Personal data better protected under the Convention than under the GDPR: judgment of the CJEU in Inspektorat kam Visshia sadeben savet

In the case of Inspektorat kam Visshia sadeben savet (joined cases C-313/23, C-316/23, C-332/23, 30.4.2025), the CJEU addresses several legal questions concerning judicial independence and the application of the General Data Protection Regulation (GDPR) in Bulgaria.

The case involves the Bulgarian Inspectorate at the Supreme Judicial Council (“Inspectorate”), which requested the referring court, the Sofia District Court, to lift banking secrecy on the accounts of several judges, prosecutors, and their family members. The purpose was to verify asset declarations submitted by these individuals, as required under Bulgarian law.

In its ruling, the CJEU first holds that the principle of judicial independence under Article 19(1) TEU and Article 47 of the Charter precludes a practice whereby members of a judicial body, here the Inspectorate, continue to perform their functions beyond their constitutionally defined terms of office without clear legal rules limiting such extensions.

However, this post will focus on the CJEU’s findings regarding the requirements of the GDPR in the present case, more particularly on the answer by the CJEU to the sixth question raised by the referring court: whether it should, when dealing with the lifting of the bank secrecy in this case, ensure of its own motion the protection of the security of the data of the persons concerned.

In the aftermath of Deldits, which already involved the European Convention on Human Rights in interpreting the GDPR, this case indeed presents significant considerations for further reflection on the Convention’s impact on the application of the GDPR.

*              *              *

In substance, the CJEU answers the referring court’s sixth question by stating that if it is not seized under Articles 78(1) or 79(1) of the GDPR, and in the absence of rules of Bulgarian law expressly conferring supervisory powers on it, it is not required to ensure compliance with the substantive provisions of the GDPR in order to ensure their effectiveness (§ 135). However, the effectiveness of the remedies under Articles 77(1), 78(1) and 79(1) of the GDPR is to be ensured at domestic level, as a requirement flowing from Article 47 of the EU-Charter (§ 136). In other words, only an ex post judicial review is required under the GDPR, not an ex ante review. From a Convention perspective, this reasoning calls for the following observations.

One of the particularities of the GDPR is indeed the fact that, along with the European Public Prosecutor’s Office and Frontex, it belongs to the category of recent legal constructions by the EU which associate national and EU entities in implementing EU law. The list of these entities operating in the context of the GDPR includes, as national entities, the controllers, the processors, the supervisory bodies and the national courts, and, as a “body of the Union” with legal personality, the European Data Protection Board (“the Board”) (Art. 68(1)). In addition, the activity of these entities is governed by a combination of EU and national regulations (Recital 10, Art. 6 (2) and (3), Art. 58(6)).

The integration of EU and national entities, governed by both EU and national regulations, raises important questions regarding the standards which these entities must apply concerning the fundamental rights of individuals whose data come within the scope of the GDPR.

The protection of these fundamental rights indeed seems a major concern of the drafters of the GDPR. However, despite some general statements to this effect (e.g. in Recitals 4 and 73), the GDPR itself provides limited guidance on how this concern should translate into the practical application of GDPR provisions. The following considerations may offer some help in this respect.

First, in the framework of the GDPR, the ultimate control over respect of a data subject’s rights, including his or her fundamental rights, lies in the hands of the national courts, which are entrusted with the competence to review legally binding decisions by the controllers, processors and supervisory authorities (Art. 78-79, 82).

Secondly, it must be assumed that these national courts, along with all other national entities involved in the application of the GDPR, are subject to the Convention. This flows from the principle according to which Article 1 of the Convention does not exclude any part of the member States’ “jurisdiction”, which includes EU law, from scrutiny under the Convention (see, among others, Matthews v. the United Kingdom, § 29). As a consequence, national courts must comply with the Convention when applying the GDPR (see mutatis mutandis, among others, Bivolaru and Moldovan v. France). By contrast, the Board, as “body of the Union”, would not in principle be subject to the Convention but only to EU law, including the EU-Charter.

*              *              *

This is particularly relevant in view of the abundant Strasbourg case-law on the protection of personal data, developed by the ECtHR on the basis of Article 8 of the Convention (see the Court’s case-law guide on data protection).

