Art. 80 GDPR regulates the right of representative action, i.e. the legal standing of consumer protection organizations. According to Art. 80 para. 1 GDPR, these organizations can act on behalf of data subjects.
Under Article 80(2) of the GDPR, Member States may provide that any of the organizations, associations, or other bodies mentioned in paragraph 1 of this Article shall, independently of a mandate from the data subject, have the right to lodge a complaint with the supervisory authority competent in accordance with Article 77 and to exercise the rights referred to in Articles 78 and 79 if they consider that the rights of a data subject under this Regulation have been infringed as a result of the processing.
In Case C-319/20, the European Court of Justice (ECJ) had already ruled that this right of association exists in the event of violations of substantive law. It was previously unclear whether this applied in cases of violations of “only” information obligations. In its ruling of July 11, 2024, Case C 757/22, the ECJ has now affirmed this, referring to the principle of transparency laid down in Art. 5 para. 1 GDPR.
This increases the risk of controllers being warned due to incorrect or incomplete information. It is therefore even more important to pay attention to data privacy policies.