The Advocate General of the Court of Justice of the European Union on April 16, 2026 delivered a far-reaching opinion in Case C-205/25 - Joachim Lindenberg v. Bayerisches Landesamt fur Datenschutzaufsicht - concluding that data protection authorities are themselves data controllers under the General Data Protection Regulation when handling complaints, and that a Bavarian law blocking any access to supervisory files is incompatible with GDPR. The opinion, presented by Advocate General Rimvydas Norkus, will now be considered by the Court of Justice before a binding judgment is issued.

The case carries implications that extend well beyond one German federal state. If the Court follows the Advocate General's reasoning - which it does in the majority of cases - it will mean that every supervisory authority across the 27 EU member states is legally required to respond to subject access requests from complainants whose personal data it processes, and that blanket national exemptions from that obligation are unlawful.

Background: a journalist, a complaint, and a closed file

The facts are straightforward. Joachim Lindenberg is a journalist and blogger who covers data protection issues. According to the opinion, he has initiated several complaint procedures before the Bayerisches Landesamt fur Datenschutzaufsicht - the Bavarian data protection authority responsible for the private sector, known as the BayLDA or Landesamt - since 2021.

On May 13, 2022, Lindenberg filed a data protection complaint against a third party. The Landesamt opened a control procedure and, by email of October 11, 2022, informed him that it had identified violations by the party he had complained about. That same day, Lindenberg requested additional information and then, in a formal message also dated October 11, 2022, invoked his right of access under Article 15, paragraphs 1 and 3, of the GDPR - requesting a copy of all personal data held in his complaint file.

On October 20, 2022, the Landesamt refused. Its justification was Article 20, paragraph 2, of the Bayerisches Datenschutzgesetz - the Bavarian Data Protection Act, referred to in proceedings as the BayDSG. That provision reads, according to the opinion: "There is no right of access or inspection with respect to the files and archives of supervisory authorities." The Landesamt argued that this national rule overrode any GDPR access entitlement.

Lindenberg appealed to the Bayerisches Verwaltungsgericht Ansbach - the Administrative Court of Ansbach, Bavaria - seeking an order requiring the Landesamt to provide a copy of all data in his complaint file. On February 23, 2024, the Landesamt eventually granted electronic access to the file, though without acknowledging any legal obligation to do so. Lindenberg continued his case, now seeking only a declaration that the October 20, 2022 refusal had been unlawful. The Ansbach court, uncertain whether EU law required a different outcome, suspended proceedings and referred two questions to the Court of Justice. The referral arrived at the Court on March 17, 2025. A hearing before the Court took place on January 22, 2026.

First question: are supervisory authorities data controllers?

The first question put to the Court asks whether a data protection authority, when handling a complaint under Article 77 of the GDPR, simultaneously qualifies as a controller in the sense of Article 4(7) of the same regulation.

The Landesamt argued that it did not. Its position was that a supervisory authority is, by definition, the entity that oversees controllers - and that this institutional role precludes it from also being a controller in respect of complaint files. Some participants in proceedings agreed.

Advocate General Norkus rejected that view. His analysis starts from the text of the GDPR. Article 4(7) defines a controller as "a natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing." According to the opinion, the definition explicitly includes public authorities, and nothing in the regulation limits this to authorities that are not supervisory bodies. The CJEU has consistently interpreted the controller concept broadly.

The opinion then examines what a supervisory authority actually does with personal data when it instructs a complaint. It receives the complaint - which contains personal data about the complainant, the respondent, and potentially third parties. It registers, structures, and stores that data in its internal systems. It analyses the data, requests supplementary information from the respondent, and uses the full body of information to make binding decisions and issue communications to the parties. According to the Advocate General, all of these operations fall within the definition of "processing" in Article 4(2), which covers "any operation or set of operations which is performed on personal data."

Crucially, the opinion argues that the supervisory authority does not merely receive data determined by others. It decides independently what data to collect, how to organise complaint files, which additional documents to request, how long to retain information, and how to use the data in its analysis and decision-making. That autonomous decision-making over purposes and means is exactly what makes an entity a controller under the GDPR. According to the opinion, even the Landesamt acknowledged at the January 2026 hearing that it exercises a margin of discretion in how it handles complaints.

The Advocate General is equally clear on the practical stakes. If supervisory authorities were not considered controllers, complainants would have no way to know what personal data the authority had collected about them, could not request correction, deletion, or restriction, and could not verify whether their own data was being processed lawfully. "This would create a structural gap in protection," according to the opinion, "depriving the data subject, in their relationship with the supervisory authority, of the fundamental guarantees established by the GDPR." That outcome would be paradoxical: the body charged with protecting individuals' data rights would itself be exempt from them.

