CE - 461093

From GDPRhub
Revision as of 09:22, 14 February 2024 by Nzm (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=France |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=CE |Court_Original_Name=Conseil d'Etat |Court_English_Name=Supreme Administrative Court |Court_With_Country=CE (France) |Case_Number_Name=461093 |ECLI= |Original_Source_Name_1=Légifrance |Original_Source_Link_1=https://www.legifrance.gouv.fr/ceta/id/CETATEXT000049084997?juridiction=CONSEIL_ETAT&juridiction=COURS_APPEL&page=1&pageSize=10&query=2016%252F679&searchFie...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CE - 461093
Courts logo1.png
Court: CE (France)
Jurisdiction: France
Relevant Law: Article 9(2)(d) GDPR
Article 17(1) GDPR
Article 21 GDPR
Decided: 02.02.2024
Published:
Parties: Association diocésaine d'Angers
National Case Number/Name: 461093
European Case Law Identifier:
Appeal from: CNIL
Appeal to:
Original Language(s): French
Original Source: Légifrance (in French)
Initial Contributor: nzm

The French Supreme Administrative Court rejected the data subject’s appeal regarding his right to erasure and objection of personal data concerning him contained in the baptism register of a religious association.

English Summary

Facts

On 15 February 2020, a data subject lodged a complaint with the French DPA (“CNIL”) regarding the refusal by the Diocesan association of Angers to grant his request for access to personal data concerning him contained in the baptism register of Angers’ diocese and to exercise his right to erasure and to object the processing of his personal data.

After noting that the access request had been granted by the controller, the CNIL considered that (i) the data subject could not rely on any of the grounds for deletion mentioned in Article 17(1) GDPR and (ii) the insertion in the margin of the register of a statement indicating that the data subject did not recognize the value of his baptism could be regarded as satisfying the exercise of his right to object under Article 21(1) GDPR. Therefore, in a letter dated 2 December 2021, the CNIL informed the data subject of their decision to close the complaint. The data subject appealed this decision asking the French Supreme Administrative court (“Conseil d’Etat”) to annul it.

Holding

Firstly, regarding the lawfulness pf the processing in itself, data revealing a person’s religious beliefs is, by virtue of Article 9 GDPR, sensitive data whose processing is, in principle, prohibited. By way of exception, the processing of such data is authorized, in particular under Article 9(2)(d) if it is carried out, in the context of their legitimate activities and subject to appropriate safeguards, by an association pursuing a religious aim, provided that the processing relates to members, former members or persons having regular contact with it.

The Conseil d’Etat noted that the baptism registers kept by the Catholic Church are intended to keep a record of every event. This personal data was only accessible to the persons concerned and the registers were kept in a closed place before being deposited in the diocese’s historical archives for a period of 120 years.

The Conseil d’Etat therefore considered that the mention of personal data in the baptismal register, relating to the civil status, filiation and contact details of the person baptised, which is justified by the very purpose of that document, did not constitute unlawful processing in the light of the provisions of Article 9(2)(d) of the GDPR and that the retention of the data thus collected for a period ending only after the death of the data subject is necessary in the light of the purposes of that processing.

Secondly, regarding the right to erasure, Article 17(1) states that this right may only be exercised if: (a) the personal data is no longer necessary in relation to the purposes for which they are processed; (b) if the processing is based on consent and the data subject withdraws their consent; (c) if the data subject objects to the processing under Article 21(1) GDPR and there is no overriding legitimate reason for the processing which prevails over the interests, rights and freedoms of the data subject; (d) if the data has been unlawfully processed; (e) if the personal data has to be erased in compliance with a legal obligation; (f) if the personal data has been collected in relation to the offer of information society services.

The Conseil d’Etat noted that baptism, which is the condition required to access marriage in particular, can only be received once in a person’s life according to the Catholic faith and the internal organization of this cult. This requirement could be impeded by the definitive erasure of the baptism record in the event that the person concerned, having obtained this erasure, wished to rejoin the Christian community and in particular to marry religiously.

The Conseil d’Etat also stated that a request for deletion of such data under Article 17(1)(a) or 17(1)(d) cannot be granted. Furthermore, the Conseil d’Etat indicated that since the processing is not based on consent under Article 6(1)(a) GDPR, the deletion cannot be granted on the basis of Article 17(1)(b) relating to the withdrawal of consent.

