Provisional text

OPINION OF ADVOCATE GENERAL

NORKUS

delivered on 16 April 2026(1)

Case C-205/25

Joachim Lindenberg

v

Bayerisches Landesamt für Datenschutzaufsicht

(Request for a preliminary ruling from the Bayerisches Verwaltungsgericht Ansbach (Bavarian Administrative Court, Ansbach, Germany))

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 15 – Data subject’s request for access to his or her personal data – Article 77 – Data contained in the file of a supervisory authority involved in a complaint procedure – Article 4(7) – Concept of ‘controller’ – Article 23 – Restrictions on the right of access – National legislation precluding any access to the file)






I.      Introduction

1.        This request for a preliminary ruling from the Bayerisches Verwaltungsgericht Ansbach (Bavarian Administrative Court, Ansbach, Germany) under Article 267 TFEU concerns the interpretation of Article 4(7) and (21) and Articles 15, 23 and 77 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)(2) (‘the GDPR’).

2.        The request for a preliminary ruling has been made in proceedings between Mr Joachim Lindenberg, a journalist specialising in data protection, and the Bayerisches Landesamt für Datenschutzaufsicht (Bavarian Data Protection Authority, Germany; ‘the Landesamt’) concerning that authority’s refusal to grant him full access to its file on the basis of Article 15 of the GDPR in the context of a procedure initiated in response to a complaint that he had lodged against a third party. The Landesamt justified its refusal by reference to a Bavarian provision which precludes public access to the files of supervisory authorities. Following the action brought by Mr Lindenberg, the Landesamt finally granted electronic access to the file without admitting any legal error, while the applicant has continued to seek a declaration that the initial refusal was unlawful. Taking the view that an interpretation of the relevant provisions of the GDPR and an examination of the compatibility of the Bavarian legislation with EU law are required to resolve the dispute, the referring court decided to stay the proceedings and to refer two questions to the Court of Justice for a preliminary ruling.

3.        The Court is asked to rule on whether, in the context of a complaint procedure initiated under Article 77 of the GDPR, a data protection supervisory authority may be classified as a ‘controller’ within the meaning of Article 4(7) of the GDPR, and to what extent that authority is required to comply with the access obligations laid down in Article 15 of the GDPR. In particular, the Court is requested to consider whether EU law precludes national legislation which rules out any right of access to the file for data subjects. That assessment must be carried out in the light of Article 23 of the GDPR, which allows the access obligations set out in that regulation to be restricted on specific grounds of public interest, as well as Article 8(2) of the Charter of Fundamental Rights of the European Union (‘the Charter’), which guarantees everyone the right of access to data which has been collected concerning him or her. In that regard, the Court will have to weigh the requirement of transparency of public administration against the need to ensure the effectiveness of data protection investigations.

II.    Legal framework

A.      European Union law

4.        Articles 8 and 52 of the Charter, Article 16 TFEU, and Article 4(1), (2), (7) and (9) and Articles 5, 15, 23, 51, 57, 58 and 77 of the GDPR are relevant in the present case.

B.      German law

5.        Under Article 18 of the Bayerisches Datenschutzgesetz (Bavarian Law on Data Protection; ‘the BayDSG’), the Landesamt is a supervisory authority with respect to non-public entities.

6.        Article 20 of the BayDSG provides:

‘(1) Anyone may apply to the supervisory authorities to claim that his or her rights have been infringed in the processing of his or her personal data. The data subject must suffer no disadvantage by virtue of referring a matter to the supervisory authorities.

(2) There shall be no rights of access or inspection with respect to the files and records of the supervisory authorities.’

7.        The explanatory memorandum to Article 20(2) of the BayDSG states that that provision applies and precludes any right of access under Article 15 of the GDPR where such a right is invoked against the Landesamt in respect of its files and records.

III. The facts of the dispute in the main proceedings, the main proceedings and the questions referred for a preliminary ruling

8.        Mr Lindenberg is a journalist and runs a blog dealing with data protection among other topics. Since 2021, he has lodged a number of complaints with the Landesamt.

9.        After Mr Lindenberg lodged a data protection complaint with the Landesamt on 13 May 2022, it initiated a supervisory procedure in respect of a third party. By email of 11 October 2022, the Landesamt informed Mr Lindenberg that it had found that data protection breaches had been committed by the person against whom the complaint had been made. It added that, after the expiry of the period prescribed for remedying the breaches, the person against whom the complaint had been made would be issued with a penalty notice if that person were to commit further breaches. By email of the same date, Mr Lindenberg asked to be provided with additional details of the measures taken by the Landesamt. As the authority did not respond to that request, Mr Lindenberg, by email of 11 October 2022, requested full details pursuant to Article 15(1) and (3) of the GDPR.

10.      By email and decision of 20 October 2022, the Landesamt refused the request for access under Article 15(1) and (3) of the GDPR. It justified its refusal by stating that the express provision set out in Article 20(2) of the BayDSG precluded the right to access and inspect supervisory authorities’ files and records.

11.      Mr Lindenberg brought an action against that decision before the Bayerisches Verwaltungsgericht Ansbach (Bavarian Administrative Court, Ansbach), requesting that the Landesamt be ordered to provide him with a copy of all the information in the file relating to the complaint procedure initiated on 13 May 2022.

12.      On 23 February 2024, the Landesamt granted electronic access to the file relating to the supervisory procedure triggered by Mr Lindenberg’s complaint, but did not acknowledge any legal obligation in that regard.

13.      Mr Lindenberg now seeks only a declaration that the Landesamt’s decision of 20 October 2022 refusing his access request was unlawful.

14.      The referring court notes that, where a complainant – such as Mr Lindenberg – initiates a complaint procedure with a data protection supervisory authority – such as the Landesamt – under Article 77 of the GDPR, that authority acts as a supervisory authority within the meaning of Article 4(21) of the GDPR in relation to the complainant. Some parties, including the Landesamt, argue that such a situation precludes the data protection supervisory authority from being a ‘controller’ in relation to the complainant for the purposes of Article 15 of the GDPR, read in conjunction with Article 4(7) thereof, and thus, from the outset, precludes the complainant from exercising the right to access personal data arising from the complaint procedure against the data protection supervisory authority.

15.      By contrast, the referring court proceeds on the assumption that a data protection supervisory authority may be at once a supervisory authority within the meaning of Article 4(21) of the GDPR, a controller, and an entity against which a right of access is asserted for the purposes of Article 15 of the GDPR, read in conjunction with Article 4(7) thereof.

16.      The referring court considers that, if this is indeed the case, the question arises as to whether a blanket exclusion of the right of access to the supervisory authority’s files and records, such as that laid down in Article 20(2) of the BayDSG, satisfies the conditions which must be respected in the exercise of the option to restrict that right, as provided for under Article 23(1) of the GDPR.

17.      In those circumstances, the Bayerisches Verwaltungsgericht Ansbach (Bavarian Administrative Court, Ansbach) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Is Article 15 of [the GDPR], read in conjunction with Article 4(7) [thereof], to be interpreted as meaning that a supervisory authority, as defined in Article 4(21) of [the GDPR] and acting in the context of a complaint procedure initiated by a data subject pursuant to Article 77 of [the GDPR], is at the same time a “controller” within the meaning of Article 15 of [the GDPR], read in conjunction with Article 4(7) [thereof], and is therefore required to grant the data subject access to information on the basis of Article 15 of [the GDPR]?

