TA Luxembourg - 45717
TA Luxembourg - 45717 | |
---|---|
Court: | TA Luxembourg (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 15 GDPR Article 27 GDPR Article 57(1)(f) GDPR Article 77 GDPR Article 78 GDPR Article 79 GDPR |
Decided: | 21.04.2023 |
Published: | 01.05.2023 |
Parties: | |
National Case Number/Name: | 45717 |
European Case Law Identifier: | LU:TADM:2023:45717 |
Appeal from: | CNPD (Luxembourg) |
Appeal to: | Unknown |
Original Language(s): | French |
Original Source: | CNPD (Luxembourg) (in French) |
Initial Contributor: | n/a |
The Administrative Court considered, among other things, that a data subject could not prove its original access request and was therefore not adversely affected by the DPA decision to not handle his complaint.
English Summary
Facts
A data subject found that an American company (controller) had collected personal data about him and was marketing it on its website. The data subject contacted the controller about this, who responded with an automated message asking him to fill in an identity verification form in order to process his request.
On 8 July 2020, the data subject requested the Luxembourg DPA to order the controller to comply with his request. He believed that the controller had violated Article 15 GDPR for not handling his access request correctly and 27 GDPR for not having an establishment in the EU. The DPA asked the data subject to provide correspondence with the controller.
In August 2020, the DPA informed the data subject that it would no longer deal with his request as the controller was US based and the DPA therefore had no power to impose measures under the GDPR. The data subject insisted that the controller offered services on the internet and that a simple search via a search engine would find his personal data on the controller's website. He also asked why the DPA felt it did not have the authority to investigate in the US.
On 16 October 2020, the DPA replied by letter that it had contacted the controller but that without its response it was impossible to proceed. It also repeated that it had no means of action against a US based controller.
The data subject, represented by noyb, appealed this decision of the DPA to the administrative Court (hereafter the Court) to have the DPA's letter reversed or annulled. He considered that he had a standing to act under Article 78 GDPR, especially since his data was still present on the controller's site. He argued he was therefore damaged by the DPA's decision not to pursue with his request. The data subject also argued that the DPA had violated Article 77 GDPR. Finally, he explained that the controller did not provide a copy of his access request, reason why he could not provide this document.
Holding
First, the Court considered that the data subject only submitted the controller's automatic reply and not the rest of the correspondence, which prevented the Court from knowing the content of his request.
Second, with regard to the handling of the complaint, the Court considered that the DPA requested additional information from the data subject and communicated with him by email. It also provided explanations for not pursuing its examination. It therefore de facto dealt with the complaint and did not violate Article 77 GDPR. The Court added that Article 57(f) GDPR does not impose on the DPA an obligation to open an investigation or use its enforcement powers as soon as a controller is the subject of a complaint.
The Court therefore considered that the case had to be analysed under Article 78 GDPR. In this respect the court considered that the DPA letter informing the data subject that it would not initiate proceedings against the controller was not directly affecting the personal and financial situation of the data subject. Since the data subject did not provide enough documents to prove his request to the controller, his complaint with the DPA was limited to asking the DPA to request in his place information under Article 15 GDPR. According to the Court, the data subject retained his rights under Article 15 GDPR, thus, he did not suffer any damage from the refusal of the DPA.
The Court added that under Article 79 GDPR, a prior referral to the competent supervisory authority is not a condition to obtain compensation for damages resulting from the violation of data protection.
Third, regarding the violations by the controller, concerning Article 27 GDPR, the Court considered that the fact that the controller did not have an establishment in the EU did not constitute a violation of the data subjects right to data protection but could only constitute an obstacle to the exercise of his rights. As for Article 15 GDPR, the Court considered that the data subject did not prove that he was prevented from exercising his rights. The automatic response of the controller indeed included an email address he could have contacted. According to the Court, it implied that the data subject could not rely on a violation of Articles 15 and 27 GDPR which would be perpetuated by the refusal of the DPA to intervene.
In conclusion, the Court held that the refusal of the DPA to intervene did not cause a violation of a personal right of the data subject. The action was therefore inadmissible for lack of standing.
Comment
noyb is now considering the possibility to appeal this decision.
A positive point of this decision is that the Administrative Court declared itself competent to reverse/review the DPA decision and not only to annul it.
