CE - 474625: Difference between revisions
m (→Facts) |
mNo edit summary |
||
Line 66: | Line 66: | ||
}} | }} | ||
The Supreme Administrative Court found that a DPA’s order to reply to an access request is a sufficient corrective measure under Article 58(2) GDPR. However, if a data subject does not get a reply from the controller within 6 weeks, it can file a second complaint and the DPA’s discretion will be limited. | |||
== English Summary == | == English Summary == | ||
Line 78: | Line 78: | ||
=== Holding === | === Holding === | ||
The Conseil d’Etat considered that with regard to [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037822923 Article 8] and [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000045072444 20 of "Loi Informatique et Libertés"] it is the CNIL’s responsibility to examine the facts giving rise to a complaint and to decide on the action to be taken. The Conseil d’Etat added that the | The Conseil d’Etat considered that with regard to [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037822923 Article 8] and [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000045072444 20 of "Loi Informatique et Libertés"] it is the CNIL’s responsibility to examine the facts giving rise to a complaint and to decide on the action to be taken. The Conseil d’Etat added that the data subject may refer to the CNIL’s refusal to act with the administrative judge (juge de l’excès de pouvoir). It is then up to the judge to review the CNIL’s refusal, where appropriate. However, if the data subject alleges that a controller has disregarded the rights regarding personal data, guaranteed by law to the data subject with regard to personal data concerning them the CNIL's discretionary power to decide what action to take is exercised under the full control of the juge de l'excès de pouvoir. | ||
The Conseil d’Etat ruled that it was clear from the documents that the CNIL did not vitiate its decision to close the complaint as (i) the DPA reminded the controller of its legal obligation by asking the controller to comply with the request and (ii) they invited the data subject to submit a new complaint to the CNIL if the controller failed to comply with the request within 6 | The Conseil d’Etat ruled that it was clear from the documents that the CNIL did not vitiate its decision to close the complaint as (i) the DPA reminded the controller of its legal obligation by asking the controller to comply with the request and (ii) they invited the data subject to submit a new complaint to the CNIL if the controller failed to comply with the request within 6 weeks. | ||
The Conseil d’Etat therefore rejected the appeal against the CNIL decision. | The Conseil d’Etat therefore rejected the appeal against the CNIL decision. |
Revision as of 13:56, 6 March 2024
CE - 474625 | |
---|---|
Court: | CE (France) |
Jurisdiction: | France |
Relevant Law: | Article 17 GDPR Article 20 Loi Informatique et Libertés Article 8 Loi Informatique et Libertés |
Decided: | 14.02.2024 |
Published: | |
Parties: | Societe.com |
National Case Number/Name: | 474625 |
European Case Law Identifier: | ECLI:FR:CECHS:2024:474625.20240214 |
Appeal from: | CNIL |
Appeal to: | |
Original Language(s): | French |
Original Source: | Légifrance (in French) |
Initial Contributor: | nzm |
The Supreme Administrative Court found that a DPA’s order to reply to an access request is a sufficient corrective measure under Article 58(2) GDPR. However, if a data subject does not get a reply from the controller within 6 weeks, it can file a second complaint and the DPA’s discretion will be limited.
English Summary
Facts
On 10 April 2023, a data subject sent an erasure request to Societe.com (“controller”). The controller failed to respond to the request, therefore the data subject lodged a complaint with the French DPA (“CNIL”).
The CNIL reminded the company of its legal obligations, in particular by asking the controller to provide a response to the request, and therefore closed the data subject’s complaint and invited the data subject to submit a new complaint to the CNIL in 6 weeks if the controller failed to reply to this request.
The data subject sought the annulment of this decision with the French Supreme Administrative Court (“Conseil d’Etat”).
Holding
The Conseil d’Etat considered that with regard to Article 8 and 20 of "Loi Informatique et Libertés" it is the CNIL’s responsibility to examine the facts giving rise to a complaint and to decide on the action to be taken. The Conseil d’Etat added that the data subject may refer to the CNIL’s refusal to act with the administrative judge (juge de l’excès de pouvoir). It is then up to the judge to review the CNIL’s refusal, where appropriate. However, if the data subject alleges that a controller has disregarded the rights regarding personal data, guaranteed by law to the data subject with regard to personal data concerning them the CNIL's discretionary power to decide what action to take is exercised under the full control of the juge de l'excès de pouvoir.
The Conseil d’Etat ruled that it was clear from the documents that the CNIL did not vitiate its decision to close the complaint as (i) the DPA reminded the controller of its legal obligation by asking the controller to comply with the request and (ii) they invited the data subject to submit a new complaint to the CNIL if the controller failed to comply with the request within 6 weeks.
