Cour Administrative - 48964C
From GDPRhub
| Cour Administrative - 48964C | |
|---|---|
 | |
| Court: | Cour Administrative (Luxembourg) |
| Jurisdiction: | Luxembourg |
| Relevant Law: | Article 77(2) GDPR Article 78(2) GDPR Article 55 National Data Protection Law |
| Decided: | 28.11.2023 |
| Published: | |
| Parties: | |
| National Case Number/Name: | 48964C |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | French |
| Original Source: | Cour Administrative (in French) |
| Initial Contributor: | ar |
The Luxembourgish Administrative Court decided that the complainant’s appeal of a DPA’s non-decision was admissible as Articles 77 and 78 GDPR were applicable and sent back the judgement to the Administrative Tribunal since the Tribunal was wrong to declare inadmissible the complainant’s appeal.
English Summary
Facts
A data subject having found that an American company had collected his personal data in order to publish it on its website, contacted it requesting for more information on the matter. On the same day, the data subject received an e-mail with a copy of the data, informing him that the company had deleted his personal data from its databases. Thus, the data subject filed a complaint with the Luxembourgish DPA requesting it to intervene and ask the controller responds to his request in accordance with the GDPR. Although the company had informed the data subject that it had deleted his profile from its website, it had at no time indicated whether, how, for how long and for what purposes it had stored the data subject’s personal data in its own databases or to which companies it had communicated that data.
Thus, on 18 July 2019, the DPA wrote to the company requesting information on the contact information of the company’s representative in the EU designated under Article 27 GDPR. To which the company replied to not consider itself the controller of the data since their users are the controller and are responsible for ensuring that they individually adhere to data protection laws and regulations such as GDPR. In light of this reply, the DPA informed the data subject that because of this, it would not have the power to impose sanctions on the controller.
By e-mail dated 29 May 2020, the data subject asked the DPA to send him a signed decision stating it could not, in accordance with Articles 12 and 13 of its internal rules of procedure, issue a decision. To which the DPA replied by e-mail on 8 July 2020. And on 18 September 2020 it reiterated to be unable to pursue the claim. Thus, on 1 March 2021, the data subject filed a complaint with the Administrative Tribunal.
The Tribunal noted that the personal data in question had been deleted from the company's website and that the complainant’s lawyer failed to prove that his data had been processed by the company both at the time the action under analysis was brought, as well as in that moment. Therefore, the court concluded that the complainant could not rely on an interest in bringing an action as a result of the company's unlawful processing of his data under GDPR, at the time his action was brought. Therefore, on 21 April 2023, the complainant lodged an appeal of the Tribunal’s decision to the Administrative Court.
Holding
The Administrative Court found the appeal admissible and declared itself competent to hear the complainant’s action for judicial review.
The Court pointed out that it is undisputable that the contested decision of the DPA allowed for Articles 77 and 78 GDPR to be applicable, which provide for a right to an effective judicial remedy against a decision of a supervisory authority. As also corroborated by Article 55 of the National Data Protection Law, as it does not distinguish between the types of decisions of the DPA.
In this context, the Court also noted that the DPA’s email of 8 July 2020 referred to Articles 77(2) and 78(2) GDPR and that the DPA's website states that if people are not satisfied with the action taken by the DPA, they are entitled to take the matter to court. In view of the foregoing, the Court concluded that the DPA's letter of 18 September 2020 constitutes a decision liable to give rise to a complaint.
The Court also noted that considering the extent and duration of the processing of the complainant's personal data by the company, it is clear from the complainant’s initial request to the DPA was not simply for the company to stop using his personal data, the extent of which remains unclear, but rather to order the company to comply with Article 27 GDPR and to give effect to his right of access on the basis of Article 15 GDPR, respectively to continue processing its complaint and, in the event of refusal of a right of access, to establish that there has been a breach of the GDPR and, if necessary, to take corrective action within the meaning of Article 58 GDPR.
