Article 79
Right to an effective judicial remedy against a controller or processor

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 79 keyboard_arrow_down Hide the recitals of the Regulation related to article 79 keyboard_arrow_up

(145) For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.

Show the recitals of the Directive related to article 79 keyboard_arrow_down Hide the recitals of the Directive related to article 79 keyboard_arrow_up

(55) Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private of public law, who fails to comply with the national measures taken under this Directive;

The GDPR

Article 79 gives people affected by processing, a genuine right to an effective judicial remedy against both the controller and the processor in case of infringement of their rights resulting from the processing of their data. This right is not to be confused either with the possibility of lodging a complaint with a supervisory authority referred to in article 78, nor with any other administrative or extra-judicial remedy provided under the relevant national law.

The second paragraph allows the data subject to bring his action either before the courts of the Member State in which the controller has an establishment or in the courts of the state of habitual residence of the data subject, unless controller or processor is a public authority of a Member State acting in the exercise of its public powers.

It should be noted that as per recital 146, the jurisdictional rules contained in the Regulation need subject to the general jurisdictional rules contained in other legal instruments, such as those contained in Regulation (EU) No. 1215/2012 of the European Parliament and the Council of 12 December 2012 concerning jurisdiction, recognition and enforcement of decisions on civil and commercial matters (Regulation called Brussels I bis).

The Directive

The Directive Article 22 requires the Member States to provide to any person the right to a judicial remedy in case of breach of the rights guaranteed to him by the national provisions transposing the Directive.

Potential issues

The competence of the courts will not necessarily imply that they must apply their national laws that codify the Regulation or that the national authority of the state court is competent.

Regulation
1e 2e

Art. 79

1.   Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

2.   Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

1st proposal close

Art. 75 

1. Without prejudice to any available administrative remedy, including the right to lodge a complaint with a supervisory authority as referred to in Article 73, every natural person shall have the right to a judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has its habitual residence, unless the controller is a public authority acting in the exercise of its public powers.

3. Where proceedings are pending in the consistency mechanism referred to in Article 58, which concern the same measure, decision or practice, a court may suspend the proceedings brought before it, except where the urgency of the matter for the protection of the data subject's rights does not allow to wait for the outcome of the procedure in the consistency mechanism.

4. The Member States shall enforce final decisions by the courts referred to in this Article.

2nd proposal close

Art. 75 

1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority under Article 73, data subjects shall have the right to an effective judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment (…). Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority acting in the exercise of its public powers.

3. (…)

4. (…)

Directive close

Art. 22

Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question.

Section 34 GDPR Implementation Law. Applicability of General Administrative Law Act in decisions of
administrative bodies


A written decision on a request as referred to in Articles 15 to 22 of the
Regulation is taken within the time limits referred to in Article 12(3) of the
Regulation and will be considered to be a decision within the meaning of the
General Administrative Law Act in so far as the decision was taken by an
administrative body.


Section 35 GDPR  Implementation Law. Applicability of civil law in decisions of non‑administrative
bodies


1. Where a decision on a request as referred to in Section 34 is taken by a
body other than an administrative body, the interested party may file a written
application with the court to order the controller to grant or refuse the request
referred to in Articles 15 to 22 of the Regulation.
2. The application must be filed within six weeks of receipt of the controller’s
answer. If the controller has not answered within the time limits referred to in
Article 12(3) of the Regulation, the filing of the application will not be subject
to a time limit.
3. The court will grant the application in so far as it deems it well-founded.
Before the court issues a decision it will, where necessary, give the interested
parties the opportunity to put forward their points of view.
4. The application does not have to be filed by a lawyer.
5. Division 3 of Title 5 of Book 2 of the Code of Civil Procedure applies
equally.
6. The court may request parties and others to submit written information
and documents they hold, within a time limit set by the court. The controller
and the interested party must comply with this request. Section 8:45(2) and (3)
and Section 8:29 of the General Administrative Law Act apply equally.


Section 36 GDPR Implementation Law. Dispute resolution by Dutch Data Protection Authority or
through code of conduct


1. The interested party may also file a request with the Dutch Data Protection
Authority, within the time limit set for the appeal under the General
Administrative Law Act or within the time limit referred to in Section 35(2), to
mediate in or advise on his or her dispute with the controller or to use a dispute
resolution scheme as referred to in Article 40(2)(k) of the Regulation under an
approved code of conduct as referred to in Article 40(5) of the Regulation. In
that case, in derogation from Section 6:7 of the General Administrative Law
Act, the appeal may still be filed or the proceedings referred to in Section 35
may still be issued after the interested party has been notified – either by the
Dutch Data Protection Authority or pursuant to the dispute resolution scheme
– that the case has been closed, but not more than six weeks after such date.
2. During the appeal hearing and the proceedings referred to in subsection 1,
the bodies charged with resolving the dispute may request the Dutch Data
Protection Authority to issue an opinion.

close