Inspektorat kam Visshia sadeben savet (Rule of law - Judicial independence - disciplinary proceedings against judges - Judgment) [2025] EUECJ C-313/23 (30 April 2025)
Court of Justice of the European Communities (including Court of First Instance Decisions)
You are here:BAILII >>
Databases >>
Court of Justice of the European Communities (including Court of First Instance Decisions) >>
Inspektorat kam Visshia sadeben savet (Rule of law - Judicial independence - disciplinary proceedings against judges - Judgment) [2025] EUECJ C-313/23 (30 April 2025)
URL: https://www.bailii.org/eu/cases/EUECJ/2025/C31323.html Cite as:
ECLI:EU:C:2025:303,
[2025] EUECJ C-313/23,
EU:C:2025:303
( References for a preliminary ruling - Rule of law - Judicial independence - Second subparagraph of Article 19(1) TEU - Effective legal protection in the fields covered by Union law - Judicial body competent to propose the initiation of disciplinary proceedings against judges, public prosecutors and investigating magistrates, with a view to the imposition of disciplinary penalties - Members of the judicial body remaining in office after the expiry of their term of office - Protection of natural persons with regard to the processing of personal data - Regulation (EU) 2016/679 - Data security - Access by a judicial body to data relating to the bank accounts of judges and public prosecutors and of their family members - Judicial authorisation for the purpose of lifting banking secrecy - Court authorising the lifting of banking secrecy - Article 4(7) - Concept of 'controller' - Article 51 - Concept of 'supervisory authority' )
In Joined Cases C‑313/23, C‑316/23 and C‑332/23,
THREE REQUESTS for a preliminary ruling under Article 267 TFEU from the Sofiyski rayonen sad (Sofia District Court, Bulgaria), made by decisions of 22 May 2023 (C‑313/23 and C‑332/23) and of 23 May 2023 (C‑316/23), received at the Court on 22 May 2023 (C‑313/23), 23 May 2023 (C‑316/23) and 25 May 2023 (C‑332/23), in the proceedings brought by
Inspektorat kam Visshia sadeben savet,
THE COURT (First Chamber),
composed of K. Lenaerts, President of the Court, acting as President of the First Chamber, T. von Danwitz (Rapporteur), Vice-President of the Court, A. Kumin, I. Ziemele and O. Spineanu-Matei, Judges,
Advocate General: P. Pikamäe,
Registrar: A. Calot Escobar,
having regard to the written procedure,
after considering the observations submitted on behalf of:
– the Inspektorat kam Visshia sadeben savet, by T. Tochkova, acting as Agent,
– the Bulgarian Government, by T. Mitova, S. Ruseva and R. Stoyanov, acting as Agents,
– the Polish Government, by B. Majczyna, acting as Agent,
– the European Commission, by A. Bouchagiar, C. Georgieva, H. Kranenborg and P. Van Nuffel, acting as Agents,
after hearing the Opinion of the Advocate General at the sitting on 4 October 2024,
gives the following
Judgment
1 These requests for a preliminary ruling concern the interpretation of the second subparagraph of Article 19(1) TEU and of Article 2(2)(a), Article 4(7), Article 32(1)(b), Article 33(3)(d), Article 51, Article 57(1)(b) and Article 79(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; 'the GDPR'), read in conjunction with Article 47 of the Charter of Fundamental Rights of the European Union ('the Charter').
2 The requests have been made in proceedings brought by the Inspektorat kam Visshia sadeben savet (Inspectorate at the Supreme Judicial Council, Bulgaria) ('the Inspectorate') seeking an order for data relating to the bank accounts of several judges and public prosecutors as well as of their family members to be disclosed to the Inspectorate.
'(16) This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. …
…
(20) While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.'
4 Article 2 of that regulation, entitled 'Material scope', provides, in paragraphs 1 and 2 thereof:
'1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law;
…'
5 Article 4 of that regulation, entitled 'Definitions', provides:
'For the purposes of this Regulation:
…
(2) “'processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
…
(7) “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
…'
6 Article 12 of the GDPR, entitled 'Transparent information, communication and modalities for the exercise of the rights of the data subject', states, in paragraph 1 thereof:
'The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language … The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. …'
7 Article 14 of that regulation, entitled 'Information to be provided where personal data have not been obtained from the data subject', provides, in paragraphs 1 and 2 thereof:
'1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation …;
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
(d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(e) the right to lodge a complaint with a supervisory authority;
(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
(g) the existence of automated decision-making …'
8 Article 21 of the GDPR, entitled 'Right to object', provides, in paragraph 1 thereof:
'The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.'
9 Article 32 of the GDPR, entitled 'Security of processing', states, in paragraph 1 thereof:
'Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
…
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
…'
10 Article 33 of that regulation, entitled 'Notification of a personal data breach to the supervisory authority', provides, in paragraphs 1 and 3 thereof:
'1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
…
3. The notification referred to in paragraph 1 shall at least:
…
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.'
11 Chapter VI of the GDPR, entitled 'Independent supervisory authorities', encompasses Articles 51 to 59 thereof.
12 Article 51 of that regulation, entitled 'Supervisory authority', is worded as follows:
'1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (“supervisory authority”).
…
3. Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities in the [European Data Protection Board] and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.
4. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to this Chapter, by 25 May 2018 and, without delay, any subsequent amendment affecting them.'
13 Article 55 of that regulation, entitled 'Competence', provides:
'1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.
2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.
3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.'
14 Article 57 of the GDPR, entitled 'Tasks', provides, in paragraph 1 thereof:
'Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:
(a) monitor and enforce the application of this Regulation;
…
(h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;
…'
15 Article 58 of the GDPR, entitled 'Powers', lists, in paragraph 1 thereof, the investigative powers that each supervisory authority is to have and, in paragraph 2 thereof, the corrective powers that that authority is to have.
16 Chapter VIII of the GDPR, entitled 'Remedies, liability and penalties', encompasses Articles 77 to 84 of that regulation.
17 Article 77 of that regulation, entitled 'Right to lodge a complaint with a supervisory authority', provides, in paragraph 1 thereof:
'Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.'
18 Article 78 of that regulation, entitled 'Right to an effective judicial remedy against a supervisory authority', provides, in paragraph 1 thereof:
'Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.'
19 Article 79 of that regulation, entitled 'Right to an effective judicial remedy against a controller or processor', provides, in paragraph 1 thereof:
'Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.'
Bulgarian law
Constitution of the Republic of Bulgaria
20 Article 117(2) of the Konstitutsia na Republika Bulgaria (Constitution of the Republic of Bulgaria), in the version applicable to the facts in the main proceedings ('the Bulgarian Constitution'), provides:
'The judiciary shall be independent. In carrying out their functions, judges, jurors, public prosecutors and investigating magistrates shall be subject only to the law.'
21 Article 132a of the Bulgarian Constitution, in the version applicable at the time the present requests for a preliminary ruling were made, provides:
'(1) An inspectorate shall be established at the Supreme Judicial Council. It shall be composed of an Inspector General and 10 inspectors.
(2) The Inspector General shall be elected for a five-year term by a majority of two thirds of the members of the National Assembly.
(3) The inspectors shall be elected for a four-year term by the National Assembly in accordance with the procedure laid down in paragraph 2.
(4) The Inspector General and the inspectors may be re-elected, although not for two consecutive terms.
…
(6) The Inspectorate shall scrutinise the activities of the judicial authorities without undermining the independence of judges, jurors, public prosecutors and investigating magistrates in the performance of their functions. The Inspectorate shall carry out checks in respect of the integrity and conflicts of interest of judges, public prosecutors and investigating magistrates, the declarations of their assets, and for the purpose of identifying actions which are detrimental to the reputation of the judiciary or which relate to the violation of the independence of judges, public prosecutors and investigating magistrates. The Inspector General and the inspectors shall be independent and shall be subject only to the law in the performance of their functions.
(7) The Inspectorate shall act of its own motion, on the initiative of citizens, legal persons or State bodies, including judges, public prosecutors and investigating magistrates.
…
(10) The conditions and procedure applicable to the election and removal from office of the Inspector General and the inspectors, and to the organisation and activities of the Inspectorate, shall be established by law.'
The ZSV
22 Article 46 of the Zakon za sadebnata vlast (Law on the Judiciary) (DV No 64 of 7 August 2007), in the version applicable to the facts in the main proceedings ('the ZSV'), provides:
'The National Assembly shall elect the Inspector General and each of the inspectors individually by a two-thirds majority of members.'
