TA Luxembourg - 45716: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 10: Line 10:


|Case_Number_Name=45716
|Case_Number_Name=45716
|ECLI=
|ECLI=LU:TADM:2023:45716


|Original_Source_Name_1=CNPD
|Original_Source_Name_1=CNPD

Revision as of 08:40, 10 May 2023

TA Luxembourg - 45716
Courts logo1.png
Court: TA Luxembourg (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 51 GDPR
Article 78 GDPR
Article 79 GDPR
Decided: 21.04.2023
Published: 01.05.2023
Parties:
National Case Number/Name: 45716
European Case Law Identifier: LU:TADM:2023:45716
Appeal from: CNPD (Luxembourg)
Appeal to: Unknown
Original Language(s): French
Original Source: CNPD (in French)
Initial Contributor: n/a

The Administrative Court of Luxembourg held that a data subject who cannot prove that a processing was occuring at the time of his request lacks of standing to appeal a DPA decision.

English Summary

Facts

A data subject found that an American company (controller) had collected personal data about him and was marketing it on its website. On 5 April 2019, he contacted the controller, who replied the same day with a copy of his personal data and informed the data subject that it had deleted his personal data. Still on 5 April 2019, the data subject lodged a complaint with the Luxembourg DPA to have the controller act on his request in accordance with the GDPR.

After requesting the data subject to provide its correspondence with the controller, on 6 March 2020, the DPA informed the data subject that the controller was US based and that it would therefore be impossible to pursue his complaint. The data subject replied several times and asked among other things for clarification on the administrative procedure and in particular of the rules on investigations.

The DPA finally replied by letter that the opening of an investigation was not systematic whenever a controller is subject to a complaint. In this case, the DPA considered that it was not relevant to open an investigation since it had no means of action against a US based company.

On 1 March 2021, the data subject, represented by noyb, lodged an appeal with the administrative Court (hereafter the Court) requesting the reversal or cancellation of the DPA's letter. On the basis of Article 78 GDPR, the data subject considered that he had a standing in bringing the action.

Holding

The Court considered that both at the time of his complaint of 5 April 2019 and the lodging of the appeal, the data subject's data had already been deleted from the controller's website. Consequently, the court considered that the data subject did not prove that data processing was taking place when he lodged his appeal.

The Court also held that under Article 51 GDPR, the DPA is responsible for monitoring the application of the RGPD by controllers, "so that it is no longer called upon to intervene from the moment that any possible disregard of the RGPD by a controller has ceased". It considered that in this case, the data subject could therefore not rely on the GDPR to sanction a controller, except for an action for damages resulting from the violation of its rights.

The Court also noted that in order to obtain compensation for the damage resulting from the violation of the right to data protection, in accordance with Article 79 GDPR, it was not necessary to refer the matter to the DPA.

In conclusion, the appeal was declared inadmissible for lack of standing.

Comment

noyb will appeal this decision.

A positive point of this decision is that the Administrative Court declared itself competent to reverse/review the DPA decision and not only to annul it.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Administrative Court No. 45716 of the role
of the Grand Duchy of Luxembourg ECLI:LU:TADM:2023:45716
4 bedroom Listed March 1, 2021


                             Public hearing of April 21, 2023

                                      Appeal filed by
                          the association under Austrian law ... – ..., …,
                                    against a courier from
               National Commission for Data Protection, Belvaux,

                             in terms of data protection
___________________________________________________________________________

                                         JUDGEMENT

       Having regard to the request entered under number 45716 of the roll and filed on March 1, 2021 at the

registry of the administrative tribunal by Maître Catherine Warin, lawyer at the Court, registered at the
table of the Luxembourg Bar Association, on behalf of the association under Austrian law ...
– ..., established and having its registered office at AT-… (Austria), …, entered in the register
Austrian Associations (Zentrales Vereinsregister) under number …, represented by its
"Vorstandsvorsitzender" currently in office and appointed by Mr. ..., residing
at L-…, said association taking up residence at the study of its litismandataire located at L-2763

Luxembourg, 10, rue Sainte Zithe, seeking the reversal, if not the annulment, of a decision
thus qualified as of September 18, 2020 of the National Commission for the Protection of
data (“CNPD”), a public establishment, registered in the register of commerce and companies of
Luxembourg under number J52, established at L-4370 Belvaux, 15, boulevard du Jazz,
represented by its college of Commissioners currently in office, informing Mr.
..., of his refusal to continue processing his complaint of July 8, 2020;


       Considering the exploit of the judicial officer Carlos Calvo, residing in Luxembourg, of March 4
2021, bearing service of the said request to the CNPD, prequalified;

       Having regard to the appointment of lawyer at the Court of Maître Elisabeth Guissart, lawyer at the Court,
registered on the roll of the Luxembourg Bar Association, on behalf of and on behalf of the CNPD,

prequalified, filed with the registry of the administrative court on March 16, 2021;