Thus, the Administrative Court overturned the Administrative Tribunal’s judgment since the Tribunal was wrong to declare inadmissible the complainant’s appeal and sent back the case to the Administrative Tribunal for hearing.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
GRAND DUCHY OF LUXEMBOURG
ADMINISTRATIVE COURT
Roll number: 48964C
ECLI:LU:CADM:2023:48964
Registered on May 23, 2023
Public hearing of November 28, 2023
Appeal filed by
(A) – ....., ..... (AT),
against a judgment of the administrative court
of April 21, 2023 (No. 45716 of the roll)
having ruled on his appeal against a letter
of the National Commission for Data Protection, Belvaux,
regarding data protection
Having regard to the request for appeal registered under number 48964C of the role and filed with the Registry of the Court
administrative on May 23, 2023 by Maître Catherine WARIN, lawyer at the Court, entered in the table
of the Order of Lawyers in Luxembourg, in the name of (A) – ....., established and having its head office at AT-
… ..... (Austria), …., …, registered in the Austrian register of associations (Zentrales
Vereinsregister) under the number …., represented by its “Vorstandsvorsitzender” currently
in office, mandated by Mr. (B), residing at L-… …, …, …, directed against a judgment
of the administrative court of the Grand Duchy of Luxembourg of April 21, 2023 (no. 45716 of the roll) by
which the said court declared inadmissible its appeal seeking the reformation of a “decision”
of September 18, 2020 of the National Commission for Data Protection (“CNPD”),
informing Mr. (B) of his refusal to continue processing his complaint of April 5, 2019
and reiterated on August 10, 2020;
Considering the exploit of the bailiff Laura GEIGER, residing in Luxembourg and registered
near the district court of and in Luxembourg, of May 26, 2023 serving notice of
this request for appeal to the CNPD, a public establishment, registered in the trade and commerce register
Luxembourg companies under number J52, established at L-4370 Belvaux, 15, boulevard du Jazz,
represented by its college of commissioners currently in office;
Having regard to the response filed at the registry of the Administrative Court on June 22, 2023 by Maître
Elisabeth GUISSART, lawyer at the Court, registered on the roll of the Luxembourg Bar Association,
in the name and on behalf of the CNPD, prequalified;
Having regard to the reply filed at the registry of the Administrative Court on September 21, 2023 by
Maître Catherine WARIN on behalf of the appellant;
1Having regard to the rejoinder filed at the registry of the Administrative Court on October 20, 2023 by
Maître Elisabeth GUISSART in the name and on behalf of the CNPD, prequalified;
Considering the documents submitted in question and in particular the judgment appealed from;
The rapporteur heard his report as well as Maîtres Catherine WARIN and Elisabeth
GUISSART in their respective pleadings at the public hearing on November 7, 2023.
After noting that the American company (D) LLC, hereinafter “the company (D)”, had
collected personal data about him in order to publish them on his website
“https://(D).co”, Mr. (B) contacted the said company on this subject on April 5, 2019 and saw himself
send by the latter an email dated the same day to which a copy of their data was
attached and informing him that the company (D) had deleted the personal data on
regarding its databases.
Also on April 5, 2019, Mr. (B) filed a complaint with the
National Commission for Data Protection, hereinafter “the CNPD”, requesting it to intervene
to the company (D) so that the latter can respond to its request in accordance with the
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and
the free movement of these data, and repealing Directive 95/46/EC (general regulation on the
data protection), hereinafter referred to as “the GDPR”.
By email of April 9, 2019, the CNPD asked Mr. (B) to send it any correspondence
with the company's data controller (D), in particular the email containing his request
access and specific information, the automatic response to this request, as well as any
possible correspondence subsequent to the submission of his complaint, informing him, moreover,
that the link on the company's website (D) supposed to contain his personal data does not
doesn't seem to work.
By email of the same day, Mr. (B) informed the CNPD that the company (D) seemed to have
deleted all of his data on their website following his contact with this
last, but that it would continue to collect and process the data of other citizens
Europeans.
