In a pivotal ruling delivered on 10 February 2026, the Court of Justice of the European Union (CJEU) overturned an earlier order by the General Court, thus affirming the admissibility of an action for annulment brought by a data controller against a binding decision of the European Data Protection Board (EDPB). This judgment provides clarity on the scope of judicial remedies available to data controllers under the General Data Protection Regulation (GDPR), while also reinforcing the significant legal weight of EDPB decisions within the EU’s enforcement framework.
Background to the dispute
The proceedings originated from an investigation into how a data controller processed personal data under the GDPR. The Irish Data Protection Commission (DPC) investigated transparency and information obligations as the lead supervisory authority. Disagreements among the national data protection authorities regarding a draft decision resulted in the matter being referred to the EDPB for dispute resolution. On 28 July 2021, the EDPB adopted a binding decision, finding alleged infringements of the GDPR and mandating increased fines. Consequently, the DPC issued its final decision, imposing administrative fines.
General Court's initial dismissal
The data controller sought to annul the EDPB’s binding decision before the General Court of the European Union. However, the General Court deemed the action inadmissible. It considered that the EDPB's decision was merely a preparatory or intermediate act and, therefore, not “an act open to challenge” under Article 263 TFEU. Furthermore, the General Court held that the decision was not of “direct concern” to the data controller, suggesting that it should only challenge the DPC's final decision before national courts.
CJEU reversal: paving the way for direct recourse
In its appeal judgment, the CJEU disagreed with the General Court on both key points and, reversing the General Court’s ruling, declared the action admissible. In doing so, it opened a significant avenue for judicial review to the benefit of data controllers and applicants before the General Court more generally.
The EDPB decision constitutes an “act open to challenge”
The CJEU confirmed the criteria for an act to be “open to challenge”, stating it must originate from an EU body and be “intended to produce legal effects vis-à-vis third parties.” The Court emphasised that decision of the EDPB is inherently binding on the lead supervisory authority and all other supervisory authorities concerned.
Importantly, the CJEU held that the EDPB's decision definitively determines the position of the competent EU body and “deals exhaustively with all the issues which that body is required to resolve.” This definitive nature means that such decisions cannot be classified as mere intermediate measures lacking independent legal effects, regardless of their position in the consistency review procedure. The Court explicitly stated that the General Court erred in confusing the requirements for an “act open to challenge” with the conditions for “direct concern” and in incorrectly classifying the decision as an intermediate measure lacking independent legal effect.
The EDPB decision is of “direct concern” to a data controller
The CJEU also ruled that the EDPB's decision was of direct concern to the data controller, thus fulfilling the second condition for admissibility. For an act to be of direct concern to a person not being its addressee, such act must: (1) directly affect that person’s legal situation, and (2) leave no discretion to the addressees tasked with implementing it. The CJEU ruled that the EDPB's decision directly affected the data controller’s legal situation, notably by requiring changes to its contractual relationship with users. This demonstrates how such decisions can significantly alter a data controller's operational model.
Regarding discretion, the CJEU concluded that the EDPB's decision bound the supervisory authorities, leaving them with no room to depart from the EDPB’s position. This included definitive findings of infringement, the classification of specific data types, and the mandate to increase fines. The authorities were, in short, “not able to change the result of the assessments made” by the EDPB on these issues.
While acknowledging the potential for parallel proceedings (before the EU courts for the EDPB decision and before national courts for the final national decision by the lead supervisory authority), the CJEU emphasised the role of mechanisms such as preliminary rulings and stays of proceedings to ensure judicial coherence.
Implications and next steps
The CJEU has clarified that entities subject to GDPR enforcement can directly challenge binding decisions before the EU courts. This also applies when those decisions are subsequently implemented through national supervisory authority decisions. The ruling strengthens effective judicial protection by providing an essential and effective means of judicial review of pan-European GDPR enforcement actions and ensures accountability at the EU level.
As the CJEU's decision focused solely on admissibility, the merits of the case have not yet been determined. The matter has been referred to the General Court for a detailed assessment of the data controller's arguments against the EDPB's findings of infringement. The legal community will closely follow the General Court's eventual ruling on the substance of the dispute, as it will likely further shape the interpretation and application of key GDPR provisions, as well as the dynamics of multi-jurisdictional data protection enforcement.