CJEU case C-33/22 Österreichische Datenschutzbehörde – CJEU Judgment (European Union, 2024)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice ruled that the GDPR applies to the activities of legislative bodies, including parliamentary committees. This is significant because it clarifies that data protection laws cover all data processing, regardless of who is handling it. It reinforces the idea that everyone must respect privacy rights.
What happened
The Court ruled that GDPR applies to the data processing activities of a parliamentary committee.
Who was affected
A data subject who was a witness in a parliamentary hearing and sought to erase his data was affected by this decision.
What the authority found
The Court held that the GDPR applies to legislative activities, meaning the data protection authority can review decisions made by legislative bodies.
Why this matters
This ruling sets a crucial precedent that reinforces the applicability of data protection laws to all entities, including government bodies. It encourages greater accountability in how personal data is handled by public institutions.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A data subject served as a witness during a committeee hearing held by the Austrian national parliament. Against his wishes a publication of the minutes of the hearing, which included his full name, were published on the website of the Austrian Parliament. The data subject complained to the DPA and requested an erasure of his data under Article 17 GDPR, stating that he was working as an undercover investigator and that a publication exposing his identity would affect his ability to do his job. The DPA rejected the complaint. It stated that the DPA is a body of the executive. Therefore, it does not have competence to oversee the activities of the committee under national law. This is because it considered the committee (the controller) to be a part of the legislative body. Under the principle of the separation of powersThe system of separation of powers divides the tasks of the state into three branches: legislative, executive and judicial. These tasks are assigned to different institutions in such a way that each of them can check the other. As a result, no one institution can become so powerful in a democracy as to destroy this system. in Austria, the executive cannot oversee the legislature. The data subject appealed this decision. The Federal Administrative Court anulled the DPA's decision. It held that the GDPR applies to acts done by the legislature because the GDPR concerns all data processing, irrespective of who carries it out. Therefore, the DPA was competent to review the decision. Moreover, it held that the legislature cannot rely on the exemption outlined in Article 2(2)(a) GDPR. The DPA appealed this decision. The Supreme Administrative Court referred three questions to the CJEU: 1) Does the GDPR apply to the activities of a Parliamentary committee of a Member State? 2) If question 1 is answered in the positive, do the activities of this committee fall under national security as defined by Recital 16 GDPR, therefore, making Article 2(2)(a) GDPR app
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for CJEU case C-33/22 Österreichische Datenschutzbehörde in EU
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
16 January 2024
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-4888About this data
Cite as: Cookie Fines. CJEU case C-33/22 Österreichische Datenschutzbehörde - European Union (2024). Retrieved from cookiefines.eu
Last updated: