Parallel, not exclusive: The CJEU clarifies the GDPR system of remedies

06.07.2026
Gernot Fritz, Fabian Duschnig

The relationship between lodging a complaint with a data protection supervisory authority under Article 77 GDPR and bringing a judicial remedy against a controller under Article 79 GDPR has raised practical questions ever since the GDPR became applicable. Can both routes be pursued at the same time? And may a supervisory authority reject a complaint simply because court proceedings concerning the same matter have already been brought?

In its judgment of 18 June 2026 in Case C-414/24, the Court of Justice of the European Union has now provided important clarification under EU law – with relevance well beyond the Austrian case from which the reference arose.

Background

The case concerned a dispute between an Austrian doctor and the operator of a doctor-rating platform. The doctor requested the deletion of personal data relating to her. The platform operator refused.

In November 2017, the doctor first brought civil proceedings under Article 79 GDPR. In July 2018, she additionally filed a complaint with the Austrian Data Protection Authority under Article 77 GDPR. Both proceedings concerned the same subject matter: the deletion of the personal data published on the platform.

The Data Protection Authority rejected the complaint. In its view, pursuing proceedings before both the supervisory authority and the courts in relation to the same matter was incompatible with the GDPR’s system of legal remedies.

The Austrian Federal Administrative Court upheld the rejection, albeit on different grounds, namely that the complaint had been filed out of time. The Austrian Supreme Administrative Court, however, had fundamental doubts as to whether this practice was compatible with EU law and referred the matter to the CJEU. At the time of the reference, the civil court judgment had not yet become final.

The CJEU’s answer: parallel remedies as a guarantee under EU law

The CJEU first confirms what is already apparent from the wording of the GDPR: Article 77(1) GDPR grants every data subject the right to lodge a complaint with a supervisory authority “without prejudice to any other administrative or judicial remedy”. Article 79(1) GDPR reflects the same approach. The right to an effective judicial remedy likewise exists without prejudice to the possibility of lodging a complaint with a supervisory authority.

The Court thus builds on the position it had already developed in Case C-132/21 (Nemzeti Adatvédelmi) and takes it to its logical conclusion. The two remedies may be exercised in parallel and independently of each other. The GDPR provides neither for the priority of one remedy over the other nor for the exclusive jurisdiction of either supervisory authorities or courts.

This conclusion is confirmed by the context and objectives of the Regulation. Making several parallel remedies available serves the high level of data protection that the GDPR seeks to ensure. At the same time, it strengthens the right to effective judicial protection enshrined in Article 47 of the Charter of Fundamental Rights of the European Union.

A further aspect of the Court’s reasoning is particularly noteworthy. Under Article 57(1)(f) GDPR, the supervisory authority is required to handle complaints. If it concludes that the GDPR has been infringed and that its corrective powers under Article 58(2) GDPR are capable of remedying that infringement, it must act. That duty to intervene would be undermined if the supervisory authority were prevented from acting solely because judicial proceedings were still pending and the court’s decision had not yet become final.

The limit: rejection infringes the principle of effectiveness

From this starting point, the CJEU draws a clear conclusion: a supervisory authority may not reject a complaint solely because court proceedings concerning the same matter have already been brought and the court’s decision has not yet become final.

Such a practice creates a specific risk. If the judicial remedy is dismissed without a decision on the merits, for example on procedural grounds, and national time limits for lodging a complaint have meanwhile expired, the data subject may lose any effective protection. The CJEU therefore considers such an arrangement of the interaction between remedies to be contrary to the principle of effectiveness.

The fact that, at the time of rejecting the complaint, the supervisory authority cannot know whether the court proceedings will in fact lead to a substantive decision only reinforces this conclusion.

The stay of proceedings suggested by the CJEU – and its limits under Austrian law

At the same time, the CJEU recognises that avoiding contradictory decisions is a legitimate interest. It therefore outlines a coordination mechanism that would be compatible with EU law: the supervisory authority could stay its proceedings until the pending court proceedings have been finally concluded and then duly take the court’s decision into account.

From an EU-law perspective, this approach is understandable. Under Austrian law, however, it raises significant follow-up questions. On the basis of the procedural rules currently in force, such a stay does not appear to be readily available.

The general rules on staying administrative proceedings typically require another body to decide a preliminary issue on which the administrative authority depends. That is precisely what is missing here. Where a civil court and the Data Protection Authority assess the same substantive issue in parallel (for example, the lawfulness of a specific processing operation) the court is not determining that issue with binding effect for the authority. Rather, both bodies assess the same question on an equal footing, albeit in different types of proceedings and with different legal consequences.

Nor do the Austrian data-protection-specific rules provide a clear solution for this situation. They allow certain decision periods to be suspended, for example where proceedings have already been lawfully stayed on another basis or where GDPR-internal coordination mechanisms between supervisory authorities apply. They do not, however, create a general power for the Data Protection Authority to stay complaint proceedings solely because parallel civil proceedings concerning the same facts are pending.

This reveals a practical tension. The CJEU considers a stay to be a permissible coordination mechanism under EU law. Yet Austrian law, at least in the situation of two parallel sets of proceedings each deciding the main issue before it, does not currently provide a clear mechanism for such a stay.

Consequences for Austrian law

The judgment calls into question the Austrian practice of rejecting complaints by reference to pending civil proceedings. The separation principle under Austrian constitutional law cannot justify rejecting a complaint under Article 77 GDPR as long as the corresponding court proceedings have not yet been finally concluded.

At the same time, the stay suggested by the CJEU cannot easily be mapped onto the existing Austrian rules. The parallel jurisdiction of the Data Protection Authority and the ordinary courts is expressly built into the GDPR system. Articles 77 and 79 GDPR, as well as Section 29 of the Austrian Data Protection Act, proceed on the basis that administrative and judicial protection may exist side by side. A duty to coordinate by way of a stay, however, cannot currently be clearly derived from Austrian law.

The practical consequence is that the Data Protection Authority will generally have to conduct and decide its proceedings, even where a civil court is dealing in parallel with the same facts or the same substantive legal question. Divergent outcomes therefore cannot be ruled out. To a certain extent, they are inherent in a system of parallel remedies and are structurally mitigated by the different functions and legal consequences of the respective proceedings. The Data Protection Authority decides, in the exercise of public authority, on data protection corrective measures. The civil court, by contrast, decides in particular on civil-law claims such as injunctions, erasure or damages.

Trennstrich bunt

Conclusion

The CJEU closes an important gap in the EU-wide understanding of the GDPR’s system of remedies. Administrative and judicial remedies are available as equivalent and independent instruments. Their parallel availability is not a flaw in the system, but part of the EU-law concept of effective legal protection.

For Austria, the judgment is particularly interesting because it requires more than simply abandoning a practice of rejecting complaints. The CJEU identifies a stay of proceedings as a possible coordination mechanism. Yet precisely that mechanism does not appear to be clearly available under current Austrian law. This creates a tension between the coordination favoured under EU law and the limits of national procedural law.

Until the legislature provides clarification, the Data Protection Authority will therefore generally have to handle and decide complaints even where parallel civil proceedings are pending. The risk of divergent outcomes is not eliminated. But it is the consequence of a system of legal protection that deliberately gives data subjects more than one route to enforce their rights.

For the enforcement of data protection claims, the judgment therefore opens up a broader strategic toolbox. Data subjects may use administrative and judicial remedies in parallel. Controllers, in turn, must be prepared for the fact that pending court proceedings will not automatically block a complaint before the supervisory authority.

We support clients in strategically coordinating data protection disputes and in keeping a close eye on the procedural requirements of both avenues of redress.