Referral C-205/25 (Bayerisches Landesamt für Datenschutzaufsicht, 17 Mar 2025)

Is Article 15 of Regulation (EU) 2016/679, read in conjunction with Article 4(7) of Regulation 2016/679, 1 to be interpreted as meaning that a supervisory authority, as defined in Article 4(21) of Regulation 2016/679 and acting in the context of a complaint procedure initiated by a data subject pursuant to Article 77 of Regulation 2016/679, is at the same time a ‘controller’ within the meaning of Article 15 of Regulation 2016/679, read in conjunction with Article 4(7) of Regulation 2016/679, and is therefore required to grant the data subject access to information on the basis of Article 15 of Regulation 2016/679?

If Question 1 is answered in the affirmative: Is EU law, in particular Article 23 of Regulation 2016/679, to be interpreted as precluding national legislation – such as Article 20(2) of the Bayerisches Datenschutzgesetz (Bavarian Law on Data Protection), the provision at issue in the main proceedings – which excludes, in a blanket manner, rights of access or inspection with respect to files and records of supervisory authorities as defined in Article 4(21) of Regulation 2016/679?