2. shall scrutinise the arrangements for initiating and conducting legal proceedings, prosecutions and investigations, in addition to the finalisation of cases within the prescribed time;
…
6. shall propose disciplinary penalties against judges, public prosecutors, investigating magistrates and administrative heads of the judiciary;
7. shall issue alerts, recommendations and reports to other State bodies, including competent judicial authorities;
8. shall carry out checks in respect of the integrity and conflicts of interest of judges, public prosecutors and investigating magistrates, the declarations of their assets, and for the purpose of identifying actions which are detrimental to the reputation of the judiciary or which relate to the violation of the independence of judges, public prosecutors and investigating magistrates;
…
15. shall supervise the processing of personal data in the cases referred to in Article 17(1) of the Law on the protection of personal data.
(2) When engaging in the supervision referred to in Article 54(1)(15), the Inspectorate shall perform the tasks and exercise the powers provided for by the Law on the protection of personal data.'
'Judges, public prosecutors and investigating magistrates shall submit the following declarations to the [Inspectorate]:
1. a declaration of assets and interests in two parts;
2. a declaration of a change in the circumstances declared in the declaration referred to in point 1 in the part concerning the interests referred to in Article 175b(1)(11) to (13) and of the origin of funds in the event of early repayment of debts and loans.'
25 Article 175b(4) of the ZSV is worded as follows:
'Judges, public prosecutors and investigating magistrates shall declare the assets and income of their spouse or of the person with whom they live together as a couple as well as of their minor children.'
'(1) The [Inspectorate] shall keep and maintain electronic public registers:
1. of the declarations under Article 175a(1)(1) and (2);
2. of decisions imposing administrative penalties that have become final.
(2) The [Inspectorate] shall record in the public register referred to in point 1 of subparagraph 1 the declarations of assets and interests and of changes in the declared circumstances. These shall be recorded exclusively by officials authorised by the Inspector General.
…
(4) Everyone shall have the right to access data contained in the public register.
(5) Access shall be provided via the website of the [Inspectorate], subject to the requirements relating to the protection of personal data.'
'(1) Within six months of the expiry of the time limit for submitting the declaration, the [Inspectorate] shall verify the accuracy of the facts declared. …
…
(6) The [Inspectorate] may obtain information from the information systems referred to in Articles 56 and 56a of the Law on credit institutions. The Inspector General and the inspectors from the [Inspectorate] may apply to the rayonen sad [(district court)] in whose jurisdiction the data subject is domiciled for banking secrecy to be lifted, except in those cases where consent has been given pursuant to Article 62(5)(1) of the Law on credit institutions. Consent shall be given to the [Inspectorate] in writing, without notarial certification of the signature, on a form approved by the Inspector General.'
1. the administrative head, as regards the penalty referred to in Article 308(1)(1);
2. the relevant chamber of the Supreme Judicial Council (the Chamber of Judges, Public Prosecutors and Investigating Magistrates), as regards the penalties referred to in Article 308(1)(2), (3), (4) and (6);
…
4. the plenary formation of the Supreme Judicial Council, as regards the penalties referred to in Article 308(2) imposed on an elected member of the Supreme Judicial Council.'
'A proposal to initiate disciplinary proceedings with a view to the imposition of a disciplinary penalty on a judge, a public prosecutor or an investigating magistrate or on an administrative head or a deputy administrative head may be made by:
'The decision of the plenary formation or of the relevant chamber of the Supreme Judicial Council may be challenged by the person on whom the disciplinary penalty is imposed and, where no disciplinary penalty has been imposed or the penalty imposed is less severe than that proposed, by the person who made the proposal, before the Varhoven administrativen sad [(Supreme Administrative Court, Bulgaria)] within 14 days of notification or service of the decision.'
The ZKI
32 Article 62 of the Zakon za kreditnite institutsii (Law on credit institutions) (DV No 59 of 21 July 2006), in the version applicable to the facts in the main proceedings ('the ZKI'), provides:
'(1) Bank employees, members of the management and supervisory bodies of banks, officials from the [Bulgarian National Bank (BNB)], employees and members of the board of directors of the Deposit Insurance Fund, liquidators, temporary administrators and administrators, and any other person working for a bank, shall be prohibited from disclosing or using for their own personal gain or for the benefit of their family members information covered by banking secrecy.
(2) Banking secrecy consists of the facts and circumstances affecting the balances and transactions on the accounts and deposits held by the bank's customers.
…
(5) Except to the BNB and for the purposes and under the conditions provided for in Article 56, the bank may provide the information referred to in paragraph 2 concerning individual customers only:
1. with their consent;
2. pursuant to a court decision adopted in accordance with paragraphs 6 and 7;
3. by order of a court, where that is necessary to clarify the circumstances of a case pending before it;
4. in the situations referred to in paragraph 12, in the case of a bank involved in an insolvency procedure; or
5. in the context of ongoing international arbitration proceedings to which the Republic of Bulgaria is a party.
(6) The court may order the disclosure of the information referred to in paragraph 2 also at the request:
…
12. of the Inspector General or of an inspector from the [Inspectorate].
(7) The judge of the rayonen sad [(district court)] shall rule in closed session by reasoned decision on the request referred to in paragraph 6, no later than 24 hours after its submission, specifying the period to which the information referred to in paragraph 1 pertains. The decision of the court cannot be appealed.
…'
The ZZLD
33 Article 6(1) of the Zakon za zashtita na lichnite danni (Law on the protection of personal data) (DV No 1 of 4 January 2002), in the version applicable to the facts in the main proceedings ('the ZZLD'), is worded as follows:
'The Komisia za zashtita na lichnite danni [(Commission for Personal Data Protection, Bulgaria; 'the KZLD')] is a permanent and independent supervisory authority which ensures the protection of individuals with regard to the processing of and access to their personal data as well as inspections in respect of compliance with [the GDPR] and with this law.'
'(1) The [Inspectorate] shall monitor and ensure compliance with the [GDPR], the present law and the normative acts relating to the protection of personal data, where personal data are processed by:
1. a court in the performance of its functions as a judicial authority, and
2. the public prosecutor's office and the investigating authorities in the performance of their functions as judicial authorities, for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal law penalties.
(2) The detailed procedure for the performance of the activity referred to in paragraph 1, including the carrying out of checks as well as the conduct of proceedings before the Inspectorate, shall be laid down in the rules referred to in Article 55(8) [of the ZSV].'
'In supervising the processing of personal data by a court in the performance of its functions as a judicial authority, except in cases where personal data are processed for the purposes of Article 42(1), the Inspectorate shall:
1. perform the tasks referred to in Article 57(1)(a) to (i), (l), (u) and (v) and Article 57(2) and (3) of [the GDPR];
2. exercise the powers conferred by Article 58(1)(a), (b), (d), (e), (f), Article 58(2)(a) to (g), (i) and (j) and Article 58(3)(a), (b) and (c) of [the GDPR];
3. apply accordingly the list drawn up by [the KZLD] in accordance with Article 35(4) of [the GDPR], read in conjunction with the requirement for a data protection impact assessment;
4. refer the matter to a court in the event of an infringement of [the GDPR].'
'(1) In the event of an infringement of his or her rights under [the GDPR] and the present law, the data subject may challenge the acts and actions of the controller and the processor before a court in accordance with the procedure provided for by the Code of Administrative Procedure.
…
(4) The data subject cannot refer the matter to a court when there are pending proceedings before [the KZLD] for the same infringement or where a decision of [the KZLD] concerning the same infringement has been challenged and there is no final court decision. At the request of the data subject or of the court, [the KZLD] shall certify that there are no pending proceedings before it regarding the same dispute.
(5) Paragraph 4 shall also apply where proceedings are pending before the Inspectorate.'
The disputes in the main proceedings and the questions referred for a preliminary ruling
37 On 15 May 2023, after the expiry of the period prescribed for the submission, for 2022, of the annual declarations of the assets of judges, public prosecutors and investigating magistrates and of their families, referred to in Articles 175a and 175b of the ZSV, the Inspectorate requested the Sofiyski rayonen sad (Sofia District Court, Bulgaria) – the referring court – to lift banking secrecy in relation to the bank accounts of several judges and public prosecutors and of their family members, pursuant to Article 62(6)(12) of the ZKI.
38 The referring court notes, in the first place, that it must ascertain whether the Inspectorate has competence to submit such a request to it. In that regard, the referring court states that that body, which was created by an amendment to the Bulgarian Constitution adopted in 2007, is entrusted with investigating the exercise of undue influence over judges, public prosecutors and investigating magistrates, verifying their asset declarations, and identifying possible conflicts of interest and violations of the independence of the judiciary.
39 The referring court states that the Inspectorate is composed of an Inspector General and 10 inspectors, who are elected by the National Assembly for a five- and four-year term, respectively. The terms of office of all the members of the Inspectorate expired in 2020, without new members having been elected by the National Assembly.
