The several complaints lodged with national supervisory authorities, by international non-profits such as NoyB, La Quadrature du Net, Privacy International and others, are a practical example of the provisions of Article 80(1) of the GDPR, which allows data subjects to exercise their remedies recognized by the Regulation, by mandating not-for-profit bodies engaged in the field of personal data protection.
CJEU on “privacy” complaints by non-profit organisations
Preliminary questions in case C-319/20
The German referring court asked the CJEU whether the GDPR precludes a Member State from providing that a not-for-profit consumer organisation may act:
– for a data protection violation, which constitutes at the same time an unfair commercial practice, a consumer protection violation and a violation of the prohibition of the use of invalid general terms and conditions
– without having received a mandate from the data subject
– without proving the actual violation.
The Court’s answer was affirmative on all three questions.
Facts
The Federal Union, which under German consumer law is the body entitled to act on injunctions for the protection of consumers, sued the company Meta Platforms Ireland believing that the indications provided by the games in the Applications Area were “unfair” for violation of the rules on the valid consent of the data subject under the GDPR; in addition, the indication that the application is authorized to publish on behalf of the user some of his personal information would constitute a general condition that unduly penalizes the consumer, as such defected by nullity.
Legal Process
Preliminary ruling
In Case C-319/20, the Bundesgerichtshof as referring court asks the CJEU for a preliminary ruling as to whether Article 80 of the GDPR does not allow a Member State to empower not-for-profit associations to take action against the infringer in the event of a violation of the GDPR:
- based on consumer protection law
- regardless of proof of such a violation
- in the absence of a mandate from the data subject.
In summary, the CJEU was asked whether, starting from consumer protection law, an organisation entitled to act to protect consumers under national law can enforce data subject rights under the GDPR, based on an alleged violation and even without a mandate.