30; late complaints according to § 31 or legal actions according to § 32 shall be rejected. (2) Applications according to § 30, complaints according to § 31 or legal action according to § 32 and claims for damages according to § 33 can be filed not only because of an alleged infringement of this federal law, but also based on an infringement of data protection provisions of another member state of the European Union, insofar as these provisions are applicable in Austria according to § 3. (3) If a case to be adjudicated by the Data Protection Authority by applying the national provisions of another member state of the European economic area pursuant to § 3, the Data Protection Authority shall ask the competent foreign supervisory authority for assistance. (4) The Data Protection Authority shall render inter-authority assistance to the independent supervisory authorities of the signatory states of the European economic area upon request. |