CE - 464445

From GDPRhub
CE - 464445
Courts logo1.png
Court: CE (France)
Jurisdiction: France
Relevant Law: Article 4(7) GDPR
Article 16 GDPR
Article 56 GDPR
Decided: 04.05.2023
Published: 04.05.2023
Parties: CNIL
National Case Number/Name: 464445
European Case Law Identifier: ECLI:FR:CECHR:2023:464445.20230504
Appeal from:
Appeal to: Unknown
Original Language(s): French
Original Source: Conseil d'État (in French)
Initial Contributor: Mgrd

The Conseil d'Etat dismissed an appeal for understanding that CNIL was correct in closing the Data Subject complaint since Irish DPA is the Supervisory Authority with competence to deal with the cross-border case, based on Article 56(2) GDPR.

English Summary

Facts

On March 27, 2018 the Data Subject filed a complaint on CNIL againt Euronext group, specifically addressing the handling of her personal data by the Irish Stock Exchange, her employer, a subsidiary of Euronext.

On March 28, 2022, the case was closed by CNIL because the Authority understood that the Irish Data Protection Authority is the one competente for addressing the issue, since the Data Subject employer, the Irish Stock Exchange, is a company located in Ireland. In addition, the Data subject and personal data processed was limited to this location.

Dissatisfied with this outcome, the Data Subject sought annulment of the CNIL's decision for abuse of power and requested that the CNIL be instructed to sanction the companies involved.

Holding

The Conseil d'État rejected the Data Subject's request, upholding the CNIL’s decision to close the complaint.

The Court found that the CNIL correctly applied GDPR regulations, specifically Article 55 and Article 56, which dictate that in cross-border data processing situations, the Lead Supervisory Authority is generally that of the main establishment of the controller, unless the data processing is confined to a single member state and significantly affects individuals only in that state.

In this case, the CNIL determined that the relevant data processing was indeed cross-border, handled by a central office in France, but the complaint was specific to the Data Subject employment in Ireland, making the Irish Data Protection Authority solely competent to address it.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Council of State, 10th - 9th joint chambers, 04/05/2023, 464445
Council of State - 10th - 9th joint chambers
No. 464445
ECLI:FR:CECHR:2023:464445.20230504
Mentioned in the tables of the Lebon collection
Reading of Thursday, May 4, 2023
Rapporteur
Mr. Jean de L'Hermite
Public rapporteur
Ms. Esther de Moustier
Lawyer(s)
SCP PIWNICA, MOLINIE
Full text
FRENCH REPUBLIC
IN THE NAME OF THE FRENCH PEOPLE

Having regard to the following procedure:

By a request and three briefs, registered on May 27 and June 2, 2022 and January 14 and April 6, 2023 at the litigation secretariat of the Council of State, Ms. E... D... asks the Council of State:

1°) to annul for abuse of power the decision of the National Commission for Information Technology and Civil Liberties (CNIL) of March 28, 2022 deciding to close its complaint against the companies Irish Stock Exchange plc and Euronext;

2°) to order the CNIL to follow up on this complaint and sanction these companies.

Having regard to the other documents in the file;

Having regard to:
- Regulation (EU) No. 2016/679 of the European Parliament and of the Council of April 27, 2016;
- Law No. 78-17 of January 6, 1978;
- the Code of Administrative Justice;

Having heard in public session:

- the report of Mr. Jean de L'Hermite, State Councilor,

- the conclusions of Ms. Esther de Moustier, public rapporteur;

After the conclusions, the floor was given to SCP Piwnica, Molinié, lawyer for the companies Euronext Amsterdam, Euronext Paris and Euronext Dublin;

Considering the following:

1. Ms. D... filed a complaint with the National Commission for Information Technology and Civil Liberties (CNIL) against the companies of the Euronext group and relating to alleged breaches in the processing of personal data concerning her by the company Irish Stock Exchange of which she was an employee, and which was acquired by the company Euronext N.V, the parent company of the Euronext group, on March 27, 2018. By letter dated March 28, 2022, the President of the CNIL informed Ms. D... of the closure of her complaint. The latter requests that this decision be annulled for abuse of power.