       Having regard to the memorandum in response filed at the registry of the administrative court on June 3, 2021 by
Maître Elisabeth Guissart in the name and on behalf of the CNPD, prequalified;

       Having regard to the memorandum in reply filed at the registry of the administrative court on July 2, 2021

by Maître Catherine Warin in the name and on behalf of the association under Austrian law ... –
..., prequalified;

       Having regard to the memorandum in rejoinder filed at the registry of the administrative court on September 28
2021 by Maître Elisabeth Guissart in the name and on behalf of the CNPD, prequalified;


       Having regard to the documents submitted in question and in particular the act complained of;

       The judge-rapporteur heard in his report, as well as Maître Catherine Warin and Maître
Elisabeth Guissart in their respective pleadings at the public hearing of November 8, 2022.


                                               1____________________________________________________________________________

        After finding that the company under American law ... had collected data from
personal character on his person in order to market them on his website https://....co,
Mr. ... contacted the said company on this subject on April 5, 2019 and was addressed by this

last an email dated the same day to which a copy of his data was attached and
informing him that the company ... had deleted his personal data from
its databases.

        Also on April 5, 2019, Mr. ... lodged a complaint with the
National Commission for Data Protection, hereinafter referred to as “the CNPD”, the

asking to intervene with the company ... so that the latter responds to its request
in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data
personal character and on the free movement of such data, and repealing Directive 95/46/EC
(General Data Protection Regulation), hereinafter referred to as “the GDPR”.

        By email of April 9, 2019, the CNPD asked Mr. ... to send it any

correspondence with the controller of the company ..., including email
containing his request for access and specific information, the automatic response to this
request, as well as any correspondence subsequent to the introduction of his
complaint, informing him, moreover, that the link on the company's website ... supposed
containing his personal data would not seem to work. By e-mail of the same day,
Mr. ... informed the CNPD that the company ... would seem to have canceled all of its
data on their website following its contact with the latter, but that it

would continue to collect and process the data of other European citizens.

        By email of March 6, 2020, the CNPD informed Mr. ..., after an initial examination
of his complaint of April 5, 2019 and referring to recital number (166) of the GDPR, that
taking into account the fact that the company ..., the data controller
disputed, would be established in the United States and therefore outside the European Union, it would be
impossible to pursue his complaint, whereas, while having the possibility of communicating

with said company, the CNPD would not have the power to impose actions on it with a view to
to improve its data protection practices, email to which Mr.
replied on the same day.

        By email of March 17, 2020, the CNPD confirmed to him that it was impossible to continue his
complaint, email to which Mr. ... replied by emails of the same day and March 28

and April 19 and 26, 2020, as well as by registered letter of May 4, 2020, to which the CNPD
replied by email of May 25, 2020 while referring to his emails of March 6 and 17, 2020.

        By email of May 29, 2020, Mr. ... asked the CNPD to send him a decision
signed in accordance with Articles 12 and 13 of its internal rules, which the CNPD
refused by email of July 8, 2020.


        By letter dated August 10, 2020, Mr. ... contacted the CNPD again.

        By letter dated September 18, 2020, the CNPD informed Mr. ... of his impossibility
to pursue his complaint of April 5, 2019 in the following terms:



                                                2 “(…) Mr....,

        The National Data Protection Commission (hereinafter “CNPD”) returns
to your email of July 8, 2020 relating to your complaint of April 5, 2019 against the

Company ....

        Regarding your request for clarification of the reasons why the
articles 9 of the regulations of the National Commission for Data Protection (CNPD)
relating to the investigation procedure (hereinafter "Investigations Regulation") and 10 and 12 of the
of Internal Order of the CNPD (hereinafter "ROI") are not applicable in the case

case, we inform you that it appears from the provisions of the ROI that the investigation files
and complaints fall under different procedures.

        The Investigations Regulation is only applicable to investigation files, and the
articles 10 and 12 of the aforementioned ROI are only applicable to the sessions of
deliberation of the CNPD, including deliberations relating to investigation files.


        In addition, although the processing of a complaint may result in the proposal and
the opening of an investigation according to the procedures provided for in Article 2 of the Investigations Regulation,
the opening of an investigation file following a complaint is not systematic.

        Indeed, when a complaint is submitted, the "complaints" service tries to

resolve the issue raised without opening a formal investigation within the meaning of Articles 37 to
41 of the law of 1 August 2018 on the organization of the National Commission for the
data protection and the general data protection regime (hereinafter: “Law of the
August 1, 2018”). Most complaints can be resolved and closed from this
manner, after the CNPD has intervened with the data controller concerned.
When it turns out that the complaint file cannot be processed in this way, the

College may decide to open an investigation.