The Conseil d’Etat added that from the combined provisions of Article 17(1)(c) and Article 21(1) GDPR, keeping the personal data relating to baptism contained in the register must be regarded as a compelling legitimate reason which prevails over the moral interests of the data subject in requesting that this data be definitively erased having regard to (i) the purpose of the register of baptisms and the conditions under which they may be consulted and (ii) the option open to any person baptized to have a note in the register stating their decision to renounce any link with the catholic religion.

The Conseil d’Etat considered that the CNIL sufficiently reasoned its decision by considering that none of the grounds for deletion provided for in Article 17(1) GDPR were applicable.

Finally, the Conseil d’Etat also confirmed the CNIL’s decision in considering that the exercise of the right to object under Article 21 GDPR could be satisfied by the addition of a note in the margin of that register expressing the data subject’s wish to renounce any link with the Catholic Church.

The Conseil d’Etat therefore rejected the data subject’s appeal.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Full Text

FRENCH REPUBLIC
IN THE NAME OF THE FRENCH PEOPLE

Considering the following procedure:

By a request and two reply briefs, registered on February 3, 2022, May 9, 2023 and January 12, 2024 at the litigation secretariat of the Council of State, Mr. A... B... asks the Council of State:

1°) to annul for abuse of power the decision of December 2, 2021 by which the president of the National Commission for Information Technology and Liberties (CNIL) closed her complaint relating to the mention of personal data personnel concerning him contained in the baptism register of the diocese of Angers;

2°) to order the president of the CNIL to give formal notice, within one month, to the person responsible for the baptism register of the diocese of Angers to erase the data concerning him from this register;

3°) to charge the CNIL the sum of 3,000 euros under article L. 761-1 of the administrative justice code.

Considering the other documents in the file;

Seen :
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016;
- Law No. 78-17 of January 6, 1978;
- the administrative justice code;

After hearing in public session:

- the report of Mr. Philippe Bachschmidt, master of requests for extraordinary service,

- the conclusions of Mr. Laurent Domingo, public rapporteur;

The floor having been given, after the conclusions, to SCP Foussard, Froger, lawyer for Mr. B..., and to SARL Matuchansky, Poupot, Valdelièvre, Rameix, lawyer for the diocesan association of Angers;

Considering the following:

1. It appears from the documents in the file that Mr. B... filed a complaint with the National Commission for Information Technology and Liberties (CNIL) on February 15, 2020 relating to the refusal by the diocesan association of Angers to grant his request for access to personal data concerning him appearing in the baptism register of the diocese of Angers, as well as the exercise of his right to erasure and opposition to the processing of this data. By a letter dated December 2, 2021, the president of the CNIL informed him of her decision to close his complaint. Mr. B... asks the Council of State to annul this decision for abuse of power and to order the CNIL to order the erasure of personal data concerning him appearing in the baptism register of the diocese of Angers.

On the legal framework applicable to the dispute:

2. Under the terms of I of article 8 of the law of January 6, 1978 relating to data processing, files and freedoms: "The National Commission for Data Processing and Freedoms is an independent administrative authority. It is the national supervisory authority within the meaning and for the application of Regulation (EU) 2016/679 of April 27, 2016. It carries out the following missions: / (...) 2° It ensures that the processing of personal data personal data are implemented in accordance with the provisions of this law and other provisions relating to the protection of personal data provided for by legislative and regulatory texts, European Union law and France's international commitments. As such: / (...) d) It handles complaints, petitions and complaints lodged by a data subject or by a body, organization or association, examines or investigates the subject of the complaint, to the extent necessary, and informs the author of the complaint of the progress and outcome of the investigation within a reasonable time, in particular if further investigation or coordination with another supervisory authority is necessary (...) ".

3. It follows from the provisions mentioned in point 2 that it is up to the CNIL to proceed, when it receives a complaint or a claim relating to the implementation of its powers, to examine the facts who are at the origin and to decide on the follow-up to be given to them. To this end, it has a broad power of appreciation and may take into account the seriousness of the alleged breaches with regard to the legislation or regulations that it is responsible for enforcing, the seriousness of the evidence relating to these facts, the date on which they were committed, the context in which they were committed and, more generally, all the general interests for which it is responsible. The author of a complaint may refer the CNIL's refusal to respond to it to the judge for abuse of power. It is up to the judge to censure it, if necessary, for reasons of external illegality and, on the grounds of the merits of the decision, in the event of an error of fact or of law, of a manifest error of appreciation or misuse of power. However, when the author of the complaint relies on the lack of awareness by a data controller of the rights guaranteed by law with regard to personal data concerning him, in particular the rights of access, rectification, erasure , limitation and opposition mentioned in articles 49, 50, 51, 53 and 56 of the law of January 6, 1978, which refer respectively to articles 15, 16, 17, 18 and 21 of Regulation (EU) 2016/679 of April 27, 2016 relating to the protection of personal data and repealing Directive 95/46/EC (GDPR), the discretionary power of the CNIL to decide on the action to be taken is exercised, having regard to the nature of the individual right in question, under the full control of the judge of excess of power.