On July 18, 2019, the CNPD sent a letter and email to the company (D), noting
in particular that:
“(…) We therefore understand that Article 3(2) of the GDPR applies to processing
activities performed by (D).
Considering the circumstances, the CNPD would like to know the contact details of the
(D)’s representative in the European Union designated pursuant to Article 27 GDPR or, should
there be none, the contact details of the relevant point of contact by (D) for data protection
2concerns raised by data protection authorities, in order to process further the abovementioned
“complaint”.
Email dated July 24, 2019, the company (D)informed the CNPD not having designated a representative
in the European Union under Article 27 of the GDPR, while considering that “(…) please note
that (D) is not the controller of the data on our site. Our users are the controller and therefore are
responsible for ensuring that they individually adhere to data protection laws and regulations such
as GDPR”.
By email of March 6, 2020, the CNPD informed Mr. (B) that “the company (D) has informed us
communicated that it considers that it is the users of its services, and not itself, who
are the data controllers with regard to personal data
processed on its website”, (…) “that the company (D) is a company located in the United States
of America not having a representative in the Union within the meaning of Article 27 of the Regulation
General Data Protection Regulation (GDPR)” and that, although she would not share the point of
view of society (D) (“we are indeed of the opinion that this society is indeed to be considered as
data controller for the processing of personal data carried out on its
website"), it would be impossible for him to pursue his claim, whereas, while having the
possibility of communicating with said company, the CNPD would not have the power to do so
impose actions to improve its data protection practices.
Mr. (B) responded by email of the same day, wondering “that the CNPD will not take
of actions? ".
By email of March 17, 2020, the CNPD confirmed to him that it was impossible to continue his
complaint, email to which Mr. (B) responded by emails of the same day and March 28, 19
and April 26, 2020, as well as by registered letter of May 4, 2020, to which the CNPD responded
by email of May 25, 2020 while referring to his emails of March 6 and 17, 2020.
By email of May 29, 2020, Mr. (B) asked the CNPD to send him a signed decision
in accordance with articles 12 and 13 of its internal regulations (“ROI”), email to which
the CNPD responded by email of July 8, 2020.
By registered letter of August 10, 2020, Mr. (B) again contacted the CNPD in the following terms:
following:
“(…) Man teilte mir mit, dass die CNPD entschieden hat (D) nicht zu verfolgen
obwohl man mir im Sinne der Beschwerde [R]echt gibt. Dies wohlgemerkt nachdem
die CNPD sich mit der Firma ausgetauscht hat. Auf Nachfrage teil[t]e man mir mit,
dass dies keine official „Entscheidung der CNPD sei“ and man sich deshalb auch
nicht an da[s] ROI der CNPD zu halten hätte.
We can see that the CNPD is the third entity that does not belong to it.
Unternehmen vorzugehen. Dies aber nicht officiell als „Entscheidung“ wertet?
We are among those who are part of the communi- zation and disk systems above.
behauptet es sei noch keine „Investigation“ laut ROI gewesen? ".
3By letter dated September 18, 2020, the CNPD informed Mr. (B) of its inability to
continue its complaint of April 5, 2019 in the following terms:
“(…) Mr. (B),
The National Commission for Data Protection (hereinafter “CNPD”) is responsible for
your email of July 8, 2020 relating to your complaint of April 5, 2019 against the company
(D).
Regarding your request for clarification on the reasons why the
articles 9 of the regulation of the National Commission for Data Protection (CNPD) relating to
to the investigation procedure (hereinafter “Investigation Regulations”) and 10 and 12 of the Order Regulations
Interior of the CNPD (hereinafter “ROI”) are not applicable in the present case, we
inform that it appears from the provisions of the ROI that the files of investigations and complaints
involve different procedures.
The Investigation Regulations are only applicable to investigation files, and articles 10
and 12 of the aforementioned ROI are only applicable to CNPD deliberation sessions,
including deliberations relating to investigation files.
