← All articles

consultant

C‑97/23 P — Binding decisions of the EDPB are challengeable

The CJEU allows direct actions against an EDPB binding decision (WhatsApp v EDPB, 10/02/2026). Bottom line: intra‑group data sharing must be documented and defensible before the EU courts.

At a glance — On 10 February 2026, the CJEU admitted a direct action for annulment against EDPB Binding Decision 1/2021, enabling judicial review of Article 65 GDPR decisions. Groups must be able to defend intra‑group data flows and legal bases before EU courts (CJEU, C‑97/23 P; press release No 11/26).

The case

The CJEU set aside the General Court’s 2022 order dismissing WhatsApp Ireland’s action as inadmissible and referred the case back for assessment on the merits. The EDPB decision is an “act open to challenge” producing legal effects and of “direct concern” to the company (CJEU, C‑97/23 P, 10.02.2026). See the CJEU press release No 11/26 and the InfoCuria case page.

Context: the EDPB adopted Binding Decision 1/2021 on WhatsApp Ireland’s transparency obligations (including towards non‑users) and on explaining data exchanges within Meta, which guided the Irish DPC’s final decision.

Legal reasoning

The CJEU confirms the binding nature of EDPB decisions adopted under the consistency mechanism (Arts. 63 and 65 GDPR): they bind the lead supervisory authority and concerned authorities and affect companies’ legal situation. They are therefore challengeable acts under Arts. 263 and 264 TFEU (source: press release No 11/26).

On substance (Binding Decision 1/2021), key requirements for intra‑group sharing include:

  • Transparency (Arts. 5(1)(a), 12–14 GDPR): clearly explain intra‑group recipients, purposes, and any EEA‑external transfers.
  • Legal basis (Art. 6 GDPR): do not infer a basis from group affiliation; legitimate interests (Art. 6(1)(f)) requires a three‑part test and documented balancing; contract performance (Art. 6(1)(b)) does not cover secondary marketing or profiling uses.
  • International transfers (Chapter V, Arts. 44–49): where group entities are outside the EEA, secure flows (SCCs, BCRs, DPF where applicable).

In Luxembourg, the CNPD highlights BCRs (Art. 47 GDPR) as the structuring tool for recurring intra‑group flows and details approval conditions/fees (guidance 04/2025; BCR files FR and EN).

The EDPB also consulted on Guidelines 1/2024 regarding Article 6(1)(f) (legitimate interests), reinforcing expectations for robust, contextual analysis.

What changes in practice

  • Higher litigation exposure: EDPB binding decisions can be challenged directly before EU courts. Your internal positions (legal bases, notices, LIAs) must withstand EU‑level scrutiny (CJEU, C‑97/23 P; press release No 11/26).
  • Build the GDPR “evidence bundle”: for intra‑group flows, prepare: (1) an Art. 30 record per entity/purpose with precise recipient lists; (2) a documented LIA, version‑controlled and reviewed by the DPO; (3) Arts. 13–14 notices aligned with actual flows and covering non‑users; (4) a Chapter V transfer map (SCCs/BCRs/DPF) plus TIAs where DPF does not apply.
  • Choose the right transfer instrument: for regular, multi‑purpose flows, BCRs provide long‑term coherence; SCCs fit targeted, limited flows.
  • Extended transparency: if you process data about non‑customers (prospects, imported contacts, lookalike audiences), clarify source, purposes, legal basis, and offer an effective opt‑out. See the EDPB Transparency guidance.

For local execution, anchor your CNPD interactions within a structured GDPR Luxembourg compliance approach.

Common pitfalls

  1. “Group = same controller”: each company is a separate controller; intra‑group sharing remains a “recipient” disclosure to name and justify (GDPR Art. 4(7), 26; EDPB controller/processor guidance).
  2. Over‑stretching “contract performance”: marketing, advanced analytics, or profile enrichment are not automatically covered by Art. 6(1)(b) without valid consent or a balanced legitimate interests assessment (EDPB, Binding Decision 1/2021).
  3. Boilerplate LIAs: a legitimate interests test without real balancing (non‑customers, minors, inferred sensitive data) is inadequate; EDPB 1/2024 consultation calls for contextual analysis and an effective right to object.
  4. Underestimating extra‑EEA transfers: nearshore outside the EEA or a global data lake equals a Chapter V transfer; without DPF, BCRs or SCCs + TIAs, regulatory exposure is high (see CNPD’s notion of transfer).
  5. “Product‑centric” notices: notices must identify group recipients, describe actual purposes, and explain rights for non‑users (Arts. 12–14 GDPR; EDPB Transparency guidance).

Official sources

Need hands‑on support to structure your GDPR file and LIAs? Consider an outsourced DPO to secure your decisions and documentation.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.

LUXGAP NEWSLETTER

Get our analyses the moment they drop.

GDPR, NIS 2, AI expertise articles, plus invitations to free webinars + trainings at Luxgap. 1 to 2 emails per week max, one-click unsubscribe.

Your data is never shared. GDPR-compliant (we're DPOs after all).

A question on this topic?

Our team usually replies within one business day. Configure your quote or write to us.

Build my quote →