(2)      If Question 1 is answered in the affirmative: Is EU law, in particular Article 23 of [the GDPR], to be interpreted as precluding national legislation – such as Article 20(2) of the [BayDSG], which excludes, in a blanket manner, rights of access or inspection with respect to files and records of supervisory authorities as defined in Article 4(21) of [the GDPR]?’

IV.    Procedure before the Court

18.      The order for reference dated 19 February 2025 was received at the Court Registry on 17 March 2025.

19.      The Landesamt, the Bulgarian and Latvian Governments and the European Commission submitted written observations within the period prescribed by Article 23 of the Statute of the Court of Justice of the European Union.

20.      At the hearing on 22 January 2026, the representatives ad litem of Mr Lindenberg, the Landesamt, the Bulgarian Government and the Commission presented argument.

V.      Legal assessment

A.      Preliminary remarks

21.      This case raises a question of principle concerning the legal status of supervisory authorities in the light of the rights recognised by the GDPR and, in particular, the right of access guaranteed under Article 15 thereof. It involves determining whether, when investigating a complaint lodged under Article 77 of the GDPR, a supervisory authority may be classified as a ‘controller’ in respect of the data processed in that context, within the meaning of Article 4(7) of that regulation. That classification is decisive as it determines whether the access obligations to which a controller is subject apply. More broadly, it raises the issue of the balance between the protection of individual rights and the characteristics inherent to the performance of supervisory tasks, which are based on the independence of decision-making, the confidentiality of investigations and the effectiveness of investigative powers.

22.      If the Court were to rule that a supervisory authority may be required, in principle, to comply with Article 15 of the GDPR, this would raise a second question, of a normative nature, as to whether a general, absolute exclusion of the right of access to administrative files is compatible with the legal framework of the European Union. Such national legislation must be assessed in the light of the requirements laid down in Article 23 of the GDPR, which strictly circumscribes the restrictions which may be imposed on the rights which it guarantees, by making them subject to compliance with cumulative conditions relating to the legal basis, necessity, proportionality and the safeguard of objectives of general interest recognised by the European Union. The assessment must also take into account the safeguards laid down in primary law, in particular those relating to respect for fundamental rights and the effectiveness of legal remedies.

23.      The legal analysis will therefore be carried out in two successive stages. First, it must be determined whether and to what extent a supervisory authority may be classified as a ‘controller’ in the context of a complaint procedure, such as to be bound by the access obligations laid down in the GDPR.(3) Second, and only if the answer is in the affirmative, it will be necessary to assess whether a general, indiscriminate and preventive exclusion of the right of access to supervisory authorities’ files is compatible with the harmonised system of the GDPR, in view of the requirements of administrative transparency, data protection, institutional independence and effectiveness of supervisory mechanisms, which must be balanced without any of those requirements being deprived of their essence. (4)

B.      The first question

1.      The classification of a supervisory authority as a ‘controller’ under Article 4(7) of the GDPR

24.      Regarding the potential classification of a supervisory authority as a ‘controller’, which is the subject of the first question referred, it is appropriate to begin by recalling the legal definition of that concept, as set out in Article 4(7) of the GDPR. Under that provision, ‘controller’ means any ‘natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. In that regard, it is important to bear in mind that, according to the Court’s settled case-law, that concept is interpreted broadly.(5)

25.      First of all, it should be observed that that legal definition expressly refers to ‘public authorities’. Thus, the actual wording of Article 4(7) of the GDPR does not in any way rule out the possibility of classifying a supervisory authority as a ‘controller’. The EU legislature deliberately refrained from distinguishing between private and public entities, as shown by several recitals which explicitly refer to personal data processing by public authorities. Furthermore, in view of the broad and function-based meaning which the GDPR gives to the concept of ‘controller’, (6) the fact that a supervisory authority is defined in Article 4(21) of that regulation as an independent public authority established by a Member State pursuant to Article 51 of that regulation cannot be interpreted as precluding its potential classification as such.

26.      Second, it should be noted that, where such a supervisory authority carries out the tasks entrusted to it under Article 77 of the GDPR – in particular the investigation of complaints concerning possible breaches of data protection rules – it is itself required to process personal data. The authority does not merely receive those data; it structures, analyses, stores and uses them in the independent exercise of its investigative and enforcement powers under that regulation. In my view, such operations fall within the scope of Article 4(2) of the GDPR, which provides a broad definition of the concept of ‘processing’ that is not confined to a specific context and which covers all operations carried out on data.

27.      In support of that assessment, in the following discussion I shall outline, first, the essential characteristics of the complaint procedure provided for in Article 77 of the GDPR and, second, the categories of personal data which the supervisory authorities are in practice routinely required to process in that context. That outline will allow a better understanding of the nature and scope of the tasks performed by supervisory authorities when they carry out such procedures.

(a)    The essential characteristics of the ‘complaint procedure’ provided for in Article 77 of the GDPR

28.      The complaint procedure(7) established by Article 77 of the GDPR is a central mechanism of the EU system designed to ensure the protection of natural persons in relation to the processing of their personal data. It contributes to the practical implementation of the principle set out in Article 8(3) of the Charter, according to which compliance with the rules on data protection must be subject to control by an independent authority. The Court has repeatedly stated that this supervisory mechanism does not merely exist on paper but is intended to ensure the real and effective protection of fundamental rights. (8)

29.      Article 77(1) of the GDPR confers on any data subject the right to lodge a complaint, without any specific formal requirements or risk of incurring costs, in particular with the supervisory authority in the Member State of his or her habitual residence, place of work or place of the alleged infringement. Since that right is an essential element of the system of protection established by that regulation, it cannot be interpreted or applied in such a way as to make it practically impossible or excessively difficult to exercise it.(9)

30.      It is important to point out that the lodging of a complaint does not merely grant the supervisory authority general powers of examination, but rather imposes a specific obligation on it to investigate the case thoroughly, diligently and impartially. In its case-law, the Court has held that, in accordance with Article 57(1)(f) of the GDPR, each supervisory authority is required to handle complaints lodged on its territory, to examine their nature as necessary and to deal with them with all due diligence.(10)

31.      It follows that a supervisory authority may not refrain from handling a complaint on grounds of administrative convenience or considerations of expediency alone. Similarly, it is prohibited from reducing its role to that of an informal mediator or mere facilitator. On the contrary, it is required to examine the alleged infringement in fact and in law and to implement effectively the corrective powers vested in it by EU law where appropriate.(11)

32.      According to the case-law, the powers listed in Article 58 of the GDPR must be interpreted in the light of their purpose, namely to ensure that that regulation is fully effective. The Court has emphasised the supervisory authorities’ obligation to adopt ‘appropriate and necessary’ corrective measures in the event of a breach being established and to use all instruments at their disposal. That obligation includes punitive action, as inaction is liable to undermine the effectiveness of that regulation.(12)

33.      Moreover, Article 77(2) of the GDPR requires that the complainant be informed of the progress and the outcome of the procedure. That requirement is fulfilled only if the response provided establishes that the complaint has been examined in fact and in law and contains the information necessary for effective judicial review. The procedure cannot therefore be confined to the adoption of a purely formal decision, but must result in a detailed, duly reasoned assessment capable of examination by a court seised under Article 78(1) of the GDPR. Any decision adopted by a supervisory authority on a complaint is subject to full judicial review.(13)

34.      Viewed as a whole, the procedure provided for in Article 77 of the GDPR is not merely an administrative act but a legal remedy in its own right, established by EU law and serving both to protect individual rights and to ensure the objective safeguard of the legal system of data protection. The Court recognises supervisory authorities as institutional guarantors of a system for the structural protection of fundamental rights, whose role is not limited to passively receiving complaints but involves actively applying data protection rules.