Furthermore, although the processing of a complaint may result in the proposal and
the opening of an investigation in accordance with the procedures provided for in article 2 of the Investigation Regulations,
the opening of an investigation file following a complaint is not systematic.
Indeed, when a complaint is submitted, the “complaints” service tries to
resolve the issue raised without opening a formal investigation within the meaning of articles 37 to 41
of the law of August 1, 2018 organizing the National Commission for the protection of
er
data and the general regime on data protection (hereinafter: “law of August 1, 2018”).
Most complaints can be resolved and closed in this manner, after the
CNPD has intervened with the data controller concerned. When it turns out that the
complaint file cannot be investigated in this way, the College may decide
to open an investigation.
There are no legislative criteria that define when the CNPD must or must not open a
investigation. The CNPD is an independent supervisory authority which benefits from the principle of
the “opportunity for action” (see Opinion of the Council of State of June 26, 2018, doc. parl. No. 7184/28). She
may also refuse to follow up on a complaint which is manifestly unfounded or
excessive, in accordance with Article 57 (4) of the GDPR.
In the case of your complaint, the opening of an investigation file does not appear
relevant, because the CNPD has no means of action against a person responsible for
treatment established in the territory of the United States of America not having an establishment in the
territory of the European Union (EU) or having not designated a representative in the EU under
of article 27 of the GDPR. Indeed, in these cases, it is impossible for it to enforce the
provisions of the GDPR in the territory of the United States of America.
4 Considering having answered your questions, we believe that our intervention in the
Your complaint is now complete. (…)”.
er
By request filed at the administrative court registry on March 1, 2021, (A) – ....., designated
hereinafter by “(A)”, mandated for this purpose by Mr. (B) by a representation agreement
signed on November 16, 2020 in accordance with Article 80, paragraph (1), of the GDPR, introduced
an appeal aimed at the reformation if not the cancellation of the aforementioned letter from the CNPD of
September 18, 2020.
By judgment of April 21, 2023, the administrative court declared itself competent to hear the
main appeal for reform, declared it inadmissible for lack of interest in acting on behalf of
Mr (B), therefore rejecting it, said that there was no need to rule on the subsidiary appeal in
annulment, again rejected the request for allocation of procedural compensation made by (A),
while ordering the latter to pay the costs and expenses of the proceedings.
To do this, the court noted that it was constant, so as not to be contested by (A), that both at
time of Mr. (B)'s complaint of April 5, 2019 addressed to the CNPD, that at the time of
the introduction of the appeal under analysis, his personal data had been deleted
of the company's website (D) and that it did not appear from any document submitted to the debates that the
processing of Mr. (B)’s data by the company (D) was still current, the copy of a
product profile in question and entitled “(B)’s Email” not being dated and not including any
source reference. As (A) thus remained unable to prove processing of data from
Mr. (B) by the company (D) “both at the time of the filing of the appeal under analysis and at
"current time", the court came to the conclusion that he could not claim an interest
to act due to the processing of their data by the said company resulting in a violation of their rights
provided for by the GDPR at the time of filing the appeal.
The court further noted that this finding was not upset by the developments of (A) following
which the previous processing of personal data of Mr. (B) by the company (D)
would constitute a violation of its rights provided for in the GDPR and noted that the role of the CNPD
consisted, in application of article 51, paragraph (1), of the GDPR and article 4 of the law of 1
August 2018 organizing the National Commission for Data Protection and
general regime on data protection, hereinafter “the law of August 1, 2018”, in surveillance
of the application of the GDPR by data controllers and that it was no longer called upon to
intervene from the moment when a possible lack of knowledge of the GDPR by a manager
processing had ceased, Mr. (B) not being able to derive from the GDPR a personal right to see
sanction a data controller outside of an action for compensation for the damage
resulting from a violation of its rights, a right expressly provided for by the GDPR.
Finally, the court noted that compensation for damage resulting, where applicable, from a
violation of the rights to the protection of personal data of a data subject
was neither conditional on a prior referral to the competent supervisory authority, such as
CNPD, nor by a decision of the latter sanctioning such violation, respectively by
a judicial decision relating thereto.
