Judgment

1 This request for a preliminary ruling concerns the interpretation of Article 80(1) and (2) and Article 84(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).

2 The request has been made in proceedings between Meta Platforms Ireland Limited, formerly Facebook Ireland Limited, whose registered office is in Ireland, and Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Federal Union of Consumer Organisations and Associations, Germany) (‘the Federal Union’) concerning the infringement by Meta Platforms Ireland of the German legislation on the protection of personal data constituting, at the same time, an unfair commercial practice, an infringement of a law relating to consumer protection and a breach of the prohibition of the use of invalid general terms and conditions.

Legal context European Union law

The GDPR

3 Recitals 9, 10, 13 and 142 of the GDPR state:

‘(9) The objectives and principles of Directive [95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31)] remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive [95/46].

(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …

…

(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. …

…

(142) Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data to lodge a complaint on his or her behalf with a supervisory authority, exercise the right to a judicial remedy on behalf of data subjects or, if provided for in Member State law, exercise the right to receive compensation on behalf of data subjects. A Member State may provide for such a body, organisation or association to have the right to lodge a complaint in that Member State, independently of a data subject's mandate, and the right to an effective judicial remedy where it has reasons to consider that the rights of a data subject have been infringed as a result of the processing of personal data which infringes this Regulation. That body, organization or association may not be allowed to claim compensation on a data subject's behalf independently of the data subject's mandate.’

4 Article 1 of that regulation, entitled ‘Subject matter and objectives’, provides, in paragraph 1 thereof:

5 Article 4(1) of the GDPR provides:

‘For the purposes of this Regulation:

6 Chapter III of the GDPR, which includes Articles 12 to 23, is entitled ‘Rights of the data subject’.

7 Article 12 of that regulation, headed ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’, lay downs, in paragraph 1 thereof:

8 Article 13 of the GDPR, entitled ‘Information to be provided where personal data are collected from the data subject’, provides, in paragraph 1(c) and (e) thereof:

9 Chapter VIII of that regulation, which comprises Articles 77 to 84, is entitled ‘Remedies, liability and penalties’.

10 Article 77 of the GDPR, headed ‘Right to lodge a complaint with a supervisory authority’, provides, in paragraph 1 thereof:

11 Article 78 of the GDPR, headed ‘Right to an effective judicial remedy against a supervisory authority’, lays down, in paragraph 1 thereof:

12 Article 79 of the GDPR, headed ‘Right to an effective judicial remedy against a controller or processor’, provides, in paragraph 1 thereof:

13 Article 80 of the GDPR, entitled ‘Representation of data subjects’, is worded as follows:

14 Article 82 of that regulation, headed ‘Right to compensation and liability’, provides, in paragraph 1

15 Article 84 of the GDPR, entitled ‘Penalties’, lays down, in paragraph 1 thereof:

16 The objective of Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’) (OJ 2005 L 149, p. 22) is, according to Article 1 thereof, to contribute to the proper functioning of the internal market and achieve a high level of consumer protection by approximating the laws, regulations and administrative provisions of the Member States on unfair commercial practices harming consumers’ economic interests.

17 Under Article 5 of Directive 2005/29, entitled ‘Prohibition of unfair commercial practices’:

18 Article 11(1) of that directive, entitled ‘Enforcement’, provides:

19 Annex I to Directive 2005/29, which contains the list of unfair commercial practices in all circumstances, provides, in point 26 thereof:

20 Under Article 1 of Directive 2009/22/EC of the European Parliament and of the Council of 23 April 2009 on injunctions for the protection of consumers’ interests (OJ 2009 L 110, p. 30), entitled ‘Scope’:

21 Article 7 of Directive 2009/22, entitled ‘Provisions for wider action’, is worded as follows:

22 Annex I to Directive 2009/22 contains the list of EU directives referred to in Article 1 thereof. Point 11 of that annex refers to Directive 2005/29.

23 Recitals 11, 13 and 15 of Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ 2020 L 409, p. 1) state:

24 Article 2 of that directive, headed ‘Scope’, provides, in paragraph 1 thereof:

25 Article 24(1) of that directive, entitled ‘Transposition’, provides:

26 Annex I to Directive 2020/1828, which contains the list of provisions of EU law referred to in Article 2(1) thereof, refers to the GDPR in point 56 thereof.