It however appears that the Luxembourg Administrative Court considers that a data subject must exercise his rights (and prove it) under Article 15 GDPR to be impacted by a DPA decision to refuse to act on his complaint and therefore have an interest in an appeal proceeding. This consideration does not seem to align with Article 77 GDPR which provides a right to lodge a complaint with a supervisory authority without prejudice to any other administrative or judicial remedy. Indeed, this article does not condition this right to the prior exercise of data subject's rights.
It is surprising that the Court did not consider that the data subject had an interest even though the latter's personal data was still available on the controller's website.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Administrative Court No. 45717 of the role of the Grand Duchy of Luxembourg ECLI:LU:TADM:2023:45717 4 bedroom Listed March 1, 2021 Public hearing of April 21, 2023 Appeal filed by the association under Austrian law ... – ..., (…), against a courier from National Commission for Data Protection, Belvaux, in terms of data protection ______________________________________________________________________________ JUDGEMENT er Having regard to the request entered under number 45717 of the roll and filed on March 1, 2021 at the registry of the administrative court by Maître Catherine Warin, lawyer at the Court, registered in the table of the Luxembourg Bar Association, on behalf of the association under Austrian law ... – ..., established and having its registered office at AT-… (Austria), …, registered in the Austrian register of associations (Zentrales Vereinsregister) under number …, represented by its “Vorstandsvorsitzender” currently in office and mandated by Mr...., residing at L-..., the said association taking up residence at the office of his litigant located at L-2763 Luxembourg, 10, rue Sainte Zithe, seeking the reversal, if not the annulment, of a decision, thus qualified, of October 16, 2020 the National Data Protection Commission (“CNPD”), a public institution, registered in the Luxembourg trade and companies register under number J52, established at L- 4370 Belvaux, 15, boulevard du Jazz, represented by its college of commissioners currently in office, informing Mr. ..., of his refusal to continue processing his complaint of July 8, 2020; Considering the exploit of the judicial officer Carlos Calvo, residing in Luxembourg, of March 4 2021, bearing service of the said request to the CNPD, prequalified; Constitution of a lawyer at the Court Maître Elisabeth Guissart, lawyer at the Court, registered on the roll of the Luxembourg Bar Association, in the name and on behalf of the CNPD, prequalified, filed with the registry of the administrative court on March 16, 2021; Having regard to the memorandum in response filed at the registry of the administrative court on June 3, 2021 by Maître Elisabeth Guissart in the name and on behalf of the CNPD, prequalified; Having regard to the brief in reply filed at the registry of the administrative court on July 2, 2021 by Maître Catherine Warin in the name and on behalf of the association under Austrian law ... – ..., prequalified; Having regard to the memorandum in rejoinder filed at the registry of the administrative court on September 28, 2021 by Maître Elisabeth Guissart in the name and on behalf of the CNPD, prequalified; 1 Having regard to the documents adduced in question and in particular the contested act; The judge-rapporteur heard in his report, as well as Maître Catherine Warin and Maître Elisabeth Guissart in their respective pleadings at the public hearing of November 8, 2022. __________________________________________________________________________ After noting that the company governed by American law ..., carrying out its activities under the denomination "...", hereinafter referred to as "the company..." had collected data of a personal on his person in order to market them on his website https://....io, Mr. contacted the said company on this subject and was sent by the latter an email dated June 13 2020 asking him to complete an identity verification form in order to allow the processing of his request, while also referring to the “Privacy Policy” of said website. On July 8, 2020, Mr. ... lodged a complaint with the Commission National Data Protection Authority, hereinafter referred to as “the CNPD”, requesting it to intervene with the company... so that the latter responds to its request in accordance with the regulations (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and to the free movement of such data, and repealing Directive 95/46/EC (general regulation on the protection data), hereinafter referred to as “the GDPR”. By email of July 28, 2020, the CNPD asked Mr. ... to send it any correspondence with the controller of the company ..., in particular the email containing their request for access and specific information, the automatic response to this request, as well as as well as any correspondence subsequent to the submission of his complaint. By email from same day, Mr. ... informed the CNPD that the company ... would be an American company, affirmed appended the requested documents to his complaint of July 8, 2020 and asked the CNPD to check receipt. By e-mail of August 1, 2020, Mr.... further informed the CNPD that the company... would not have not appointed a representative in the European Union, that he would judge the request of the said company in their email of June 13, 2020 to sign the form and provide them with details as to the identification of his disproportionate person and that he would no longer have had any correspondence with said company since their email of June 13, 2020. By email of August 13, 2020, the CNPD informed Mr...., after an initial review of his complaint of July 8, 2020 and referring to recital number (166) of the GDPR, that taking into account the fact that the company ..., the data controller disputed, would be established in the United States and therefore outside the European Union, it would be impossible for him to pursue his claim, whereas, while having the possibility of communicating with said society, the CNPD would not have the power to impose actions on it to improve its data protection practices. Emails of August 13 and 23, 2020, Mr...., while indicating that the company...would offer services via the Internet and that a simple search via a search engine would make it possible to find his personal data on the site of the said company for commercial purposes, requested the CNPD 2to "explain [his] means of action", as well as the reason why the CNPD would have arrived to the conclusion that it did not have the necessary authority to investigate in the United States and to what extent this incapacity would be related to the facts on the basis of his complaint. By letter dated October 16, 2020, the head of the CNPD's complaints department confirmed to Mr. ... his impossibility to continue processing his complaint of July 8, 2020, said letter being worded as follows: “(…) The National Commission for Data Protection (CNPD) is up to your complaint of July 8, 2020 relating to your request for access to your personal data personnel processed by the “....io” site. As indicated in our previous letter dated September 18, 2020, the CNPD has taken contact with the controller in order to try to resolve the issue raised by your complaint, in this case the sending of an automated form in response to your request access. We inform you that this contact unfortunately remained unanswered. We therefore regret to inform you that, subject to a possible return later from the controller of which we would keep you informed, we consider that it it is impossible for us to effectively pursue the processing of your complaint. Indeed, as already mentioned in our previous answers of 13 July and 18 September 2020, the CNPD has no means of action against a manager of the treatment established on the territory of the United States of America having no establishment on the territory of the European Union (EU) or not having designated a representative in the EU under of Article 27 of the GDPR. Indeed, in these cases, it is impossible for him to enforce the provisions of the GDPR on the territory of the United States of America. (…)” By motion filed with the administrative court on March 1, 2021, the legal association Austrian ... – ..., hereinafter referred to as "the association ...", mandated for this purpose by Mr ... by a representation agreement signed on November 16, 2020, brought an appeal tending to the reform if not the cancellation of the aforementioned letter from the CNPD of October 16, 2020. In its memorandum in response, the CNPD first raises the lack of jurisdiction ratione matter of the administrative tribunal to hear the appeal lodged against the act referred, on the grounds that this would not constitute a decision-making administrative act adversely affecting Mr. ... having, in this same order of ideas, no personal interest in acting. In its reply and with regard to the jurisdiction ratione materiae of the administrative court to hear the appeal under consideration, the association ... argues that the CNPD's refusal to process Mr. ...'s complaint would be all the more problematic as violations of the rights of the latter would still be relevant, his profile on the site of the said company being always online. It would therefore be totally false for the CNPD to assert that its decision, thus qualified, not to pursue the processing of Mr. ...'s request would not 3no complaint to the latter, the latter having a fundamental right to the protection of his data and to have his complaint dealt with diligently by the CNPD. The refusal of such treatment and the act undertaken would therefore fall within the scenario envisaged by Article 78 of the GDPR, this provision, detailing the right of effective remedy already enshrined in Article 47 of the Charter of fundamental rights of the European Union, hereinafter referred to as "the Charter", would allow a such an act would cause harm and should be able to be challenged in court. In this context, it further argues that Article 28(4) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1994 on the protection of natural persons with regard to the processing of personal data and to the free circulation of this data, hereinafter referred to as “Directive 95/46/EC”, repealed and replaced by the GDPR, would also have provided for a right of judicial appeal against “the decisions of the supervisory authority complaining”, the wording of Article 78 of the GDPR being clearly intended more open and opening up a remedy to any person whose claim has been rejected or refused by the supervisory authority. The association also recalls that according to recital number (143) of the GDPR, said regulation would require that the right to an effective remedy be materialized in an appeal to a court with full jurisdiction, which is why the Luxembourg legislator would have provided for an appeal for reversal against the decisions of the CNPD. The association ... also notes that the judgment of the Court of Justice of the European Union of 6 October 2015, C-362/14, Schrems v Data Protection Commissioner, hereinafter referred to as “the CJEU”, respectively “the Schrems I judgment”, would precisely concern the case of an individual including the complaint relating to the cessation of the transfer by the Facebook site of its data to the United States United, would have been rejected by the Irish supervisory authority. The person whose data would have been targeted would have appealed against this decision before the Irish judge for request the examination of his case, which would have asked a preliminary question to the CJEU tending to whether a person whose complaint has been processed and rejected without foundation by the authority