CE - 490417
| CE - 490417 | |
|---|---|
| Court: | CE (France) |
| Jurisdiction: | France |
| Relevant Law: | Article 9 GDPR; Article 17 GDPR; Article 21 GDPR; Article L.114-5 French Code of relations between public and administration; Article L.114-6 French Code of relations between public and administration |
| Decided: | 27.01.2025 |
| Published: | 27.01.2025 |
| Parties: | French DPA; a data subject |
| National Case Number/Name: | 490417 |
| European Case Law Identifier: | FR:CECHR:2025:490417.20250127 |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | French |
| Original Source: | LégiFrance (in French) |
| Initial Contributor: | claratab |
The CE upheld the legality of the DPA’s decision to close the request of a data subject who had not exercised their rights with the controller in the first place. The CE also affirmed that a DPA is not competent to exclude evidence from the debate in court proceedings.
English Summary
Facts
During a trial involving a data subject, their medical report was presented to the court.
The data subject lodged a request with the DPA on 7 June 2023.
The DPA closed their request in a decision of 24 October 2023. The DPA noted that it does not have to substitute itself for the data subject in the first exercise of their rights with the controller. Moreover, the DPA declared itself not competent to examine the relevance to the dispute of the personal information involved.
On 22 December 2023, the data subject lodged a complaint with the CE. The CE rendered its decision on 27 January 2025.
Holding
By rejecting the data subject’s complaint, the CE confirmed the legality of the DPA’s decision to close the data subject’s request. The CE noted that, without a first exercise of the rights with the controller, the data subject’s request to the DPA has no object, so the DPA was justified in closing the request.
The CE also pointed out that an administration has the obligation to invite the data subject to regularize their request if it is defective in form or procedure, or if it is incomplete (Article L.114-5 and Article L.114-6 French Code of relations between public and administration). As the absence of an object is not a formal or procedural defect, Articles L.114-5 and L.114-6 of the French Code of relations between public and administration are not applicable, and the DPA had no obligation to invite the data subject to regularize their request.
Additionally, the CE recalled that the legal ground for a processing operation can be the exercise or defense of a right in a court of law. The CE underlined that this legal ground is an exception to the exercise of the rights to erasure (Article 17 GDPR) and to object (Article 21 GDPR), and to the prohibition on processing health-related data under Article 9 GDPR.
After recalling these legal provisions, the CE clarified the distribution of roles between the DPA and judges when personal information is produced in court proceedings. The CE indicated that the DPA is not competent to consider the relevance to the dispute of the processed information, and confirmed the judge’s exclusive role in assessing evidence in terms of relevance or fairness.
Comment
By qualifying the request as “without object”, the CE excludes the obligation for the DPA to invite the data subject to regularize their request. This qualification is consistent with the aim of a complaint to the DPA, which is to enforce respect for data subjects’ rights and compliance with the rules by controllers.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
FRENCH REPUBLIC

IN THE NAME OF THE FRENCH PEOPLE

Having regard to the following procedure:

By a summary application, a supplementary brief and a reply brief, registered on 22 December 2023 and 22 March and 23 September 2024 at the litigation secretariat of the Council of State, Ms B... D... asks the Council of State:

1°) to annul for abuse of power the decisions of 24 October 2023 by which the National Commission for Information Technology and Civil Liberties (CNIL) closed her complaints against Doctors G... F... and C... E... for the use of personal data concerning her health;

2°) to issue against Doctors F... and E... the injunctions that she requested the CNIL to issue;

3°) in the alternative, to refer a preliminary question to the Court of Justice of the European Union on the interpretation of Article 77 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;

4°) in the alternative, to order the CNIL to follow up on its complaints;

5°) to order the CNIL to pay the sum of EUR 5,000 under Article L. 761-1 of the Code of Administrative Justice.

Having regard to the other documents in the case file;

Having regard to:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
- the Code of Relations between the Public and the Administration;
- Law No. 78-17 of 6 January 1978;
- Decree No. 2019-536 of May 29, 2019;
- the Code of Administrative Justice;

After hearing in public session:
- the report of Mr. Philippe Bachschmidt, Master of Requests in Extraordinary Service,
- the conclusions of Mr. Frédéric Puigserver, Public Rapporteur;

The floor having been given, after the conclusions, to SAS Boulloche, Colin, Stoclet et associés, lawyer of Mrs. D...;

Having regard to the note under deliberation, registered on 10 January 2025, submitted by Ms D...

Considering the following:

1. By two complaints filed with the National Commission for Information Technology and Civil Liberties (CNIL) on 7 June 2023, Ms D... requested the Commission to order Doctors F... and E..., whom she accuses of having carried out a medical assessment at the request of the insurer with whom she is in dispute following an accident of which she was the victim, to delete all personal data concerning her health that they received from the insurer and retained, pursuant to Article 17 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (known as GDPR), to interrupt all processing of this data, pursuant to Article 21 of this regulation, and to remove the reports they established from this data from the insurer's hands as well as from the legal proceedings to which they were submitted. By two decisions of 24 October 2023, the CNIL closed these complaints, considered to be manifestly unfounded, holding that it did not have to replace the persons concerned by processing in the exercise of their rights guaranteed in particular by the law of 6 January 1978 relating to information technology, files and freedoms and that it was up to them to exercise them beforehand with the data controller before referring to it the difficulties encountered in exercising them. It added that it was not authorized to control or assess the relevance of medical information communicated as evidence in the context of a legal debate. Ms D... requests the annulment of these decisions for abuse of power.