        There are no legislative criteria that define when the CNPD must or must not open
investigation. The CNPD is an independent supervisory authority that benefits from the principle of
the “opportunity for action” (cf. Opinion of the Council of State of June 26, 2018, doc. parl. N° 7184/28).
It may also refuse to follow up on a complaint that is manifestly unfounded.

or excessive, in accordance with Article 57 (4) of the GDPR.

        In the case of your complaint, the opening of an investigation file does not appear
relevant, because the CNPD has no means of action against a person responsible for the
treatment established on the territory of the United States of America having no establishment on the
territory of the European Union (EU) or not having designated a representative in the EU in

pursuant to Article 27 of the GDPR. Indeed, in these cases, it is impossible for him to enforce the
provisions of the GDPR on the territory of the United States of America.

        Considering that we have answered your questions, we consider that our intervention in
part of your claim is now complete. (…)”

                                                            er
        By motion filed with the administrative court on March 1, 2021, the legal association
Austrian ... – ..., hereinafter referred to as "the association ...", mandated for this purpose by Mr.
...through a representation agreement signed on November 16, 2020, an appeal was brought



                                                3tending to the reform if not the cancellation of the aforementioned letter from the CNPD of September 18
2020.

        In its memorandum in response, the CNPD first raises the lack of jurisdiction ratione
matter of the administrative tribunal to hear the appeal lodged against the act referred, at the

reason that this would not constitute a decision-making administrative act adversely affecting Mr.
... having, in this same order of ideas, no personal and present interest to act, then
that the company ... would have deleted his personal data from its database and would have
then stopped all processing of his data.

        In its brief in response, the association ... asserts first of all that the company ...

reportedly put Mr....'s profile back online after deleting it.

        As regards Mr. ...'s cause of action, the association ... submits that the
data collected by the company ... would indeed constitute personal data that the GDPR
would like to protect. She then points out that Mr. ... would have had a personal interest in
lodge a complaint relating to the processing of his personal data and would thus have
also interest in taking action against the letter from the CNPD of September 18, 2020.


        The association ... considers, in this context and by referring to Article 78 of the GDPR, that
Sir ... should not have to demonstrate the unfortunate consequences that the courier of the
CNPD of September 18, 2020 would have caused him, while the simple fact that his fundamental right
to the protection of his data would not have been respected would be sufficient to establish his interest in taking action.

        She then specifies that Mr. ...'s interest in acting would be both personal and direct

effective, born, current and legitimate, whereas the act referred would concern him directly in that it
relate to his complaint lodged with the CNPD, said complaint relating to the
violation of his fundamental rights which the CNPD would refuse to investigate.

        It further argues that despite the fact that all of the personal data of
Mr.... would have been suppressed by the company..., the violation of the fundamental right of this
the latter would be an unfortunate consequence, whereas otherwise it would suffice for a manager to

processing to erase the disputed data so that “the problem disappears”. However, the right
of access would constitute the cornerstone of the rights of individuals, so that without access
full to their data and to the information that surrounds the processing of these, it would be
impossible to exercise all the other rights provided for by the GDPR, as would be recalled
also the Belgian data protection authority in its decision no. 15/2021.


        The association ... considers, moreover, that Mr. ... would have an interest in acting, whereas a
judgment by the administrative tribunal would allow it to then seek liability both
of the perpetrators of these violations before the civil courts and the CNPD.

        As to the legitimate nature of Mr. ...'s interest in acting, the association ... specifies
although it would not matter if this one would have been worried about not being the only particular
concerned by the practice of the company ... and that it would not be relevant that he would have introduced

several complaints against several entities with the CNPD.

        Before any progress in question, the court notes that, following the repeal of the directive
95/46/EC of the European Parliament and of the Council of 24 October 1994 on the protection of
natural persons with regard to the processing of personal data and to the free


                                                 4circulation of these data, hereinafter referred to as “Directive 95/46/EC”, the organization of
                                 er
the CNPD results from the law of August 1, 2018 on the organization of the National Commission
for data protection and the general data protection regime, referred to below.
afterwards by “the law of August 1, 2018”, adopted on the basis of the GDPR, so that the question of
the applicability or not of the GDPR to the merits of this case does not have any consequence in

with regard to the jurisdiction of the court of this court to hear decisions adopted by the
CNPD. Indeed, the GDPR, a community regulation by essence of direct application under
of Article 288 of the Treaty on the Functioning of the European Union, hereinafter referred to as
“the TFEU”, provides in its article 51 for the creation of supervisory authorities in the Member States
members, and therefore constitutes the framework legislation, to which the law of 1 August

2018, on the basis of which the CNPD was organized, so that the provisions of the GDPR
relating to the organization, mission and decisions of the CNPD are, in any case,
applicable.