(b)    The ‘processing’ of personal data by a supervisory authority in a complaint procedure

35.      Having recalled the essential characteristics of the complaint procedure, it is necessary to consider to what extent a supervisory authority’s activity constitutes ‘processing’ within the meaning of Article 4(2) of the GDPR. That concept is defined as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

36.      In that regard, it should be observed that, in the context of a procedure based on Article 77 of the GDPR, a supervisory authority does not merely receive data. On the contrary, it performs a set of separate, structured operations for the purpose of carrying out its statutory task of examination, investigation and supervision. Processing begins from the lodging of the complaint, which contains data relating to the complainant and, as the case may be, the data controller concerned or identifiable third parties. That information – which falls within the concept of ‘personal data’ within the meaning of Article 4(1) of the GDPR – is recorded, placed in a file and stored in the supervisory authority’s internal systems, which already entails physical and organisational operations constituting ‘processing’. (14)

37.      Those operations are among the tasks assigned to supervisory authorities by Article 57(1) of the GDPR, as set out in the present Opinion. Those tasks include, inter alia, examining complaints (point (f)) and exercising investigative and decision-making powers (point (h)). When carrying out those tasks, the authorities act within a framework of functional and decision-making independence guaranteed by EU law, an independence which is tangibly reflected in the manner in which complaints are investigated and how the resulting supervisory powers are exercised.

38.      During the procedure, the supervisory authority carries out a factual and legal examination of the information submitted to it. It collects, organises, analyses and assesses data in accordance with the applicable legislative framework. Other processing operations also take place when it requests additional information from the controller – against whom a complaint is directed and who is the subject of an investigation – or when it consults additional documents, which may themselves contain personal data. That information is then received, recorded, analysed and stored by the supervisory authority. Similarly, the cross-referencing of that information with any pre-existing files or information may be considered a ‘processing’ operation.

39.      The data thus processed are used by the supervisory authority for the purposes of the independent exercise of its investigative and decision-making powers.(15) They serve to establish the facts, determine their legal characterisation, assess possible corrective measures and, where appropriate, adopt binding decisions or orders. They are also used when procedural communications are sent to the parties, in particular when the complainant or controller is informed of the outcome of the procedure.

40.      It follows from all of the foregoing that the supervisory authority cannot be regarded merely as a data ‘recipient’ within the meaning of Article 4(9) of the GDPR. Since it independently decides the arrangements for collecting, analysing, organising and using those data for the purposes of performing its statutory tasks, it acts as an operator carrying out ‘processing’ in the full sense of Article 4(2) of the GDPR. That aspect will be examined in more detail in the following section.

2.      The power of the supervisory authority to ‘determine the purposes and means of the processing’

41.      For a supervisory authority to be classified as a ‘controller’ within the meaning of Article 4(7) of the GDPR, it must also have the power to determine the purposes and means of the processing of personal data.

42.      As stated above, the supervisory authority’s role in a complaint procedure under Article 77 of the GDPR is not limited to the passive receipt of information. In reality, it determines the purpose of the processing, in that it decides that the data will be used for assessing a possible infringement of data protection rules, establishing the facts and, where appropriate, preparing and adopting supervisory measures. Such determination of purpose is not only prescribed by law, but it also requires that the purpose be specified independently by the authority on a case-by-case basis, inter alia as regards the scope of scrutiny, the exact focus of the investigation, and the legal characterisation of the allegations raised. (16)

43.      The supervisory authority also independently decides essential aspects of the means of processing. It determines which personal data are collected, in what form they are recorded, structured and stored, according to what criteria files are created, digital archives organised or evidence catalogued, and what technical or organisational processes are used for analysing or further processing the data or making them available internally. Similarly, it decides whether it is necessary to send requests for information to the party against whom the complaint has been lodged, what additional information should be sought, how it will be cross-referenced, and how long it will be stored. Clearly, that power to select and organise data goes beyond merely performing an auxiliary or ancillary task.

44.      The independence of the authority’s decision-making is confirmed by the processing operations which it undertakes in practice. The authority registers the complaint, opens its own files, stores and organises the data which it receives or collects, assesses those data from a factual and a legal perspective, requests additional documents, records the investigative steps taken and adopts procedural and substantive decisions based on its own assessment. The processing therefore not only supports the technical management of administrative files, but also forms the basis for independent investigative, assessment and decision-making activity which EU law entrusts solely to supervisory authorities.

45.      The fact that that activity is carried out in performance of a statutory task does not remove the status of ‘controller’. The Court has stated on several occasions that public authorities may be classified as ‘controllers’ if they have decision-making discretion as to the specific processing arrangements.(17) In that regard, it should be noted that the Landesamt itself acknowledged at the hearing that it has the discretion to determine its own tasks, including how it handles complaints, (18) and that that discretion reflects its independence.

46.      In the absence of any subordination with regard to the determination of the purposes and means, classification as a ‘processor’ must also be precluded, since the authority does not act on the instructions of a third party, but exercises its own prerogatives. In particular, the supervisory authority does not in any way act on behalf of the controller to which the complaint relates, but exercises a public power conferred on it in order to ensure compliance with EU law.

47.      While the processing at issue is, as a general rule, based on Article 6(1)(e) of the GDPR, read in conjunction with Article 57(1)(f) and (h) of that regulation, the existence of a legal basis ensures only the lawfulness of the processing, without ruling out the status of ‘controller’ of the processing. On the contrary, the fact that the law entrusts the authority with carrying out supervisory tasks confirms that it processes the data in fulfilment of its own statutory obligations and in accordance with the arrangements which it defines itself. As a ‘controller’, it therefore in principle remains subject to the general obligations under the GDPR, in particular the principles set out in Article 5 thereof and the rights of the data subject listed in Chapter III of that regulation, unless those principles and rights have been legitimately restricted by a sufficiently clear and proportionate legal provision in accordance with Article 23 of the GDPR.