2. On the one hand, pursuant to Article 4(7) of Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, known as the GDPR, the concept of "data controller" means "the natural or legal person (...) who, alone or jointly with others, determines the purposes and means of the processing (...)". Under the terms of point 16) of the same article, the term "main establishment" must be understood as "(a) in the case of a controller established in several Member States, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and that latter establishment has the power to enforce those decisions, in which case the establishment having taken such decisions shall be considered to be the main establishment (...)". 23) of the same Article 4 defines cross-border processing as "(a) processing of personal data which takes place in the Union in the context of the activities of establishments in several Member States of a controller or processor where the controller or processor is established in several Member States; or (b) processing of personal data which takes place in the Union in the context of the activities of a single establishment of a controller or processor but which substantially affects or is likely to substantially affect data subjects in several Member States".

3. On the other hand, under the terms of Article 51 of the GDPR: "Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons with regard to processing and to facilitate the free flow of personal data within the Union (hereinafter referred to as the "supervisory authority")". Pursuant to Article 55(1) of the same Regulation, each supervisory authority is competent to exercise the tasks and powers vested in it in accordance with this Regulation in the territory of the Member State to which it belongs. Article 56 of that Regulation provides that: "1. Without prejudice to Article 55, the supervisory authority of the main establishment or the single establishment of the controller or processor shall be competent to act as lead supervisory authority with regard to cross-border processing carried out by that controller or processor, in accordance with the procedure laid down in Article 60. / 2. By way of derogation from paragraph 1, each supervisory authority shall be competent to deal with a complaint lodged with it or a possible infringement of this Regulation, if its subject-matter concerns only an establishment in its Member State or significantly affects data subjects in that Member State only. / 3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority of the matter without delay. Within three weeks of being informed, the lead supervisory authority shall decide whether or not to deal with the case in accordance with the procedure laid down in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it. (...) ".

4. It is clear from the provisions cited in points 2 and 3 that, where cross-border processing of personal data carried out within the European Union is at issue, the supervisory authority of the main establishment in the Union of the controller is in principle competent, as lead authority, to monitor compliance with the requirements of the GDPR, subject to the case, provided for in paragraph 2 of Article 56 of that regulation, in which the subject matter of the complaint concerns only an establishment in the Member State to which another supervisory authority is subject or significantly affects data subjects in that Member State only. For the purpose of determining the lead authority, the central administration of the controller, that is to say the place where it is actually established, must in principle be regarded as its main establishment. The position is different if another of its establishments is competent to take decisions on the purposes and means of the processing and has the power to enforce them at Union level.

5. It is clear from the documents in the case that the human resources information system used by certain entities of the Euronext group, in particular by its subsidiary located in Dublin, is centrally managed by a department located in France, whose employees are authorized to consult and modify the data of employees of these entities. In this regard, the file shows in particular that operations relating to the applicant's data were recorded in this information system from 27 March 2018, the date of acquisition of the Irish Stock Exchange by Euronext N.V., that, on 12 April 2018, an employee of the Irish subsidiary entered into this system a set of personal data relating to the employees of the Irish subsidiary, in particular incorrectly stating the male gender of the applicant and that changes were subsequently made to the data by the department responsible for managing the information system in Paris, in particular the gender of the applicant, on 27 August 2018. The processing of personal data relating to the management of human resources of the entities of the Euronext group located abroad, including the operations relating to the applicant, takes place in the Union in the context of activities of establishments in several Member States of the Euronext N.V. group, the data controller established in several Member States, and is thus of a cross-border nature in the meaning of the GDPR. Since the Euronext group establishment located in France, which also employs the group's human resources manager, determines the purposes and means of this processing of personal data and has the power to apply them in the other establishments that are users of this same system, and must therefore be regarded as the main establishment of the Euronext group with regard to this processing, the CNIL is in principle competent to act as lead authority with regard to this cross-border processing.

