Cour Administrative - 48964C
Cour Administrative - 48964C | |
---|---|
Court: | Cour Administrative (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 77(2) GDPR Article 78(2) GDPR Article 55 National Data Protection Law |
Decided: | 28.11.2023 |
Published: | |
Parties: | |
National Case Number/Name: | 48964C |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | |
Original Language(s): | French |
Original Source: | Cour Administrative (in French) |
Initial Contributor: | ar |
The Luxembourgish Administrative Court decided that the complainant’s appeal of a DPA’s non-decision was admissible as Articles 77 and 78 GDPR were applicable and sent back the judgement to the Administrative Tribunal since the Tribunal was wrong to declare inadmissible the complainant’s appeal.
English Summary
Facts
A data subject having found that an American company had collected his personal data in order to publish it on its website, contacted it requesting for more information on the matter. On the same day, the data subject received an e-mail with a copy of the data, informing him that the company had deleted his personal data from its databases. Thus, the data subject filed a complaint with the Luxembourgish DPA requesting it to intervene and ask the controller responds to his request in accordance with the GDPR. Although the company had informed the data subject that it had deleted his profile from its website, it had at no time indicated whether, how, for how long and for what purposes it had stored the data subject’s personal data in its own databases or to which companies it had communicated that data.
Thus, on 18 July 2019, the DPA wrote to the company requesting information on the contact information of the company’s representative in the EU designated under Article 27 GDPR. To which the company replied to not consider itself the controller of the data since their users are the controller and are responsible for ensuring that they individually adhere to data protection laws and regulations such as GDPR. In light of this reply, the DPA informed the data subject that because of this, it would not have the power to impose sanctions on the controller.
By e-mail dated 29 May 2020, the data subject asked the DPA to send him a signed decision stating it could not, in accordance with Articles 12 and 13 of its internal rules of procedure, issue a decision. To which the DPA replied by e-mail on 8 July 2020. And on 18 September 2020 it reiterated to be unable to pursue the claim. Thus, on 1 March 2021, the data subject filed a complaint with the Administrative Tribunal.
The Tribunal noted that the personal data in question had been deleted from the company's website and that the complainant’s lawyer failed to prove that his data had been processed by the company both at the time the action under analysis was brought, as well as in that moment. Therefore, the court concluded that the complainant could not rely on an interest in bringing an action as a result of the company's unlawful processing of his data under GDPR, at the time his action was brought. Therefore, on 21 April 2023, the complainant lodged an appeal of the Tribunal’s decision to the Administrative Court.
Holding
The Administrative Court found the appeal admissible and declared itself competent to hear the complainant’s action for judicial review.
The Court pointed out that it is undisputable that the contested decision of the DPA allowed for Articles 77 and 78 GDPR to be applicable, which provide for a right to an effective judicial remedy against a decision of a supervisory authority. As also corroborated by Article 55 of the National Data Protection Law, as it does not distinguish between the types of decisions of the DPA.
In this context, the Court also noted that the DPA’s email of 8 July 2020 referred to Articles 77(2) and 78(2) GDPR and that the DPA's website states that if people are not satisfied with the action taken by the DPA, they are entitled to take the matter to court. In view of the foregoing, the Court concluded that the DPA's letter of 18 September 2020 constitutes a decision liable to give rise to a complaint.
The Court also noted that considering the extent and duration of the processing of the complainant's personal data by the company, it is clear from the complainant’s initial request to the DPA was not simply for the company to stop using his personal data, the extent of which remains unclear, but rather to order the company to comply with Article 27 GDPR and to give effect to his right of access on the basis of Article 15 GDPR, respectively to continue processing its complaint and, in the event of refusal of a right of access, to establish that there has been a breach of the GDPR and, if necessary, to take corrective action within the meaning of Article 58 GDPR.