27 Under Paragraph 2 of the Gesetz über Unterlassungsklagen bei Verbraucherrechts- und anderen Verstößen (Unterlassungsklagengesetz – UKlaG) (Law on injunctions against infringements of consumer law and other infringements) of 26 November 2001 (BGBl. 2001 I, p. 3138), in the version applicable to the dispute in the main proceedings (‘the Law on Injunctions’):

28 The Bundesgerichtshof (Federal Court of Justice, Germany) states that, under point 1 of the first sentence of Paragraph 3(1) of the Law on Injunctions, bodies with standing to bring proceedings, within the meaning of Paragraph 4 of that law, may, first, in accordance with Paragraph 1 of that law, seek an injunction against the use of invalid general terms and conditions under Paragraph 307 of the Bürgerliches Gesetzbuch (Civil Code) and, second, seek an injunction against infringements of consumer protection law, within the meaning of Paragraph 2(2) of that law.

29 Paragraph 3(1) of the Gesetz gegen den unlauteren Wettbewerb (Law against unfair competition) of 3 July 2004 (BGB1. 2004 I, p. 1414), in the version applicable to the main proceedings (‘the Law against unfair competition’), provides:

30 Paragraph 3a of the Law against unfair competition is worded as follows:

31 Paragraph 8 of the Law against unfair competition lays down:

32 The Bundesgerichtshof (Federal Court of Justice) states that Paragraph 13(1) of the Telemediengesetz (‘the Law on Electronic Media’) of 26 February 2007 (BGB1. 2007 I, p. 179) was applicable until the GDPR came into force. As from that date, that provision has been replaced by Articles 12 to 14 of the GDPR.

33 Under the first sentence of Paragraph 13(1) of the Law on Electronic Media:

The dispute in the main proceedings and the question referred for a preliminary ruling

34 Meta Platforms Ireland, which manages the provision of services of the online social network Facebook in the European Union, is the controller of the personal data of users of that social network in the European Union. Facebook Germany GmbH, which has its registered office in Germany, promotes the sale of advertising space at the internet address www.facebook.de. The Facebook internet platform contains, inter alia, at the internet address www.facebook.de, an area called ‘App-Zentrum’ (‘App Center’) on which Meta Platforms Ireland makes available to users free games provided by third parties. When consulting the App Center of some of those games, an indication appears informing the user that the use of the application concerned enables the gaming company to obtain a certain amount of personal data and, by that use, permission is given for it to publish data on behalf of that user, such as his or her score and other information. The consequence of that use is that the user accepts the general terms and conditions of the application and its data protection policy. In addition, in the case of a specific game, it is stated that the application has permission to post the status, photos and other information on behalf of that user.

35 The Federal Union, a body which has standing under Paragraph 4 of the Law on Injunctions, considers that the information provided by the games concerned in the App Center is unfair, in particular in terms of the failure to comply with the legal requirements which apply to the obtention of valid consent from the user under the provisions governing data protection. Moreover, it considers that the statement that the application has permission to publish certain personal information of the user on his or her behalf constitutes a general condition which unduly disadvantages the user.

36 In that context, the Federal Union brought an action for an injunction before the Landgericht Berlin (Regional Court, Berlin, Germany) against Meta Platforms Ireland based on Paragraph 3a of the Law against unfair competition, the first sentence of point 11 of Paragraph 2(2) of the Law on Injunctions and the Civil Code. It brought that action independently of a specific infringement of a data subject's right to protection of his or her data and without being mandated to do so by such a person.

37 The Landgericht Berlin (Regional Court, Berlin) ruled against Meta Platforms Ireland, in accordance with the form of order sought by the Federal Union. The appeal brought by Meta Platforms Ireland before the Kammergericht Berlin (Higher Regional Court, Berlin, Germany) was dismissed. Meta Platforms Ireland then brought an appeal on a point of law (Revision) before the referring court against the dismissal decision adopted by the Kammergericht Berlin (Higher Regional Court, Berlin).