4. Article 4 of the law of January 6, 1978 relating to data processing, files and freedoms provides that: "Personal data must be: / 1° Processed lawfully, fairly and, for processing covered by Title II, transparent with regard to the person concerned; / 2° Collected for specific, explicit and legitimate purposes, and not to be subsequently processed in a manner incompatible with these purposes. However, subsequent processing of data for archival purposes in the public interest, scientific or historical research purposes, or statistical purposes is considered compatible with the original purposes of the data collection, if it is carried out in compliance with the provisions of Regulation (EU ) 2016/679 of April 27, 2016 and this law, applicable to such processing and if it is not used to make decisions with regard to the persons concerned; / 3° Adequate, relevant and, with regard to the purposes for which they are processed, limited to what is necessary or, for processing under Titles III and IV, not excessive; / 4° Accurate and, if necessary, kept up to date. All reasonable measures must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; 5° Kept in a form allowing the identification of the persons concerned for a period not exceeding that necessary for the purposes for which they are processed. However, personal data may be retained beyond this period to the extent that they are processed exclusively for archival purposes in the public interest, for scientific or historical research purposes, or for statistical purposes. The choice of data kept for archival purposes in the public interest is made under the conditions provided for in Article L. 212-3 of the Heritage Code; / 6° Processed in such a way as to ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, or access by persons unauthorized, using appropriate technical or organizational measures". Data which reveals the religious beliefs of a person are, under article 6 of the law of January 6, 1978 and article 9 of the GDPR , sensitive data whose processing is, in principle, prohibited. As an exception, their processing is authorized in particular, under d) of paragraph 2 of the latter article, if it "is carried out, within the framework of their legitimate activities and subject to appropriate guarantees, by a foundation, an association or any other non-profit organization pursuing a political, philosophical, religious or trade union purpose, provided that said processing relates exclusively to members or former members of said organization or to persons maintaining regular contact with it in connection with its purposes and that personal data are not communicated outside this organization without the consent of the persons concerned.

5. Paragraph 1 of Article 6 of the GDPR provides that: “Processing is lawful only if and to the extent that at least one of the following conditions is met: a) The data subject has consented to the processing of their personal data for one or more specific purposes / (...) f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or freedoms and fundamental rights of the data subject which require protection of personal data, in particular when the data subject is a child. According to paragraph 1 of Article 17: "The data subject has the right to obtain from the controller the erasure, as soon as possible, of personal data concerning him or her and the controller has the obligation to erase such personal data as soon as possible, when one of the following reasons applies: / a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed manner; / (b) the data subject withdraws consent on which the processing is based, in accordance with point (a) of Article 6(1) or point (a) of Article 9(2) and there is no other legal ground for the processing; / c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); / d) the personal data have been the subject of unlawful processing; (...) ". Under paragraph 1 of Article 21: "The data subject has the right to object at any time, for reasons relating to his or her particular situation, to processing of personal data concerning based on Article 6(1)(e) or (f), including profiling based on these provisions. The controller shall no longer process the personal data, unless he or she demonstrates compelling legitimate grounds for the processing which override the interests and rights and freedoms of the data subject, or for the establishment, exercise or defense of legal rights.

On the conclusions of the request:

6. To close Mr. B...'s complaint, the CNIL, after noting that the interested party's request for access to the information appearing in the baptism register of the diocese of Angers had been satisfied, considered, on the one hand, that he could not rely on any of the grounds for erasure mentioned in paragraph 1 of article 17 of the GDPR and, on the other hand, that the affixing in the margin of the register of a mention according to which Mr. B... did not recognize the value of his baptism could be considered as satisfying the exercise of his right of opposition based on paragraph 1 of article 21 of the GDPR.