48.      The independence of supervisory authorities, as enshrined in Article 52 of the GDPR and reiterated in recital 117 thereof, requires that they be classified as ‘controllers’ for the personal data processing operations which they carry out in the performance of their statutory tasks. It is only through the independent determination of the purposes and means of the processing operations concerned – together with the assumption of the resulting responsibility – that they are able to exercise their supervisory and enforcement powers in complete independence vis-à-vis the entities under their supervision. Considering them as mere subordinates pursuing purposes defined by third parties in the context of the handling of complaints would undermine their institutional autonomy, make them dependent on the controllers under examination and render meaningless the requirement of responsibility laid down in EU law. The supervisory authority must therefore assume responsibility in its own right for the processing of personal data carried out in the context of the complaint procedure, since the rights of data subjects under the GDPR apply fully to it.(19)

49.      Lastly, if the supervisory authority were not classified as a ‘controller’ when handling complaints, the data subject would lose significant protection with regard to a key aspect of the processing of his or her data. The rights of data subjects provided for in Articles 12 to 22 of the GDPR, in particular the right of access referred to in Article 15 thereof, may be exercised only against the controller. Without that classification, the data subject would not be able to know what data the authority collects and processes in connection with a complaint, nor could he or she request their rectification, erasure or restriction. Data processing by the authority would thus avoid any requirement of transparency or accountability, even though the authority is specifically responsible for ensuring that the rights of data subjects are protected. Failure to classify the authority as the ‘controller’ would therefore create a structural gap in protection, leaving the data subject without the fundamental safeguards provided for in the GDPR in his or her relationship with the supervisory authority.(20)

50.      It follows that, in the context of handling complaints lodged under Article 77 of the GDPR, a supervisory authority decides on the purposes and means of processing and does not merely receive or administer data determined by a third party. It acts as an independent actor who collects, organises, analyses and uses personal data as a basis for decisions adopted in the exercise of public authority. It must therefore be classified as a ‘controller’ within the meaning of the broad definition set out in Article 4(7) of the GDPR. (21)

51.      For the sake of completeness, it must be observed that the fact that the EU legislature did not expressly envisage a situation in which the supervisory authority acts simultaneously as a ‘controller’ within the meaning of Article 4(7) of the GDPR during a complaint procedure does not constitute a relevant argument against such a classification. On the contrary, the decisive question is whether the authority fulfils the substantive conditions laid down in that provision. As is apparent from the foregoing analysis, it plainly does in the present case.

52.      In that context, the Landesamt’s argument that specific provisions of the GDPR necessarily assume a strict distinction between the supervisory authority and the ‘controller’ cannot succeed either. Those provisions relate solely to the standard situation envisaged by the EU legislature, in which those two roles do not overlap. However, they do not exclude the possibility that a supervisory authority may simultaneously fulfil the conditions required to be classified as a ‘controller’ in certain circumstances, such as those at issue in the main proceedings.

53.      In so far as certain provisions of the GDPR provide for ‘cooperation’ or ‘consultation’ between the ‘controller’ and the supervisory authority, inter alia Articles 31 and 36 thereof, any conflict resulting from an overlap of those roles may be resolved by means of a teleological interpretation of that regulation. Such an interpretation requires the supervisory authority’s internal procedures to be organised and coordinated in a manner which ensures that the objectives pursued by the provisions concerned are achieved in practice.

3.      The existence of a complainant’s right of access based on Article 15 of the GDPR

54.      As has been stated in the present Opinion, classifying the supervisory authority as a ‘controller’ obliges it to ensure compliance with the rights conferred on data subjects by Chapter III of the GDPR. Those rights include, in particular, the right of access laid down in Article 15 of that regulation.

55.      In a procedure initiated under Article 77 of the GDPR, the complainant, in principle, also has the status of a ‘data subject’ within the meaning of that regulation. As such, he or she may require the supervisory authority to confirm whether personal data concerning him or her are being processed. If that is the case, the right of access also includes all the information listed exhaustively in Article 15(1)(a) to (h) of the GDPR, including in particular the purposes of the processing, the categories of data concerned, the recipients or categories of recipients, the storage period and information regarding the data subject’s rights.

(a)    The right to obtain a ‘copy’ under Article 15(3) of the GDPR

56.      The right of access entails, inter alia, the data subject’s right to obtain a copy of the data under Article 15(3) of the GDPR. That provision requires the controller to provide the data subject with a copy of his or her personal data in an intelligible form, enabling him or her to understand exactly the scope and manner of processing. The purpose of that right is to enable the data subject to ascertain which of his or her data are undergoing processing, to identify the source of the data, to understand the purposes of the processing and to be informed of the possible recipients of the data.(22)

57.      The Court has ruled that the copy must be provided in such a way as to enable effective verification of the lawfulness of the processing and the meaningful exercise of the other rights laid down in the GDPR.(23) The term ‘copy’ does not relate to a document as such, but to the personal data which it contains; what matters is that those data are communicated in a way that is complete and clear and enables their meaning to be reproduced. In order to ensure the effectiveness of that right, the reproduction of extracts from documents – even entire documents – or of extracts from databases which contain, inter alia, personal data undergoing processing may prove to be essential. (24)

58.      However, the scope of that right remains strictly circumscribed by its function. It extends only to the data subject’s ‘personal data’ and includes any information which relates to him or her or which enables him or her to be identified, within the meaning of Article 4(1) of the GDPR. Where the context in which those data appear is necessary to ensure a complete understanding of them, the obligation to provide the data may involve the transmission of an appropriate extract or a presentation of the data in context, to the extent necessary to meet the requirements of transparency. The right to obtain a copy is thus a central part of the informational self-determination mechanism established by the GDPR, in that it guarantees data subjects substantial control over the processing of their data and allows them to verify whether it complies with the requirements of EU law.

(b)    Article 15 of the GDPR does not provide for a ‘general right of access to administrative files’

59.      However, the right of access laid down in Article 15 of the GDPR, which is specific to the system of personal data protection, cannot be treated as a general right of access to administrative files or a generally applicable requirement of administrative transparency. The sole purpose of that provision is to ensure transparent processing in order to allow data subjects to verify its lawfulness and to effectively exercise the related rights, inter alia the rights to rectification, erasure (‘the right to be forgotten’), restriction of processing and objection. (25) By contrast, it does not establish a general right of access to information held by the administrative authorities, a right to consult internal documents, or a fortiori a right to disclosure of information relating to a public authority’s internal deliberation or decision-making process. This becomes evident when the right of access under Article 15 of the GDPR is compared with other access rights laid down in EU and national law.

60.      First, Article 15 and Article 77(2) of the GDPR serve different purposes and a strict distinction must therefore be made between them. Article 77(2) establishes a procedural right to be informed of the progress and outcome of the complaint, but does not confer a right of access to data or documents under data protection legislation. Thus, while Article 15 aims to ensure that individuals have control over their own personal data, Article 77(2) relates to the requirement for procedural transparency in the administrative handling of complaints. Those provisions, which are independent in their purpose and scope, cannot be confused with or substituted for one another. They are separate legal regimes, based on different normative rationales, subject to their own specific conditions of application, and are not intended to overlap with, or to be substituted for, one another.

61.      Second, Article 15 of the GDPR establishes only a right to access personal data, and does not lay down either a right to access the administrative file or a right to consult documents held by the authority.(26) Its material scope is confined to the communication of personal data undergoing processing and does not extend either to administrative transparency or to access to internal decision-making processes. Therefore, unless otherwise specified in sector-specific EU legislation, the right of access to the file remains within the legislative competence of the Member States, where it is generally governed by legislation on general administrative procedure, special procedural regimes, laws on freedom of information and transparency, or specific professional or sectoral rules. (27)

62.      It follows that Article 15 of the GDPR does not establish any right to the communication or consultation of administrative files as such. In particular, the scope of the right of access does not extend to internal legal assessments, opinions, annotations, memos, preparatory documents or, more generally, information relating to the process of drafting administrative decisions or justifying them internally. Where a document held by an authority contains personal data relating to the complainant, the obligation to provide access is limited to communicating the data themselves, rather than providing or reproducing the entire document in which they are contained. Lastly, information that does not allow the data subject to be identified, either directly or indirectly, is not covered as such by the material scope of Article 15 of the GDPR.

