TA Luxembourg - 45716: Difference between revisions
No edit summary |
No edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 64: | Line 64: | ||
}} | }} | ||
The Administrative Court of Luxembourg held that a data subject | The Administrative Court of Luxembourg held that a data subject whose data were erased by the controller lacked of standing to appeal a DPA decision. | ||
== English Summary == | == English Summary == | ||
Line 89: | Line 89: | ||
''noyb'' will appeal this decision. | ''noyb'' will appeal this decision. | ||
A positive point of this decision is that the Administrative Court declared itself competent to reverse/review the DPA decision and not only to annul it. | A positive point of this decision is that the Administrative Court declared itself competent to reverse/review the DPA decision and not only to annul it. However, it seems that in Luxemburg, a controller can avoid a DPA proceeding by simply erasing the data. | ||
== Further Resources == | == Further Resources == |
Latest revision as of 13:55, 10 May 2023
TA Luxembourg - 45716 | |
---|---|
Court: | TA Luxembourg (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 51 GDPR Article 78 GDPR Article 79 GDPR |
Decided: | 21.04.2023 |
Published: | 01.05.2023 |
Parties: | |
National Case Number/Name: | 45716 |
European Case Law Identifier: | LU:TADM:2023:45716 |
Appeal from: | CNPD (Luxembourg) |
Appeal to: | Unknown |
Original Language(s): | French |
Original Source: | CNPD (in French) |
Initial Contributor: | n/a |
The Administrative Court of Luxembourg held that a data subject whose data were erased by the controller lacked of standing to appeal a DPA decision.
English Summary
Facts
A data subject found that an American company (controller) had collected personal data about him and was marketing it on its website. On 5 April 2019, he contacted the controller, who replied the same day with a copy of his personal data and informed the data subject that it had deleted his personal data. Still on 5 April 2019, the data subject lodged a complaint with the Luxembourg DPA to have the controller act on his request in accordance with the GDPR.
After requesting the data subject to provide its correspondence with the controller, on 6 March 2020, the DPA informed the data subject that the controller was US based and that it would therefore be impossible to pursue his complaint. The data subject replied several times and asked among other things for clarification on the administrative procedure and in particular of the rules on investigations.
The DPA finally replied by letter that the opening of an investigation was not systematic whenever a controller is subject to a complaint. In this case, the DPA considered that it was not relevant to open an investigation since it had no means of action against a US based company.
On 1 March 2021, the data subject, represented by noyb, lodged an appeal with the administrative Court (hereafter the Court) requesting the reversal or cancellation of the DPA's letter. On the basis of Article 78 GDPR, the data subject considered that he had a standing in bringing the action.
Holding
The Court considered that both at the time of his complaint of 5 April 2019 and the lodging of the appeal, the data subject's data had already been deleted from the controller's website. Consequently, the court considered that the data subject did not prove that data processing was taking place when he lodged his appeal.
The Court also held that under Article 51 GDPR, the DPA is responsible for monitoring the application of the RGPD by controllers, "so that it is no longer called upon to intervene from the moment that any possible disregard of the RGPD by a controller has ceased". It considered that in this case, the data subject could therefore not rely on the GDPR to sanction a controller, except for an action for damages resulting from the violation of its rights.
The Court also noted that in order to obtain compensation for the damage resulting from the violation of the right to data protection, in accordance with Article 79 GDPR, it was not necessary to refer the matter to the DPA.
In conclusion, the appeal was declared inadmissible for lack of standing.
Comment
noyb will appeal this decision.