7. Firstly, it appears from the documents in the file that the baptism registers kept by the Catholic Church are intended to preserve the trace of an event which, for it, constitutes entry into the Christian community. Baptism, which is the condition required by the Catholic Church to access marriage in particular, can only be received, according to the Catholic faith and the internal organization specific to this cult, once in a person's life. , a requirement which could be hindered by the definitive erasure of the baptismal registration in the event that the person concerned, after having obtained this erasure, wishes to reintegrate the Christian community and in particular to marry religiously. The baptized person who intends to assert his or her desire to renounce any link with the Catholic religion can obtain an entry to this effect in the baptismal register. It also appears from the documents in the file that the baptism registers kept by the Catholic Church are non-dematerialized documents, the data of which is only accessible to those interested for the mentions which concern them, as well as to ministers of religion and to persons working under their authority, for the sole purpose of monitoring the religious journey of baptized persons and the possible establishment of subsequent acts within the framework of the administration of Catholic worship. This data is not accessible to third parties and the registers are kept in a closed place, before, at the end of a period of 120 years, being added to the historical archives of the diocese.

8. It follows from the above that the mention of personal data in the baptism register, relating to the civil status, filiation and contact details of the person baptized, which finds its justification in the very subject of this document , does not constitute unlawful processing with regard to the provisions of d) of paragraph 2 of Article 9 of the GDPR and that the retention of the data thus collected for a period ending only after the death of the person concerned is necessary with regard to the purposes of this processing. A request for erasure of this data cannot therefore be granted on the basis of the provisions of a) or d) of paragraph 1 of Article 17 of the GDPR. Furthermore, since the mention of these personal data in the baptism register is not based on the consent of the person baptized within the meaning of a) of paragraph 1 of Article 6 of this regulation, cited in point 5 , concept included in a) of paragraph 2 of Article 9 of the same text, a request for erasure of this data cannot be granted on the basis of the provisions of b) of paragraph 1 of Article 17 of the GDPR relating to the withdrawal of consent.

9. If it follows from the combined provisions of paragraph 1 (c) of Article 17 and those of paragraph 1 of Article 21 of the GDPR that the data subject has the right to obtain from the controller the erasure of personal data concerning them when they object to the processing for reasons relating to their particular situation, and there is no overriding legitimate reason for the processing which takes precedence over their interests and their rights and freedoms, The interest attached, for the Catholic Church, to the conservation of personal data relating to baptism appearing in the register, must be considered as a compelling legitimate reason, prevailing over the moral interest of the applicant in requesting that this data be definitively erased, having regard, on the one hand, to the purpose of the baptismal register and the conditions under which it can be consulted, as set out in point 7, as well as, on the other hand, to the option open to any baptized person to have an entry placed in the register stating their decision to renounce all links with the Catholic religion.

10. It follows from the above that the CNIL, whose decision is sufficiently reasoned, did not taint its decision with an error of law or an error of assessment by considering that none of the reasons for erasure provided for by paragraph 1 of article 17 of the GDPR did not apply. Furthermore, if it cited, in the reasons for its decision, case law of the judicial judge prior to the entry into force of the GDPR, it cannot be considered as having considered itself bound by it, since whereas, as has been indicated, it was on the basis of the provisions of the GDPR that it examined the erasure request made by Mr. B....

11. Secondly, the CNIL did not taint its decision with an error of law or an error of assessment by considering that the exercise of the right of opposition provided for by Article 21 of the GDPR could be satisfied , having regard to the nature of the baptismal register kept by the Catholic Church, by the addition of a note, in the margin of this register, expressing the desire of the person concerned to renounce any link with the Catholic Church.

12. It follows from all of the above that Mr. B... is not justified in requesting the annulment of the decision of December 2, 2021 by which the president of the CNIL closed his complaint. Its conclusions presented under article L. 761-1 of the administrative justice code can, therefore, only be rejected.

DECIDED :
--------------
Article 1: Mr. B...'s request is rejected.
Article 2: This decision will be notified to Mr. A... B..., to the diocesan association of Angers and to the National Commission for Information Technology and Liberties.

Deliberated at the end of the meeting of January 17, 2024 at which sat: Mr. Rémy Schwartz, deputy president of the litigation section, presiding; Mr. Bertrand Dacosta, Ms. Anne Egerszegi, presidents of chambers; Mr. Olivier Yeznikian, Ms. Rozen Noguellou, Mr. Nicolas Polge, Mr. Vincent Daumas, Mr. Didier Ribes, State Councilors, and Mr. Philippe Bachschmidt, master of requests in extraordinary service-rapporteur.

Returned on February 2, 2024.

President :
Signed: Mr. Rémy Schwartz
The rapporteur :
Signed: Mr. Philippe Bachschmidt
The Secretary :
Signed: Ms. Chloé-Claudia Sediang

ECLI:FR:CECHR:2024:461093.20240202