63.      It should also be borne in mind that the right of access established in Article 15 of the GDPR may be subject to limitations under Article 23(1) of that regulation, provided that the conditions laid down therein are satisfied. That is the subject of the second question referred for a preliminary ruling, which I shall address in the following section.

4.      Interim conclusion

64.      In the light of the foregoing considerations, I consider that the answer to the first question should be that Article 15 of the GDPR, read in conjunction with Article 4(7) thereof, must be interpreted as meaning that a supervisory authority, within the meaning of Article 4(21) of that regulation, when acting in the context of a complaint procedure based on Article 77 of that regulation, also has the status of ‘controller’ within the meaning of that regulation and is therefore required to ensure the data subject’s right of access provided for in Article 15 of the GDPR.

C.      The second question

1.      Restrictions on the right of access to personal data listed in Article 23 of the GDPR

65.      By its second question, the referring court seeks clarification of the relationship between Article 23 of the GDPR and a national provision which, like Article 20(2) of the BayDSG, provides for a general exclusion of the right of access or consultation vis-à-vis the data protection supervisory authority. The answer to that question requires an in-depth analysis of the GDPR’s scheme as reflected in its wording, its purpose and the relevant recitals, and the application of the principles developed by the Court concerning the limitations which may be imposed on data subjects’ rights.

66.      Article 23 of the GDPR states that legislative measures of the European Union or of the Member States to which the controller is subject may restrict, inter alia, the right of access enshrined in Article 15 of that regulation, provided that such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to achieve one of the legitimate objectives listed in points (a) to (j) of that provision. However, Article 23(1) of the GDPR cannot be interpreted as empowering a national legislature to freely substitute its own rules for the provisions of Articles 12 to 22 of that regulation. On the contrary, Article 23(1) establishes an exhaustive list of opening clauses which authorise the national legislature to impose restrictions on data subjects’ rights and controllers’ obligations under those articles, on the grounds specifically listed.(28)

67.      Article 23 of the GDPR thus establishes a derogation regime for the areas it covers, which mainly concern the performance of public tasks and the pursuit of public interest objectives capable of justifying a curtailment of the rights of data subjects as compared with other sectors of activity. In that regard, account must be taken of the first and second sentences of recital 4 of the GDPR, which require that the fundamental rights at issue be balanced and that the limitations envisaged be justified, necessary and proportionate in the light of the competing rights and interests.

68.      It is apparent from the order for reference that, although the explanatory memorandum to the Bavarian Law expressly mentions Article 23 of the GDPR as the legal basis for Article 20(2) of the BayDSG, it does not refer to any of the objectives listed in that provision. It merely states that Article 20(2) of that law reflects the specific requirement relating to the purpose of information obtained in the performance of data protection supervisory activities. However, the referring court notes that, according to the Landesamt’s observations in the main proceedings, Article 20(2) of the BayDSG in fact pursues two main objectives: preserving the confidentiality of third parties’ personal data and ensuring the proper functioning and independence of the supervisory authority.

69.      In accordance with the principles governing the cooperation mechanism established by Article 267 TFEU between the Courts of the European Union and the national courts – under which the interpretation of domestic law is solely a matter for the referring courts(29) and the Court is required to take account of the content and the scope of that law as provided by them (30) – I shall take those comments as the basis for my assessment.

2.      Compatibility with Article 23 of the GDPR of a general exclusion of the right of access under Article 15 of that regulation

70.      In the remainder of the present Opinion, I shall determine whether a general exclusion of the right of access provided for in Article 15 of the GDPR may be justified in view of the abovementioned legislative objectives. I shall also assess whether such legislation satisfies the additional requirements which Article 23 of the GDPR imposes on any restriction of that right.

(a)    Existence of a legitimate objective

(1)    Protecting the confidentiality of third parties’ personal data

71.      Protecting the confidentiality of third parties’ personal data constitutes a legitimate objective under the GDPR, which may, in principle, justify limitations to data subjects’ rights. In that regard, it should be noted that, with respect to the right of access provided for in Article 15 of the GDPR, recital 63 of that regulation states that ‘that right should not adversely affect the rights or freedoms of others’. Account is therefore taken of the fact that, as is apparent from recital 4 of the GDPR, the right to the protection of personal data is not an absolute right, since it must be considered in relation to its function in society and be balanced against other fundamental rights.(31)

72.      Article 23(1)(i) of the GDPR expressly refers to the protection of ‘the rights and freedoms of others’, as confirmed by recital 73 of that regulation. Consequently, when it comes to the personal data of public officials or private individuals, the national legislature can legitimately argue that disclosure of such data would infringe personality rights, and that there is a need for protection which must be balanced against the complainant’s right of access.

(2)    Safeguarding the proper functioning and independence of supervisory authorities

73.      The preservation of the proper functioning and the independent decision-making of supervisory authorities also constitutes a legitimate objective for the purposes of Article 23(1) of the GDPR. The EU legislature has given them a pivotal role within the European data protection system, as shown by Article 52 of that regulation, which guarantees their full independence, and by the scope of the investigative and corrective powers set out in Articles 57 and 58 of that regulation.(32) On that point, the Court has made clear in its case-law that the proper functioning of those authorities must be guaranteed, in particular by ensuring that it is not hindered by manifestly unfounded or excessive complaints within the meaning of Article 57(4) of the GDPR. (33)

74.      Therefore, and in the light of Article 23(1)(h) of the GDPR, which permits restrictions where they are necessary for the performance of ‘monitoring’ and ‘inspection’ functions connected to the exercise of official authority, a limitation of the right of access may be justified in principle. Furthermore, given the existing parallels, account must also be taken of the objective stated in Article 23(1)(f) of the GDPR and further detailed in recital 73 of that regulation, namely that of ensuring the independence of the judiciary and protecting the conduct of judicial proceedings. It is true that supervisory authorities do not form part of the judicial system; nevertheless, like State bodies responsible for ensuring compliance with the law, they play an essential role in detecting and sanctioning breaches of personal data protection law. It follows that an application by analogy of that provision may, in any event, be envisaged.

(3)    Protecting public security

75.      For the sake of completeness, it should be noted that the order for reference also refers to the protection of public security as a possible justification under Article 23(1)(c) of the GDPR, without providing any further details. However, the assessment of the referring court and of the Commission, according to which that argument appears unfounded, should be endorsed. In the light of the facts of the case in the main proceedings as presented by the referring court, such a restriction clearly does not seem relevant. That justification will therefore be disregarded in the following analysis.

(b)    Requirements imposed by the GDPR regulatory framework

76.      First, it must be observed that the interest relating to the confidentiality of third parties’ personal data is duly taken into account by national legislation such as Article 20(2) of the BayDSG, in that it categorically prohibits the disclosure of such data. Furthermore, it cannot be ruled out that a lack of cooperation by supervisory authorities in handling access requests may result in the reallocation of human and material resources to other areas of activity, potentially leading to efficiency gains.