Thus, the Administrative Court overturned the Administrative Tribunal’s judgment since the Tribunal was wrong to declare inadmissible the complainant’s appeal and sent back the case to the Administrative Tribunal for hearing.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
GRAND DUCHY OF LUXEMBOURG ADMINISTRATIVE COURT Roll number: 48964C ECLI:LU:CADM:2023:48964 Registered on May 23, 2023 Public hearing of November 28, 2023 Appeal filed by (A) – ....., ..... (AT), against a judgment of the administrative court of April 21, 2023 (No. 45716 of the roll) having ruled on his appeal against a letter of the National Commission for Data Protection, Belvaux, regarding data protection Having regard to the request for appeal registered under number 48964C of the role and filed with the Registry of the Court administrative on May 23, 2023 by Maître Catherine WARIN, lawyer at the Court, entered in the table of the Order of Lawyers in Luxembourg, in the name of (A) – ....., established and having its head office at AT- … ..... (Austria), …., …, registered in the Austrian register of associations (Zentrales Vereinsregister) under the number …., represented by its “Vorstandsvorsitzender” currently in office, mandated by Mr. (B), residing at L-… …, …, …, directed against a judgment of the administrative court of the Grand Duchy of Luxembourg of April 21, 2023 (no. 45716 of the roll) by which the said court declared inadmissible its appeal seeking the reformation of a “decision” of September 18, 2020 of the National Commission for Data Protection (“CNPD”), informing Mr. (B) of his refusal to continue processing his complaint of April 5, 2019 and reiterated on August 10, 2020; Considering the exploit of the bailiff Laura GEIGER, residing in Luxembourg and registered near the district court of and in Luxembourg, of May 26, 2023 serving notice of this request for appeal to the CNPD, a public establishment, registered in the trade and commerce register Luxembourg companies under number J52, established at L-4370 Belvaux, 15, boulevard du Jazz, represented by its college of commissioners currently in office; Having regard to the response filed at the registry of the Administrative Court on June 22, 2023 by Maître Elisabeth GUISSART, lawyer at the Court, registered on the roll of the Luxembourg Bar Association, in the name and on behalf of the CNPD, prequalified; Having regard to the reply filed at the registry of the Administrative Court on September 21, 2023 by Maître Catherine WARIN on behalf of the appellant; 1Having regard to the rejoinder filed at the registry of the Administrative Court on October 20, 2023 by Maître Elisabeth GUISSART in the name and on behalf of the CNPD, prequalified; Considering the documents submitted in question and in particular the judgment appealed from; The rapporteur heard his report as well as Maîtres Catherine WARIN and Elisabeth GUISSART in their respective pleadings at the public hearing on November 7, 2023. After noting that the American company (D) LLC, hereinafter “the company (D)”, had collected personal data about him in order to publish them on his website “https://(D).co”, Mr. (B) contacted the said company on this subject on April 5, 2019 and saw himself send by the latter an email dated the same day to which a copy of their data was attached and informing him that the company (D) had deleted the personal data on regarding its databases. Also on April 5, 2019, Mr. (B) filed a complaint with the National Commission for Data Protection, hereinafter “the CNPD”, requesting it to intervene to the company (D) so that the latter can respond to its request in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of these data, and repealing Directive 95/46/EC (general regulation on the data protection), hereinafter referred to as “the GDPR”. By email of April 9, 2019, the CNPD asked Mr. (B) to send it any correspondence with the company's data controller (D), in particular the email containing his request access and specific information, the automatic response to this request, as well as any possible correspondence subsequent to the submission of his complaint, informing him, moreover, that the link on the company's website (D) supposed to contain his personal data does not doesn't seem to work. By email of the same day, Mr. (B) informed the CNPD that the company (D) seemed to have deleted all of his data on their website following his contact with this last, but that it would continue to collect and process the data of other citizens Europeans. On July 18, 2019, the CNPD sent a letter and email to the company (D), noting in particular that: “(…) We therefore understand that Article 3(2) of the GDPR applies to processing activities performed by (D). Considering the circumstances, the CNPD would like to know the contact details of the (D)’s representative in the European Union designated pursuant to Article 27 GDPR or, should there be none, the contact details of the relevant point of contact by (D) for data protection 2concerns raised by data protection authorities, in order to process further the abovementioned “complaint”. Email dated July 24, 2019, the company (D)informed the CNPD not having designated a representative in the European Union under Article 27 of the GDPR, while considering that “(…) please note that (D) is not the controller of the data on our site. Our users are the controller and therefore are responsible for ensuring that they individually adhere to data protection laws and regulations such as GDPR”. By email of March 6, 2020, the CNPD informed Mr. (B) that “the company (D) has informed us communicated that it considers that it is the users of