News & Insights
ECJ: Supervisory Authorities Cannot Limit GDPR Complaints by Quota
On 9 January 2025, the European Court of Justice (ECJ) held in case C-416/23 that national data protection authorities may not impose blanket limits on the number of GDPR complaints a data subject can file, unless there is evidence of abusive intent. The ruling overturned an Austrian Data Protection Authority policy that restricted individuals to a maximum of two valid complaints per month—regardless of any potential repeated violations.
The Court clarified that while Article 57(4) GDPR allows authorities to refuse or charge a reasonable fee for complaints that are “manifestly unfounded or excessive,” sheer quantity alone does not justify refusal. Complaints must also be shown to be vexatious or abusive. Thus, volume is merely one factor—not a standalone basis—for treating complaints as excessive.
Why This Matters in Practice?
The ECJ’s decision protects individuals’ right to effective legal recourse under Article 77 GDPR, affirming that administrative ease cannot override fundamental data subject rights. Data protection authorities must now conduct fair, case-by-case assessments before dismissing complaints—even if the same person submits many. This sets a high procedural standard for all EU DPAs in handling complaints. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62023CA0416