38 The referring court considers that the action brought by the Federal Union is well founded, in so far as Meta Platforms Ireland infringed Paragraph 3a of the Law against unfair competition and the first sentence of point 11 of Paragraph 2(2) of the Law on Injunctions, and used an invalid general condition, within the meaning of Paragraph 1 of the Law on Injunctions.

39 However, that court has doubts as to the admissibility of the action brought by the Federal Union. It takes the view that it cannot be ruled out that the Federal Union, which did indeed have standing to bring proceedings on the date on which it brought the action – on the basis of Paragraph 8(3) of the Law against unfair competition and point 1 of the first sentence of Paragraph 3(1) of the Law on Injunctions – lost that status during the proceedings, following the entry into force of the GDPR and, in particular, Article 80(1) and (2) and Article 84(1) thereof. If that were the case, the referring court would have to uphold the appeal on a point of law brought by Meta Platforms Ireland and dismiss the action of the Federal Union, since, under German procedural law, standing to bring proceedings must endure until the end of the proceedings at last instance.

40 According to the referring court, the answer in that regard is not clear from the assessment of the wording, scheme and objectives of the provisions of the GDPR.

41 As regards the wording of the provisions of the GDPR, the referring court notes that the existence of standing to bring proceedings of not-for-profit bodies, organisations or associations which have been properly constituted in accordance with the law of a Member State, pursuant to Article 80(1) of the GDPR, presupposes that the data subject has mandated a body, organisation or association for it to exercise on his or her behalf the rights referred to in Articles 77 to 79 of the GDPR and the right to compensation referred to in Article 82 of the GDPR where the law of a Member State so provides.

42 The referring court states that standing to bring proceedings under Paragraph 8(3)(3) of the Law against unfair competition does not cover such an action brought on the basis of a mandate and on behalf of a data subject in order to assert his or her personal rights. On the contrary, it confers on an association, by virtue of a right peculiar to it and stemming from Paragraph 3(1) and Paragraph 3a of the Law against unfair competition, standing to bring proceedings on an objective basis against infringements of the provisions of the GDPR, independently of the infringement of specific rights of data subjects and of a mandate conferred by them.

43 In addition, the referring court observes that Article 80(2) of the GDPR does not provide for an association's standing to bring proceedings in order to secure the application, objectively, of the law on the protection of personal data since that provision presupposes that the rights of a data subject laid down in the GDPR have actually been infringed as a result of the processing of specific data.

44 Furthermore, an association's standing to bring proceedings, such as that provided for in Paragraph 8(3) of the Law against unfair competition, cannot result from Article 84(1) of the GDPR, under which the Member States are to lay down the rules on other penalties applicable to infringements of that regulation and are to take all measures necessary to ensure that they are implemented. The standing of an association, such as that referred to in Paragraph 8(3) of the Law against unfair competition, cannot be regarded as constituting a ‘penalty’ within the meaning of that provision of the GDPR.

45 As regards the scheme of the provisions of the GDPR, the referring court considers that it may be inferred from the fact that it harmonised, inter alia, the powers of the supervisory authorities that it is principally for those authorities to verify the application of the provisions of that regulation. However, the expression ‘without prejudice to any other … remedy’, which appears in Article 77(1), Article 78(1) and (2) and Article 79(1) of the GDPR, may undermine the argument that oversight of the application of the law is exhaustively governed by that regulation.

46 As regards the objective of the provisions of the GDPR, the referring court notes that the effectiveness of that regulation may support an argument in favour of associations having standing to bring proceedings on the basis of competition law, in accordance with Paragraph 8(3)(3) of the Law against unfair competition, independently of the infringement of specific rights of data subjects, since that would allow an additional opportunity to supervise the application of the law to remain, in order to ensure as high a level as possible of protection of personal data, in accordance with recital 10 of the GDPR. Nonetheless, accepting that associations have standing to bring proceedings under competition law may be considered to run counter to the objective of harmonisation pursued by the GDPR.

47 In the light of those considerations, the Bundesgerichtshof (Federal Court of Justice) decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:

Consideration of the question referred

48 As a preliminary point, it should be noted that, as is apparent, in particular, from paragraph 36 and from paragraphs 41 to 44 above, the dispute in the main proceedings is between a consumer protection association, such as the Federal Union, and Meta Platforms Ireland and concerns the question whether such an association may bring proceedings against that company in the absence of a mandate granted to it for that purpose and independently of the infringement of specific rights of the data subjects.

49 In those circumstances, as the Commission correctly observed in its written observations, the answer to the question referred for a preliminary ruling depends solely on the interpretation of Article 80(2) of the GDPR, since the provisions of Article 80(1) of the GDPR and of Article 84 of the GDPR are not relevant in the present case. First, the application of Article 80(1) of the GDPR presupposes that the data subject has mandated the not-for-profit body, organisation or association referred to in that provision to take on his or her behalf the legal measures provided for in Articles 77 to 79 of the GDPR. It is common ground that that is not the case in the main proceedings, since the Federal Union acts independently of any mandate from a data subject. Second, it is common ground that Article 84 of the GDPR concerns the administrative and criminal penalties applicable to infringements of that regulation, which is also not at issue in the main proceedings.

50 Furthermore, it should be noted that the case in the main proceedings does not raise the question of a competitor's standing to bring proceedings. Consequently, it is only necessary to answer the part of the question which relates to the standing to bring proceedings of associations, bodies and chambers authorised under national law, referred to in Article 80(2) of the GDPR.

51 It follows that the question referred by the referring court must be understood as seeking to ascertain, in essence, whether Article 80(2) of the GDPR must be interpreted as precluding national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of a data subject, against the person allegedly responsible for an infringement of the laws protecting personal data, by alleging infringement of the prohibition of unfair commercial practices, consumer protection legislation or the prohibition of the use of invalid general terms and conditions.

52 In order to answer that question, it must be borne in mind that, as is apparent from recital 10 of the GDPR, that regulation seeks, inter alia, to ensure consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data throughout the European Union and to remove obstacles to flows of personal data within the European Union.

53 In that context, Chapter VIII of that regulation governs, inter alia, the legal remedies enabling the protection of the data subject's rights where his or her personal data have been the subject of processing that is allegedly contrary to the provisions of that regulation. The protection of those rights may thus be sought either directly by the data subject or by an authorised entity, whether there is a mandate to that end or not, pursuant to Article 80 of the GDPR.

54 Thus, first of all, the data subject has the right to lodge a complaint himself or herself with a supervisory authority of a Member State or to bring an action before the national civil courts. More specifically, that data subject has the right to lodge a complaint with a supervisory authority, in accordance with Article 77 of the GDPR, the right to an effective judicial remedy against a supervisory authority, pursuant to Article 78 of the GDPR, the right to an effective judicial remedy against a controller or processor, provided for in Article 79 of the GDPR, and the right to obtain from the controller or processor compensation for the harm suffered, under Article 82 of the GDPR.

55 Next, in accordance with Article 80(1) of the GDPR, the data subject has the right to mandate a not-for-profit body, organisation or association, subject to certain conditions, to lodge a complaint on his or her behalf or to exercise the rights referred to in the articles referred to above on his or her behalf.

56 In accordance with Article 80(2) of the GDPR, Member States may provide that any body, organisation or association, independently of a data subject's mandate granted by a data subject, has the right to lodge, in the Member State in question, a complaint with the supervisory authority, pursuant to Article 77 of that regulation, and to exercise the rights referred to in Articles 78 and 79 thereof, if it considers that the rights of a data subject under that regulation have been infringed as a result of the processing of personal data concerning him or her.

57 In that regard, it should be noted that, as is apparent from Article 1(1) of the GDPR, read in the light, inter alia, of recitals 9, 10 and 13 thereof, that regulation seeks to ensure the harmonisation of national legislation on the protection of personal data which is, in principle, full. However, the provisions of that regulation make it possible for Member States to lay down additional, stricter or derogating national rules, which leave them a margin of discretion as to the manner in which those provisions may be implemented (‘opening clauses’).

58 In that regard, it must be recalled that, according to the Court's settled case-law, pursuant to Article 288 TFEU and by virtue of the very nature of regulations and of their function in the system of sources of EU law, the provisions of those regulations generally have immediate effect in the national legal systems without it being necessary for the national authorities to adopt measures of application. Nonetheless, some of those provisions may necessitate, for their implementation, the adoption of measures of application by the Member States (judgment of 15 June 2021, Facebook Ireland and Others, C–645/19, EU:C:2021:483, paragraph 110 and the case-law cited).

59 That is the case, inter alia, of Article 80(2) of the GDPR, which leaves the Member States a discretion with regard to its implementation. Thus, in order for it to be possible to proceed with the representative action without a mandate provided for in that provision, Member States must make use of the option made available to them by that provision to provide in their national law for that mode of representation of data subjects.

60 However, as the Advocate General observed, in points 51 and 52 of his Opinion, when the Member States exercise the option granted to them by such an opening clause, they must use their discretion under the conditions and within the limits laid down by the provisions of the GDPR and must therefore legislate in such a way as not to undermine the content and objectives of that regulation.

61 In this instance, as was confirmed by the German Government at the hearing in the present case, the German legislature did not adopt, following the entry into force of the GDPR, particular provisions specifically designed to implement Article 80(2) of that regulation in its national law. The national legislation at issue in the main proceedings, adopted in order to transpose Directive 2009/22, already allows consumer protection associations to bring legal proceedings against the person allegedly responsible for an infringement of the laws protecting personal data. That government observes, moreover, that, in its judgment of 29 July 2019, Fashion ID (C–40/17, EU:C:2019:629), concerning the interpretation of the provisions of Directive 95/46, the Court held that those provisions do not preclude that national legislation.

62 In those circumstances, as the Advocate General observed in point 60 of his Opinion, it is necessary, in essence, to ascertain whether the national rules at issue in the main proceedings fall within the scope of the discretion conferred on each Member State by Article 80(2) of the GDPR and thus to interpret that provision taking into account its wording and the scheme and objectives of that regulation.

63 In that regard, it should be noted that Article 80(2) of the GDPR allows Member States to provide for a representative action mechanism against the person allegedly responsible for an infringement of the laws protecting personal data, while setting out a number of requirements at the level of the personal and material scope which must be complied with for that purpose.

64 As regards, in the first place, the personal scope of such a mechanism, standing to bring proceedings is conferred on a body, organisation or association which meets the criteria set out in Article 80(1) of the GDPR. In particular, that provision refers to ‘not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data’.

65 It must be held that a consumer protection association, such as the Federal Union, may fall within the scope of that concept in that it pursues a public interest objective consisting in safeguarding the rights and freedoms of data subjects in their capacity as consumers, since the attainment of such an objective is likely to be related to the protection of the personal data of those persons.

66 The infringement of the rules intended to protect consumers or to combat unfair commercial practices – infringement which a consumer protection association, such as the Federal Union, aims to prevent and penalise, inter alia by recourse to actions for an injunction provided for in the applicable national legislation – may be related, as in the present case, to the infringement of the rules on the protection of personal data of those consumers.

67 As regards, in the second place, the material scope of that mechanism, the exercise of the representative action provided for in Article 80(2) of the GDPR by an entity meeting the conditions referred to in paragraph 1 of that article presupposes that that entity, independently of any mandate conferred on it, ‘considers that the rights of a data subject under [that r]egulation have been infringed as a result of the processing’ of his or her personal data.

68 In that regard, it must be stated, first, that for the purposes of bringing a representative action, within the meaning of Article 80(2) of the GDPR, such an entity cannot be required to carry out a prior individual identification of the person specifically concerned by data processing that is allegedly contrary to the provisions of the GDPR.

69 It is sufficient to note that the concept of ‘data subject’, within the meaning of Article 4(1) of that regulation, covers not only an ‘identified natural person’, but also an ‘identifiable natural person’, namely a natural person ‘who can be identified’, directly or indirectly, by reference to an identifier such as, inter alia, a name, an identification number, location data or an online identifier. In those circumstances, the designation of a category or group of persons affected by such treatment may also be sufficient for the purpose of bringing such representative action.

70 Secondly, under Article 80(2) of the GDPR, the bringing of a representative action is also not subject to the existence of a specific infringement of the rights which a person derives from the data protection rules.