Article 15 access rights: what they cover and what they do not

The opinion draws a careful line between what Article 15 requires and what it does not. This distinction matters because the Landesamt and others argued that granting access would amount to a general right of administrative file inspection - something the GDPR was never designed to create.

According to the Advocate General, Article 15 entitles the complainant to confirmation of whether their personal data is being processed, and if so, to a copy of that data along with the information enumerated in Article 15(1)(a) to (h): processing purposes, data categories, recipients, envisaged retention period, and information about data subject rights. The right to a copy under Article 15(3) requires the data to be provided in an intelligible form that allows the individual to verify the lawfulness of processing and exercise their other rights under the regulation. CJEU case law has established that this may sometimes require providing extracts from documents or even entire documents where the personal data cannot be separated from its context.

However, this is not a right of access to the administrative file as such. It does not extend to internal legal analyses, notes, drafts, deliberation records, or documents that contain no personal data of the complainant. The right covers the complainant's personal data held by the authority - not everything in the file. That distinction, the opinion argues, means the administrative burden on supervisory authorities would in practice be manageable.

There is also an important distinction between Article 15 and Article 77(2) of the GDPR. Article 77(2) requires authorities to inform complainants about the progress and outcome of their complaint, but it does not itself create a data access right. The two provisions serve different purposes and must not be conflated.

Second question: is the Bavarian blanket exclusion compatible with GDPR?

Having concluded that the Landesamt is a controller subject to Article 15, the Advocate General turns to the second question: does Article 23 of the GDPR permit a national provision like Article 20(2) of the BayDSG, which categorically eliminates any access or inspection right in respect of supervisory authority files?

Article 23 allows EU or member state legislation to restrict the rights of data subjects - including the Article 15 access right - where such restrictions are necessary and proportionate in a democratic society and pursue one of a closed list of legitimate objectives set out in Article 23(1)(a) to (j). The provision is not a general opt-out. It is a tightly circumscribed exception that requires a clear legal basis, a defined scope, identified objectives, proportionate means, and adequate safeguards.

The Advocate General identifies two objectives that the Landesamt invoked in proceedings: protecting the confidentiality of third-party personal data, and preserving the good functioning and independence of supervisory authorities. According to the opinion, both could in principle constitute legitimate aims under Article 23. The protection of third parties' rights is expressly referenced in Article 23(1)(i). The protection of supervisory authorities' effective functioning can be linked to Article 23(1)(h), which covers restrictions necessary for the exercise of public supervision and inspection.

But the opinion does not stop there. It assesses whether the BayDSG provision satisfies all the conditions Article 23 imposes - and concludes it does not, for several compounding reasons.

First, proportionality. The GDPR requires that any restriction go no further than necessary to achieve the stated objective. Partial redaction, temporary withholding during active investigations, anonymisation of third-party data, and differentiated treatment by document type are all measures that could achieve the Landesamt's stated goals without removing the access right entirely. According to the Advocate General, a total exclusion is disproportionate because it eliminates more than is necessary.

Second, the essential content of the right. The CJEU has established, drawing on Article 52(1) of the Charter of Fundamental Rights of the EU, that restrictions on fundamental rights must not impair the core of those rights. Article 15 access is described in the opinion as an indispensable component of the GDPR system: without it, data subjects cannot exercise their rights to rectification, erasure, restriction, or objection. Removing access entirely eliminates the right's substance.

Third, legal precision. Article 23(2) requires that the limiting measure specify the scope, purpose, and safeguards of the restriction. The BayDSG provision, according to the opinion, does not reference any of the objectives listed in Article 23(1) and does not contain any of the required elements. The Bavarian legislature's preparatory materials mention Article 23 as the legal basis but do not identify which objective from that article is being pursued. The Advocate General states that post-hoc justifications offered by the Landesamt in litigation cannot remedy this legislative deficiency.

Fourth, uniqueness within Germany. According to the referral from the Ansbach court, Article 20(2) of the BayDSG represents a singularity in the German legal order: no other federal state has enacted a comparable exclusion. According to the opinion, this isolation is itself an indicator that the restriction is neither necessary nor proportionate - all other German supervisory authorities discharge their functions without needing to suppress data subject rights in this way.

The Advocate General's proposed answer to the Court on the second question is direct: Article 23 must be interpreted as precluding a national provision that, as such, excludes any right of access under Article 15 before the data protection supervisory authority.

Practical significance and limits

Several points limit the practical disruption this ruling could cause if the Court follows the opinion. The Advocate General is explicit that Article 15 does not create a right to inspect administrative files. Authorities would not be required to share internal deliberations, legal opinions, or third-party information beyond what constitutes the complainant's personal data. They retain the tools under Article 12(5) to refuse or charge for manifestly unfounded or excessive requests. They can withhold information temporarily during active investigations under conditions the EDPB has outlined in its Guidelines 10/2020 on restrictions under Article 23.