National Supervisory Authority, would have the right to challenge such a decision before the courts national. The association ... adds that the thesis put forward by the CNPD would be untenable given of the difference in treatment thus created between a national procedure and a procedure cross-border, the latter generating, in accordance with Articles 56, paragraph (1) and 60 of GDPR, a cooperation mechanism, in which the authority where the main establishment is located would adopt a decision addressed to the data controller, while the authority having received the complaint would address its decision to the complainant, the reason being, according to the doctrine, that it would be to guarantee the fundamental right of anyone who has lodged a complaint with their authority national control, to introduce an effective remedy against a decision which would not give him satisfaction. This right would, among other things, be recognized by Article 78 of the GDPR which would provide for such appeal, Article 60 of the same regulation providing for the systematic communication of the decision to the author of the complaint, so that the latter can bring legal proceedings against the decision of total or partial rejection. The association ... therefore concludes that the contested act adversely affects and would thus also be subject to appeal, referring, in this context, moreover, to its developments in relation to the right to an effective remedy contained in its originating application of instance. 4 In this context, the association ... takes up articles 47, paragraph (1) and 8 of the Charter, as well as Article 78, paragraph (2) of the GDPR, read in the light of recital (143) of the GDPR, to conclude that any decision adopted by the CNPD in the exercise of its powers, in particular in the context of the processing of complaints within the meaning of Article 77 of the GDPR, should be able to the subject of a full court appeal. It then considers that the judgment of the CJEU of July 16, 2020, Data protection Commissioner against Facebook Ireland and Schrems, C-311/18, hereinafter referred to as “the judgment Schrems II”, would have clarified the extent of the obligations of national data protection authorities. data and would have held that the supervisory authority should proceed with the processing of complaints with all due diligence and that recital (141) of the GDPR would refer to the right to effective judicial remedy within the meaning of Article 47 of the Charter in cases where the authority of control would have failed to act, even though action would be necessary to protect the rights of the data subject. These principles would also be transposed into Article 55 of the law of August 1, 2018 on the organization of the National Commission for the Protection of er data and the general data protection regime, hereinafter referred to as "the law of 1 August 2018”, which would provide for an appeal against the decisions of the CNPD, as well as Articles 7 and 9 of the CNPD's internal regulations relating to complaints, which would provide expressly the obligation of the latter to notify its decisions of classification or closure to the claimant by indicating the remedies under Article 78 of the GDPR and 55 of the law of August 1, 2018. In his reply and as to his right to an effective remedy against the decision referred, the association ... further argues that the CNPD itself would announce on its website that people who are not satisfied with the follow-up given by the latter to a complaint addressed to him would be entitled to seize the administrative court and that under the principle of legitimate reliance and in view of the demonstration that Mr....would not be satisfied, in this case, of the follow-up given by the CNPD to his complaint, it should be allowed to exercise his recourse rights. With regard to the position of the CNPD according to which the appeal would only be admissible in the event of a lack of processing of the complaint, respectively of a absence of information from the complainant on the progress or the outcome of his complaint, the association ... argues that the CNPD would itself admit not to comment on the applicability of the GDPR to the practices denounced by Mr. ..., so that upstream of the question of the obligation of the CNPD to take sanctions or corrective measures in the event of violation of the GDPR, it should be noted that the CNPD would not have processed the complaint of Sir .... In this context, the association ... points out that the CNPD invokes, in the act referred, Article 54, paragraph (4) of the GDPR to indicate that it could refuse to act on a manifestly unfounded or excessive claim and that, even if at the litigation stage it would not more on this basis than the CNPD argues to have closed its intervention, this mention, in the the act referred, would demonstrate that the CNPD would conceive its letter of October 16, 2020 as a refusal to deal with Mr. ...'s complaint, so as to fall within the scope of GDPR Article 78. 5 In any case, the CNPD would make a particularly limited reading of the right to a effective remedy enshrined in Article 47 of the Charter in the context of the implementation of the GDPR, while the terms of recital (143) of the same regulation demonstrate that this does not would not be the only failure to process the complaint, which is the case in this case, but also the rejection or denial of a complaint which would give rise to the right to an effective remedy. A different reading of this article would deprive individuals of their fundamental right to data protection and of a recourse within the meaning of Article 47 of the Charter, the association ... considering, in this context, that such analysis would, moreover, be confirmed in particular by the Schrems I and II judgments, as well as by the doctrine. Finally, the association ... proposes the referral of two questions for a preliminary ruling to the CJEU on the basis of Article 267 of the Treaty on the Functioning of the European Union, hereinafter referred to as by “the TFEU”, worded as follows: “2.1. Article 78 (1) and (2) of the GDPR, and/or Article 47 of the Charter of Fundamental Rights, open an appeal against a decision of a competent authority of control not to pronounce on the applicability of the GDPR in the context of a claim ? 