CJEU case C-33/22 Österreichische Datenschutzbehörde – CJEU Judgment (European Union, 2024)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
A data subject served as a witness during a committeee hearing held by the Austrian national parliament. Against his wishes a publication of the minutes of the hearing, which included his full name, were published on the website of the Austrian Parliament. The data subject complained to the DPA and requested an erasure of his data under Article 17 GDPR, stating that he was working as an undercover investigator and that a publication exposing his identity would affect his ability to do his job. The DPA rejected the complaint. It stated that the DPA is a body of the executive. Therefore, it does not have competence to oversee the activities of the committee under national law. This is because it considered the committee (the controller) to be a part of the legislative body. Under the principle of the separation of powersThe system of separation of powers divides the tasks of the state into three branches: legislative, executive and judicial. These tasks are assigned to different institutions in such a way that each of them can check the other. As a result, no one institution can become so powerful in a democracy as to destroy this system. in Austria, the executive cannot oversee the legislature. The data subject appealed this decision. The Federal Administrative Court anulled the DPA's decision. It held that the GDPR applies to acts done by the legislature because the GDPR concerns all data processing, irrespective of who carries it out. Therefore, the DPA was competent to review the decision. Moreover, it held that the legislature cannot rely on the exemption outlined in Article 2(2)(a) GDPR. The DPA appealed this decision. The Supreme Administrative Court referred three questions to the CJEU: 1) Does the GDPR apply to the activities of a Parliamentary committee of a Member State? 2) If question 1 is answered in the positive, do the activities of this committee fall under national security as defined by Recital 16 GDPR, therefore, making Article 2(2)(a) GDPR app
GDPR Articles Cited
A data subject served as a witness during a committeee hearing held by the Austrian national parliament. Against his wishes a publication of the minutes of the hearing, which included his full name, were published on the website of the Austrian Parliament. The data subject complained to the DPA and requested an erasure of his data under Article 17 GDPR, stating that he was working as an undercover investigator and that a publication exposing his identity would affect his ability to do his job. The DPA rejected the complaint. It stated that the DPA is a body of the executive. Therefore, it does not have competence to oversee the activities of the committee under national law. This is because it considered the committee (the controller) to be a part of the legislative body. Under the principle of the separation of powersThe system of separation of powers divides the tasks of the state into three branches: legislative, executive and judicial. These tasks are assigned to different institutions in such a way that each of them can check the other. As a result, no one institution can become so powerful in a democracy as to destroy this system. in Austria, the executive cannot oversee the legislature. The data subject appealed this decision. The Federal Administrative Court anulled the DPA's decision. It held that the GDPR applies to acts done by the legislature because the GDPR concerns all data processing, irrespective of who carries it out. Therefore, the DPA was competent to review the decision. Moreover, it held that the legislature cannot rely on the exemption outlined in Article 2(2)(a) GDPR. The DPA appealed this decision. The Supreme Administrative Court referred three questions to the CJEU: 1) Does the GDPR apply to the activities of a Parliamentary committee of a Member State? 2) If question 1 is answered in the positive, do the activities of this committee fall under national security as defined by Recital 16 GDPR, therefore, making Article 2(2)(a) GDPR app
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for CJEU case C-33/22 Österreichische Datenschutzbehörde in EU
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
16 January 2024
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-4888About this data
Cite as: Cookie Fines. CJEU case C-33/22 Österreichische Datenschutzbehörde - European Union (2024). Retrieved from cookiefines.eu
Last updated: