In its press release relating to the Court of Justice of the European Union (CJEU) judgment of 10 February 2026 in Case C-97/23 P, the CJEU has confirmed that the action brought by an organization against a Binding Decision of the European Data Protection Board (EDPB) is admissible.
With this decision, the CJEU has clarified that organizations have a right of direct appeal against binding decisions of the EDPB on which a national authority’s decision against them is based.
Legal Context Relevant to the Case
To ensure the consistent application of the GDPR throughout the EU, whenever an organization carries out cross-border processing activities that affect individuals in several EU Member States, the GDPR provides for a cooperation mechanism between the relevant supervisory authorities when they intend to adopt any measures that produce legal effects regarding such processing.
The process for adopting such measures is generally (but not always) led by the supervisory authority in the Member State in which the relevant organization has its “main establishment” for GDPR purposes. That supervisory authority is known as the “lead supervisory authority” and may request and receive assistance from the other “supervisory authorities concerned” or carry out joint operations with them. The lead supervisory authority will typically submit a draft decision (e.g., a draft enforcement decision) to the other “supervisory authorities concerned” and they may, in turn, make “relevant and reasoned objections” in the case of any disagreement.
If the disagreement cannot be resolved, then a “dispute resolution” process follows. In such circumstances, the EDPB has the power to adopt legally binding decisions, based on a two-thirds majority of its members (or by a simple majority, if the first attempt fails). This decision must be reasoned and addressed to the lead supervisory authority and all the other supervisory authorities concerned and is binding on them. The decision must also be published on the EDPB’s website.
The lead supervisory authority is then required to adopt its final decision on the basis of the EDPB’s binding decision without undue delay and no later than one month following notification of the EDPB’s decision. The lead supervisory authority must notify the relevant organization of its final decision, which must also refer to and attach the EDPB’s decision.
Historically, if the relevant organization wished to challenge any element of the national supervisory authority’s decision that was based on the EBPB’s binding decision, it had to submit an appeal to its local national courts and, if those courts considered relevant, they could in turn refer questions to the CJEU for a preliminary ruling on the GDPR provisions applied by the supervisory authority in its decision. This left the national court before which the dispute was brought with sole responsibility for determining both the need for a request for a preliminary ruling by the CJEU and discretion over the questions it chose to submit to the CJEU. Notably, the court could, at its discretion, alternatively simply decide not to refer the matter to the CJEU.
However, in Case C-97/23 P, the CJEU has clarified that binding decisions of the EDPB are capable of challenge directly by the organization under Article 263 of the Treaty on the Functioning of the European Union (TFEU) and, accordingly, ruled that an action for annulment of an EDPB binding decision was admissible. This represents a significant recourse option for organizations confronted with local a decision that is based on an EDPB Binding decision. Indeed, in the case where an organization can challenge directly the EDPB’s binding decision, it will have control over the referral to the CJEU, as well as the content of its claim and the legal argumentation brought before the CJEU.
Facts of the Case
Following complaints about a free messaging app’s personal data processing activities, the Irish Data Protection Commission (DPC) initiated an investigation into this company’s compliance with its transparency obligations under the GDPR.
As lead supervisory authority, the DPC submitted a draft decision to the other supervisory authorities concerned, which resulted in “relevant and reasoned objections” from six supervisory authorities (i.e. the German Federal supervisory authority and the supervisory authorities of Finland, France, Italy, the Netherlands and Norway). As a result, the matter was referred to the EDPB for binding resolution.
The EDPB subsequently issued its Binding Decision, in which it found that, inter alia, certain provisions of the GDPR had been infringed and required the DPC to amend the proposed corrective measures, including by increasing the proposed fine.
On that basis, the DPC issued its final decision, which included an increased fine.
In response, the messaging app company (Company) brought an action to annul the EDPB’s decision before the General Court of the CJEU. The General Court dismissed that action as inadmissible on the basis that the EDPB’s decision was merely an intermediate act without legal effect on the Company, and the latter could only challenge the DPC’s decision before a national court. The Company then challenged the order of the General Court by bringing an appeal before the Court of Justice which it won (the CJEU is divided into two courts: the “Court of Justice” and the “General Court”)
CJEU Grand Chamber Decision of 10 February 2026 in Case C-97/23 P
The Court of Justice held that the EDPB’s binding decision was indeed open to challenge before the Courts of the European Union. In particular, the Court of Justice clarified that the EDPB’s decision:
- was an act of an EU body and was binding on third parties, namely, in the present case, the DPC and the other supervisory authorities concerned;
- definitively determined the position of the EDPB and dealt exhaustively with all the issues referred to it. As a result, such a decision could not be regarded as an intermediate act which was not open to challenge; and
- was of direct concern to the Company, since it directly affected the latter’s legal position, without leaving the DPC any discretion; in particular, the DPC had no discretion with respect to the EDPB’s decision regarding the messaging app’s infringement of certain provisions of the GDPR or its decision that the fine imposed on the Company should be increased.
As such, the Court of Justice held that the action for annulment was admissible. The Court of Justice therefore set aside the order of the General Court and referred the case back to the General Court to examine its merits (including whether the Company infringed the relevant provisions of the GDPR).
Incidentally, Company has also brought an action against the DPC’s decision before the Irish courts, which should lead to a request for a preliminary ruling before the CJEU. On this, the CJEU notes that:
“in the event of proceedings being brought concurrently before the General Court in the context of an action for annulment and the Court of Justice in the context of a request for a preliminary ruling, the principle of the sound administration of justice may warrant the Court of Justice having recourse, if it considers it appropriate to do so, to the third paragraph of Article 54 of the Statute of the Court of Justice of the European Union in order to stay the proceedings before it, in order to give preference to the proceedings before the General Court.”
This judgment is undoubtedly a major decision that opens the door to directly contesting EDPB decisions at an EU (CJEU) level and with the control over the claim, rather than through the more convoluted and uncertain procedure at national level.