5By request for appeal filed at the registry of the Administrative Court on May 23, 2023, (A) filed an appeal
of the judgment of April 21, 2023.
In the operative part of its response brief, the CNPD requests that the appeal request be declared
inadmissible for lack of interest in acting on the part of the appellant respectively request to the Court
to declare itself incompetent due to the fact that the appeal was not filed against an act
final administrative complaint.
These requests must be rejected for lacking merit.
Indeed, regardless of the observation that the CNPD has not otherwise developed its means
of inadmissibility of the appeal request based on a lack of interest in taking action and that an appeal which does not have
was introduced against an administrative act addressing the grievance does not lead to a decision of incompetence
but in the event of a decision of inadmissibility by the administrative court seized, it should be remembered,
on the one hand, that the interest in filing an appeal is measured by the appellant's claims with regard to the
operative part of the judgment undertaken and, on the other hand, that the court which declares an appeal inadmissible
rules on a procedural exception and a plea of inadmissibility, namely a plea
of inadmissibility, and puts an end to the proceedings, so that an immediate appeal within the time limit of the law is
bet.
In addition, the CNPD's argument that the initial appeal was not filed against an act
grieving administrative officer does not constitute a question of admissibility of the appeal request, but,
as recalled above, a question of admissibility of the initial appeal, like the question
interest in acting.
However, as in the operative part of the judgment undertaken, the court declared itself competent to
hear the appeal for reform of (A), while declaring it inadmissible for lack of interest in
act, the appellant has a clear interest in filing an appeal on the basis of her argument aimed at
declare its initial appeal admissible.
The appeal having moreover been lodged according to the forms and time limit of the law, it is admissible.
In support of her request for appeal, the appellant argues more particularly that Mr.
(B) would have a personal and direct interest in acting against the decision taken in that
this concerns a complaint lodged by him relating to the violation of his rights
fundamental. It refers to the wording of article 78 of the GDPR opening recourse to
any person whose rights are impacted by the decision of the supervisory authority. This interest
would have been born, effective and current in that the CNPD refused to shed light on violations
of his fundamental rights by the company (D), which would have been a prerequisite for the cessation of
these violations.
(A) recalls in this context that Mr. (B) would have denounced the processing of his data without
appropriate legal basis, as well as a lack of information regarding the circumstances of processing
data to which it would be subject. If the company (D) had certainly informed Mr (B) that it had
deleted her profile from her website, she would not have indicated at any time if, how,
for how long and for what purposes she had kept Mr.
6(B) in its own databases or to which companies it communicated said data.
She further maintains that the right to information on data processing could not
disappear just because the treatment in question would have stopped. Thus, the right of access
would constitute the cornerstone of the rights of individual data subjects and the “gate
entry” which would allow the exercise of all the other rights conferred by the GDPR,
such as the right of opposition or the right to rectification or even the right to erasure. The right
from Mr. (B) to receive information concerning the processing of his data
would not disappear with the erasure of personal data in response to an
request access.
Finally, the appellant specifies that it is not indicated anywhere in the GDPR that
Complaints should only be processed regarding ongoing data processing and
that complaints about past treatments would be automatically excluded. In fact, it would be
It is possible for an individual to become aware of a violation of their rights only late.
In this way, imposing deadlines that are too tight to allow him to denounce this violation
would undermine the very effectiveness of the right to lodge a complaint.
The CNPD contests any born and current interest in acting on behalf of Mr. (B), maintaining in
firstly that a merely possible interest would not be sufficient for the appeal against a
act be declared admissible, especially since the “feasibility” of the measures requested with regard to
towards society (D) would be highly questionable.
She then refutes a personal interest on the part of the claimant who would not seek to
obtain personal satisfaction but who would position himself above all as a defender of the interest
collective.