40 It is true that, by judgment of 27 September 2022, the Konstitutsionen sad (Constitutional Court, Bulgaria) ruled that the Bulgarian Constitution must be interpreted as meaning that the Inspector General and the inspectors whose terms of office have expired are to continue to perform their functions until the National Assembly elects new members of the Inspectorate, taking the view that maintaining the functions entrusted to the Inspectorate outweighs the risks of abuse by members thereof whose terms of office have expired. The referring court notes, however, that that judgment did not address the question whether members of the Inspectorate who continue to perform their functions after the expiry of their term of office might exercise undue influence over the judicial system or could themselves be subject to pressure from members of the National Assembly.
41 The referring court is therefore uncertain whether EU law lays down stricter conditions than the Bulgarian Constitution as interpreted by the Konstitutsionen sad (Constitutional Court). In particular, in the light of the case-law of the Court of Justice established in the judgment of 11 May 2023, Inspecția Judiciară (C‑817/21, EU:C:2023:391, paragraphs 50 and 51), the referring court is uncertain whether an extension of the terms of office of the members of the Inspectorate is liable to undermine the guarantees of independence of that authority as the authority empowered to initiate disciplinary proceedings against judges, public prosecutors or investigating magistrates, and, if so, what the criteria are for assessing whether and for how long such an extension is permissible.
42 In the second place, the referring court is uncertain about the role and obligations of the national courts where they are called upon to authorise the Inspectorate to access the personal data of judges, public prosecutors or investigating magistrates.
43 In that regard, the referring court observes that, in 2019, a serious problem relating to the security of the data held by the Inspectorate attracted the attention of the Bulgarian media. The KZLD found that the personal data of approximately 20 judges and public prosecutors held by the Inspectorate had been unlawfully published in their entirety on the Inspectorate's website, which led the KZLD to impose a fine on the Inspectorate. The referring court notes that it does not have any information enabling it to ascertain whether, since that incident, measures have been taken so as to ensure data security.
44 The referring court is uncertain whether an authorisation it might grant to the Inspectorate to access personal data covered by banking secrecy comes within the scope of the GDPR and, if so, what impact that would have on the review which it must carry out. It points out, in that regard, that the GDPR imposes obligations on persons who process personal data, on controllers and on supervisory authorities.
45 By contrast, the obligations of a court granting authorisation to an authority to access such data are not directly governed by the GDPR. It is therefore necessary to determine whether such a court must be regarded as having the status of 'controller', within the meaning of Article 4(7) of the GDPR, or of a 'supervisory authority', within the meaning of Article 51 of that regulation, in so far as it grants the Inspectorate an authorisation without which the data concerned cannot be accessed. The Inspectorate collects and verifies, for the purposes referred to in Articles 175a and 175d of the ZSV, data relating to the assets of judges, public prosecutors and investigating magistrates, whereas the courts review that activity by granting or refusing access to the data at issue.
46 In that regard, the referring court observes that its review should, according to the interpretation of national law which prevails in Bulgaria, be purely formal and be limited to ascertaining whether the persons in respect of whom the lifting of banking secrecy is sought have the status of persons who are under an obligation to submit a declaration within the meaning of the ZSV, that is to say, whether they are judges, public prosecutors or investigating magistrates, or persons who have a family relationship or another relationship as provided for by that law with them. In principle, where those conditions are satisfied, courts should always authorise the lifting of banking secrecy. By contrast, that would not be the case if the courts engaging in a prior review could be regarded as controllers in respect of the personal data to which they are granting access, with the result that they should ensure data security pursuant to Articles 32 to 34 of the GDPR.
47 Although those courts do not have direct access to the personal data covered by banking secrecy, they determine to a certain extent the purposes of the processing by authorising or prohibiting access to those data. Furthermore, the national provisions applicable in the main proceedings do not specify, where the purposes of the processing of personal data are determined by law, which authority is to be subject to the rights and obligations of a controller in respect of personal data.
48 In addition, the referring court is uncertain whether it may check, before authorising access to the data, whether the Inspectorate has taken measures to ensure that the data are processed in accordance with the law, in order not to act as a mere rubber stamp.
49 Lastly, even if the court responsible for authorising access by the Inspectorate to personal data covered by banking secrecy does not have the status of controller or supervisory authority, the question arises as to whether it must carry out such checks in order to ensure effective judicial protection as provided for in Article 79 of the GDPR. It is true that that provision governs cases in which the data subject brings an action before the court in order to protect his or her rights. Nevertheless, where the proceedings relating to the disclosure of the data are conducted without the participation of the data subject and national law provides for prior judicial review, a similar obligation should, according to the referring court, be imposed ex officio. That also follows from the right to an effective judicial remedy, enshrined in Article 47 of the Charter. In the absence of such an obligation, the court will always be limited to formally examining and upholding the administration's action, which appears inconsistent with the objectives of Article 79 of the GDPR.
50 In those circumstances, the Sofiyski rayonen sad (Sofia District Court) decided to stay the proceedings and to refer the following questions, worded identically in Cases C‑313/23, C‑316/23 and C‑332/23, to the Court of Justice for a preliminary ruling:
'(1) Must the second subparagraph of Article 19(1) TEU, read in conjunction with the second paragraph of Article 47 of [the Charter], be interpreted as meaning that it is per se or under certain conditions an infringement of the obligation incumbent on Member States to provide effective remedies sufficient to ensure independent judicial review for the functions of an authority which can impose disciplinary penalties on judges and has powers to collect data relating to their assets and liabilities to be indefinitely extended after the constitutionally stipulated term of office of that body comes to an end? If such an extension is permissible, under what conditions is that the case?
(2) Must Article 2(2)(a) of [the GDPR] be interpreted as meaning that the disclosure of data covered by banking secrecy for the purposes of verifying assets and liabilities of judges and public prosecutors which are subsequently made public constitutes an activity which falls outside the scope of [EU] law? Is the answer different where that activity also includes the disclosure of data relating to family members of those judges and public prosecutors who are not judges or public prosecutors themselves?
(3) If the answer to the second question is that [EU] law is applicable, must Article 4(7) of [the GDPR] be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of judges and public prosecutors and their family members determines the purposes or means of the processing of personal data and is therefore a “controller” for the purposes of the processing of personal data?
(4) If the answer to the second question is that [EU] law is applicable and the third question is answered in the negative, must Article 51 of [the GDPR] be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of judges and public prosecutors and their family members is responsible for monitoring the application of that regulation and must therefore be classified as a “supervisory authority” in relation to those data?
(5) If the answer to the second question is that [EU] law is applicable and either the third or the fourth questions are answered in the affirmative, must Article 32(1)(b) of [the GDPR] and Article 57(1)(a) of that regulation be interpreted as meaning that a judicial authority which allows another State authority to access data concerning the account balances of judges and public prosecutors and their families, is obliged, in the presence of [information] concerning a personal data breach committed in the past by the authority to which such access is to be granted, to obtain information on the data protection measures taken and to take into account the appropriateness of those measures in its decision to permit access?
(6) If the answer to the second question is that [EU] law is applicable, and irrespective of the answers to the third and fourth questions, must Article 79(1) of [the GDPR], read in conjunction with Article 47 of [the Charter], be interpreted as meaning that, where the national law of a Member State provides that certain categories of data may be disclosed only after permission to do so has been granted by a court, the court so competent must of its own motion grant legal protection to the persons whose data are to be disclosed, by requiring the authority which has applied for access to the data in question and which is known to have committed a personal data breach in the past to provide information on the measures taken pursuant to Article 33(3)(d) of [the GDPR] and their effective application?'
Procedure before the Court
Joinder
51 By decision of the President of the Court of Justice of 30 June 2023, Cases C‑313/23, C‑316/23 and C‑332/23 were joined for the purposes of the written and oral procedures and the judgment.
The request that the oral part of the procedure be reopened
52 By document lodged at the Court Registry on 30 October 2024, the Inspectorate requested an order, pursuant to Article 83 of the Rules of Procedure of the Court of Justice, that the written part of the procedure be reopened. Since Article 83 of those Rules governs the reopening of the oral part of the procedure and, in the present case, that part of the procedure was closed following the presentation of the Advocate General's Opinion, that request must be understood as seeking the reopening of the oral part of the procedure.
53 In support of its request, the Inspectorate relies on two reasons in connection with the first question referred for a preliminary ruling. In the first place, it states that there has been a new development, namely an amendment, in December 2023, of Article 132a(4) of the Bulgarian Constitution, to the effect that members of the Inspectorate may henceforth be elected for two consecutive terms. In the second place, the Inspectorate submits that, in his Opinion, the Advocate General incorrectly assessed the situation at issue in the main proceedings by referring to national legislation and an opinion of the European Commission for Democracy through Law, known as 'the Venice Commission', which are not relevant to the present cases.
