Referral C-332/23 (Inspektorat kam Visshia sadeben savet, 25 May 2023)

1. Must the second subparagraph of Article 19(1) [TEU], read in conjunction with the second paragraph of Article 47 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that it is per se or under certain conditions an infringement of the obligation incumbent on Member States to provide effective remedies sufficient to ensure independent judicial review for the functions of an authority which can impose disciplinary penalties on judges and has powers to collect data relating to their assets and liabilities to be indefinitely extended after the constitutionally stipulated term of office of that body comes to an end? If such an extension is permissible, under what conditions is that the case?

2. Must Article 2(2)(a) of Regulation (EU) 2016/679 … on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation; ‘the GDPR’) be interpreted as meaning that the disclosure of data covered by banking secrecy for the purposes of verifying assets and liabilities of judges and public prosecutors which are subsequently made public constitutes an activity which falls outside the scope of Union law? Is the answer different where that activity also includes the disclosure of data relating to family members of those judges and public prosecutors who are not judges or public prosecutors themselves?

3. If the answer to the second question is that Union law is applicable, must Article 4(7) of the General Data Protection Regulation be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of judges and public prosecutors and their family members determines the purposes or means of the processing of personal data and is therefore a ‘controller’ for the purposes of the processing of personal data?

4. If the answer to the second question is that Union law is applicable and the third question is answered in the negative, must Article 51 of the General Data Protection Regulation be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of judges and public prosecutors and their family members is responsible for monitoring [the application of] that regulation and must therefore be classified as a ‘supervisory authority’ in relation to those data?

5. If the answer to the second question is that Union law is applicable and either the third or the fourth questions are answered in the affirmative, must Article 32(1)(b) of the General Data Protection Regulation and Article 57(1)(a) of that regulation be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of judges and public prosecutors and their families, is obliged, in the presence of data concerning a personal data breach committed in the past by the authority to which such access is to be granted, to obtain information on the data protection measures taken and to take into account the appropriateness of those measures in its decision to permit access?

6. If the answer to the second question is that Union law is applicable, and irrespective of the answers to the third and fourth questions, must Article 79(1) of the General Data Protection Regulation, read in conjunction with Article 47 of the Charter of Fundamental Rights of the European Union, to be interpreted as meaning that, where the national law of a Member State provides that certain categories of data may be disclosed only after permission to do so has been granted by a court, the court so competent must of its own motion grant legal protection to the persons whose data are to be disclosed, by requiring the authority which has applied for access to the data in question and which is known to have committed a personal data breach in the past to provide information on the measures taken pursuant to Article 33(3)(d) of the General Data Protection Regulation and their effective application?