The CNPD still denies any direct interest in the appellant in that the nature specifies
of the concrete “negative affect” of the situation of Mr. (B) of the specific fact and
uniqueness of the CNPD's decision would remain particularly nebulous. Thus, invoking the
general violation in principle and not circumstantial of a “right” would not be sufficient
to justify an interest in taking action. In this context, the respondent further points out that the company (D)
would have responded the same day to Mr. (B)'s initial request by providing him with a
first level of information and asking them to click on a link to obtain more
ample details and inviting him to write him an email if any other questions still arise.
survive, a possibility which the latter would not have made use of. It further indicates, on the one hand,
that the company (D) would have sent Mr. (B) a copy of the personal data and, furthermore
share, that at the time of lodging the complaint and lodging the appeal before
the administrative court, the processing of the data would have ceased. Therefore, the CNPD does not see
what would be the negative consequences that the decision taken would have caused to Mr.
(B).
Finally, in the same vein, the CNPD still considers that the decision taken does not
would not constitute an administrative act adversely affecting Mr. (B) and which would therefore confer on him
an interest in acting.
7Interest conditions the admissibility of a contentious appeal. In matters of litigation
administrative relating, as in the present case, to objective rights, the interest does not consist in a
alleged right, but in the verified fact that an administrative decision negatively affects the
situation in fact or in law of an individual who can therefore derive a correlative advantage from the
bone
sanction of this decision by the administrative judge (see Adm. Court July 14, 2009, no. 23857C and
23871C of the docket, Pas. adm. 2022, V° Contentious procedure, n° 2 and other references cited therein).
The interest in acting is not to be confused with the substance of the law in that it is not measured by the well-being
grounds invoked in support of a claim, but to the satisfaction that the claim is
intended to provide a party, assuming that the means invoked are justified (cf. Court adm.
December 13, 2007, No. 23330C of the roll, Pas. adm. 2022, V° Contentious procedure, n° 3 and others
references cited there).
On the other hand, concerning the absence of an administrative act adversely affecting, as supported by the
CNPD, it should be remembered that an individual administrative act, to meet the qualifier of
administrative decision and therefore to be subject to appeal before the courts
administrative decisions, must also constitute a real decision likely to cause grievance, that is to say
an act capable of producing by itself legal effects affecting the personal situation
and property of the person making the claim (see Adm. Court May 24, 2007, No. 22408C of the role,
Not. adm. 2022, V° Administrative Acts, No. 44 and other references cited therein).
In order to determine whether the CNPD letter of September 18, 2020, together with the decisions taken
previous positions, negatively affects the personal situation of Mr. (B) and constitutes
therefore a decision likely to harm him giving him a personal and direct, legitimate interest
and certain, born and present to act, it is first necessary to delimit the object of the complaint
sent on April 5, 2019 by Mr. (B) to the CNPD.
Thus, it appears from the said complaint that he criticized the use, according to him illegal, of his
personal data by the company (D) for commercial purposes (“I have no relation ship [sic]
with the data controller, yet the data controller sells my personal information”, (…) “Their
privacy policy stipulates no legal basis of processing as I have no customer account with them.
They claim to use data that is “public”, my email address isn’t”, (…) “No [l]egal basis of
processing my personal data [;] Reselling of my personal data for commercial gain"). He has
also criticized the company's (D) interpretation of the GDPR (“Their GDPR interpretation
which can be publicly read here, is non-sensical").
Finally, in the “subject of the complaint” section, he indicated:
“- did not provide me with the necessary information relating to data processing
personal about me
- transmitted my personal data to a third party(ies)
- carried out excessive collection of my personal data”.
In doing so, Mr (B) clearly indicated that he believed that the company (D) was using his data
personal in violation of the rights recognized by the GDPR, without however stating
expressly by what means he wanted the CNPD to remedy this alleged violation of
his rights.
8However, common sense requires us to remember that an administrator does not simply denounce
a violation of his rights for the sake of form, but only by contacting the supervisory authority
which is competent to note and sanction a violation of the GDPR, it requests this
authority to respond to its request and try to shed light on the violations
alleged and to take, if necessary, adequate measures to try to remedy them, or even
impose sanctions.