54 In that regard, it must be noted, first, that the Statute of the Court of Justice of the European Union and the Rules of Procedure make no provision for the interested parties referred to in Article 23 of that Statute to submit observations in response to the Advocate General's Opinion. Second, under the second paragraph of Article 252 TFEU, the Advocate General, acting with complete impartiality and independence, is to make, in open court, reasoned submissions on cases which, in accordance with that Statute, require the Advocate General's involvement. The Court is not bound either by the Advocate General's submissions or by the reasoning which led to those submissions. Consequently, a party's disagreement with the Opinion of the Advocate General, irrespective of the questions that he or she examines in the Opinion, cannot in itself constitute grounds justifying the reopening of the oral procedure (judgment of 19 December 2024, Ford Italia, C‑157/23, EU:C:2024:1045, paragraph 26 and the case-law cited).
55 It is true that, in accordance with Article 83 of the Rules of Procedure, the Court may at any time, after hearing the Advocate General, order the opening or reopening of the oral part of the procedure, in particular if it considers that it lacks sufficient information or where a party has, after the close of that part of the procedure, submitted a new fact which is of such a nature as to be a decisive factor for the decision of the Court, or where the case must be decided on the basis of an argument which has not been debated between the interested persons.
56 However, in the present case, the Court has all the information necessary to give a ruling on the requests for a preliminary ruling and the present cases do not have to be decided on the basis of arguments which have not been debated between the interested persons. Furthermore, the request that the oral part of the procedure be reopened does not disclose any new fact of such a nature as to be a decisive factor for the decision which the Court is called upon to give in those cases.
57 In those circumstances, the Court considers, having heard the Advocate General, that there is no need to order that the oral part of the procedure be reopened.
Admissibility of the requests for a preliminary ruling
58 The Bulgarian Government expresses doubts as regards the admissibility of the requests for a preliminary ruling, on the ground that, according to that government, the referring body in the main proceedings does not, in the context of those proceedings, have the characteristics of a 'court or tribunal' within the meaning of Article 267 TFEU. First, the Bulgarian Government claims that the proceedings before that body are unilateral, inasmuch as they are conducted without the participation of the persons concerned. Second, those proceedings do not have as their purpose the resolution of a legal dispute, since their sole purpose, in the submission of the Bulgarian Government, is to ascertain whether the conditions required for the lifting of banking secrecy are satisfied.
59 According to the Court's settled case-law, in order to determine whether the body in question that is making a reference is a 'court or tribunal' within the meaning of Article 267 TFEU, which is a question governed by EU law alone, the Court takes account of a number of factors, such as, inter alia, whether the body is established by law, whether it is permanent, whether its jurisdiction is compulsory, whether it applies rules of law and whether it is independent (see, to that effect, judgments of 29 March 2022, Getin Noble Bank, C‑132/20, EU:C:2022:235, paragraph 66, and of 7 May 2024, NADA and Others, C‑115/22, EU:C:2024:384, paragraph 35 and the case-law cited).
60 It is also clear from settled case-law that, although Article 267 TFEU does not make reference to the Court subject to the proceedings during which the national court refers a question for a preliminary ruling being inter partes, a national court may refer a question to the Court only if there is a case pending before it and if it is called upon to give judgment in proceedings intended to lead to a decision of a judicial nature. Accordingly, it is appropriate to determine whether a body may refer a case to the Court on the basis of criteria relating both to the constitution of that body and to its function. A national body may be classified as a 'court or tribunal', within the meaning of Article 267 TFEU, when it is performing judicial functions, but not when exercising other functions, inter alia functions of an administrative nature (see, to that effect, judgment of 3 May 2022, City Rail, C‑453/20, EU:C:2022:341, paragraphs 42 and 43 and the case-law cited).
61 It is not disputed that the Sofiyski rayonen sad (Sofia District Court), as such, meets the requirements set out in paragraph 59 above, concerning its establishment, its permanence, the application of rules of law and its independence, and there is nothing in the file before the Court to give rise to doubts in that regard. What the Bulgarian Government is raising in the present case is the question whether that court is called upon to give a ruling in proceedings intended to lead to a decision of a judicial nature. In that regard, it should be noted that that court is seised of a request made by the Inspectorate for banking secrecy to be lifted pursuant to Article 62(6)(12) of the ZKI. Although the Bulgarian Government submits that the examination that the referring court must carry out is of a purely formal nature, the fact remains that that court is called upon to ascertain whether the legal conditions for lifting banking secrecy are satisfied, to rule by way of a reasoned decision and to set the period in respect of which banking secrecy is to be lifted.
62 In particular, the authorisation which the referring court might grant is intended as a substitute, as is apparent from Article 62(5) of the ZKI, for the consent of the persons concerned. That authorisation may be relied on vis-à-vis banks with which those persons have bank accounts and has the effect of giving the Inspectorate access to the personal data relating to those accounts. In addition, such access entails an interference with the fundamental rights of those persons, enshrined in Articles 7 and 8 of the Charter (see, to that effect, judgment of 6 October 2020, État luxembourgeois (Right to bring an action against a request for information in tax matters), C‑245/19 and C‑246/19, EU:C:2020:795, paragraph 74).
63 In those circumstances, the functions performed by the referring court under Article 62(6)(12) of the ZKI do not consist in the adoption of acts of an administrative nature amenable to judicial review, but must be classified as judicial functions, since that court is in fact called upon to give a ruling independently, with a view to ensuring that the lifting of banking secrecy is lawful (see, by analogy, order of 15 January 2004, Saetti and Frediani, C‑235/02, EU:C:2004:26, paragraph 23).
64 Consequently, the requests for a preliminary ruling are admissible.
Consideration of the questions referred
The first question
65 As a preliminary point, it should be borne in mind that, according to settled case-law, in the procedure laid down by Article 267 TFEU providing for cooperation between national courts and the Court of Justice, it is for the latter to provide the national court with an answer which will be of use to it and enable it to decide the case before it. To that end, the Court of Justice should, where necessary, reformulate the questions referred to it (judgment of 30 January 2024, Direktor na Glavna direktsia 'Natsionalna politsia' pri MVR – Sofia, C‑118/22, EU:C:2024:97, paragraph 31 and the case-law cited).
66 In the present case, although the first question refers to a judicial body 'which can impose disciplinary penalties on judges and has powers to collect data relating to their assets', it is apparent both from the requests for a preliminary ruling and from the file before the Court that that body scrutinises the activities of judges, public prosecutors and investigating magistrates in the performance of their functions and carries out checks in respect of their integrity and the absence of conflicts of interest on their part, and that it has, in that context, the power to collect their personal data. In particular, that body is empowered, after carrying out such checks, to propose to another judicial body the initiation of disciplinary proceedings with a view to the imposition of disciplinary penalties on those persons.
67 As is apparent from the requests for a preliminary ruling, the referring court considers that the fact that the members of the Inspectorate, who are elected by a two-thirds majority of the members of the National Assembly, continue to perform their functions despite the expiry of their terms of office is such as to raise questions with regard to the requirement of independence of the judiciary. That court is uncertain whether the members of that judicial body could, in that context, exercise undue influence over judges, public prosecutors or investigating magistrates, or continue their activities under pressure from members of the National Assembly.
68 Thus, the first question referred for a preliminary ruling concerns the interpretation of the second subparagraph of Article 19(1) TEU, read in the light of Article 47 of the Charter, solely in the light of the extension of the expired terms of office of the members of the Inspectorate, without the scope of the powers of that judicial body being, as such, covered by that question.
69 In those circumstances, the view must be taken that, by its first question, the referring court asks, in essence, whether and, as the case may be, under what conditions the second subparagraph of Article 19(1) TEU, read in the light of Article 47 of the Charter, precludes a Member State's practice under which the members of a judicial body of that Member State – who are elected by its parliament for terms of office of a specific duration and are competent to scrutinise the activity of judges, public prosecutors and investigating magistrates in the performance of their functions, to carry out checks in respect of their integrity and the absence of conflicts of interest on their part, as well as to propose to another judicial body the initiation of disciplinary proceedings with a view to the imposition of disciplinary penalties on those persons – continue to perform their functions beyond the legal duration of their terms of office as laid down in the Constitution of that Member State, until that parliament elects new members.
The jurisdiction of the Court
70 The Polish Government submits that the Court does not have jurisdiction to answer the first question, since, according to that government, the European Union has no competence in the field of the organisation of justice in the Member States.
71 In that regard, although the organisation of justice in the Member States falls within the competence of those Member States, the Member States are nevertheless required, when exercising that competence, to comply with their obligations deriving from EU law and, in particular, from the second subparagraph of Article 19(1) TEU (see, to that effect, judgment of 9 January 2024, G. and Others (Appointment of judges to the ordinary courts in Poland), C‑181/21 and C‑269/21, EU:C:2024:1, paragraph 57 and the case-law cited).