its services, and not itself, who are the data controllers with regard to personal data processed on its website”, (…) “that the company (D) is a company located in the United States of America not having a representative in the Union within the meaning of Article 27 of the Regulation General Data Protection Regulation (GDPR)” and that, although she would not share the point of view of society (D) (“we are indeed of the opinion that this society is indeed to be considered as data controller for the processing of personal data carried out on its website"), it would be impossible for him to pursue his claim, whereas, while having the possibility of communicating with said company, the CNPD would not have the power to do so impose actions to improve its data protection practices. Mr. (B) responded by email of the same day, wondering “that the CNPD will not take of actions? ". By email of March 17, 2020, the CNPD confirmed to him that it was impossible to continue his complaint, email to which Mr. (B) responded by emails of the same day and March 28, 19 and April 26, 2020, as well as by registered letter of May 4, 2020, to which the CNPD responded by email of May 25, 2020 while referring to his emails of March 6 and 17, 2020. By email of May 29, 2020, Mr. (B) asked the CNPD to send him a signed decision in accordance with articles 12 and 13 of its internal regulations (“ROI”), email to which the CNPD responded by email of July 8, 2020. By registered letter of August 10, 2020, Mr. (B) again contacted the CNPD in the following terms: following: “(…) Man teilte mir mit, dass die CNPD entschieden hat (D) nicht zu verfolgen obwohl man mir im Sinne der Beschwerde [R]echt gibt. Dies wohlgemerkt nachdem die CNPD sich mit der Firma ausgetauscht hat. Auf Nachfrage teil[t]e man mir mit, dass dies keine official „Entscheidung der CNPD sei“ and man sich deshalb auch nicht an da[s] ROI der CNPD zu halten hätte. We can see that the CNPD is the third entity that does not belong to it. Unternehmen vorzugehen. Dies aber nicht officiell als „Entscheidung“ wertet? We are among those who are part of the communi- zation and disk systems above. behauptet es sei noch keine „Investigation“ laut ROI gewesen? ". 3By letter dated September 18, 2020, the CNPD informed Mr. (B) of its inability to continue its complaint of April 5, 2019 in the following terms: “(…) Mr. (B), The National Commission for Data Protection (hereinafter “CNPD”) is responsible for your email of July 8, 2020 relating to your complaint of April 5, 2019 against the company (D). Regarding your request for clarification on the reasons why the articles 9 of the regulation of the National Commission for Data Protection (CNPD) relating to to the investigation procedure (hereinafter “Investigation Regulations”) and 10 and 12 of the Order Regulations Interior of the CNPD (hereinafter “ROI”) are not applicable in the present case, we inform that it appears from the provisions of the ROI that the files of investigations and complaints involve different procedures. The Investigation Regulations are only applicable to investigation files, and articles 10 and 12 of the aforementioned ROI are only applicable to CNPD deliberation sessions, including deliberations relating to investigation files. Furthermore, although the processing of a complaint may result in the proposal and the opening of an investigation in accordance with the procedures provided for in article 2 of the Investigation Regulations, the opening of an investigation file following a complaint is not systematic. Indeed, when a complaint is submitted, the “complaints” service tries to resolve the issue raised without opening a formal investigation within the meaning of articles 37 to 41 of the law of August 1, 2018 organizing the National Commission for the protection of er data and the general regime on data protection (hereinafter: “law of August 1, 2018”). Most complaints can be resolved and closed in this manner, after the CNPD has intervened with the data controller concerned. When it turns out that the complaint file cannot be investigated in this way, the College may decide to open an investigation. There are no legislative criteria that define when the CNPD must or must not open a investigation. The CNPD is an independent supervisory authority which benefits from the principle of the “opportunity for action” (see Opinion of the Council of State of June 26, 2018, doc. parl. No. 7184/28). She may also refuse to follow up on a complaint which is manifestly unfounded or excessive, in accordance with Article 57 (4) of the GDPR. In the case of your complaint, the opening of an investigation file does not appear relevant, because the CNPD has no means of action against a person responsible for treatment established in the territory of the United States of America not having an establishment in the territory of the European Union (EU) or having not designated a representative in the EU under of article 27 of the GDPR. Indeed, in these cases, it is impossible for it to enforce the provisions of the GDPR in the territory of the United States of America. 