6. However, the complaint lodged by Ms D... with the CNIL only concerns the implementation of the aforementioned processing of personal data with regard to her situation and her activity as an employee within the Irish Stock Exchange company and is not likely to affect data subjects in Member States other than Ireland. Consequently, and by way of derogation from the CNIL's competence as lead authority, which has not decided to exercise the power granted to it by paragraph 3 of Article 56 of the GDPR, the Irish supervisory authority, which was also contacted in parallel by Ms D..., has sole jurisdiction to deal with her complaint, on the basis of paragraph 2 of the same article.

7. It follows that Ms D... is not justified in arguing that by closing her complaint due to its lack of competence, the CNIL has disregarded this regulation. Consequently, Ms D...'s application must be dismissed, including her conclusions for an injunction.

D E C I D E S :
--------------

Article 1: The application of Mrs. D... is rejected.
Article 2: This decision will be notified to Mrs. E... D..., to the National Commission for Information Technology and Civil Liberties and to the companies Euronext Paris, Euronext Dublin and Euronext Amsterdam.

Deliberated at the end of the session of April 12, 2023, attended by: Mr. Jacques-Henri Stahl, Deputy President of the Litigation Section, presiding; Mr. Bertrand Dacosta, Mrs. Anne Egerszegi, Chamber Presidents; Mrs. Nathalie Escaut, Mr. Alexandre Lallet, Mr. Vincent Daumas, Mr. Didier Ribes, State Councilors; Mr. David Moreau, Master of Requests and Mr. Jean de L'Hermite, State Councilor-Rapporteur.

Delivered on May 4, 2023.
The President:
Signed: Mr. Jacques-Henri Stahl

The Rapporteur:
Signed: Mr. Jean de L'Hermite

The Secretary:
Signed: Ms. Claudine Ramalahanoharana

ECLI:FR:CECHR:2023:464445.20230504
Analysis
Abstracts
CETAT26-07-10 CIVIL AND INDIVIDUAL RIGHTS. - MONITORING COMPLIANCE WITH GDPR REQUIREMENTS IN THE EVENT OF CROSS-BORDER PROCESSING OF PERSONAL DATA WITHIN THE EU – 1) COMPETENT SUPERVISORY AUTHORITY – A) PRINCIPLE – AUTHORITY OF THE MAIN ESTABLISHMENT IN THE UNION OF THE CONTROLLER – B) EXCEPTION – AUTHORITY OF ANOTHER STATE, WHEN THE COMPLAINT CONCERNS ONLY AN ESTABLISHMENT OF THAT STATE OR SIGNIFICANTLY AFFECTS DATA SUBJECTS IN THAT STATE ONLY (2 OF ART. 56 OF THE GDPR) – 2) METHODS FOR DETERMINING THE MAIN ESTABLISHMENT – A) PRINCIPLE – LOCATION OF THE REAL SEAT – B) EXCEPTION – ESTABLISHMENT WITH DECISION-MAKING POWER AS TO THE PURPOSES AND MEANS OF PROCESSING [RJ1].
Summary
26-07-10 1) a) It is clear from 7, 16 and 23 of Article 4 of Regulation (EU) No 2016/679 of 27 April 2016 (GDPR) and from Articles 51, 55 and 56 thereof that, when cross-border processing of personal data carried out within the European Union (EU) is at issue, the supervisory authority of the main establishment in the Union of the controller is in principle competent, as lead authority, to monitor compliance with the requirements of the GDPR, b) subject to the case, provided for in paragraph 2 of Article 56 of that Regulation, in which the subject matter of the complaint concerns only an establishment in the Member State to which another supervisory authority is subject or significantly affects data subjects in that Member State only. ...2) (a) For the purpose of determining the lead authority, the central administration of the controller, i.e. the place of its actual headquarters, must in principle be regarded as its main establishment. ...(b) The position is different if another of its establishments is competent to take decisions on the purposes and means of processing and has the power to enforce them at Union level.
Case law references
[RJ1] Cf., specifying the case provided for in paragraph 2 of Article 56 of the GDPR, EC, 19 June 2020, Google LLC Company, No. 430810, p. 229.