A positive point of this decision is that the Administrative Court declared itself competent to reverse/review the DPA decision and not only to annul it. However, it seems that in Luxemburg, a controller can avoid a DPA proceeding by simply erasing the data.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Administrative Court No. 45716 of the role of the Grand Duchy of Luxembourg ECLI:LU:TADM:2023:45716 4 bedroom Listed March 1, 2021 Public hearing of April 21, 2023 Appeal filed by the association under Austrian law ... – ..., …, against a courier from National Commission for Data Protection, Belvaux, in terms of data protection ___________________________________________________________________________ JUDGEMENT Having regard to the request entered under number 45716 of the roll and filed on March 1, 2021 at the registry of the administrative tribunal by Maître Catherine Warin, lawyer at the Court, registered at the table of the Luxembourg Bar Association, on behalf of the association under Austrian law ... – ..., established and having its registered office at AT-… (Austria), …, entered in the register Austrian Associations (Zentrales Vereinsregister) under number …, represented by its "Vorstandsvorsitzender" currently in office and appointed by Mr. ..., residing at L-…, said association taking up residence at the study of its litismandataire located at L-2763 Luxembourg, 10, rue Sainte Zithe, seeking the reversal, if not the annulment, of a decision thus qualified as of September 18, 2020 of the National Commission for the Protection of data (“CNPD”), a public establishment, registered in the register of commerce and companies of Luxembourg under number J52, established at L-4370 Belvaux, 15, boulevard du Jazz, represented by its college of Commissioners currently in office, informing Mr. ..., of his refusal to continue processing his complaint of July 8, 2020; Considering the exploit of the judicial officer Carlos Calvo, residing in Luxembourg, of March 4 2021, bearing service of the said request to the CNPD, prequalified; Having regard to the appointment of lawyer at the Court of Maître Elisabeth Guissart, lawyer at the Court, registered on the roll of the Luxembourg Bar Association, on behalf of and on behalf of the CNPD, prequalified, filed with the registry of the administrative court on March 16, 2021; Having regard to the memorandum in response filed at the registry of the administrative court on June 3, 2021 by Maître Elisabeth Guissart in the name and on behalf of the CNPD, prequalified; Having regard to the memorandum in reply filed at the registry of the administrative court on July 2, 2021 by Maître Catherine Warin in the name and on behalf of the association under Austrian law ... – ..., prequalified; Having regard to the memorandum in rejoinder filed at the registry of the administrative court on September 28 2021 by Maître Elisabeth Guissart in the name and on behalf of the CNPD, prequalified; Having regard to the documents submitted in question and in particular the act complained of; The judge-rapporteur heard in his report, as well as Maître Catherine Warin and Maître Elisabeth Guissart in their respective pleadings at the public hearing of November 8, 2022. 1____________________________________________________________________________ After finding that the company under American law ... had collected data from personal character on his person in order to market them on his website https://....co, Mr. ... contacted the said company on this subject on April 5, 2019 and was addressed by this last an email dated the same day to which a copy of his data was attached and informing him that the company ... had deleted his personal data from its databases. Also on April 5, 2019, Mr. ... lodged a complaint with the National Commission for Data Protection, hereinafter referred to as “the CNPD”, the asking to intervene with the company ... so that the latter responds to its request in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data personal character and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as “the GDPR”. By email of April 9, 2019, the CNPD asked Mr. ... to send it any correspondence with the controller of the company ..., including email containing his request for access and specific information, the automatic response to this request, as well as any correspondence subsequent to the introduction of his complaint, informing him, moreover, that the link on the company's website ... supposed containing his personal data would not seem to work. By e-mail of the same day, Mr. ... informed the CNPD that the company ... would seem to have canceled all of its data on their website following its contact with the latter, but that it would continue to collect and process the data of other European citizens. By email of March 6, 2020, the CNPD informed Mr. ..., after an initial examination of his complaint of April 5, 2019 and referring to recital number (166) of the GDPR, that taking into account the fact that the company ..., the data controller disputed, would be established in the United States and therefore outside the European Union, it would be impossible to pursue his complaint, whereas, while having the possibility of communicating with said company, the CNPD would not have the power to impose actions on it with a view to to improve its data protection practices, email to which Mr. replied on the same day. By email of March 17, 2020, the CNPD confirmed to him that it was impossible to continue his complaint, email to which Mr. ... replied by emails of the same day and March 28 and April 19 and 26, 2020, as well as by registered letter of May 4, 2020, to which the CNPD replied by email of May 25, 2020 while referring to his emails of March 6 and 17, 2020. By email of May 29, 2020, Mr. ... asked the CNPD to send him a decision signed in accordance with Articles 12 and 13 of its internal rules, which the CNPD refused by email of July 8, 2020. By letter dated August 10, 2020, Mr. ... contacted the CNPD again. By letter dated September 18, 2020, the CNPD informed Mr. ... of his impossibility to pursue his complaint of April 5, 2019 in the following terms: 2 “(…) Mr...., The National Data Protection Commission (hereinafter “CNPD”) returns to your email of July 8, 2020 relating to your complaint of April 5, 2019 against the Company .... Regarding your request for clarification of the reasons why the articles 9 of the regulations of the National Commission for Data Protection (CNPD) relating to the investigation procedure (hereinafter "Investigations Regulation") and 10 and 12 of the of Internal Order of the CNPD (hereinafter "ROI") are not applicable in the case case, we inform you that it appears from the provisions of the ROI that the investigation files and complaints fall under different procedures. The Investigations Regulation is only applicable to investigation files, and the articles 10 and 12 of the aforementioned ROI are only applicable to the sessions of deliberation of the CNPD, including deliberations relating to investigation files. In addition, although the processing of a complaint may result in the proposal and the opening of an investigation according to the procedures provided for in Article 2 of the Investigations Regulation, the opening of an investigation file following a complaint is not systematic. Indeed, when a complaint is submitted, the "complaints" service tries to resolve the issue raised without opening a formal investigation within the meaning of Articles 37 to 41 of the law of 1 August 2018 on the organization of the National Commission for the data protection and the general data protection regime (hereinafter: “Law of the August 1, 2018”). Most complaints can be resolved and closed from this manner, after the CNPD has intervened with the data controller concerned. When it turns out that the complaint file cannot be processed in this way, the College may decide to open an investigation. There are no legislative criteria that define when the CNPD must or must not open investigation. The CNPD is an independent supervisory authority that benefits from the principle of the “opportunity for action” (cf. Opinion of the Council of State of June 26, 2018, doc. parl. N° 7184/28). It may also refuse to follow up on a complaint that is manifestly unfounded. or excessive, in accordance with Article 57 (4) of the GDPR. In the case of your complaint, the opening of an investigation file does not appear relevant, because the CNPD has no means of action against a person responsible for the treatment established on the territory of the United States of America having no establishment on the territory of the European Union (EU) or not having designated a representative in the EU in pursuant to Article 27 of the GDPR. Indeed, in these cases, it is impossible for him to enforce the provisions of the GDPR on the territory of the United States of America. Considering that we have answered your questions, we consider that our intervention in part of your claim is now complete. (…)” er By motion filed with the administrative court on March 1, 2021, the legal association Austrian ... – ..., hereinafter referred to as "the association ...", mandated for this purpose by Mr. ...through a representation agreement signed on November 16, 2020, an appeal was brought 3tending to the reform if not the cancellation of the aforementioned letter from the CNPD of September 18 2020. In its memorandum in response, the CNPD first raises the lack of jurisdiction ratione matter of the administrative tribunal to hear the appeal lodged against the act referred, at the reason that this would not constitute a decision-making administrative act adversely affecting Mr. ... having, in this same order of ideas, no personal and present interest to act, then that the company ... would have deleted his personal data from its database and would have then stopped all processing of his data. In its brief in response, the association ... asserts first of all that the company ... reportedly put Mr....'s profile back online after deleting it. As regards Mr. ...'s cause of action, the association ... submits that the data collected by the company ... would indeed constitute personal data that the GDPR would like to protect. She then points out that Mr. ... would have had a personal interest in lodge a complaint relating to the processing of his personal data and would thus have also interest in taking action against the letter from the CNPD of September 18, 2020. The association ... considers, in this context and by referring to Article 78 of the GDPR, that Sir ... should not have to demonstrate the unfortunate consequences that the courier of the CNPD of September 18, 2020 would have caused him, while the simple fact that his fundamental right to the protection of his data would not have been respected would be sufficient to establish his interest in taking action. She then specifies that Mr. ...'s interest in acting would be both personal and direct effective, born, current and legitimate, whereas the act referred would concern him directly in that it relate to his complaint lodged with the CNPD, said complaint relating to the violation of his fundamental rights which the CNPD would refuse to investigate. It further argues that despite the fact that all of the personal data of Mr.... would have been suppressed by the company..., the violation of the fundamental right of this the latter would be an unfortunate consequence, whereas otherwise it would suffice for a manager to processing to erase the disputed data so that “the problem disappears”. However, the right of access would constitute the cornerstone of the rights of individuals, so that without access full to their data and to the information that surrounds the processing of these, it would be impossible to exercise all the other rights provided for by the GDPR, as would be recalled also the Belgian data protection authority in its decision no. 15/2021. The association ... considers, moreover, that Mr. ... would have an interest in acting, whereas a judgment by the administrative tribunal would allow it to then seek liability both of the perpetrators of these violations before the civil courts and the CNPD. As to the legitimate nature of Mr. ...'s interest in acting, the association ... specifies although it would not matter if this one would have been worried about not being the only particular concerned by the practice of the company ... and that it would not be relevant that he would have introduced several complaints against several entities with the CNPD. Before any progress in question, the court notes that, following the repeal of the directive 95/46/EC of the European Parliament and of the Council of 24 October 1994 on the protection of natural persons with regard to the processing of personal data and to the free 4circulation of these data, hereinafter referred to as “Directive 95/46/EC”, the organization of er the CNPD results from the law of August 1, 2018 on the organization of the National Commission for data protection and the general