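Autoridades de control de un Estado miembro y tratamiento transfronterizo de datos, tras la STJUE de 15 de junio de 2021 (Asunto C-645/19) [Supervisory authorities of a Member State and cross-border data processing, following the CJEU judgment of 15 June 2021 (Case C-645/19)]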

  1. Alfonso Ortega Giménez
  2. Lerdys S. Heredia Sánchez
Journal: La Ley privacidad

ISSN: 2659-8698

Year of publication: 2021

Issue: 9

Type: Article

Abstract

The Court of Justice of the European Union (CJEU), in its judgment of 15 June 2021, Case C-645/19 (Facebook v DPA Belgium), confirms the power of national data protection authorities against Facebook and sets out the conditions under which the national supervisory authorities of a Member State may initiate proceedings concerning cross-border data processing. The Belgian subsidiary of the social network claimed in its appeal that, under European law, the only data protection authority empowered to initiate proceedings in relation to cross-border data processing was the Irish Data Protection Commission (DPC), as the company’s European headquarters are in Dublin. However, the CJEU accepts that the Belgian authority has jurisdiction in such cases. The highest European court thus answers the question referred for a preliminary ruling by the Brussels Court of Appeal: whether the GDPR actually prevents the Belgian national data protection authority from initiating legal proceedings in its Member State over cross-border data processing carried out by Facebook, whose European headquarters are in Ireland.