Concerning more specifically the steps taken by the CNPD, the Court notes that
on July 18, 2019, the latter sent a letter to the company (D) concluding that the
personal data of Mr. (B) and the consequent applicability of the GDPR in the case
of species, while requesting from the company (D) the contact details of its representative in the Union
European Union, as required by Article 27 of the GDPR.
On this, the company (D), following email of July 24, 2019, informed the CNPD that it had not
designated as a representative in the European Union under Article 27 of the GDPR, while considering
that users of its website would be responsible for data processing
personal information appearing therein. (“(…) please note that (D) is not the controller of the data on our site.
Our users are the controller and therefore are responsible for ensuring that they individually
adhere to data protection laws and regulations such as GDPR).
By an email of March 6, 2020, after various reminders from Mr. (B), the CNPD informed him
here of the content of the company's response (D) of July 24, 2019, while informing it that it was
of the opinion that the said company “is indeed to be considered as responsible for the processing for the
processing of personal data carried out on its website”, but that it does not
did not have the powers to conduct investigations and enforce the decisions that it would
taken into the territory of the United States of America.
After a new exchange of emails and two registered letters from Mr. (B) of May 4 and
August 10, 2020 to the address of the CNPD, the latter, through its commissioner T. L., made
send the claimant the aforementioned letter of September 18, 2020, informing the latter that
the intervention of the CNPD in the context of its complaint “is now over”, given
that the opening of an investigation file would not appear relevant on the grounds that it would not have
of any means of action against the company (D) established in the United States and that it would be
therefore impossible to enforce the provisions of the GDPR in this territory, and this after having
informed Mr (B) that “investigation and complaint files are subject to procedures
different”, that “the opening of an investigation file following a complaint is not
systematic” and “there are no legislative criteria that define when the CNPD must or
not open an investigation. The CNPD is an independent supervisory authority which benefits from the
principle of “opportunity for action” (…). It may also refuse to follow up on a
claim which is manifestly unfounded or excessive, in accordance with Article 57 (4) of the
GDPR”.
However, without wishing to take a position, at the current stage of the case, as to the merits of the dispute, the Court notes
that it is common ground that the contested decision of the CNPD was taken within the framework of the GDPR
making applicable Articles 77 and 78 of the GDPR establishing a right to legal recourse
effective against a decision of a supervisory authority, articles of the following content:
9 (Art. 77) “1. Without prejudice to any other administrative or judicial remedy, any
data subject has the right to lodge a complaint with a supervisory authority, in
particular in the Member State in which his habitual residence is located, his place of work
or the place where the violation was committed, if it considers that the processing of personal data
personnel concerning it constitutes a violation of these regulations.
2. The supervisory authority to which the complaint was lodged informs the author
of the complaint the progress and outcome of the complaint, including the possibility
of a judicial remedy under Article 78.
(Art. 78) “1. Without prejudice to any other administrative or extrajudicial remedy, any
natural or legal person has the right to seek effective legal recourse against a
legally binding decision of a supervisory authority which concerns it.
2. Without prejudice to any other administrative or extrajudicial remedy, any person
concerned has the right to seek an effective judicial remedy when the supervisory authority which
has jurisdiction under Articles 55 and 56 does not deal with a complaint or inform the
person concerned, within three months, of the progress or outcome of the
complaint which she lodged under Article 77.
3. Any action against a supervisory authority is brought before the courts of the State
member in whose territory the supervisory authority is established. (…)”.
er
It should also be noted that article 55 of the law of August 1, 2018, under the terms of which “[a]n
appeal against the decisions of the CNPD taken in application of this law is open to
the Administrative Court which rules as judge on the merits. », does not distinguish the type of decisions
of the CNPD subject to appeal, so as to include a priori any decision emanating from this
last on condition of grievance.