4 Considering having answered your questions, we believe that our intervention in the Your complaint is now complete. (…)”. er By request filed at the administrative court registry on March 1, 2021, (A) – ....., designated hereinafter by “(A)”, mandated for this purpose by Mr. (B) by a representation agreement signed on November 16, 2020 in accordance with Article 80, paragraph (1), of the GDPR, introduced an appeal aimed at the reformation if not the cancellation of the aforementioned letter from the CNPD of September 18, 2020. By judgment of April 21, 2023, the administrative court declared itself competent to hear the main appeal for reform, declared it inadmissible for lack of interest in acting on behalf of Mr (B), therefore rejecting it, said that there was no need to rule on the subsidiary appeal in annulment, again rejected the request for allocation of procedural compensation made by (A), while ordering the latter to pay the costs and expenses of the proceedings. To do this, the court noted that it was constant, so as not to be contested by (A), that both at time of Mr. (B)'s complaint of April 5, 2019 addressed to the CNPD, that at the time of the introduction of the appeal under analysis, his personal data had been deleted of the company's website (D) and that it did not appear from any document submitted to the debates that the processing of Mr. (B)’s data by the company (D) was still current, the copy of a product profile in question and entitled “(B)’s Email” not being dated and not including any source reference. As (A) thus remained unable to prove processing of data from Mr. (B) by the company (D) “both at the time of the filing of the appeal under analysis and at "current time", the court came to the conclusion that he could not claim an interest to act due to the processing of their data by the said company resulting in a violation of their rights provided for by the GDPR at the time of filing the appeal. The court further noted that this finding was not upset by the developments of (A) following which the previous processing of personal data of Mr. (B) by the company (D) would constitute a violation of its rights provided for in the GDPR and noted that the role of the CNPD consisted, in application of article 51, paragraph (1), of the GDPR and article 4 of the law of 1 August 2018 organizing the National Commission for Data Protection and general regime on data protection, hereinafter “the law of August 1, 2018”, in surveillance of the application of the GDPR by data controllers and that it was no longer called upon to intervene from the moment when a possible lack of knowledge of the GDPR by a manager processing had ceased, Mr. (B) not being able to derive from the GDPR a personal right to see sanction a data controller outside of an action for compensation for the damage resulting from a violation of its rights, a right expressly provided for by the GDPR. Finally, the court noted that compensation for damage resulting, where applicable, from a violation of the rights to the protection of personal data of a data subject was neither conditional on a prior referral to the competent supervisory authority, such as CNPD, nor by a decision of the latter sanctioning such violation, respectively by a judicial decision relating thereto. 5By request for appeal filed at the registry of the Administrative Court on May 23, 2023, (A) filed an appeal of the judgment of April 21, 2023. In the operative part of its response brief, the CNPD requests that the appeal request be declared inadmissible for lack of interest in acting on the part of the appellant respectively request to the Court to declare itself incompetent due to the fact that the appeal was not filed against an act final administrative complaint. These requests must be rejected for lacking merit. Indeed, regardless of the observation that the CNPD has not otherwise developed its means of inadmissibility of the appeal request based on a lack of interest in taking action and that an appeal which does not have was introduced against an administrative act addressing the grievance does not lead to a decision of incompetence but in the event of a decision of inadmissibility by the administrative court seized, it should be remembered, on the one hand, that the interest in filing an appeal is measured by the appellant's claims with regard to the operative part of the judgment undertaken and, on the other hand, that the court which declares an appeal inadmissible rules on a procedural exception and a plea of inadmissibility, namely a plea of inadmissibility, and puts an end to the proceedings, so that an immediate appeal within the time limit of the law is bet. In addition, the CNPD's argument that the initial appeal was not filed against an act grieving administrative officer does not constitute a question of admissibility of the appeal request, but, as recalled above, a question of admissibility of the initial appeal, like the question interest in acting. However, as in the operative part of the judgment undertaken, the court declared itself competent to hear the appeal for reform of (A), while declaring it inadmissible for lack of interest in act, the appellant has a clear interest in filing an appeal on the basis of her argument aimed at declare its initial appeal admissible. The appeal having moreover been lodged according to the forms and time limit of the law, it is admissible. In support of her request for appeal, the appellant argues more particularly that Mr. (B) would have a personal and direct interest in acting against the decision taken in that this concerns a complaint lodged by him relating to the violation of his rights fundamental. It refers to the wording of article 78 of the GDPR opening recourse to any person whose rights are impacted by the decision of the supervisory authority. This interest would have been born, effective and current in that the CNPD refused to shed light on violations of his fundamental rights by the company (D), which would have been a prerequisite for the cessation of these violations. (A) recalls in this context that Mr. (B) would have denounced the processing of his data without appropriate legal basis, as well as a