Judgment of the Court (First Chamber) of 9 January 2025.Österreichische Datenschutzbehörde v F R and Bundesministerin für Justiz.Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 57(1)(f) and Article 57(4) – Tasks of the supervisory authority – Concepts of a ‘request’ and ‘excessive requests’ – Charging of a reasonable fee or refusal to act on requests in the event of manifestly unfounded or excessive requests – Criteria which may guide the supervisory authority in making its choice – Article 77(1) – Concept of a ‘complaint’.Case C-416/23.

This judgment concerns the interpretation of provisions of the GDPR regarding handling of complaints by data protection supervisory authorities. The key points are:Essence of the act:
The Court of Justice clarified how supervisory authorities should handle potentially excessive complaints under the GDPR, specifically interpreting Article 57(4) regarding charging fees or refusing to act on requests.Structure and main provisions:
The judgment addresses three key questions:- The concept of ‘request’ in Article 57(4) covers complaints under Article 77(1)- Requests cannot be deemed ‘excessive’ solely based on their number – authorities must prove abusive intent- Authorities can choose between charging fees or refusing requests, but must justify their choice as appropriate and proportionateKey provisions for implementation:
– Supervisory authorities must demonstrate abusive intent to classify requests as excessive- The number of complaints alone cannot justify refusing to handle them- Authorities must consider all circumstances and ensure their response is proportionate- Member States must provide adequate resources to handle legitimate complaints- The choice between charging fees or refusing requests must be justified and reasonable

Full text by link