CE - 473254: Difference between revisions

From GDPRhub
Latest revision as of 09:21, 23 February 2024

CE - 473254
Court: CE (France)
Jurisdiction: France
Relevant Law: Article 31 GDPR
Article 58(1)(a) GDPR
Decided: 30.01.2024
Published:
Parties:
National Case Number/Name: 473254
European Case Law Identifier: ECLI:FR:CECHR:2024:473254.20240130
Appeal from: CNIL (France)
Appeal to:
Original Language(s): French
Original Source: Légifrance (in French)
Initial Contributor: nzm

The French Supreme Administrative Court rejected a controller's appeal regarding a €10,000 fine imposed by the French DPA for failing to cooperate under Article 31 GDPR.

English Summary

Facts

A data subject lodged a complaint with the French DPA (“CNIL”) regarding workplace video surveillance on the controller’s premises. The CNIL led an investigation on 21 June 2022. During the investigation, the person in charge of the premises did not object to it; however, the manager then instructed that person not to sign the inspection report and did not respond to phone calls and messages sent to him by the agents of the CNIL. The controller did not reply to requests for information and documents, nor to reminders sent by the DPA. On 2 December 2022, the CNIL sent a report proposing to impose an administrative fine and an injunction to provide the information requested, to which no response was received. In a letter dated 22 December 2022, the controller’s lawyer submitted observations and communicated only part of the information and documents requested.

The CNIL imposed a €10,000 fine on 8 February 2023 for not cooperating with the DPA. The CNIL also asked that the controller provide the documents requested and provide detailed answers to the questions asked, subject to a penalty of €50 per day of delay at the end of the period of one month following the notification of this decision.

The controller asked the French Supreme Administrative Court (“Conseil d’Etat”) to annul this decision.

Holding

Firstly, pursuant to Article 58(1)(a) GDPR, a supervisory authority may order the controller to provide it with any information and personal data it requires to do its duties. Furthermore, Article 31 GDPR states that the controller must cooperate with the supervisory authority. The Conseil d’Etat considered that the controller did not provide the CNIL with the documents and information requested on the video surveillance systems installed on its business premises, thereby depriving the CNIL of the means necessary to verify the controller’s compliance with the GDPR.

Secondly, the Conseil d’Etat also considered that the documents the controller produced were insufficient to enable the compliance of its video surveillance system with the GDPR to be assessed. Therefore, the plea alleging that insufficient reasons were given for the penalty was rejected by the Conseil d’Etat.

Lastly, the Conseil d’Etat noted that to impose a €10,000 fine, the CNIL took into consideration the controller’s failure to cooperate, its deliberate nature and the fact that they prevented the CNIL from verifying that the video surveillance system installed complied with the GDPR. Therefore, the Conseil d’Etat indicated that the CNIL did not impose a disproportionate fine on the company.

The application for annulment was thus dismissed by the Conseil d’Etat.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Full Text

FRENCH REPUBLIC
IN THE NAME OF THE FRENCH PEOPLE

Given the following procedure:

By a summary request and a supplementary brief, registered on April 13 and July 13, 2023 at the litigation secretariat of the Council of State, the company LHA Développement requests the Council of State:

1°) to annul decision no. SANPS-2023-004 of February 8, 2023 by which the president of the restricted formation of the National Commission for Information Technology and Liberties (CNIL) imposed on it an administrative fine of 10,000 euros and ordered it to communicate to the CNIL the documents requested in the inspection report as well as in the reminder letter and to provide detailed answers to the questions asked in these documents, subject to a penalty of 50 euros per day of delay at the end of a period of one month following notification of this decision;

2°) to charge the National Commission for Information Technology and Liberties the sum of 4,000 euros under article L. 761-1 of the administrative justice code.