2. First, paragraph 1 of Article 17 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) provides that the "data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay" and lists the grounds that should in principle lead to this. Paragraph 3 of this article, however, provides that paragraph 1 does not apply, in particular, "to the extent that the processing is necessary for the establishment, exercise or defence of legal claims". According to Article 51(1) of the Law of 6 January 1978: "The right to erasure is exercised under the conditions set out in Article 17 of Regulation (EU) 2016/679 of 27 April 2016". According to II of the same article: "In the event of non-execution of the erasure of personal data or in the event of no response from the data controller within one month of the request, the data subject may refer the matter to the National Commission for Information Technology and Civil Liberties (...)".

3. For its part, Article 21 of the GDPR provides that: "1. The data subject has the right to object at any time, for reasons relating to his or her particular situation, to processing of personal data concerning him or her based on Article 6, paragraph 1, point (e) or (f), including profiling based on these provisions. The data controller shall no longer process the personal data unless he or she demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims". According to Article 56 of the law of 6 January 1978: "The right to object is exercised under the conditions provided for in Article 21 of Regulation (EU) 2016/679 of 27 April 2016". According to Article 113 of the decree of 29 May 2019 taken for the application of Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms: "The person who intends to object to the processing of personal data in the field of health concerning them may express their refusal by any means to either the data controller or the establishment or health professional holding this data, except in the case provided for in II of Article R. 1461-9 of the Public Health Code".

4. When a person intends to exercise, with regard to the processing of personal data concerning them, the rights guaranteed by the GDPR and the law of 6 January 1978, in particular the rights of access, rectification, erasure, limitation and opposition mentioned in Articles 49, 50, 51, 53 and 56 of this law, it is up to them, as follows from the provisions on which these rights are based, to address their request to the data controller to whom the obligations defined by these provisions fall, prior to a possible referral to the CNIL, responsible, pursuant to 2° of I of Article 8 of the same law, for handling claims, petitions and complaints filed by a data subject. In the absence of such prior referral to the data controller, the CNIL may declare the complaint addressed to it directly closed.

5. In this case, if Ms. D... produces an email from her lawyer dated 19 March 2021 recalling that she intended to assert her right to respect for medical confidentiality during exchanges between parties to a legal dispute and a summons dated 3 February 2022 sent by bailiff to Dr. F... so that he would withdraw a medical report from ongoing legal proceedings, it does not appear from the documents in the case file that she would have justified having, on the basis of the GDPR or the law of 6 January 1978, sent to Drs. F... and E..., responsible for the disputed processing of her health data, a request for their deletion, nor having asserted with them her right to object to their processing. The CNIL was, therefore, entitled to close the complaints that Ms. D... sent to it directly without first having notified the data controllers of her requests.

6. If Ms D... claims that the CNIL should have invited her to regularise her complaints by contacting the data controllers, she cannot usefully rely on the provisions of Article L. 114-5 of the Code of Relations between the Public and the Administration, according to which "When a request addressed to the administration is incomplete, the latter shall inform the applicant of the missing documents and information required by the legislative and regulatory texts in force. It shall set a deadline for the receipt of these documents and information", since her complaints were not closed due to their incomplete nature. Nor can it usefully invoke the provisions of Article L. 114-6 of the Code of Relations between the Public and the Administration, which provide that "When a request addressed to an administration is affected by a procedural or formal defect preventing its examination and this defect is likely to be covered within the legal time limits, the administration invites the author of the request to regularize it by indicating the time limit for this regularization, the formalities or procedures to be respected as well as the legal and regulatory provisions which provide for them", the failure to first refer the matter to the data controllers having the consequence not of tainting the complaints with a simple procedural or formal defect within the meaning of these provisions, but of depriving them of their purpose.

7. Secondly, under Article 9 of the GDPR: "1. (...) the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. / 2. Paragraph 1 shall not apply if one of the following conditions is met: (...) / f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; / (...)". It follows from these provisions, as well as those cited in points 2 and 3, that personal data concerning health may be processed, without being hindered by a request for erasure or a request to object to processing, when such processing is necessary for the establishment, exercise or defence of legal claims.

8. Having thus recalled the terms and scope of Articles 9, 17 and 21 of the GDPR and having stated that it is up to the judge, in accordance with the Code of Civil Procedure, to ensure that fairness is respected in the administration of evidence and the proceedings before him, it is without illegality that the CNIL stated that it was not up to it to assess the relevance of medical information communicated as evidence in the context of legal proceedings.

9. It follows from the above that the CNIL was right to hold that the applicant's complaints were manifestly unfounded and to close them. It follows that, without there being any need to refer the matter to the Court of Justice of the European Union in the absence, in any event, of reasonable doubt as to the interpretation of European Union law, the applicant is not entitled to request the annulment for abuse of power of the decisions she is contesting. Her applications must therefore be dismissed, including their conclusions presented under the provisions of Article L. 761-1 of the Code of Administrative Justice.

10. There is no reason, in the circumstances of the case, to charge Mrs. D... with the sum that Doctor F... is requesting under Article L. 761-1 of the Code of Administrative Justice.

D E C I D E S:

Article 1: Mrs. D...'s application is dismissed.

Article 2: The conclusions presented by Doctor F... under Article L. 761-1 of the Code of Administrative Justice are dismissed.

Article 3: This decision will be notified to Mrs. B... D..., Doctor G... F..., Doctor C... E... and the National Commission for Information Technology and Civil Liberties.

ECLI:FR:CECHR:2025:490417.20250127