72 That is the case with national rules governing the disciplinary liability of judges (see, to that effect, judgments of 21 December 2021, Euro Box Promotion and Others, C‑357/19, C‑379/19, C‑547/19, C‑811/19 and C‑840/19, EU:C:2021:1034, paragraph 133, and of 11 May 2023, Inspecţia Judiciară, C‑817/21, EU:C:2023:391, paragraph 44 and the case-law cited), including those relating to the organisation and operation of a judicial body which, like the Inspectorate, is competent to scrutinise the activities of judges in the performance of their functions, to carry out checks in respect of their integrity and to ascertain whether there are any conflicts of interest on the part of those judges as well as to propose to another judicial body the initiation of disciplinary proceedings with a view to the imposition of disciplinary penalties on them.
73 In those circumstances, and since the first question referred for a preliminary ruling concerns the interpretation of EU law, the Court has jurisdiction to answer that question.
Admissibility
74 The Bulgarian Government and the Inspectorate are challenging the admissibility of the first question on the ground that the Inspectorate does not have the power to impose disciplinary penalties, with the result that, according to them, the first question bears no relation to the subject matter of the main proceedings.
75 In addition, the Inspectorate submits that the first question is hypothetical. First, according to the Inspectorate, the main proceedings bear no relation to disciplinary proceedings. Second, while a structural failure to meet the requirements of independence is required for a finding of an infringement of the second subparagraph of Article 19(1) TEU, the referring court does not specify in what way the alleged failure at issue in the main proceedings is structural in nature.
76 In that regard, according to settled case-law, it is solely for the national court, before which the dispute has been brought and which must assume responsibility for the judicial decision to be made, to determine, in the light of the particular circumstances of the case, both the need for and the relevance of the questions that it submits to the Court. Consequently, where the questions submitted concern the interpretation of a rule of EU law, the Court is in principle bound to give a ruling (judgments of 16 February 2023, Rzecznik Praw Dziecka and Others (Suspension of the return decision), C‑638/22 PPU, EU:C:2023:103, paragraph 47, and of 24 July 2023, Lin, C‑107/23 PPU, EU:C:2023:606, paragraph 61).
77 Consequently, questions relating to EU law enjoy a presumption of relevance. The Court may refuse to rule on a question referred for a preliminary ruling by a national court only where it is quite obvious that the interpretation of an EU rule that is sought bears no relation to the actual facts of the main action or its purpose, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it (see, to that effect, judgments of 16 February 2023, Rzecznik Praw Dziecka and Others (Suspension of the return decision), C‑638/22 PPU, EU:C:2023:103, paragraph 48, and of 24 July 2023, Lin, C‑107/23 PPU, EU:C:2023:606, paragraph 62).
78 In the present case, the referring court is uncertain as regards the action to be taken in response to the Inspectorate's requests for an authorisation to access data relating to the bank accounts of several judges and public prosecutors and their family members. In particular, that court wishes to know whether EU law precludes that judicial body from making requests of that nature where the terms of office of all its members expired several years ago. It therefore appears that it is for that court indirectly to rule on that matter in limine litis before being able to decide whether to grant the requests submitted to it. It follows that the interpretation of EU law requested is objectively required for the decision to be taken by the referring court (see, to that effect, judgment of 18 May 2021, Asociaţia 'Forumul Judecătorilor din România' and Others, C‑83/19, C‑127/19, C‑195/19, C‑291/19, C‑355/19 and C‑397/19, EU:C:2021:393, paragraphs 118 and 119).
79 As regards the submissions of the Inspectorate set out in paragraph 75 above, relating in particular to the powers available to it in the context of the main proceedings and to the absence of a structural failure to meet the requirements arising from the second subparagraph of Article 19(1) TEU, those submissions come, in fact, within the scope of the examination of the substance of the first question and, therefore, cannot lead to that question being inadmissible.
80 It follows from the foregoing that the first question referred for a preliminary ruling is admissible.
Substance
81 It should be recalled that every Member State must, in accordance with the second subparagraph of Article 19(1) TEU, ensure that the bodies which are called upon, as 'courts or tribunals' within the meaning of EU law, to rule on questions relating to the application or interpretation of EU law and which thus come within its judicial system in the fields covered by EU law, meet the requirements of effective judicial protection, including that of independence (judgment of 11 July 2024, Hann-Invest and Others, C‑554/21, C‑622/21 and C‑727/21, EU:C:2024:594, paragraph 47 and the case-law cited).
82 The very existence of effective judicial review designed to ensure compliance with EU law is of the essence of the rule of law. In that regard, in accordance with the second subparagraph of Article 19(1) TEU, it is for the Member States to establish a system of legal remedies and procedures ensuring for individuals compliance with their right to effective judicial protection in the fields covered by EU law. The principle of the effective judicial protection of individuals' rights under EU law, referred to in the second subparagraph of Article 19(1) TEU, is a general principle of EU law stemming from the constitutional traditions common to the Member States, which has been enshrined in Articles 6 and 13 of the Convention for the Protection of Human Rights and Fundamental Freedoms, signed in Rome on 4 November 1950, and is now reaffirmed in Article 47 of the Charter (judgment of 21 December 2021, Euro Box Promotion and Others, C‑357/19, C‑379/19, C‑547/19, C‑811/19 and C‑840/19, EU:C:2021:1034, paragraph 219 and the case-law cited).
83 To that end, maintaining the independence of bodies which may be called upon to rule on questions concerning the application or interpretation of EU law is essential, as confirmed by the second paragraph of Article 47 of the Charter, which refers to access to an 'independent' tribunal as one of the requirements linked to the fundamental right to an effective remedy (judgment of 18 May 2021, Asociația 'Forumul Judecătorilor din România'and Others, C‑83/19, C‑127/19, C‑195/19, C‑291/19, C‑355/19 and C‑397/19, EU:C:2021:393, paragraph 194 and the case-law cited).
84 That requirement that courts be independent, which is inherent in the task of adjudication, forms part of the essence of the right to effective judicial protection and the fundamental right to a fair trial, which is of cardinal importance as a guarantee that all the rights which individuals derive from EU law will be protected and that the values common to the Member States set out in Article 2 TEU, in particular the rule of law, will be safeguarded. In accordance with the principle of the separation of powers which characterises the operation of the rule of law, the independence of the judiciary must in particular be ensured in relation to the legislature and the executive (judgment of 18 May 2021, Asociația Forumul Judecătorilor Din România and Others, C‑83/19, C‑127/19, C‑195/19, C‑291/19, C‑355/19 and C‑397/19, EU:C:2021:393, paragraph 195 and the case-law cited).
85 It is settled case-law of the Court that the guarantees of independence and impartiality required under EU law presuppose rules that are such as to dispel any reasonable doubt, in the minds of individuals, as to the imperviousness of the body in question to external factors and its neutrality with respect to the interests before it (judgments of 20 April 2021, Repubblika, C‑896/19, EU:C:2021:311, paragraph 53 and the case-law cited, and of 18 May 2021, Asociaţia 'Forumul Judecătorilor din România' and Others, C‑83/19, C‑127/19, C‑195/19, C‑291/19, C‑355/19 and C‑397/19, EU:C:2021:393, paragraph 196).
86 As regards specifically the rules governing the disciplinary regime in respect of judges, the requirement of independence of courts and tribunals following from the second subparagraph of Article 19(1) TEU requires that that regime must provide the necessary guarantees in order to prevent any risk of its being used as a system of political control of the content of judicial decisions. Rules which define, in particular, both conduct amounting to disciplinary offences and the penalties actually applicable, provide for the involvement of an independent body in accordance with a procedure which fully safeguards the rights enshrined in Articles 47 and 48 of the Charter, in particular the rights of the defence, and lay down the possibility of bringing legal proceedings challenging the disciplinary bodies' decisions constitute a set of guarantees that are essential for safeguarding the independence of the judiciary (judgments of 18 May 2021, Asociația 'Forumul Judecătorilor din România' and Others, C‑83/19, C‑127/19, C‑195/19, C‑291/19, C‑355/19 and C‑397/19, EU:C:2021:393, paragraph 198 and the case-law cited; and of 11 May 2023, Inspecţia Judiciară, C‑817/21, EU:C:2023:391, paragraph 48 and the case-law cited).
