Through the decision taken in Case C-319/20, the Court of Justice of the European Union decided that consumer protection associations may bring representative actions against infringements of a data subject’s rights to the protection of their personal data, even in the absence of a mandate to that effect.
In this respect, the Court stated that Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”) does not prevent national legislation which allows a consumer protection association to bring legal proceedings against a person allegedly responsible for an infringement of the laws protecting personal data, even in the absence of a mandate conferred for that purpose and independently of the infringement of specific rights of the data subjects.
Such proceedings can be started on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights of identified or identifiable natural persons.
The Court noted that the GDPR brings about harmonization of national legislation on the protection of personal data. However, certain provisions of the GDPR make it possible for Member States to lay down additional rules which leave them a margin of discretion as to the manner in which those provisions may be implemented, provided that the national rules adopted do not undermine the content and objectives of the regulation. In that regard, the Member States also have the option to provide for a representative action mechanism against the person allegedly responsible for an infringement of the laws protecting personal data, while setting out a number of requirements which must be complied with.
Thus, a consumer protection association falls within the scope of the concept of a “body that has standing to bring proceedings” for the purposes of the GDPR in that it pursues a public interest objective consisting in safeguarding the rights of consumers.
In conclusion, such right of consumer protection associations cannot be exercised directly on the basis of the GDPR and it can be granted only if a Member State includes such possibility in its internal legislation. Consequently, if a Member State opts to regulate such right, a consumer protection association may bring legal proceedings against a person allegedly responsible for an infringement of the laws protecting personal data, even in the absence of a mandate conferred for that purpose and independently of the infringement of specific rights of the data subjects, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights of identified or identifiable natural persons.