Thus, on the question raised by the referring court, about whether it should of its own motion, when allowing access to confidential data by authorising the lifting of bank secrecy, also ensure the security of these data at the hands of the authority requiring access to them, several key principles developed by the ECtHR would appear to be relevant.

These principles include the duty on the courts reviewing measures designed to allow access to incriminating evidence to carry out a balancing of the various competing interests, having regard, inter alia, to the seriousness of the offence at stake, the necessity and proportionality of the impugned measures, the safeguards implemented in order to confine the impact of the measures to reasonable bounds and the extent of possible repercussions on respect for the private life of the person concerned (see the case-law guide on data protection, referred to above, at §§ 170 et seq.).

As to whether this scrutiny should take place ex ante, i.e. prior to the authorisation given to access the requested data, or ex post, i.e. in the context of a judicial review carried out after any penalty has been imposed on the basis of the personal data at issue, this question is to be decided in light of the effectiveness of the ex post judicial review. It is only if the court carrying out this ex post judicial review is competent to effectively review all the factual and legal aspects of the case as described above, including the necessity and proportionality of the access thus provided to the requested data, and if this court is capable of affording appropriate redress, that such an ex post review will be considered sufficient under Article 8 of the Convention.

Thus, a purely formal legality control of a measure encroaching on a data subject’s rights, prior to the implementation of that measure, as described in § 46 of the CJEU’s judgment, might not suffice under Article 8 of the Convention, if there is no guarantee of an effective ex post facto judicial review. Whether there is such a guarantee will depend on the applicable law but also on the circumstances of the case (see e.g., mutatis mutandis, DELTA PEKÁRNY a.s. v. the Czech Republic, at §§ 92-93, and Ships Waste Oil Collector B.V. and Others v. the Netherlands, at §§ 191 et seq., which also insists on safeguards against arbitrariness and abuse).

Interestingly, the referring court in the case at hand expressed doubts about the effectiveness of the judicial control provided under Article 79 of the GDPR and referred to the fact that Bulgarian law provides for a prior judicial review (§ 49). The CJEU, however, dismissed this concern, arguing that the judicial review provided for by Articles 78(1) and 79(1) of the GDPR is to take place after the processing of the personal data concerned (§§ 128-130). The CJEU thereby seems to minimise the role of an ex ante judicial review, at odds with the Strasbourg case-law referred to above.

The CJEU however adds that “the Member States must ensure that the practical arrangements for the exercise of the remedies provided for in Article 77(1), Article 78(1) and Article 79(1) of that regulation effectively meet the requirements arising from the right to an effective remedy enshrined in Article 47 of the Charter” (§ 136).

This brings us back to square one, with the CJEU ultimately acknowledging that the key criterion to be applied in this context is the effectiveness of the judicial review available to the data subject. Yet, while the ECtHR sees the effectiveness of the judicial review in the possible combination of an ex ante and ex post review which should also rely on substantive criteria, including a necessity and proportionality assessment, the CJEU locates the judicial review entirely in the final phase of the judicial proceedings, which can be too late, and apparently reduces its effectiveness to a matter of procedural fairness governed by Article 47 of the EU-Charter only.

It would therefore appear that the Luxembourg approach to the judicial review to which data subjects are entitled under the GDPR in a case like the present one offers a lower protection level than the Strasbourg approach. Since the CJEU in this case does not properly interpret any of the EU-Charter rights, it can be left open whether its approach is compatible with Article 52(3) of the EU-Charter.

However that may be, this case shows that national judges and prosecutors are well advised to have regard to the Strasbourg case-law when applying the GDPR. If, as in the case at hand, the Strasbourg protection level turns out to be higher than the Luxembourg level, there is nothing to prevent them, in the absence of any primacy of EU law over the Convention, from applying the Strasbourg protection level. National law offering a lower protection level cannot stand in the way of the Strasbourg level either. Thus, by applying the latter, judges and prosecutors not only better protect citizens, but they also protect themselves from being found in breach of the Convention by the ECtHR.