77.      Second, such circumstances raise doubts as to their conformity with the regulatory framework established by the EU legislature when adopting the GDPR, in particular as regards the general scheme of that regulation, which is based on a balance between several interests: the transparency of data processing, the preservation of confidentiality where necessary, and the effective protection of those interests by supervisory authorities. National legislation which does not adequately reflect the balance between those interests cannot therefore satisfy the requirements of Article 23(1) of the GDPR. The same applies where it appears that measures which are less restrictive of fundamental rights but equally effective in achieving the objectives pursued may be envisaged.(34)

78.      In that regard, it should be noted that the GDPR treats the right of access laid down in Article 15 thereof as an integral component of the principle of transparency. This is clear from recital 63 of that regulation, according to which the data subject should be able to ‘be aware of … the processing’ in order to ensure the effectiveness of the rights which that regulation confers on him or her. The Court has repeatedly confirmed that view, holding that the right of access occupies a central place in the general scheme of the system established by the GDPR. A national provision which deprives the data subject of that right in a general and indiscriminate manner therefore undermines the very core of the system of protection established by the EU legislature.

79.      While it is true that Article 23 of the GDPR allows restrictions to be placed on data subjects’ rights, including the right of access, on grounds of public interest, it also requires such restrictions to be underpinned by a sufficiently precise legal basis. That basis must clearly define the nature, scope and limits of the restriction, as well as the safeguards necessary to prevent risks of abuse. Recital 41 of the GDPR states to that effect that any restriction of a right guaranteed by that regulation should be ‘clear and precise’ and ‘foreseeable’ to the data subject, who must be able to determine the extent of the restrictions which may be imposed on his or her rights.(35) A national provision which absolutely precludes the right of access without determining its material or personal scope or providing safeguards cannot fulfil those requirements.

80.      Furthermore, recital 60 of the GDPR recalls that transparency is a fundamental principle of personal data processing, which also applies to the actions of public authorities. While certain information may be withheld temporarily from disclosure during a complaint procedure, inter alia to avoid compromising the prevention, detection or investigation of offences,(36) such withholding must remain strictly necessary and proportionate, and must not result in transparency vis-à-vis the data subject being rendered meaningless. A national provision which excludes all forms of access, without distinguishing between personal data and internal documents, thus disregards the scheme of the GDPR.

81.      The Court has also held, in the light of Article 52(1) of the Charter, that limitations which may be imposed on a fundamental right must comply not only with the principles of legality and proportionality, but also with the principle of respect for the ‘essence’ of the right in question.(37) Recital 4 of the GDPR reaffirms that the protection of personal data constitutes a fundamental right, enshrined in Article 8 of the Charter, which may be restricted only in accordance with the principle of proportionality. However, completely precluding the right of access results in the data subject being deprived of the very essence of that right, preventing him or her from even minimal monitoring of the processing to which he or she is subject.

82.      Recital 75 of the GDPR further emphasises that a lack or insufficiency of transparency in itself constitutes a risk which could seriously affect the rights and freedoms of data subjects. Legislation that completely deprives the data subject of the possibility of being informed of the processing carried out in respect of him or her creates the exact risk which the legislature intended to prevent.

83.      It should be added that recital 129 of the GDPR defines supervisory authorities as independent bodies responsible for ensuring the application of that regulation and protecting the rights of data subjects. However, that task and the position of those authorities in the supervisory mechanism established by the GDPR do not mean that they are exempt from all the obligations arising under that regulation. On the contrary, the GDPR establishes a consistent legal framework within which supervisory authorities, while exercising their powers, remain fully subject to the rules it establishes, including those relating to the rights of data subjects. A national provision which completely precludes any communication of data concerning the data subject undermines that balance and infringes the requirement of accountability to which supervisory authorities are subject.

84.      Furthermore, an absolute exclusion of the right of access appears to be incompatible with the objective pursued by the GDPR of ensuring a high level of data protection for natural persons, as set out in recital 10 of that regulation.(38) The envisaged level of protection is essentially based on transparency and on the data subject’s ability to monitor processing operations relating to him or her. The right of access set out in Article 15 of the GDPR is an essential element in that regard, as it underpins the effective exercise of all other rights of data subjects. (39) Precluding that right altogether would mean that certain processing operations would not be subject to any individual monitoring, thereby compromising the effectiveness of the high level of protection intended by the EU legislature.

85.      With regard to the objective of protecting third parties’ rights and freedoms, which was invoked to justify a limitation of the right of access, it should be recalled that the Court has ruled that, in the event of a conflict between the right of access and the rights or freedoms of others, the authorities must strike a balance between the interests involved. Recital 63 of the GDPR expressly states that that balance cannot under any circumstances justify a complete refusal of access.(40) Suitable measures, such as partial disclosure, redaction or anonymisation of data, protection of the identity of persons reporting breaches, differentiated treatment according to categories of documents, or communication of non-individualised, structured information, make it possible to reconcile the interests at stake without completely removing the right of access.

86.      As regards the alleged need to ensure the independent and effective performance of the tasks of supervisory authorities, it is unclear how the exercise of the right of access under Article 15 of the GDPR would compromise that objective. It is appropriate to agree with the referring court’s assessment that the independence of supervisory authorities does not in any way mean that the lawfulness of the processing of personal data which they conduct should be exempt from data subjects’ review. The risk of possible ‘influence’ which might be facilitated by access to information, as argued by the Landesamt, must therefore be dismissed.

87.      Furthermore, as explained above, Article 15 of the GDPR does not establish a general right of access to the file,(41) which means that the resulting administrative burden should be limited. This apart, it should be noted that Article 12(5) of that regulation provides supervisory authorities with appropriate means for dealing with improper or excessive requests. (42) They are also empowered to adopt various management measures, such as temporarily refusing to provide information during a procedure, excluding specific internal documents from disclosure, distinguishing between different types of procedures, communicating only information relating to stages which have already been completed, or putting in place organisational mechanisms ensuring that internal processes are not disrupted by requests for access. Such measures ensure the proper functioning of supervisory authorities without completely excluding the right of access provided for in Article 15 of the GDPR.

88.      It is also important to recall that the effectiveness of supervisory authorities depends decisively on their being provided with the necessary means, that is to say, the human, technical and financial resources as well as the premises and infrastructure that are essential for the effective performance of their tasks and exercise of their powers.(43) Article 52(4) of the GDPR expressly requires the Member States to ensure such allocation of resources. From that point of view, the question of the proper functioning of supervisory authorities cannot be reduced merely to the number of requests for access under Article 15 of the GDPR. Under no circumstances must an inadequate allocation of resources to authorities lead to a diminution in the level of personal data protection.

89.      It is apparent from the order for reference that Article 20(2) of the BayDSG is unique in the German legal system, since no other Land provides for a similar exclusion of the right of access. Such regulatory isolation strongly indicates that a restriction of that magnitude cannot be regarded as necessary or proportionate within the meaning of Article 23(1) of the GDPR. As all the other supervisory authorities carry out their tasks without resorting to a general removal of data subjects’ rights, it seems difficult to argue that such a measure is essential for the proper functioning of the authority or for the protection of third parties’ rights. A legislative provision specific to one Land, which restricts the rights guaranteed by the GDPR to a significantly greater extent than the legislation adopted in other parts of the national territory, does not appear to satisfy the requirements of consistency, necessity and proportionality imposed by EU law.

90.      It must therefore be concluded that, with respect to the two objectives pursued – protecting third parties’ rights and ensuring the proper performance of supervisory authorities’ tasks – different, less restrictive measures which are consistent with EU law allow the desired results to be achieved without removing the essence of the right of access, eliminating the required transparency vis-à-vis data subjects or impeding the possibility of verifying the lawfulness of processing carried out.