The practical caseload challenge is real. Bavaria's BayLDA received 9,746 complaints in 2025 - a 61 percent increase compared to the previous year and the highest figure since the GDPR took effect in 2018. Handling access requests across that volume of cases would impose additional demands on an authority that, like most across Europe, already faces resource constraints. The opinion acknowledges this but notes that the GDPR obliges member states under Article 52(4) to provide supervisory authorities with sufficient human, technical, and financial resources. Chronic underfunding cannot justify removing data subject rights.

The wider context is one of growing legal complexity around how GDPR applies to supervisory authorities themselves. Europe's top court ruled in February 2026 that EDPB binding decisions are directly challengeable before EU courts, opening a new accountability channel for companies contesting enforcement. The European Commission proposed major GDPR amendments in its Digital Omnibus initiative in 2025, including changes to access rights under Article 12(5) that EDPB and privacy advocates sharply rejected. Data protection authorities and the Commission's own privacy watchdogs pushed back hard against those proposals in a February 2026 joint opinion. Against that legislative backdrop, a ruling confirming that supervisory authorities are themselves bound by the access rights they are meant to enforce would send a significant signal about the regulation's internal coherence.

For marketing and advertising technology professionals, the implications are indirect but real. The question of who qualifies as a controller - and what obligations that status carries - has been contested across dozens of enforcement cases. The CJEU's broad and functional interpretation of the controller concept, already applied in cases involving Facebook social plugins, joint controllers in online advertising, and TC Strings in the Transparency and Consent Framework, continues to expand in scope. The Belgian court's May 2025 ruling on IAB Europe's TCF responsibilities illustrated how the controller determination shapes the entire downstream compliance picture. A ruling confirming that even regulatory bodies cannot escape controllership when they determine the purposes and means of processing would reinforce the same logic throughout the ad tech stack.

The Austrian authority's August 2025 ruling ordering YouTube to honor a data access request after a five-year case illustrated how Article 15 disputes can drag on and impose costs on all parties. A clearer legal framework for what the right covers - including the precise limits the Advocate General outlines - could reduce such disputes if adopted and widely implemented.

Timeline

  • May 13, 2022 - Joachim Lindenberg files data protection complaint against a third party before the BayLDA
  • October 11, 2022 - BayLDA informs Lindenberg violations were detected; Lindenberg requests full file access under GDPR Article 15
  • October 20, 2022 - BayLDA refuses access, citing Article 20(2) of the BayDSG
  • February 23, 2024 - BayLDA grants Lindenberg electronic access to the file without acknowledging legal obligation
  • February 19, 2025 - Bayerisches Verwaltungsgericht Ansbach issues referral to the CJEU with two preliminary questions
  • March 17, 2025 - Referral received by the Court of Justice of the European Union; registered as Case C-205/25
  • January 22, 2026 - Hearing before the Court of Justice; arguments submitted by Lindenberg, the BayLDA, the Bulgarian government, and the European Commission
  • April 15, 2026 - Belgian DPA publishes AI and data rights brochure covering GDPR subject access rights
  • April 16, 2026 - Advocate General Rimvydas Norkus presents opinion in Case C-205/25 before the CJEU

Summary

Who: Advocate General Rimvydas Norkus of the Court of Justice of the European Union, in a case brought by German journalist Joachim Lindenberg against the Bayerisches Landesamt fur Datenschutzaufsicht, with written observations from the BayLDA, the Bulgarian and Latvian governments, and the European Commission.

What: An Advocate General opinion concluding that data protection authorities are data controllers under GDPR when handling complaints under Article 77, must therefore honor subject access requests under Article 15, and cannot rely on a national provision - such as Article 20(2) of the Bavarian Data Protection Act - that categorically excludes any right of access to supervisory files.

When: The opinion was presented on April 16, 2026. The underlying facts span from May 2022, when the complaint was filed, to February 2024, when the BayLDA eventually provided access. The CJEU referral was received on March 17, 2025.

Where: The case originates in Bavaria, Germany, and is before the Court of Justice of the European Union in Luxembourg. The legal questions apply across all 27 EU member states wherever GDPR is in force.

Why: The case matters because it determines whether regulatory bodies charged with enforcing individuals' data rights are themselves bound by those same rights when processing complainants' personal data. The Advocate General's opinion establishes that institutional function as a supervisory authority does not remove controllership obligations, and that blanket national exclusions from GDPR access rights fail the proportionality and legal precision tests required by Article 23.

Share this article
The link has been copied!