87 Since the prospect of opening a disciplinary investigation is, as such, liable to exert pressure on those who have the task of adjudicating in a dispute, it is essential that a body competent to conduct investigations and bring disciplinary proceedings should act objectively and impartially in the performance of its duties and, to that end, be free from any external influence (see, to that effect, judgments of 18 May 2021, Asociația 'Forumul Judecătorilor din România' and Others, C‑83/19, C‑127/19, C‑195/19, C‑291/19, C‑355/19 and C‑397/19, EU:C:2021:393, paragraph 199, and of 11 May 2023, Inspecţia Judiciară, C‑817/21, EU:C:2023:391, paragraph 49). That applies in particular to a judicial body which, like the Inspectorate, has broad powers to scrutinise the activity of judges, public prosecutors and investigating magistrates in the performance of their functions, to carry out checks in respect of their integrity and the absence of conflicts of interest on their part, as well as to propose to another judicial body, following such checks, the initiation of disciplinary proceedings with a view to the imposition of disciplinary penalties on those persons.
88 Thus, it is important that all the rules governing the organisation and operation of such a body, including those governing the procedure for the appointment of its members, be designed in such a way that there can be no reasonable doubt, in the minds of individuals, that the powers and functions of such a body will not be used as an instrument to exert pressure on, or political control over, judicial activity (see, to that effect, judgment of 11 May 2023, Inspecţia Judiciară, C‑817/21, EU:C:2023:391, paragraphs 50 and 51 and the case-law cited).
89 Those rules may, generally speaking, affect that body's practice directly and thus prevent or, on the contrary, encourage disciplinary action the object or effect of which is to exert pressure, in particular, on those who have the task of adjudicating in a dispute or of ensuring political control over their activity (see, to that effect, judgment of 11 May 2023, Inspecţia Judiciară, C‑817/21, EU:C:2023:391, paragraph 52).
90 It is ultimately for the referring court to rule, in the final analysis, on the imperviousness of the body at issue in the main proceedings to external influence as well as on its objectivity and impartiality in relation to the performance of its duties, having made the relevant findings in that regard. Indeed, it must be borne in mind that Article 267 TFEU does not empower the Court to apply rules of EU law to a particular case, but only to rule on the interpretation of the Treaties and of acts of EU institutions. According to settled case-law, the Court may, however, in the framework of the judicial cooperation provided for by Article 267 TFEU and on the basis of the material presented to it, provide the national court with an interpretation of EU law which may be useful to it in assessing the effects of one or other of its provisions (see, to that effect, judgment of 11 May 2023, Inspecţia Judiciară, C‑817/21, EU:C:2023:391, paragraph 58).
91 In the present case, the Inspectorate consists of an Inspector General and 10 inspectors, who are elected by the National Assembly by a two-thirds majority of its members for a five- and four-year term of office, respectively. In accordance with the national legislation applicable as at the date of submission of the present requests for a preliminary ruling, the members of the Inspectorate could not be re-elected for a second consecutive term of office.
92 As regards the situation at issue in the main proceedings, in which the terms of office of the members of the Inspectorate expired without the National Assembly having elected its new members, the national legislation does not appear to contain any rule as to whether members of the Inspectorate whose terms of office have expired may continue to perform their functions. It is true that, according to the information provided by the referring court, the members of the Inspectorate, in accordance with the case-law of the Konstitutsionen sad (Constitutional Court), are to continue, in such a situation, to perform their functions until the National Assembly elects new members. Nevertheless, in addition to Bulgarian law not containing any rules such as to circumscribe the performance of those functions extended in that manner, it also does not contain any legal provisions under which a potential deadlock in the process for the appointment of new members of the Inspectorate can be resolved, with the result that the extension of the terms of office of its former members appears, in practice, to be capable of continuing indefinitely.
93 First, while it is for the Member States alone to decide whether or not to authorise the performance of the functions, beyond the legal duration of their term of office, of members of a judicial body which is competent to scrutinise the activity of judges, public prosecutors and investigating magistrates as well as to propose the initiation of disciplinary proceedings against those persons, in order to ensure continuity in the functioning of that body, the Member States are required, when opting for such an extension of terms of office, to ensure that the performance of functions after the expiry of the term of office has an express legal basis in domestic law containing clear and precise rules such as to circumscribe that performance.
94 In addition, the Member States must ensure that the conditions and detailed rules to which that performance is subject are designed in such a way as to enable the relevant members of the judicial body to act objectively and impartially in the performance of their duties as well as ensure that they are, for that purpose, free of any external influence, as required by the case-law cited in paragraphs 87 and 88 above.
95 Second, as the Advocate General observed, in essence, in point 58 of his Opinion, although, in certain circumstances, the extension of the terms of office may prove necessary in view of the importance of the functions performed by the judicial body concerned, the fact remains that, beyond the legal duration of those terms of office, that body is acting without any express legal basis in domestic law containing clear and precise rules such as to circumscribe the performance of those functions. Therefore, it is only exceptionally and on condition that it is circumscribed by clear and precise rules excluding, in practice, the possibility that it may be indefinite in its duration, that that extension may be conceivable.
96 Nevertheless, when a Member State circumscribes such an extension, it cannot amend its legislation or its Constitution in such a way as to bring about a reduction in the protection of the value of the rule of law, a value which is given concrete expression by, inter alia, Article 19 TEU, in particular as regards the guarantees of judicial independence vis-à-vis the legislature and the executive (see, to that effect, judgment of 20 April 2021, Repubblika, C‑896/19, EU:C:2021:311, paragraphs 63 and 65).
97 In the light of the foregoing considerations, the answer to the first question is that the second subparagraph of Article 19(1) TEU, read in the light of Article 47 of the Charter, must be interpreted as meaning that the principle of judicial independence precludes a Member State's practice under which the members of a judicial body of that Member State – who are elected by its parliament for terms of office of a specific duration and are competent to scrutinise the activity of judges, public prosecutors and investigating magistrates in the performance of their functions, to carry out checks in respect of their integrity and the absence of conflicts of interest on their part, as well as to propose to another judicial body the initiation of disciplinary proceedings with a view to the imposition of disciplinary penalties on those persons – continue to perform their functions beyond the legal duration of their terms of office as laid down in the Constitution of that Member State, until that parliament elects new members, where the extension of the expired terms of office does not have an express legal basis in national law containing clear and precise rules such as to circumscribe the performance of those functions and where it is not guaranteed that that extension is, in practice, limited in time.
The second question
98 By its second question, the referring court seeks, in essence, to ascertain whether Article 2 of the GDPR must be interpreted as meaning that disclosure, to a judicial body, of personal data that are protected by banking secrecy and that concern judges, public prosecutors and investigating magistrates as well as their family members, with a view to the verification of the declarations which are submitted by those judges, public prosecutors and investigating magistrates concerning their assets and those of their family members and which are published, constitutes processing of personal data that comes within the material scope of that regulation.
99 According to settled case-law, Article 2(1) of the GDPR gives a very broad definition of its material scope. Subject to the cases referred to in Article 2(2) and (3) thereof, the GDPR applies to processing carried out both by private persons and by public authorities, including, as recital 20 thereof indicates, by judicial authorities (see, to that effect, judgments of 24 March 2022, Autoriteit Persoonsgegevens, C‑245/20, EU:C:2022:216, paragraph 25, and of 16 January 2024, Österreichische Datenschutzbehörde, C‑33/22, EU:C:2024:46, paragraphs 33 and 36).
100 Furthermore, the Court has previously held that neither the fact that the information which is the subject of the national provisions relates to judges nor the fact that that information might have certain links with the performance of their duties is, in itself, such as to remove those national provisions from the scope of the GDPR (judgment of 5 June 2023, Commission v Poland (Independence and private life of judges), C‑204/21, EU:C:2023:442, paragraph 315).
101 Article 2 of the GDPR sets out, in paragraphs 2 and 3 thereof, in exhaustive terms, the exceptions to the rule determining the material scope of that regulation laid down in paragraph 1 thereof; those exceptions, in particular the ones provided for in paragraph 2, must be interpreted strictly (see, to that effect, judgments of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C‑439/19, EU:C:2021:504, paragraph 62; of 5 June 2023, Commission v Poland (Independence and private life of judges), C‑204/21, EU:C:2023:442, paragraph 316; and of 16 January 2024, Österreichische Datenschutzbehörde, C‑33/22, EU:C:2024:46, paragraph 37).
102 Article 2(2)(a) of the GDPR, which is the specific subject of the second question referred for a preliminary ruling, provides that that regulation does not apply to the processing of personal data 'in the course of an activity which falls outside the scope of Union law'.