2.2. Article 78 (1) and (2) of the GDPR, and/or Article 47 of the Bill of Rights fundamental principles, open an appeal against a decision of a supervisory authority not to adopt a binding decision following a complaint against a company subject to the GDPR and who has not appointed a representative under Article 27 of the GDPR or fully responded to the complainant's request for access within the meaning of Article 15 of the GDPR? » In his memorandum in reply, with regard to the cause of action of Mr. ..., the association ... further argues, in the context of its developments in relation to the facts and retroactions at the basis of the dispute under examination, that Mr. ... would have addressed to the company ... on the basis of article 15 of the GDPR by means of a computer form on the website of this the latter by asking him “to provide him with all the information that he [would] be entitled to request under these provisions. », without a copy of his request for access having was subsequently sent, so that it would have been impossible to communicate a copy to the CNPD, respectively in the context of the appeal under exeren. It specifies, referring to the emails from Mr. ... to the CNPD of July 28 and August 1, 2020, that he would have, moreover, indicated to the CNPD that the company ... would have asked him "to sign documents and details not commensurate with his request. In response, the company ... allegedly sent an email with "some vague information" and a reference to its "Privacy Policy". The association ... further emphasizes that the request to the company ... could only have been made through one of the two options offered by the computer link contained in said email, or the individual could object to the processing of his data, or he could request access to a copy of his data, the use of these forms are only possible if you indicate the URL of the professional profile on the site of the company ... and by entering its e-mail address, an approach which the CNPD could have realized without having to consult another document, once it has inquired about the terms and conditions exercise of the right of access, as would appear from a document submitted by the latter and entitled ""Request Access to Collected Data" page of the ....io website (consulted on March 15, 2021)". 6 The automatic response returned by the company ... would also refer to the “Privacy Policy” that the CNPD could have analyzed without having to go to the United States. To date, Mr. ... still does not know the exact origin of the data processed at his subject by society ... and would always consider that they would be treated illegally, the association ... referring, in this context, to a statement of January 8, 2021 from the website Linkedin and entitled “An update on report of scraped data”, according to which the activities of "scraping" would violate their terms and conditions, so Mr.... would speculate reasonable that it would be by exploiting information found on said website that the company … would have cross-checked his data. The association ... specifies, moreover, that it could not have escaped the CNPD that the said "Privacy Policy" of the company ... would only provide information on the data of the users of its services, so that the reference to said "Privacy Policy" would not allow respond satisfactorily to the request of Mr.... With regard to the subject of Mr. ...'s complaint of July 8, 2020 and entitled "Subject of the complaint", the association ... argues that it would have indicated to the CNPD that the company ... would not have provided him with the necessary information relating to data processing concerning him, would not have responded to his request for access to his data personal data in violation of articles 12 and 15 of the GDPR, would have transmitted his personal data to third parties, would have proceeded to an excessive collection of his personal data violating the principle minimization of data provided for in Article 5, paragraph (1), point c) of the GDPR, as well as the principle of legality provided for in Article 6 of the same regulation and would not have respected his right of opposition, so that it would be impossible to follow the argument of the CNPD aimed at limiting the subject of Mr. ...'s complaint to his request for access to data and the non-compliance by the company ... of Article 15 of the GDPR. Regarding the CNPD's reproach that Mr. ... would not, as invited to do so, contacted the company ..., the association ... argues that it would not be disputed that this invitation would have been valid only to obtain a copy of Mr. ...'s data, which the latter would not have asked. It would even be "pungent" to reproach him for such a lack of collaboration, when the company ..., by sending only automatic replies, would have clearly failed in its obligations. She further argues that although Mr. ... would not be an infallible individual, he would nevertheless have a fundamental right to the protection of his private life and his data personal, being, moreover, a citizen who would be interested in the way in which his data personal data would be processed and who would be concerned about the collection and processing of said data contrary to the GDPR by the company ..., the fact that he would have made 12 complaints to the CNPD, or that he would have appealed to the Ombudsman in another case confirming this. The association ... wonders, in this context, what the CNPD would like to demonstrate by doing status of the activities of Mr. ... and whether he would