91.      Another crucial point is that Article 20(2) of the BayDSG does not make it possible to identify the objective pursued by the national legislature. As is apparent from the information provided by the referring court, the travaux préparatoires merely mention Article 23 of the GDPR as a legal basis, without referring to any of the objectives listed in that provision. However, Article 23 of that regulation requires the purpose of the restriction to be clear from the provision itself, a condition necessary for the effective monitoring of compliance with the principles of necessity and proportionality.

92.      That requirement for clarity cannot be met by justifications put forward ex post by a party to preliminary ruling proceedings under Article 267 TFEU, in particular where that party is the one benefiting from the restriction in question. To accept such a possibility would amount to replacing the will of a democratically accountable legislature with an interpretation devised for the purposes of an argument advanced in legal proceedings, which would be incompatible with the requirements of foreseeability, legislative transparency and legal certainty stemming from Article 23(1) and (2) of the GDPR.

93.      In those circumstances, it must be concluded that a general and indiscriminate exclusion of the right of access, such as that set out in Article 20(2) of the BayDSG, is incompatible with the requirements of Article 23 of the GDPR, since it does not contain any of the elements expressly required by Article 23(2) of the GDPR and does not comply with the scheme or purpose of that regulation as reflected in the relevant recitals. Such a provision appears disproportionate, insufficiently specific and liable to deprive the right of access of its essence.

3.      Interim conclusion

94.      For the reasons set out above, I consider that Article 23 of the GDPR must be interpreted as precluding national legislation such as Article 20(2) of the BayDSG, in so far as it excludes, as such, the existence of a right of access based on Article 15 of the GDPR vis-à-vis the supervisory authority.

VI.    Conclusion

95.      In the light of the foregoing considerations, I propose that the Court of Justice answer the questions referred for a preliminary ruling by the Bayerisches Verwaltungsgericht Ansbach (Bavarian Administrative Court, Ansbach, Germany) as follows:

(1)      Article 15, read in conjunction with Article 4(7), of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that a supervisory authority within the meaning of Article 4(21) of Regulation 2016/679, when acting in the context of a complaint procedure based on Article 77 of that regulation, also has the status of a ‘controller’ within the meaning of that regulation and is therefore required to ensure the data subject’s right of access provided for in Article 15 of Regulation 2016/679.

(2)      Article 23 of Regulation 2016/679

must be interpreted as precluding a national provision, such as that laid down in Article 20(2) of the Bavarian Law on Data Protection, which excludes, as such, the existence of a right of access based on Article 15 of that regulation vis-à-vis the Bavarian Data Protection Authority.


1      Original language: French.


2      OJ 2016 L 119, p. 1.


3      See point 24 et seq. of the present Opinion.


4      See point 65 et seq. of the present Opinion.


5      See judgment of 29 July 2019, Fashion ID (C‑40/17, EU:C:2019:629, paragraphs 65 and 66).


6      The Court has even held that a natural or legal person who exerts influence over the processing of personal data, for his, her or its own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a ‘controller’ (see judgments of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, paragraph 68, and of 29 July 2019, Fashion ID, C‑40/17, EU:C:2019:629, paragraph 68).


7      The GDPR does not explicitly define what a ‘complaint’ is, but the wording of Article 77 provides an initial indication. According to the guidelines of the European Data Protection Board (EDPB), a complaint is a submission to a supervisory authority by an identified natural person – or a body which fulfils the conditions provided for in Article 80 – who considers that the processing of his or her data infringes the GDPR. The EDPB states that that definition is not restricted to a breach of the rights laid down in Chapter III but more generally covers any infringement of the Regulation resulting from the processing of the complainant’s personal data (EDPB, Internal Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, adopted on 15 December 2020, p. 3).


8      See judgments of 7 December 2023, SCHUFA Holding (Discharge from remaining debts) (C‑26/22 and C‑64/22, EU:C:2023:958, paragraph 58); of 26 September 2024, Land Hessen (Obligation to act by the data protection authority) (C‑768/21, EU:C:2024:785, paragraph 35); and of 9 January 2025, Österreichische Datenschutzbehörde (Excessive requests) (C‑416/23, EU:C:2025:3, paragraph 39).


9      See judgment of the EFTA Court of 10 December 2020, Adpublisher AG v J & K (Joined Cases E-11/19 and E-12/19, paragraph 45).


10      See judgments of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650, paragraph 63); of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559, paragraph 107); of 7 December 2023, SCHUFA Holding (Discharge from remaining debts) (C‑26/22 and C‑64/22, EU:C:2023:958, paragraph 56); and of 26 September 2024, Land Hessen (Obligation to act by the data protection authority) (C‑768/21, EU:C:2024:785, paragraph 32).


11      In that context, it is appropriate to recall the Opinion of Advocate General Pikamäe in Joined Cases SCHUFA Holding (Discharge from remaining debts) (C‑26/22 and C‑64/22, EU:C:2023:222, point 42), in which he emphasised that the EU legislature did not intend to make the complaint procedure similar to a mere ‘petition’ mechanism. On the contrary, the objective was to establish a mechanism capable of effectively safeguarding the rights and interests of individuals who lodge complaints. In particular, the requirements laid down in Article 57(1)(f) of the GDPR, which are placed on the supervisory authority in connection with the handling of such complaints and come under the principle of ‘good administration’, demonstrate the legislature’s intention to confer on that procedure the essence of ‘a genuine administrative remedy’.


12      See judgment of 26 September 2024, Land Hessen (Obligation to act by the data protection authority) (C‑768/21, EU:C:2024:785, paragraph 42).


13      See judgments of 7 December 2023, SCHUFA Holding (Discharge from remaining debts) (C‑26/22 and C‑64/22, EU:C:2023:958, paragraph 70) and of 26 September 2024, Land Hessen (Obligation to act by the data protection authority) (C‑768/21, EU:C:2024:785, paragraph 49).


14      EU law does not set out any uniform requirements for how supervisory authorities should handle complaints in practice. Consequently, there are some differences in administrative practice between Member States. Nevertheless, the EDPB aims to ensure a certain degree of harmonisation of supervisory activities and procedural arrangements – in particular as regards the admission or archiving of complaints, the recording of amicable settlements and so forth – through guidelines and the development of ‘best practices’ (see, in that regard, EDPB, Internal Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints, adopted on 15 December 2020).


15      As noted by the EFTA Court in its judgment of 10 December 2020, Adpublisher AG v J & K (Joined Cases E-11/19 and E-12/19, paragraph 60), the supervisory authority has the power under Article 57(1)(h) of the GDPR to engage in investigations of its own initiative. When examining a complaint, it may therefore decide on different claims or subject matter in comparison with those raised by the complainant. The effectiveness of the complaint procedure requires that the supervisory authority is not limited in its investigation by how the complainant has framed the relevant points of law in his or her complaint.


16      Supervisory authorities appear to handle complaints either on the basis of national law or according to their own discretion. There also seem to be differences depending on whether complaints are handled on the basis of pragmatic criteria or under a simplified procedure (see, in that regard, González Fuster, G. and others, ‘The right to lodge a data protection complaint: OK, but then what? – An empirical study of current practices under the GDPR’, Access Now, Open Universiteit, 2022, p. 30).