103 In accordance with settled case-law, that provision, read in the light of recital 16 of the GDPR, has the sole purpose of excluding from the scope of that regulation the processing of personal data carried out by State authorities in the course of an activity which is intended to safeguard national security or of an activity which can be classified in the same category, it being specified that the activities having the aim of safeguarding national security encompass, in particular, those that are intended to protect essential State functions and the fundamental interests of society. The mere fact that an activity is an activity characteristic of the State or of a public authority is not a sufficient ground for that exception to be automatically applicable to such an activity (see, to that effect, judgments of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C‑439/19, EU:C:2021:504, paragraphs 66 and 67; of 8 December 2022, Inspektor v Inspektorata kam Visshia sadeben savet (Purposes of the processing of personal data – Criminal investigation), C‑180/21, EU:C:2022:967, paragraph 79; and of 5 June 2023, Commission v Poland (Independence and private life of judges), C‑204/21, EU:C:2023:442, paragraphs 317 and 318).
104 Although ensuring the proper administration of justice in the Member States and, in particular, the enactment of rules applicable to the status of judges, public prosecutors and investigating magistrates, more specifically judges, and to the performance of their functions come within the competence of those States (see, to that effect, judgment of 5 June 2023, Commission v Poland (Independence and private life of judges), C‑204/21, EU:C:2023:442, paragraph 319), the fact remains that data processing, such as that at issue in the main proceedings, the objective of which is to scrutinise the integrity of judges, public prosecutors and investigating magistrates, and to ascertain whether there are any conflicts of interest on their part, is neither an activity intended to safeguard national security nor an activity which can be classified in the same category.
105 Furthermore, it must be noted that disclosure to a judicial body of personal data that are protected by banking secrecy and that concern judges, public prosecutors and investigating magistrates as well as their family members, with a view to the verification of the declarations which relate to the assets of the judges, public prosecutors and investigating magistrates and to those of their family members and which are published, constitutes 'processing' within the meaning of Article 4(2) of the GDPR. That disclosure constitutes the making available of those personal data to that body.
106 The answer to the second question referred is therefore that Article 2 of the GDPR must be interpreted as meaning that disclosure, to a judicial body, of personal data that are protected by banking secrecy and that concern judges, public prosecutors and investigating magistrates as well as their family members, with a view to the verification of the declarations which are submitted by those judges, public prosecutors and investigating magistrates concerning their assets and those of their family members and which are published, constitutes processing of personal data that comes within the material scope of that regulation.
The third question
107 By its third question, the referring court asks whether Article 4(7) of the GDPR must be interpreted as meaning that a court having jurisdiction to authorise, at the request of another judicial body, disclosure by a bank to that body of data relating to the bank accounts of judges, public prosecutors and investigating magistrates as well as of their family members, may be classified as a controller within the meaning of that provision.
108 Under Article 4(7) of the GDPR, the concept of 'controller' covers natural or legal persons, public authorities, agencies or other bodies which, alone or jointly with others, determine the purposes and means of the processing of personal data. That provision also states that, where the purposes and means of such processing are determined, inter alia, by Member State law, the controller or the specific criteria for its nomination may be provided for by that law.
109 In accordance with the Court's settled case-law, that provision seeks to ensure, through a broad definition of the concept of 'controller', in accordance with the objective pursued by the GDPR, effective and complete protection of the fundamental rights and freedoms of natural persons and, in particular, a high level of protection of the right of every person to the protection of personal data concerning him or her (see, to that effect, judgments of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949, paragraphs 28 and 29, and of 7 March 2024, IAB Europe, C‑604/22, EU:C:2024:214, paragraphs 53 to 55 and the case-law cited).
110 In order to establish whether a person or entity is to be classified as a controller within the meaning of Article 4(7) of the GDPR, it must therefore be examined whether that person or entity determines, alone or jointly with others, the purposes and means of the processing or whether those purposes and means are determined by national law. Where such determination is made by national law, it is then appropriate to ascertain whether that law nominates the controller or provides for the specific criteria for its nomination (judgment of 27 February 2025, Amt der Tiroler Landesregierung, C‑638/23, EU:C:2025:127, paragraph 27).
111 It is also important to state that, having regard to the broad definition of the concept of 'controller' within the meaning of Article 4(7) of the GDPR, the determination of the purposes and means of the processing and, where appropriate, the nomination of that controller by national law may not only be explicit but also implicit. In the latter case, that determination of the purposes and means of the processing must nevertheless be derived with sufficient certainty from the role, task and powers conferred on the person or entity concerned (judgment of 27 February 2025, Amt der Tiroler Landesregierung, C‑638/23, EU:C:2025:127, paragraph 28).
112 The protection of the data subjects would be undermined if point 7 of Article 4 of the GDPR were interpreted restrictively to cover only those cases in which the purposes and means of the data processing performed by a person, a public authority, an agency or a body are expressly determined by national law, even where those purposes and means are apparent, in essence, from the legal provisions governing the activity of the entity concerned (judgment of 11 January 2024, État belge (Data processed by an official journal), C‑231/22, EU:C:2024:7, paragraph 30).
113 In the present case, the referring court is uncertain whether it must be regarded as the controller in respect of the processing at issue in the main proceedings, namely disclosure to the Inspectorate of personal data that are covered by banking secrecy, on account of the fact that it is legally responsible for authorising such disclosure.
114 In that regard, under the national legislation applicable to the cases in the main proceedings, the Inspectorate is competent to carry out, inter alia, checks in respect of the integrity and absence of conflicts of interest on the part of judges, public prosecutors and investigating magistrates, as well as to verify their asset declarations. To that end, that legislation enables the Inspectorate to request access to data relating to the bank accounts of judges, public prosecutors and investigating magistrates as well as of their family members. Where the data subjects have not given consent to such access, that judicial body has, pursuant to that legislation, the power to request prior judicial authorisation in order to access those data.
115 It thus appears that it is the national legislation applicable to the cases in the main proceedings which determines the circle of persons and the data which may be the subject of the processing, lays down the purposes of that processing and designates the competent body, namely the Inspectorate, with a view to achieving those purposes. The court considering a request for authorisation of disclosure takes action only where the Inspectorate has made a request for the purpose of exercising the powers conferred on it by national law, and confines itself to ascertaining whether the conditions of legality laid down by that law are satisfied. Similarly, it is not that court but the Inspectorate that determines, on the basis of the applicable national rules, the persons whose data it is seeking to access for the purposes of that exercise and in relation to whom it submits a request for authorisation to that court.
116 Thus, although it is for that court to examine whether and to what extent the conditions governing the legality of the processing are satisfied in a given case, it does not determine of its own accord either the purpose of the processing or the persons and data concerned. In those circumstances, it is not that court but the body competent to achieve the purposes pursued that is the controller within the meaning of Article 4(7) of the GDPR.
117 In the light of the foregoing considerations, the answer to the third question is that Article 4(7) of the GDPR must be interpreted as meaning that a court having jurisdiction to authorise, at the request of another judicial body, disclosure by a bank to that body of data relating to the bank accounts of judges, public prosecutors and investigating magistrates as well as of their family members, cannot be classified as a controller within the meaning of that provision.
The fourth question
118 By its fourth question, the referring court asks, in essence, whether Article 51 of the GDPR must be interpreted as meaning that a court having jurisdiction to authorise disclosure of personal data to another judicial body constitutes a supervisory authority within the meaning of that article.
119 Article 51(1) of the GDPR requires Member States to provide for one or more independent public authorities which are to be responsible for monitoring the application of that regulation. The establishment of such authorities, which is also provided for by primary EU law, namely Article 8(3) of the Charter and Article 16(2) TFEU, is an essential component of the protection of individuals with regard to the processing of personal data (see, to that effect, judgment of 8 April 2014, Commission v Hungary, C‑288/12, EU:C:2014:237, paragraph 48, and Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017, EU:C:2017:592, paragraph 229).
120 Those authorities have the primary task, under Article 51(1) and (2) and Article 57(1)(a) and (g) of the GDPR, to monitor and enforce the application of that regulation, while contributing to its consistent application within the European Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of such data within the European Union. To that end, they have at their disposal the various powers conferred on them under Article 58 of the GDPR (see, to that effect, judgment of 4 July 2023, Meta Platforms and Others (General terms of use of a social network), C‑252/21, EU:C:2023:537, paragraph 45).
121 Member States are required, in accordance with Article 51(4) of the GDPR, to notify to the Commission the provisions of their law and any subsequent amendments that they adopt pursuant to Chapter VI of that regulation, in particular those concerning the supervisory authority or authorities which they have entrusted with the task of monitoring the application of that regulation.
122 In the present case, it is not apparent from any of the documents in the file before the Court that the referring court is entrusted, by Bulgarian law, with the task of monitoring the application of the GDPR or, in particular, that it has the powers which a supervisory authority must have under Article 58 of that regulation.
123 The answer to the fourth question is therefore that Article 51 of the GDPR must be interpreted as meaning that a court having jurisdiction to authorise disclosure of personal data to another judicial body does not constitute a supervisory authority within the meaning of that article, where that court is not entrusted by the Member State in which it is situated with monitoring the application of that regulation in order to protect, in particular, the fundamental rights and freedoms of natural persons in relation to the processing of their personal data.