Without wishing at this stage to comment on the principle of opportunity for action put forward by the
CNPD in the signed file – a question which relates to the merits of the file –, especially since
all light on the extent and duration of the processing of personal data of
Mr. (B) by the company (D) could not be carried out to date, it appears from the file that
the subject of Mr. (B)’s initial request to the CNPD was not only aimed at
cessation by the company (D) of the use of its personal data, use of which
the extent remains uncertain, but, as stated in the operative part of his request initiating proceedings,
see the dismissal of the case annulled and order the company (D) to comply with article
27 of the GDPR and to follow up on its right of access on the basis of article 15 of the GDPR,
respectively to continue processing their complaint and, in the event of refusal of a right of access,
to note a violation of the GDPR, and to pronounce, if necessary, a corrective measure within the meaning
of article 58 of the GDPR.
In this context, it should also be noted that the CNPD email of July 8, 2020 refers
among others respectively Articles 77, paragraph (2), and 78, paragraph (2), of the GDPR,
articles providing for the benefit of the person concerned a right to effective legal recourse,
10right which is also recalled on the CNPD’s own website under the heading
“enforce your rights”, the CNPD notes that “if the action taken by the CNPD does not
appear unsatisfactory, you are always entitled to take the matter to court.”
In view of the above, the Court comes to the conclusion that the letter from the CNPD of
September 18, 2020 constitutes a decision likely to cause harm and that the related disputes
of the CNPD are to be rejected.
It follows that (A)’s interest in taking action against the said decision is sufficiently verified.
and the judgment undertaken is subject to reformation in that it declared inadmissible for lack
of interest in taking action on the appeal of the appellant.
In the case where the first judges declared the appeal inadmissible and did not consider the
merits, the requirements of double level of jurisdiction, together those resulting from respect for rights
of the defence, indicate that the appeal court will, in principle, be required to send the case back to
the first judges in prosecution of cases, in the event that the Court will be led to reform the
first judgment on the point holding the appeal inadmissible (see Adm. Court March 12, 2019,
No. 42002C of the roll, Pas. adm. 2022, V° Contentious procedure, n° 1189 and other references
cited there).
This solution is all the more necessary in this case since the mechanism of the initial appeal of
first instance directly if not indirectly targets the company (D), so that the question
of a possible intervention of the latter arises.
Indeed, it should be remembered that the intervention of an interested third party is necessary,
whenever it is reasonably achievable, in that it tends in essence to avoid a
subsequent third-party opposition procedure. It is the preventive nature of the intervention which
justifies its implementation against interested third parties as quickly as possible,
while the absence of a related deadline provided for by law is explained by the fact that in all instances the
crystallization of the status of interested third party is likely to only take place after a
more advanced investigation of the data in the file (see Adm. Court February 1, 2007, n°21572C of the role,
Not. adm. 2022, V° Contentious procedure, n° 554 and other references cited therein).
The CNPD further requests the ordering of (A) to pay procedural compensation for
5,000.- €.
Said request must however be rejected, the relevant legal conditions not being met in
the species.
For these reasons,
the Administrative Court, ruling with regard to all parties involved;
receives the appeal of May 23, 2023 in the form;
11 by reformation of the judgment undertaken on April 21, 2023, says that the court was wrong to
administrative department declared the appeal originating on March 1, 2021 inadmissible for lack of interest in
act in the head of (A) – .....;
sends the file back to the administrative court for prosecution;
dismisses the National Commission for Data Protection of its request in
allocation of procedural compensation;
charges the costs of this appeal instance to the National Commission for the
Data protection ;
reserves the costs of first instance.
Thus deliberated and judged by:
Lynn S PIELMANN, first advisor,
Martine G ILLARDIN, advisor,
Annick B RAUN, advisor,
and read by the first advisor at the public hearing in Luxembourg at the ordinary premises of the
hearings of the Court on the date indicated at the top, in the presence of the appointed Registrar of the Court…….
s. …. s. SPIELMANN
Certified reproduction true to the original
Luxembourg, November 28, 2023
The clerk of the Administrative Court
12