lack of information regarding the circumstances of processing data to which it would be subject. If the company (D) had certainly informed Mr (B) that it had deleted her profile from her website, she would not have indicated at any time if, how, for how long and for what purposes she had kept Mr. 6(B) in its own databases or to which companies it communicated said data. She further maintains that the right to information on data processing could not disappear just because the treatment in question would have stopped. Thus, the right of access would constitute the cornerstone of the rights of individual data subjects and the “gate entry” which would allow the exercise of all the other rights conferred by the GDPR, such as the right of opposition or the right to rectification or even the right to erasure. The right from Mr. (B) to receive information concerning the processing of his data would not disappear with the erasure of personal data in response to an request access. Finally, the appellant specifies that it is not indicated anywhere in the GDPR that Complaints should only be processed regarding ongoing data processing and that complaints about past treatments would be automatically excluded. In fact, it would be It is possible for an individual to become aware of a violation of their rights only late. In this way, imposing deadlines that are too tight to allow him to denounce this violation would undermine the very effectiveness of the right to lodge a complaint. The CNPD contests any born and current interest in acting on behalf of Mr. (B), maintaining in firstly that a merely possible interest would not be sufficient for the appeal against a act be declared admissible, especially since the “feasibility” of the measures requested with regard to towards society (D) would be highly questionable. She then refutes a personal interest on the part of the claimant who would not seek to obtain personal satisfaction but who would position himself above all as a defender of the interest collective. The CNPD still denies any direct interest in the appellant in that the nature specifies of the concrete “negative affect” of the situation of Mr. (B) of the specific fact and uniqueness of the CNPD's decision would remain particularly nebulous. Thus, invoking the general violation in principle and not circumstantial of a “right” would not be sufficient to justify an interest in taking action. In this context, the respondent further points out that the company (D) would have responded the same day to Mr. (B)'s initial request by providing him with a first level of information and asking them to click on a link to obtain more ample details and inviting him to write him an email if any other questions still arise. survive, a possibility which the latter would not have made use of. It further indicates, on the one hand, that the company (D) would have sent Mr. (B) a copy of the personal data and, furthermore share, that at the time of lodging the complaint and lodging the appeal before the administrative court, the processing of the data would have ceased. Therefore, the CNPD does not see what would be the negative consequences that the decision taken would have caused to Mr. (B). Finally, in the same vein, the CNPD still considers that the decision taken does not would not constitute an administrative act adversely affecting Mr. (B) and which would therefore confer on him an interest in acting. 7Interest conditions the admissibility of a contentious appeal. In matters of litigation administrative relating, as in the present case, to objective rights, the interest does not consist in a alleged right, but in the verified fact that an administrative decision negatively affects the situation in fact or in law of an individual who can therefore derive a correlative advantage from the bone sanction of this decision by the administrative judge (see Adm. Court July 14, 2009, no. 23857C and 23871C of the docket, Pas. adm. 2022, V° Contentious procedure, n° 2 and other references cited therein). The interest in acting is not to be confused with the substance of the law in that it is not measured by the well-being grounds invoked in support of a claim, but to the satisfaction that the claim is intended to provide a party, assuming that the means invoked are justified (cf. Court adm. December 13, 2007, No. 23330C of the roll, Pas. adm. 2022, V° Contentious procedure, n° 3 and others references cited there). On the other hand, concerning the absence of an administrative act adversely affecting, as supported by the CNPD, it should be remembered that an individual administrative act, to meet the qualifier of administrative decision and therefore to be subject to appeal before the courts administrative decisions, must also constitute a real decision likely to cause grievance, that is to say an act capable of producing by itself legal effects affecting the personal situation and property of the person making the claim (see Adm. Court May 24, 2007, No. 22408C of the role, Not. adm. 2022, V° Administrative Acts, No. 44 and other references cited therein). In order to determine whether the CNPD letter of September 18, 2020, together with the decisions taken previous positions, negatively affects the personal situation of Mr. (B) and constitutes therefore a decision likely to harm him giving him a personal and direct, legitimate interest and certain, born and present to act, it is first necessary to delimit the object of the complaint sent on April 5, 2019 by Mr. (B) to the CNPD. Thus, it appears from the said complaint that he criticized the use, according to him illegal, of his personal data by the company (D) for