71 As is apparent from the very wording of that provision, recalled in paragraph 67 of the present judgment, the lodging of a representative action presupposes only that the entity concerned ‘considers’ that the rights of a data subject laid down in that regulation have been infringed as a result of the processing of his or her personal data and therefore alleges the existence of data processing that is contrary to the provisions of that regulation.

72 It follows that, in order to recognise that such an entity has standing to bring proceedings under that provision, it is sufficient to claim that the data processing concerned is liable to affect the rights which identified or identifiable natural persons derive from that regulation, without it being necessary to prove actual harm suffered by the data subject, in a given situation, by the infringement of his or her rights.

73 Such an interpretation is consistent with the requirements stemming from Article 16 TFEU and Article 8 of the Charter of Fundamental Rights of the European Union and, thus, with the objective pursued by the GDPR consisting in ensuring effective protection of the fundamental rights and freedoms of natural persons and, in particular, of ensuring a high level of protection of the right of every person to the protection of personal data concerning him or her (see, to that effect, judgment of 15 June 2021, Facebook Ireland and Others, C–645/19, EU:C:2021:483, paragraphs 44, 45 and 91).

74 Authorising consumer protection associations, such as the Federal Union, to bring, by means of a representative action mechanism, actions seeking to have processing contrary to the provisions of that regulation brought to an end, independently of the infringement of the rights of a person individually and specifically affected by that infringement, undoubtedly contributes to strengthening the rights of data subjects and ensuring that they enjoy a high level of protection.

75 Furthermore, it should be noted that the bringing of such a representative action, in so far as it makes it possible to prevent a large number of infringements of the rights of data subjects by the processing of their personal data, could prove more effective than the action that a single person individually and specifically affected by an infringement of his or her right to the protection of his or her personal data may bring against the person responsible for that infringement.

76 As the Advocate General observed in point 76 of his Opinion, the preventive function of actions brought by consumer protection associations, such as the Federal Union, could not be guaranteed if the representative action provided for in Article 80(2) of the GDPR allowed only the infringement of the rights of a person individually and specifically affected by that infringement to be invoked.

77 In the third place, it is still necessary to ascertain, as requested by the referring court, whether Article 80(2) of the GDPR precludes the bringing of a representative action independently of a specific infringement of a right of a data subject and of a mandate conferred by that data subject, where infringement of data protection rules has been alleged in the context of an action seeking to review the application of other legal rules intended to ensure consumer protection.

78 In that regard, it should be noted at the outset that, as has been observed, in essence, in paragraph 66 of the present judgment, the infringement of a rule relating to the protection of personal data may at the same time give rise to an infringement of rules on consumer protection or unfair commercial practices.

79 Therefore, as the Advocate General observed in point 72 of his Opinion, that provision does not preclude the Member States from exercising the option it offers them in that consumer protection associations are entitled to take action against infringements of the rights provided for by the GDPR through, as the case may be, rules intended to protect consumers or combat unfair commercial practices, such as those provided for by Directive 2005/29 and Directive 2009/22.

80 That interpretation of Article 80(2) of the GDPR is moreover supported by Directive 2020/1828 which repeals and replaces, as from 25 June 2023, Directive 2009/22. In that context, it must be observed that, in accordance with Article 2(1) thereof, Directive 2020/1828 applies to representative actions brought in relation to traders’ infringements of the provisions of EU law referred to in Annex I of that directive, which mentions the GDPR in point 56.

81 It is true that Directive 2020/1828 is not applicable in the context of the dispute in the main proceedings and its transposition deadline has not yet expired. However, it contains several elements which confirm that Article 80 of the GDPR does not preclude the bringing of additional representative actions in the field of consumer protection.

82 Although, as is apparent from recital 11 of that directive, it remains possible to provide a procedural mechanism for additional representative actions in the field of consumer protection, the application mechanisms provided for in the GDPR or based on that regulation, such as that provided for in Article 80 of that regulation, cannot be replaced or amended, as stated in recital 15 of that directive, and they may thus be used to protect the collective interests of consumers.

83 In the light of all the foregoing considerations, the answer to the question referred is that Article 80(2) of the GDPR must be interpreted as not precluding national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.

Costs

84 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.