Processing of personal data: decisions taken by a supervisory authority in the context of the indirect exercise of the rights of the data subject are legally binding (ECJ)

According to the judgment of 16.11.2023 of the European Court of Justice in Case C-333/22 (Ligue des droits humains), as regards the processing of personal data, decisions taken by a supervisory authority in the context of the indirect exercise of the rights of the data subject are legally binding. A court must be able to verify the grounds and the evidence on which they are based.

A citizen requests the Belgian autorité nationale de sécurité (National Security Authority) to issue him, for professional purposes, security clearance. He is refused that document on the ground that he had participated in demonstrations. Relying on his right of access to his data, that citizen makes a request to the Organe de contrôle de l’information policière (the Supervisory Body for Police Information), which informs him that he has only indirect access and that it will itself verify the lawfulness of the processing of his data. However, at the end of that verification, as allowed under Belgian law, that body merely replied to him that it had carried out the necessary verifications. 

That citizen then brought court proceedings before the first instance court, which declared that it had no substantive jurisdiction. Seised by the person concerned and Ligue des droits humains, the cour d’appel de Bruxelles (Court of Appeal, Brussels, Belgium) asks the Court of Justice whether EU law requires Member States to provide for the possibility for the data subject to be able to challenge the decision of the supervisory authority where the latter exercises the rights of that data subject with regard to the processing at issue. 

The Court of Justice takes the view that, in informing the data subject of the result of the verifications made, the competent supervisory authority adopts a legally binding decision. That decision must be amenable to judicial review in order for the data subject to be able to challenge the assessment made by the supervisory authority concerning the lawfulness of the data processing and the decision as to whether or not to adopt corrective measures. 

The Court observes that EU law requires the supervisory authority to inform the data subject, ‘at least that all necessary verifications or a review by the supervisory authority have taken place’ and of ‘his or her right to seek a judicial remedy’. Where this is not precluded by public interest purposes, Member States must nevertheless provide that the information disclosed to the data subject may go beyond that minimum information so that the data subject is in a position to defend his or her rights and to decide whether or not to apply to the court with jurisdiction. 

In addition, in cases where the information thus disclosed to the data subject was limited to the bare minimum, Member States must ensure that the court with jurisdiction, in order to check whether the reasons which warranted such a limitation on that information are well founded, may weigh up the public interest purposes pursued (State security, prevention, investigation, detection or prosecution of criminal offences) and the need to guarantee citizens compliance with their procedural rights. In the context of that judicial review, the national rules must enable the court to examine the grounds and the evidence behind the supervisory authority’s decision, as well as the conclusions which that authority drew from that decision.

The full text of the judgment is available here.



George Kazoleas, Lawyer