commercial purposes (“I have no relation ship [sic] with the data controller, yet the data controller sells my personal information”, (…) “Their privacy policy stipulates no legal basis of processing as I have no customer account with them. They claim to use data that is “public”, my email address isn’t”, (…) “No [l]egal basis of processing my personal data [;] Reselling of my personal data for commercial gain"). He has also criticized the company's (D) interpretation of the GDPR (“Their GDPR interpretation which can be publicly read here, is non-sensical"). Finally, in the “subject of the complaint” section, he indicated: “- did not provide me with the necessary information relating to data processing personal about me - transmitted my personal data to a third party(ies) - carried out excessive collection of my personal data”. In doing so, Mr (B) clearly indicated that he believed that the company (D) was using his data personal in violation of the rights recognized by the GDPR, without however stating expressly by what means he wanted the CNPD to remedy this alleged violation of his rights. 8However, common sense requires us to remember that an administrator does not simply denounce a violation of his rights for the sake of form, but only by contacting the supervisory authority which is competent to note and sanction a violation of the GDPR, it requests this authority to respond to its request and try to shed light on the violations alleged and to take, if necessary, adequate measures to try to remedy them, or even impose sanctions. Concerning more specifically the steps taken by the CNPD, the Court notes that on July 18, 2019, the latter sent a letter to the company (D) concluding that the personal data of Mr. (B) and the consequent applicability of the GDPR in the case of species, while requesting from the company (D) the contact details of its representative in the Union European Union, as required by Article 27 of the GDPR. On this, the company (D), following email of July 24, 2019, informed the CNPD that it had not designated as a representative in the European Union under Article 27 of the GDPR, while considering that users of its website would be responsible for data processing personal information appearing therein. (“(…) please note that (D) is not the controller of the data on our site. Our users are the controller and therefore are responsible for ensuring that they individually adhere to data protection laws and regulations such as GDPR). By an email of March 6, 2020, after various reminders from Mr. (B), the CNPD informed him here of the content of the company's response (D) of July 24, 2019, while informing it that it was of the opinion that the said company “is indeed to be considered as responsible for the processing for the processing of personal data carried out on its website”, but that it does not did not have the powers to conduct investigations and enforce the decisions that it would taken into the territory of the United States of America. After a new exchange of emails and two registered letters from Mr. (B) of May 4 and August 10, 2020 to the address of the CNPD, the latter, through its commissioner T. L., made send the claimant the aforementioned letter of September 18, 2020, informing the latter that the intervention of the CNPD in the context of its complaint “is now over”, given that the opening of an investigation file would not appear relevant on the grounds that it would not have of any means of action against the company (D) established in the United States and that it would be therefore impossible to enforce the provisions of the GDPR in this territory, and this after having informed Mr (B) that “investigation and complaint files are subject to procedures different”, that “the opening of an investigation file following a complaint is not systematic” and “there are no legislative criteria that define when the CNPD must or not open an investigation. The CNPD is an independent supervisory authority which benefits from the principle of “opportunity for action” (…). It may also refuse to follow up on a claim which is manifestly unfounded or excessive, in accordance with Article 57 (4) of the GDPR”. However, without wishing to take a position, at the current stage of the case, as to the merits of the dispute, the Court notes that it is common ground that the contested decision of the CNPD was taken within the framework of the GDPR making applicable Articles 77 and 78 of the GDPR establishing a right to legal recourse effective against a decision of a supervisory authority, articles of the following content: 9 (Art. 77) “1. Without prejudice to any other administrative or judicial remedy, any data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State in which his habitual residence is located, his place of work or the place where the violation was committed, if it considers that the processing of personal data personnel concerning it constitutes a violation of these regulations. 2. The supervisory authority to which the complaint was lodged informs the author of the complaint the progress and outcome of the complaint, including the possibility of a judicial remedy under Article 78. (Art. 78) “1. Without prejudice to any other administrative or extrajudicial remedy, any natural or legal person has the right to seek effective legal recourse against a legally binding decision of a supervisory authority which concerns it. 2. Without prejudice to any other administrative or extrajudicial remedy, any person concerned has the right to seek an effective judicial remedy when the supervisory authority which has jurisdiction under Articles 55 and 56 does not deal with a complaint or inform the person concerned, within three months, of the progress or outcome of the complaint which she lodged under Article 77. 