European legislators had a clear goal in mind, when Article 79 was put into the GDPR. It aims to make the substantive data protection rules guaranteed by the GDPR effectively enforceable in a procedural way.
In the negotiations of the GDPR, Austria had expressed massive reservations for constitutional reasons against the envisaged parallel possibility of legal enforcement between courts and the supervisory authority and therefore emerged as the only country to vote against the GDPR. Two years after the GDPR coming into effect, the specifics surrounding this problem are still the subject of debate.
The right to an effective judicial remedy
While Article 77 GDPR states that the data subject has the right to lodge a complaint with a supervisory authority, Article 79 GDPR grants the right to an effective judicial remedy. The latter explicitly provides that this right to an effective judicial remedy is “granted without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77”. Even the obligation under Article 78 GDPR to provide an effective judicial remedy in national law against legally binding decisions of a supervisory authority does not effectively guarantee an effective judicial remedy, since there are legal claims derived from the GDPR that do not fall under scope of a supervisory authority. Therefore, the purpose of Article 79 GDPR is to guarantee access to court in every case, where the data subject considers his rights under the GDPR to be infringed.
Enforceable rights of the data subject
Paragraph 1 of Article 79 GDPR refers to the violation of the data subject's "rights under this Regulation" and therefore relates to the violation of the data subject's own rights. The right to bring an action requires that the plaintiff be individually affected by the unlawful processing of his personal data and the resulting infringement of rights. Considering the broadly worded phrase “rights under this Regulation” Article 79 GDPR covers all subjective rights granted to individuals by the GDPR. Therefore, an individual may use Article 79 GDPR to bring an infringement of the following rights:
· Right to information (Art 12, 13, 14),
· Right of access (Art 15),
· Right to rectification (Art 16),
· Right to erasure ("right to be forgotten", Art 17),
· Right to restriction of processing (Art 18);
· In addition to the rights set out in Art 15-17, the data controller has an obligation to notify all recipients to whom personal data have been disclosed. The data subject upon request has a further right to be informed by the data controller about these recipients (Art 19);
· Right of data portability (Art 20; Recital 68);
· Right to object to the processing of data relating to the data subject, including profiling (Art 21 (1), (3); Recital 69; for the purposes of direct marketing Art 21(2)(f), Recital 70),
· Right not to be subject to a decision based solely on automated processing (including profiling) (Art 22; Recital 71(f)),
· Right to be informed in the event of a data breach (Art 34; this right also serves not only general interests but also the protection of individuals).
Implementation in Austrian Law and early Case Law
As mentioned above, the GDPR provides for two kinds of individual judicial remedies:
· A right to compensation from the controller or processor for damage suffered as a result of a breach of the regulation (Art 82),
· A right to an effective remedy in the form of a demand for a specific action to be taken (Art 79).
While the Austrian Data Protection Law (“DSG”), which was enacted to implement and supplement the GDPR, contains provisions to further elaborate on and specify the right to lodge a complaint pursuant to Article 77 GDPR (in § 24 DSG), the right to an effective judicial remedy against a supervisory authority pursuant to Article 78 GDPR (in § 27 DSG) and the right to compensation and liability pursuant to Article 82 GDPR (in § 29 DSG) it doesn’t do so for the right to an effective judicial remedy under Article 79 GDPR.
The legislator of the DSG apparently assumes that of all claims to which a data subject is entitled under the GDPR, only the right to compensation can be asserted in court. This directly contradicts with Article 79 GDPR, which due to the primacy of EU law prevails in the case of conflict.
This was affirmed by the Supreme Judicial Court of Austria (“OGH”) in the decision “6 Ob 131/18k” from 20.12.2018. It was held, that the claim for erasure of personal data by the plaintiff against the plaintiff’s ex-husband was admissible. The jurisdiction of the court derives directly from Article 79 and in this case from Article 17 GDPR.
The OGH referred to its own decision in the continuation of the Case Maximilian Schrems v Facebook Ireland Limited and clarified, that since the GDPR is directly applicable and directly enforceable, national regulations contradicting the GDPR must remain inapplicable due to the primacy of EU law (OGH 25.5.2019, 6 Ob 91/19d). In the legislative process at the European level, Austria was the only country to vote against the adoption of the GDPR, because the parallelism of the legal protection possibilities creates the risk of conflicting court decisions on the same matter (and therefore a violation of the principle of "res iudicata"). However, it is precisely what speaks for the fact that the GDPR deliberately provides for a dual-track approach to legal protection as intended by the EU legislature.
Summary
To standardize and improve the enforcement of the rights of data subjects throughout the EU, the GDPR orders a two-pronged approach to enforcement. While Article 77 GDPR gives the data subject the right to lodge a complaint with a supervisory authority, Article 79 GDPR grants the right to an effective judicial remedy. With the Austrian DSG, the legislator apparently assumes that of all granted rights under the GDPR, only the right to compensation can be asserted in court.
The OGH clearly rejected such an interpretation of the GDPR recently and ruled that the infringement of all rights of the data subject (in addition to a complaint with the supervisory authority) can be brought directly to an Austrian court.