                                                                                 er
        It must then be noted that under the terms of article 55 of the law of August 1, 2018 "A
appeal against the decisions of the CNPD taken pursuant to this law is open
before the Administrative Tribunal which rules as judge of the merits. ", said provision
not distinguishing the type of CNPD decisions subject to appeal and therefore including a

a priori any decision emanating from the latter on the condition of grievance.

        It follows that the court has jurisdiction to hear the appeal for reversal
introduced as the main.


        There is therefore no need to rule on the subsidiary action for annulment.

        The admissibility of an appeal is conditioned by the existence of an act likely to
grievance and having produced that effect on the person of the plaintiff. However, to justify an interest in

to act, one must be able to rely on the injury of a personal interest in the sense that the
reversal or annulment of the contested act confers on the plaintiff certain satisfaction and
personal. It is therefore important that the interest be not impersonal and general but personal. 2


        In this case, it must be noted that it is constant, so as not to be contested by
the association ... that both at the time of Mr. ...'s complaint of April 5, 2019 addressed
to the CNPD, that at the time of the introduction of the appeal under analysis, the personal data
of it had been deleted from the company's website ..., being, moreover, noted,
that it does not appear from any document tendered to the debates that the processing of the data of Mr ...

by the company ... would still be relevant, the copy of a profile entitled "...'s Email" not being
undated and without any source reference. The association thus remains in default of
prove a treatment, both at the time of the introduction of the appeal under analysis, and at the time
data of Mr. ... by the company ..., so that Mr. ... cannot be

assert an interest in acting because of the processing of his data by the said company at the time
the introduction of his appeal involving a violation of his rights under the GDPR.

        This observation is not upset by the developments of the association ... according to which
the prior processing of the personal data of Mr. ... by the company ... would constitute

a violation of its rights provided for in the GDPR, whereas the role of the CNPD consists, in

1Trib. adm. October 22, 2007, No. 22489 of the list, No. adm. 2022, V° Contentious procedure, n° 12 and the others
references cited therein.
2Trib. adm. November 7, 2016, No. 36132 of the list, No. adm. 2022, V° Contentious procedure, n° 14 and the others
references cited therein.

                                                 5application of Article 51, paragraph (1) of the GDPR and Article 4 of the law of 1 August 2018
monitoring the application of the GDPR by data controllers, so that it
is no longer called upon to intervene from the moment when a possible ignorance of the GDPR
by a data controller has ceased, which, in the absence of evidence to the contrary, must be retained
in this case. It must also be noted that Mr. ... cannot draw from the GDPR a

personal right to have a data controller sanctioned outside of an action for
compensation for damage resulting from a violation of his rights, a right expressly provided for by the
GDPR.

        This observation is also not irritated by the developments of the association ...
with respect to the interest of Mr. ... to have the decision referred amended or annulled in order to

allow him to sue the company ... under Article 82 of the GDPR. Indeed, he
results from Article 79, entitled “Right to an effective judicial remedy against a person responsible for
processing or a processor”, paragraph (1) of the GDPR that “Without prejudice to any
administrative or extrajudicial remedy available to him, including the right to lodge a
complaint to a supervisory authority under Article 77, each person
concerned has the right to an effective judicial remedy if he considers that the rights
conferred by this Regulation have been infringed by the processing of his personal data

personnel carried out in violation of this Regulation”. Thus, compensation for damage
resulting, where applicable, from a violation of the rights to the protection of personal data
of a person concerned is neither conditioned by a prior referral to
the competent supervisory authority, such as the CNPD, or by a decision of the latter
sanctioning such violation, respectively by a court decision relating thereto, of
so that this argument is in fact lacking.


        Regarding the request for the allocation of procedural compensation made by the
applicant, which fails to specify the nature of the sums exposed and not included in
the costs and does not specify in what way it would be unfair to leave these costs at his expense is at
reject, the mere reference to the article of the applicable law not being sufficient in this respect.


                                             For these reasons,

        the administrative court, fourth chamber, ruling contradictorily;


        declares itself competent to hear the main appeal for reversal;

        declares the main appeal for reform inadmissible, therefore rejects it;

        holds that there is no need to rule on the subsidiary action for annulment;


        rejects the request for the allocation of procedural compensation made by
the association ... – ...;

        orders the association ... – ... to pay the costs and expenses of the proceedings.

        Thus judged and pronounced at the public hearing of April 21, 2023 by:


        Paul Nourrissier, vice-president,
        Emilie Da Cruz De Sousa, judge,


                                                 6Laura Urbany, judge,

in the presence of the clerk Marc Warken.




     sr Marc Warken sr Paul Nourrissier

                 Reproduction certified true to the original
                        Luxembourg, April 21, 2023
                     The clerk of the administrative court















































                                      7