IP case law Court of Justice

Referral C-416/23 (Österreichische Datenschutzbehörde, 6 Jul 2023)

1. Must the concept of ‘requests’ or ‘request’ in Article 57(4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR) be interpreted as meaning that it also covers ‘complaints’ under Article 77(1) of the GDPR?

If Question 1 is answered in the affirmative:

2. Must Article 57(4) of the GDPR be interpreted as meaning that, for requests to be ‘excessive’, it is sufficient that a data subject has merely addressed a certain number of requests (complaints under Article 77(1) of the GDPR) to a supervisory authority within a certain period of time, irrespective of whether the facts are different and/or whether the requests (complaints) concern different controllers, or is an abusive intention on the part of the data subject required in addition to the frequent repetition of requests (complaints)?

3. Must Article 57(4) of the GDPR be interpreted as meaning that, in the case of a ‘manifestly unfounded’ or ‘excessive’ request (complaint), the supervisory authority is free to choose whether to charge a reasonable fee based on the administrative costs of processing it or refuse to process it from the outset? If not, which circumstances and criteria must the supervisory authority take into account? In particular, is the supervisory authority obliged to charge a reasonable fee primarily, as a less severe measure, and entitled to refuse to process manifestly unfounded or excessive requests (complaints) only in the event that charging a fee to prevent such requests is futile?

Case details on the CJEU website (external link)