Considering the other documents in the file;

Having regard to:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016;
- Law No. 78-17 of January 6, 1978;
- Decree No. 2019-536 of May 29, 2019;
- the administrative justice code;

After hearing in public session:

- the report of Mr. Emmanuel Weicheldinger, master of requests for extraordinary service,

- the conclusions of Mr. Laurent Domingo, public rapporteur;

The floor having been given, after the conclusions, to SCP Gury et Maître, lawyer for the LHA Développement Company;

Considering the following:

1. It results from the investigation that a control delegation from the National Commission for Information Technology and Liberties (CNIL) carried out, on June 21, 2022, an inspection within the business operated by the company LHA Développement in a shopping center located in Pessac, following a complaint from an employee regarding the video surveillance system installed on its premises. By a decision of February 8, 2023, the president of the restricted formation of the CNIL imposed an administrative fine of 10,000 euros on the company for failure to fulfill its obligation of cooperation and ordered it to communicate to the CNIL the documents requested in the control report and in the reminder letter as well as to provide detailed answers to the questions asked in these documents, subject to a penalty of 50 euros per day of delay after a period of one month following notification of this decision. The company LHA Développement requests the annulment of this decision.

2. Firstly, it follows from the investigation that the CNIL informed the public prosecutor before the on-site inspection was carried out in the establishment of the applicant company, in accordance with the provisions of Article 25 of the decree of May 29, 2019 taken for the application of the law of January 6, 1978 relating to computing, files and freedoms. The plea according to which the contested decision was made following an irregular procedure therefore lacks any factual basis.

3. Secondly, the contested decision of the CNIL both mentions the elements leading to the finding of a breach of the obligation of cooperation and specifies that the documents produced by the applicant company following notification of the sanction report remained insufficient to enable the conformity of the video surveillance system to be assessed with the regulation of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of data, known as the GDPR. It follows that the argument based on the insufficiently justified nature of the sanction must be rejected.

4. Thirdly, on the one hand, by virtue of the provisions of a) and e) of paragraph 1 of Article 58 of the GDPR, the CNIL may, by virtue of its investigative powers, "order the controller and the processor, and, where applicable, the representative of the controller or the processor, to communicate to it any information it needs for the accomplishment of its missions" and "obtain from the controller and the processor access to all personal data and all information necessary for the accomplishment of its missions". Likewise, the provisions of III of article 19 of the law of January 6, 1978 relating to data processing, files and freedoms provide that: "For the exercise of the missions falling to the National Commission for Information Technology and Liberties in application of Regulation (EU) 2016/679 of April 27, 2016 and this law, the members and agents mentioned in the first paragraph of I of this article may request communication of all documents necessary for the accomplishment of their mission, whatever the medium, and take a copy. They may collect, in particular on site or upon summons, any information and any justification useful and necessary for the accomplishment of their mission. They may access, under conditions preserving confidentiality with regard to third parties, computer programs and data, as well as request their transcription by any appropriate processing into documents directly usable for the purposes of control. Secrecy cannot be invoked against them except concerning the information covered by the professional secrecy applicable to the relations between a lawyer and his client, by the confidentiality of the sources of journalistic processing or, subject to the second paragraph of this III, by medical confidentiality."
On the other hand, under the terms of Article 31 of the GDPR: "The controller and the processor as well as, where applicable, their representatives cooperate with the supervisory authority, at the latter's request, in the execution of its missions." Likewise, according to article 18 of the law of January 6, 1978: "The (...) managers of public or private companies, (...) and more generally the holders or users of processing operations or files of personal data cannot oppose the action of the National Commission for Information Technology and Liberties or its members and must on the contrary take all useful measures to facilitate its task." It follows from all of these provisions that managers of private companies and data controllers have an obligation to cooperate with the CNIL. As such, and subject to the secrets mentioned in III of article 19 of the law of January 6, 1978, they must in particular respond diligently, within the deadlines set by the CNIL and for which they are likely to request an extension, to requests for communication of any information or document that the Commission sends to them, for the accomplishment of its mission, by virtue of its investigative powers.