The fifth question
124 The fifth question is asked only in the event that the Court answers the third or fourth question in the affirmative. As has been found in paragraphs 117 and 123 above, the third and fourth questions must be answered in the negative.
125 Accordingly, there is no need to answer the fifth question referred for a preliminary ruling.
The sixth question
126 By its sixth question, the referring court asks, in essence, whether Article 79(1) of the GDPR, read in the light of Article 47 of the Charter, must be interpreted as meaning that a court having jurisdiction to authorise disclosure of personal data to another judicial body is required, without an action pursuant to that provision having been brought before it, to ensure of its own motion the protection of the persons whose data are concerned as regards compliance with the provisions of that regulation relating to the security of personal data, where it is known that that body has infringed those provisions in the past.
127 In that regard, the referring court states that that question is raised in so far as the proceedings before it are conducted without the participation of the persons whose personal data are concerned and the judicial authorisation of the disclosure of those data to the Inspectorate is intended as a substitute for the consent of those persons, without being open to challenge. That court considers that, if it were limited to a purely formal examination of the request for authorisation made by the Inspectorate, without ensuring that that body guarantees the security of the data subjects' data, the judicial protection of those persons, provided for in Article 79 of the GDPR, would be deprived of its effectiveness. It is in those circumstances that the referring court has doubts as to whether it is required to ensure, of its own motion, that the Inspectorate complies with data security rules, by requiring the Inspectorate to provide it with information on the security measures taken pursuant to Article 33(3)(d) of that regulation.
128 In that regard, it must be recalled that the GDPR establishes a set of substantive and procedural rules relating to the security of data which must be observed by the controller, while providing, in Chapter VIII thereof, remedies which are intended to protect the rights of individuals whose personal data have been processed in a manner alleged to be contrary to the provisions of that regulation and which may be exercised by those persons concurrently with and independently of each other (see, to that effect, judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C‑132/21, EU:C:2023:2, paragraph 35).
129 Since the level of protection provided for by the GDPR is dependent on the security measures adopted by controllers of personal data, those controllers must be encouraged to do everything in their power to prevent the occurrence of processing operations that do not comply with that regulation, given that they bear the burden of demonstrating the appropriateness of those measures (judgment of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraph 55).
130 Ensuring compliance with the requirements as regards security that are imposed by the GDPR is a matter, first, for the supervisory authorities, and second, the national courts hearing an action under Article 78(1) or under Article 79(1) of the GDPR.
131 As regards the supervisory authorities, their main task, as recalled in paragraph 120 above, is to monitor the application of the GDPR and ensure compliance with that regulation. In particular, they must be informed, pursuant to Article 33 of that regulation, of personal data breaches by the controllers.
132 Furthermore, Article 58(1) and (2) of the GDPR confers on those authorities significant powers of investigation and various corrective powers. It must be pointed out, in that regard, that they are required to take action where the exercise of one or more of the corrective powers provided for in Article 58(2) of that regulation is, taking into account all the circumstances of the specific case, appropriate, necessary and proportionate to remedy the shortcoming found and ensure that that regulation is fully enforced (judgment of 26 September 2024, Land Hessen (Obligation to act by the data protection authority), C‑768/21, EU:C:2024:785, paragraph 42).
133 In addition, it is of particular importance that the supervisory authorities have genuine powers to take effectual action against infringements of the GDPR, and in particular to bring them to an end, including in situations where data subjects have not been informed that their personal data have been processed, are not aware of it, or, in any event, have not lodged a complaint under Article 77(1) of the regulation (see, to that effect, judgment of 14 March 2024, Újpesti Polgármesteri Hivatal, C‑46/23, EU:C:2024:239, paragraph 41).
134 Those authorities must, like the national courts hearing an action under Article 78(1) or under Article 79(1) of the GDPR, make sure that the technical and organisational measures adopted by the controller are appropriate in order to ensure a level of security appropriate to the risk, as required by Article 32(1) of that regulation, while examining the substance of those measures in a concrete manner, in the light of all the criteria referred to in that article and the circumstances of the case and the evidence available to those authorities or courts in that regard (see, to that effect, judgments of 14 December 2023, Natsionalna agentsia za prihodite, C‑340/21, EU:C:2023:986, paragraphs 43 and 45, and of 28 November 2024, Másdi, C‑169/23, EU:C:2024:988, paragraph 71).
135 By contrast, national courts which are not seised of an action under Article 78(1) or under Article 79(1) of the GDPR are not, in the absence of rules expressly conferring supervisory powers on them, required to ensure compliance with the substantive provisions of that regulation in order to ensure their effectiveness.
136 Since the referring court is uncertain, in particular, as regards the effectiveness of the judicial remedy provided for in Article 79(1) of the GDPR, it must also, in order to give it a useful answer, be pointed out that the Member States must ensure that the practical arrangements for the exercise of the remedies provided for in Article 77(1), Article 78(1) and Article 79(1) of that regulation effectively meet the requirements arising from the right to an effective remedy enshrined in Article 47 of the Charter (see, to that effect, judgment of 12 January 2023, Nemzeti Adatvédelmi és Információszabadság Hatóság, C‑132/21, EU:C:2023:2, paragraph 51).
137 To that end, it is important that the controller, namely the competent judicial body to which access to personal data has been granted, provide the persons whose data are concerned with the information listed in Article 14(1) and (2) of the GDPR, in accordance with the modalities referred to in Articles 12(1) and in Article 14(3) of that regulation, since that information is necessary to enable those persons to exercise, where appropriate, the rights conferred on them by that regulation, in particular their right to object to their personal data being processed, laid down in Article 21 of the GDPR, and their right of action where they suffer damage, laid down in Articles 79 and 82 of that regulation (see, by analogy, judgment of 22 June 2023, Pankki S, C‑579/21, EU:C:2023:501, paragraph 58 and the case-law cited).
138 In the light of the foregoing considerations, the answer to the sixth question is that Article 79(1) of the GDPR, read in the light of Article 47 of the Charter, must be interpreted as meaning that a court having jurisdiction to authorise disclosure of personal data to another judicial body is not required, where an action pursuant to that provision has not been brought before it, to ensure of its own motion the protection of the persons whose data are concerned as regards compliance with the provisions of that regulation relating to the security of personal data, including where it is known that that body has, in the past, infringed those provisions.
Costs
139 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (First Chamber) hereby rules:
must be interpreted as meaning that the principle of judicial independence precludes a Member State's practice under which the members of a judicial body of that Member State – who are elected by its parliament for terms of office of a specific duration and are competent to scrutinise the activity of judges, public prosecutors and investigating magistrates in the performance of their functions, to carry out checks in respect of their integrity and the absence of conflicts of interest on their part, as well as to propose to another judicial body the initiation of disciplinary proceedings with a view to the imposition of disciplinary penalties on those persons – continue to perform their functions beyond the legal duration of their terms of office as laid down in the Constitution of that Member State, until that parliament elects new members, where the extension of the expired terms of office does not have an express legal basis in national law containing clear and precise rules such as to circumscribe the performance of those functions and where it is not guaranteed that that extension is, in practice, limited in time.
2. Article 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
must be interpreted as meaning that disclosure, to a judicial body, of personal data that are protected by banking secrecy and that concern judges, public prosecutors and investigating magistrates as well as their family members, with a view to the verification of the declarations which are submitted by those judges, public prosecutors and investigating magistrates concerning their assets and those of their family members and which are published, constitutes processing of personal data that comes within the material scope of that regulation.
3. Article 4(7) of Regulation 2016/679
must be interpreted as meaning that a court having jurisdiction to authorise, at the request of another judicial body, disclosure by a bank to that body of data relating to the bank accounts of judges, public prosecutors and investigating magistrates as well as of their family members, cannot be classified as a controller within the meaning of that provision.
4. Article 51 of Regulation 2016/679
must be interpreted as meaning that a court having jurisdiction to authorise disclosure of personal data to another judicial body does not constitute a supervisory authority within the meaning of that article, where that court is not entrusted by the Member State in which it is situated with monitoring the application of that regulation in order to protect, in particular, the fundamental rights and freedoms of natural persons in relation to the processing of their personal data.
5. Article 79(1) of Regulation 2016/679, read in conjunction with Article 47 of the Charter of Fundamental Rights,
must be interpreted as meaning that a court having jurisdiction to authorise disclosure of personal data to another judicial body is not required, where an action pursuant to that provision has not been brought before it, to ensure of its own motion the protection of the persons whose data are concerned as regards compliance with the provisions of that regulation relating to the security of personal data, including where it is known that that body has, in the past, infringed those provisions.