data protection regime, referred to below. afterwards by “the law of August 1, 2018”, adopted on the basis of the GDPR, so that the question of the applicability or not of the GDPR to the merits of this case does not have any consequence in with regard to the jurisdiction of the court of this court to hear decisions adopted by the CNPD. Indeed, the GDPR, a community regulation by essence of direct application under of Article 288 of the Treaty on the Functioning of the European Union, hereinafter referred to as “the TFEU”, provides in its article 51 for the creation of supervisory authorities in the Member States members, and therefore constitutes the framework legislation, to which the law of 1 August 2018, on the basis of which the CNPD was organized, so that the provisions of the GDPR relating to the organization, mission and decisions of the CNPD are, in any case, applicable. er It must then be noted that under the terms of article 55 of the law of August 1, 2018 "A appeal against the decisions of the CNPD taken pursuant to this law is open before the Administrative Tribunal which rules as judge of the merits. ", said provision not distinguishing the type of CNPD decisions subject to appeal and therefore including a a priori any decision emanating from the latter on the condition of grievance. It follows that the court has jurisdiction to hear the appeal for reversal introduced as the main. There is therefore no need to rule on the subsidiary action for annulment. The admissibility of an appeal is conditioned by the existence of an act likely to grievance and having produced that effect on the person of the plaintiff. However, to justify an interest in to act, one must be able to rely on the injury of a personal interest in the sense that the reversal or annulment of the contested act confers on the plaintiff certain satisfaction and personal. It is therefore important that the interest be not impersonal and general but personal. 2 In this case, it must be noted that it is constant, so as not to be contested by the association ... that both at the time of Mr. ...'s complaint of April 5, 2019 addressed to the CNPD, that at the time of the introduction of the appeal under analysis, the personal data of it had been deleted from the company's website ..., being, moreover, noted, that it does not appear from any document tendered to the debates that the processing of the data of Mr ... by the company ... would still be relevant, the copy of a profile entitled "...'s Email" not being undated and without any source reference. The association thus remains in default of prove a treatment, both at the time of the introduction of the appeal under analysis, and at the time data of Mr. ... by the company ..., so that Mr. ... cannot be assert an interest in acting because of the processing of his data by the said company at the time the introduction of his appeal involving a violation of his rights under the GDPR. This observation is not upset by the developments of the association ... according to which the prior processing of the personal data of Mr. ... by the company ... would constitute a violation of its rights provided for in the GDPR, whereas the role of the CNPD consists, in 1Trib. adm. October 22, 2007, No. 22489 of the list, No. adm. 2022, V° Contentious procedure, n° 12 and the others references cited therein. 2Trib. adm. November 7, 2016, No. 36132 of the list, No. adm. 2022, V° Contentious procedure, n° 14 and the others references cited therein. 5application of Article 51, paragraph (1) of the GDPR and Article 4 of the law of 1 August 2018 monitoring the application of the GDPR by data controllers, so that it is no longer called upon to intervene from the moment when a possible ignorance of the GDPR by a data controller has ceased, which, in the absence of evidence to the contrary, must be retained in this case. It must also be noted that Mr. ... cannot draw from the GDPR a personal right to have a data controller sanctioned outside of an action for compensation for damage resulting from a violation of his rights, a right expressly provided for by the GDPR. This observation is also not irritated by the developments of the association ... with respect to the interest of Mr. ... to have the decision referred amended or annulled in order to allow him to sue the company ... under Article 82 of the GDPR. Indeed, he results from Article 79, entitled “Right to an effective judicial remedy against a person responsible for processing or a processor”, paragraph (1) of the GDPR that “Without prejudice to any administrative or extrajudicial remedy available to him, including the right to lodge a complaint to a supervisory authority under Article 77, each person concerned has the right to an effective judicial remedy if he considers that the rights conferred by this Regulation have been infringed by the processing of his personal data personnel carried out in violation of this Regulation”. Thus, compensation for damage resulting, where applicable, from a violation of the rights to the protection of personal data of a person concerned is neither conditioned by a prior referral to the competent supervisory authority, such as the CNPD, or by a decision of the latter sanctioning such violation, respectively by a court decision relating thereto, of so that this argument is in fact lacking. Regarding the request for the allocation of procedural compensation made by the applicant, which fails to specify the nature of the sums exposed and not included in the costs and does not specify in what way it would be unfair to leave these costs at his expense is at reject, the mere reference to the article of the applicable law not being sufficient in this respect. For these reasons, the administrative court, fourth chamber, ruling contradictorily; declares itself competent to hear the main appeal for reversal; declares the main appeal for reform inadmissible, therefore rejects it; holds that there is no need to rule on the subsidiary action for annulment; rejects the request for the allocation of procedural compensation made by the association ... – ...; orders the association ... – ... to pay the costs and expenses of the proceedings. Thus judged and pronounced at the public hearing of April 21, 2023 by: Paul Nourrissier, vice-president, Emilie Da Cruz De Sousa, judge, 6Laura Urbany, judge, in the presence of the clerk Marc Warken. sr Marc Warken sr Paul Nourrissier Reproduction certified true to the original Luxembourg, April 21, 2023 The clerk of the administrative court 7