5. It appears from the investigation that during the inspection on June 21, 2022, to which the manager of the premises did not object, the agents of the CNIL delegation were able to communicate by telephone with the manager, who was thus informed of the purpose of the checks and answered some of their questions. On the other hand, the latter then instructed the person in charge of the premises not to sign the inspection report and did not respond to the various calls and telephone messages sent to him by the agents of the delegation before they left the premises. Subsequently, the company did not respond to requests for communication, within eight days, of information and documents formulated in the inspection report, which was notified to it by registered letter with acknowledgment of receipt of June 24, 2022. It did not respond to the reminder letter of July 25, 2022. By registered letter with acknowledgment of receipt of December 2, 2022, the CNIL notified the applicant company of a report proposing to impose an administrative fine on it as well as an injunction under penalty to communicate the information requested in the report and in the reminder letter, which remained unanswered. It was only by a letter dated December 22, 2022 that the lawyer for the applicant company produced observations and communicated only part of the information and documents requested. It follows that since the company did not communicate to the CNIL the documents and information requested on the video surveillance system set up in its commercial premises, thus depriving the Commission of the means necessary to verify the compliance of the latter with the rules of the GDPR, the applicant is not justified in maintaining that the CNIL tainted its decision with an error of fact and an error of assessment by finding a breach of the obligation of cooperation provided for by Article 31 of the GDPR, cited in point 4.

6. Finally, under 7° of III of article 20 of the law of January 6, 1978, to which article 22-1 of the same law refers, to impose an administrative fine on a data controller who does not respect the obligations resulting from the GDPR, the president of the restricted formation of the CNIL takes into account the criteria specified in article 83 of this regulation, which provides that administrative fines imposed by the national supervisory authorities must, in each case, be “effective, proportionate and dissuasive”. To set the amount of the fine, which cannot exceed 20,000 euros within the framework of the implementation of article 22-1 of the law of January 6, 1978, the following must, in particular, be taken into consideration: "a) the nature, severity and duration of the violation, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered; / b) the fact that the violation was committed deliberately or negligently; / c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects; / d) the degree of liability of the controller or processor, taking into account the technical and organizational measures they have implemented pursuant to Articles 25 and 32; / e) any relevant violation previously committed by the controller or processor; / f) the degree of cooperation established with the supervisory authority with a view to remedying the violation and mitigating possible negative effects; / g) the categories of personal data affected by the violation; / h) the manner in which the supervisory authority became aware of the violation, in particular whether and to what extent the controller or processor notified the violation; / i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with these measures; / j) the application of codes of conduct approved pursuant to Article 40 or certification mechanisms approved pursuant to Article 42; and / k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation."

7. It follows from the investigation that in setting the amount of the administrative fine imposed on the applicant company at 10,000 euros, the president of the restricted body of the CNIL took into consideration the lack of cooperation of the applicant company as it emerges from the factual elements set out in point 5 of this decision, while taking into account the circumstance that a warning letter of September 13, 2021 had not been sent to the head office of the applicant company. Given the particularly prolonged nature of the company's lack of cooperation, its deliberate nature and the fact that it obstructed the verification by the CNIL services of the compliance with the GDPR of the video surveillance system put in place within the business operated by this company, the president of the restricted body of the CNIL did not impose a disproportionate fine by setting an amount of 10,000 euros.

8. It follows from all of the above that the applicant company is not justified in requesting the annulment of the decision it is contesting. Its request must therefore be rejected, including its conclusions under article L. 761-1 of the administrative justice code.

DECIDED :
--------------

Article 1: The request from the company LHA Développement is rejected.
Article 2: This decision will be notified to the company LHA Développement and to the National Commission for Information Technology and Liberties.

Deliberated at the end of the meeting of January 17, 2024 at which sat: Mr. Rémy Schwartz, deputy president of the litigation section, presiding; Mr. Bertrand Dacosta, Ms. Anne Egerszegi, presidents of chambers; Mr. Olivier Yeznikian, Ms. Rozen Noguellou, Mr. Nicolas Polge, Mr. Vincent Daumas, Mr. Didier Ribes, State Councilors and Mr. Emmanuel Weicheldinger, master of requests in extraordinary rapporteur service.

Returned on January 30, 2024.

President :
Signed: Mr. Rémy Schwartz

The rapporteur :
Signed: Mr. Emmanuel Weicheldinger

The Secretary :
Signed: Ms. Chloé-Claudia Sediang

ECLI:FR:CECHR:2024:473254.20240130