Commissioner for Data Protection and Information Security of the State Thüringen – Court Ruling (Germany, 2022)

The data subject exercised their right to mandate an organisation to lodge a complaint in their name under Article 80 GDPR. A similar right is also found in the national law, with the difference that it also allows to stand as a litigant. From a procedural point of view, Article 80(1) GDPR does not establish the right to stand as a litigant, but the power to bring a complaint or court proceedings on behalf of the data subject. Thus, while the authorised representative Art. 80 GDPR is authorised to represent within the meaning of the GDPR, it would have to be rejected pursuant to § 67 (3) sentence 1 VwGO (AdministrationCourt Code) in the absence of the requirements of the enumerative catalogue (Numerus Clausus) of § 67 (2) sentence 2 VwGO. The mentioned provisions of the Administration Court Code define exactly which Institutions can be litigators in court and legally represent someone, the organisation could bring Act in the name of the data subject under in the proceedings held upon GDPR (ex. filing in a complaint at the national DPA), but in procedures which are regulated in national law, could not be signed as a litigant for someone else. Due to the procedural failure, the court dismissed the appeal.