17      See judgments of 11 January 2024, État belge (Data processed by an official journal) (C‑231/22, EU:C:2024:7, paragraph 39) and of 27 February 2025, Amt der Tiroler Landesregierung (C‑638/23, EU:C:2025:127, paragraph 49).


18      At the Court’s request, the Landesamt explained its administrative procedure for handling complaints. It stated in that regard that complainants may submit requests, including electronically, to the relevant Landesamt officials and seek access to the file. It is clear from that explanation that the arrangements under which the Landesamt handles complaints – in particular as regards the data collected, the organisational measures adopted and the investigations carried out – fall within the independence conferred on it by the GDPR in the performance of its tasks.


19      Möhle, J.-P., ‘Verantwortlichkeit als integrierendes Konzept im Datenschutzrecht’, Die Öffentliche Verwaltung, No 3, 2023, p. 108, explains that only a person that is actually in a position to exert influence may be bound by the obligations arising from data protection law (such as the obligations to provide information, to assume responsibility and to cooperate), that is to say, a person that is capable of preventing future infringements of data protection rules. In my view, there is no doubt that only the supervisory authority can meet that definition in the context of a complaint procedure.


20      As the Court has ruled, the very objective of the broad definition of the concept of ‘controller’ is to ensure effective and comprehensive protection for data subjects (see judgments of 13 May 2014, Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 34; of 29 July 2019, Fashion ID, C‑40/17, EU:C:2019:629, paragraph 66; and of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraph 28).


21      See, to that effect, Kunert, J., ‘Vorabentscheidungsersuchen an den EuGH zur Aufsichtsbehörde als Verantwortlicher und zur Rechtmäßigkeit des Art. 20 II BayDSG’, GRUR-Prax, No 9, 2025, p. 324.


22      See judgment of 22 June 2023, Pankki S (C‑579/21, EU:C:2023:501, paragraph 50).


23      See judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF (C‑487/21, EU:C:2023:369, paragraphs 33 and 34).


24      See judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF (C‑487/21, EU:C:2023:369, paragraph 41).


25      See judgments of 20 December 2017, Nowak (C‑434/16, EU:C:2017:994, paragraph 57); of 12 January 2023, Österreichische Post (Information regarding the recipients of personal data) (C‑154/21, EU:C:2023:3, paragraph 38); and of 4 May 2023, Österreichische Datenschutzbehörde and CRIF (C‑487/21, EU:C:2023:369, paragraph 35).


26      Zanfir-Fortuna, G., ‘Article 15. Right of access by the data subject’, in Kuner, C., Bygrave, L. and Docksey, C. (eds), The EU General Data Protection Regulation (GDPR) – A Commentary, Oxford University Press, Oxford 2020, p. 452, highlights the importance of distinguishing the right of access to one’s own personal data, laid down in Article 15 of the GDPR, from the right of access to public information. The two rights have different normative purposes: the first seeks to ensure transparency towards the person whose data are collected and processed by a controller (inter partes transparency), while the other seeks to ensure transparency towards the public concerning information that has public value or relevance (erga omnes transparency).


27      Gumzej, N., ‘DPA powers toward effective and transparent GDPR enforcement: the case of Croatia’, Juridical Tribune – Review of Comparative and International Law, Vol. 13, No 2, 2023, p. 210, refers to existing laws on freedom of access to information.


28      Schemmer, F., ‘Der Auskunftsanspruch der DS-GVO – Umfang des datenschutzrechtlichen Auskunftsanspruchs gem. Art. 15 DS-GVO und dessen Grenzen’, Zeitschrift für das gesamte Informationsrecht, No 5, 2024, p. 210.


29      See judgments of 6 March 2007, Placanica and Others (C‑338/04, C‑359/04 and C‑360/04, EU:C:2007:133, paragraph 34) and of 21 June 2022, Ligue des droits humains (C‑817/19, EU:C:2022:491, paragraph 240).


30      See judgments of 25 October 2001, Ambulanz Glöckner (C‑475/99, EU:C:2001:577, paragraph 10) and of 14 November 2024, S. (Modification of the formation of the court) (C‑197/23, EU:C:2024:956, paragraph 43).


31      See judgments of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559, paragraph 172); of 12 January 2023, Österreichische Post (Information regarding the recipients of personal data) (C‑154/21, EU:C:2023:3, paragraph 47); and of 21 March 2024, Landeshauptstadt Wiesbaden (C‑61/22, EU:C:2024:251, paragraph 75).


32      Giurgiu, A. and Larsen, T., ‘Roles and Powers of National Data Protection Authorities – Moving from Directive 95/46/EC to the GDPR: Stronger and More “European” DPAs as Guardians of Consistency?’, European Data Protection Law Review, No 3, 2016, p. 352, regard supervisory authorities as the main guarantors of individuals’ rights because of their fundamental role in monitoring and applying data protection rules under the GDPR. They emphasise the importance of providing those authorities with adequate resources in terms of staffing and funding so that they can carry out their tasks effectively.


33      See judgment of 9 January 2025, Österreichische Datenschutzbehörde (Excessive requests) (C‑416/23, EU:C:2025:3, paragraph 40).


34      See judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija (C‑184/20, EU:C:2022:601, paragraph 85).


35      See judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes) (C‑175/20, EU:C:2022:124, paragraph 56).


36      See, in that regard, EDPB, Guidelines 10/2020 on restrictions under Article 23 GDPR (version 2.1), adopted on 13 October 2021, paragraphs 65 to 67 and 82, which recommend that temporary limitations be placed on data subjects’ exercise of particular rights so as not to undermine administrative investigations.


37      See judgments of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 38); of 6 October 2015, Schrems (C‑362/14, EU:C:2015:650, paragraph 94); of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559, paragraph 174); and of 6 October 2020, La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 121).


38      In its settled case-law, the Court has reiterated that objective and emphasised that the protection of personal data is guaranteed by both Article 16 TFEU and Article 8 of the Charter, thereby enshrining that right in two provisions of EU primary law (see judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C‑132/21, EU:C:2023:2, paragraph 43).


39      See judgment of 22 June 2023, Pankki S (C‑579/21, EU:C:2023:501, paragraph 53 et seq.).


40      See judgment of 4 May 2023, Österreichische Datenschutzbehörde and CRIF (C‑487/21, EU:C:2023:369, paragraph 44).


41      See point 59 et seq. of the present Opinion.


42      See judgment of 12 January 2023, Österreichische Post (Information regarding the recipients of personal data) (C‑154/21, EU:C:2023:3, paragraph 49). As the Court has made clear, it is for the controller to demonstrate that a request for access is manifestly unfounded or excessive within the meaning of Article 12(5) of the GDPR.


43      See, in that regard, European Union Agency for Fundamental Rights (FRA), GDPR in practice – Experiences of Data Protection Authorities, Luxembourg, 11 June 2024, p. 21, which describes the availability of resources to supervisory authorities over the years as ‘generally inadequate’. Following the Commission’s first assessment of the application of the GDPR, the European Parliament adopted a resolution calling on Member States to comply with their obligation under Article 52(4) of the GDPR to provide their supervisory authorities with sufficient resources to allow them to carry out their work in the best way possible and to ensure a European level playing field for the enforcement of the GDPR.