The Conseil d’Etat therefore rejected the appeal against the CNIL decision.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Full Text FRENCH REPUBLIC IN THE NAME OF THE FRENCH PEOPLE Considering the following procedure: By a request registered on May 30, 2023 at the litigation secretariat of the Council of State, Mr. B... C... asks the Council of State: 1°) to annul for abuse of power the decision by which the National Commission for Information Technology and Liberties (CNIL), on May 25, 2023, declared the closure of its complaint against the company Societe.com relating to the deletion personal data concerning him; 2°) to order the CNIL to take all appropriate measures to implement the right to delete personal data concerning him, accessible online on the societe.com website. Considering the other documents in the file; Seen : - Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016; - Law No. 78-17 of January 6, 1978; - the administrative justice code; After hearing in public session: - the report of Mr. Emmanuel Weicheldinger, master of requests for extraordinary service, - the conclusions of Ms. Esther de Moustier, public rapporteur; Considering the following: 1. It appears from the documents in the file that, on April 10, 2023, Mr. C... sent the company Societe.com a request to erase personal data concerning him, accessible online. On May 17, 2023, Mr. C... filed a complaint with the National Commission for Information Technology and Liberties (CNIL) due to the lack of response from the company Societe.com to his request. On May 25, 2023, the CNIL indicated to Mr. C... that it had reminded the company of its legal obligations, in particular by asking him to provide a response to his request, that he would have the possibility of contacting the CNIL again. , after the expiration of a period of six weeks, in the event that the company has not complied with its obligations, and has therefore taken a decision to close its complaint. Mr. C... requests the annulment of this decision. 2. Firstly, Article 17 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of these data (known as GDPR) provides that: "1. The data subject has the right to obtain from the data controller the erasure, as soon as possible, of personal data concerning him or her and the data controller has the "obligation to erase these personal data as soon as possible when one of the following reasons applies (...). ". Article 51 of the law of January 6, 1978 relating to data processing, files and freedoms provides that: "I. The right to erasure is exercised under the conditions provided for in article 17 of the regulation (EU ) 2016/679 of April 27, 2016. / (...) In the event of non-execution of the erasure of personal data or in the event of no response from the data controller within a period of one month to From the date of the request, the person concerned may contact the National Commission for Information Technology and Freedoms, which will rule on this request within three weeks from the date of receipt of the complaint. 3. Secondly, under the terms of article 8 of the law of January 6, 1978: "I.- The National Commission for Information Technology and Liberties is an independent administrative authority. It is the national supervisory authority in meaning and for the application of Regulation (EU) 2016/679 of April 27, 2016. It carries out the following missions:/ (...) 2° It ensures that the processing of personal data is implemented in accordance with to the provisions of this law and other provisions relating to the protection of personal data provided for by legislative and regulatory texts, European Union law and France's international commitments. As such:/ (...) d) It handles complaints, petitions and complaints lodged by a data subject or by a body, organization or association, examines or investigates the subject matter of the complaint, to the extent necessary, and informs the author of the complaint of the progress and outcome of the investigation (...)". 4. Thirdly, under the terms of article 20 of the same law: "II.- When the data controller or its subcontractor does not respect the obligations resulting from regulation (EU) 2016/679 of April 27, 2016 or this law, the president of the National Commission for Information Technology and Freedoms may remind him of his legal obligations or, if the breach noted is likely to be subject to compliance, pronounce on him a formal notice, within the deadline it sets: 1° To satisfy the requests presented by the data subject with a view to exercising their rights; 2° To bring the processing operations into compliance with the applicable provisions; 3° A with the exception of processing which concerns state security or defence, to communicate to the data subject a violation of personal data; 4° To rectify or erase personal data, or to limit the processing of these data. In the case provided for in 4° of this II, the president may, under the same conditions, give formal notice to the data controller or its subcontractor to notify the recipients of the data of the measures it has taken. The president may request that compliance be justified within a deadline he sets. (...) ". 5. It follows from the provisions mentioned in points 3 and 4 that it is up to the CNIL to proceed, when it receives a complaint or a claim relating to the implementation of its powers, to the examination of the facts which are at the origin and to decide on the follow-up to be given to them. To this end, it has a broad power of appreciation and may take into account the seriousness of the alleged breaches with regard to the legislation or regulations that it is responsible for enforcing, the seriousness of the evidence relating to these facts, the date on which they were committed, the context in which they were committed and, more generally, all the general interests for which it is responsible. The author of a complaint may refer the CNIL's refusal to respond to it to the judge for abuse of power. It is up to the judge to censure it, if necessary, for reasons of external illegality and, on the grounds of the merits of the decision, in the event of an error of fact or of law, of a manifest error of appreciation or misuse of power. However, when the author of the complaint relies on the lack of awareness by a data controller of the rights guaranteed by law to the data subject with regard to personal data concerning him or her, in particular the rights of access, rectification , erasure, limitation and opposition mentioned in articles 49, 50, 51, 53 and 56 of the law of January 6, 1978 relating to data processing, files and freedoms, the discretionary power of the CNIL to decide on the follow-up to be taken is exercised, having regard to the nature of the individual right in question, under the entire control of the judge of excess of power. 6. It appears from the documents in the file that, as stated in point 1, the CNIL, upon receipt of Mr. C...'s complaint, decided to remind the company Societe.com of its legal obligations by asking it to comply with these, while inviting Mr. C..., in the event that the company does not respond to this request within six weeks, to submit a new complaint to the CNIL. In doing so, in the circumstances of this case, it did not taint its decision to close the complaint with an error of assessment. 7. It follows from all of the above that the applicant is not justified in requesting the annulment of the decision he is impugning. Its conclusions for the purpose of an injunction can, therefore, only be rejected. DECIDED : -------------- Article 1: Mr. C...'s request is rejected. Article 2: This decision will be notified to Mr. B... C.... A copy will be sent to the National Commission for Information Technology and Liberties. Deliberated at the end of the session of January 11, 2024 where sat: Mr. Bertrand Dacosta, president of the chamber, presiding; Mr. Olivier Yeznikian, State Councilor and Mr. Emmanuel Weicheldinger, master of requests in extraordinary service-rapporteur. Returned on February 14, 2024. President : Signed: Mr. Bertrand Dacosta The rapporteur : Signed: Mr. Emmanuel Weiheldinger The Secretary : Signed: Ms. Sylvie Leporcq ECLI:FR:CECHS:2024:474625.20240214