3. Any action against a supervisory authority is brought before the courts of the State member in whose territory the supervisory authority is established. (…)”. er It should also be noted that article 55 of the law of August 1, 2018, under the terms of which “[a]n appeal against the decisions of the CNPD taken in application of this law is open to the Administrative Court which rules as judge on the merits. », does not distinguish the type of decisions of the CNPD subject to appeal, so as to include a priori any decision emanating from this last on condition of grievance. Without wishing at this stage to comment on the principle of opportunity for action put forward by the CNPD in the signed file – a question which relates to the merits of the file –, especially since all light on the extent and duration of the processing of personal data of Mr. (B) by the company (D) could not be carried out to date, it appears from the file that the subject of Mr. (B)’s initial request to the CNPD was not only aimed at cessation by the company (D) of the use of its personal data, use of which the extent remains uncertain, but, as stated in the operative part of his request initiating proceedings, see the dismissal of the case annulled and order the company (D) to comply with article 27 of the GDPR and to follow up on its right of access on the basis of article 15 of the GDPR, respectively to continue processing their complaint and, in the event of refusal of a right of access, to note a violation of the GDPR, and to pronounce, if necessary, a corrective measure within the meaning of article 58 of the GDPR. In this context, it should also be noted that the CNPD email of July 8, 2020 refers among others respectively Articles 77, paragraph (2), and 78, paragraph (2), of the GDPR, articles providing for the benefit of the person concerned a right to effective legal recourse, 10right which is also recalled on the CNPD’s own website under the heading “enforce your rights”, the CNPD notes that “if the action taken by the CNPD does not appear unsatisfactory, you are always entitled to take the matter to court.” In view of the above, the Court comes to the conclusion that the letter from the CNPD of September 18, 2020 constitutes a decision likely to cause harm and that the related disputes of the CNPD are to be rejected. It follows that (A)’s interest in taking action against the said decision is sufficiently verified. and the judgment undertaken is subject to reformation in that it declared inadmissible for lack of interest in taking action on the appeal of the appellant. In the case where the first judges declared the appeal inadmissible and did not consider the merits, the requirements of double level of jurisdiction, together those resulting from respect for rights of the defence, indicate that the appeal court will, in principle, be required to send the case back to the first judges in prosecution of cases, in the event that the Court will be led to reform the first judgment on the point holding the appeal inadmissible (see Adm. Court March 12, 2019, No. 42002C of the roll, Pas. adm. 2022, V° Contentious procedure, n° 1189 and other references cited there). This solution is all the more necessary in this case since the mechanism of the initial appeal of first instance directly if not indirectly targets the company (D), so that the question of a possible intervention of the latter arises. Indeed, it should be remembered that the intervention of an interested third party is necessary, whenever it is reasonably achievable, in that it tends in essence to avoid a subsequent third-party opposition procedure. It is the preventive nature of the intervention which justifies its implementation against interested third parties as quickly as possible, while the absence of a related deadline provided for by law is explained by the fact that in all instances the crystallization of the status of interested third party is likely to only take place after a more advanced investigation of the data in the file (see Adm. Court February 1, 2007, n°21572C of the role, Not. adm. 2022, V° Contentious procedure, n° 554 and other references cited therein). The CNPD further requests the ordering of (A) to pay procedural compensation for 5,000.- €. Said request must however be rejected, the relevant legal conditions not being met in the species. For these reasons, the Administrative Court, ruling with regard to all parties involved; receives the appeal of May 23, 2023 in the form; 11 by reformation of the judgment undertaken on April 21, 2023, says that the court was wrong to administrative department declared the appeal originating on March 1, 2021 inadmissible for lack of interest in act in the head of (A) – .....; sends the file back to the administrative court for prosecution; dismisses the National Commission for Data Protection of its request in allocation of procedural compensation; charges the costs of this appeal instance to the National Commission for the Data protection ; reserves the costs of first instance. Thus deliberated and judged by: Lynn S PIELMANN, first advisor, Martine G ILLARDIN, advisor, Annick B RAUN, advisor, and read by the first advisor at the public hearing in Luxembourg at the ordinary premises of the hearings of the Court on the date indicated at the top, in the presence of the appointed Registrar of the Court……. s. …. s. SPIELMANN Certified reproduction true to the original Luxembourg, November 28, 2023 The clerk of the Administrative Court 12