be criticized for being a protection-conscious citizen of his rights. As for the reproach addressed to Mr. ... of wanting to defend the general interest, the association ... replies that it would be the mission of the CNPD to do this, but that in three years application of the GDPR, the latter would not have adopted any decision against a 7organization and that it was only recently, in June 2021, that it would have published 19 decisions on its website. The association ... further argues that the CNPD seems to reproach Mr. ... for having filed a complaint without having resolved "his question" directly with the company ..., whereas, not only would the GDPR not make the filing of a complaint conditional on contact with the data controller, but that this contact would have taken place in this case. SO that the CNPD would have confirmed itself that it had not received a response from the company ..., it cannot be reproached either to Mr. ... for not having insisted more with the latter. In any case, the association ... criticizes the fact that the CNPD, after having tried without success in obtaining information from the company ..., would not have obtained answers to its requests and would have motivated the decision referred by a lack of "prospect of collaboration of the controller" while informing Mr. ... of his impossibility to “effectively continue” the processing of his file to lack the means of action due to the absence of an establishment in the European Union of the company ... or representative under Article 27 of the GDPR. After having identified the context of the request addressed to the company ..., as well as the subject of its complaint, the association ... further affirms, with regard more specifically to the interest in bringing proceedings of Mr. ... as a result, that the latter would have a personal interest in lodging a complaint relating to the processing of his personal data and that, for the same reason, he would have a interest in taking action against the decision, thus qualified, of the CNPD refusing to follow up on the said claim. In this context, she considers that Mr. ... should not have to demonstrate the “adverse consequences” that the disputed decision would have caused him, when he was surprising that the violation of a fundamental right would not seem in itself to constitute a unfortunate consequence for the CNPD, which allegedly failed in its duty of care in its regard, which would establish its cause of action. As for the various aspects of the interest to act of Mr. ... to see reform if not annul the decision referred, the association ... considers that the latter would have a personal interest and directly, because the decision referred would relate to a complaint lodged by him and would be relating to the violation of his fundamental rights. The interest would still be effective, born and current, then that the CNPD would have refused to shed light on violations of his fundamental rights by the company .... At the very least, Mr. ...'s interest in acting would consist in the fact that the judgment of the administrative court noting the violation by the CNPD, respectively by the company ... of their fundamental rights protected by the Charter and the GDPR, would then allow them to seek the responsibility of the perpetrators of these violations before the civil courts, the association ... further recalling, in this context, that according to Article 82, paragraph (1) of the GDPR, any person having suffered material or moral damage as a result of a violation of the said regulations would have the right to obtain compensation from the controller or subcontractor for the damage suffered, the CNPD being, on its part, a public legal entity, liable to be held liable on the basis of the amended law of 1 September 1988 relating to the civil liability of 8the State and public authorities. Finally, Mr. ...'s interest in acting would still be legitimate in what he would do to protect his fundamental rights enshrined in the Charter and the GDPR. The association also emphasizes that the right of access would constitute the cornerstone for the protection of the rights of individuals, while without full access to their data and information surrounding the processing thereof, it would be impossible for them to exercise all of the other rights that the GDPR would confer on them, such as the right of opposition, erasure, rectification and the right to compensation, as also recalled by the protection authority Belgian data in a decision 15/2021 of February 9, 2021. Again relying on a piece entitled "Profile of Mr. ... on ...", the association ... insists, moreover, on the fact that the data of Mr. ... would always be processed by the company ..., without legal basis and without providing the requested information, or beforehand, in accordance with article 12 of the GDPR, nor at his request, in accordance with article 15 of the same regulation. With regard more specifically to the cause of action of Mr. ... in relation to the refusal of the CNPD to investigate against the company ... because of a violation by the latter of Article 27 of the GDPR, the association ... considers, in its reply brief that even a provision of a regulation that does not expressly provide for an “individual right” could be invoked by an individual if it was sufficiently clear and precise. By grabbing a stop the CJEU of June 7, 2016, Ghezelbash v. Staatsecretaris van Veiligheid en Justitie, C- 63/15 relating to Regulation (EU) No 604/2013 of the European Parliament and of the Council of 26 June 2013 establishing the criteria and mechanisms for determining the Member State responsible for the examination an application for international protection lodged in one of the Member States by a third-country national or a stateless person, it argues that the individuals concerned by the implementation implementation of the determination criteria provided for in said regulation could invoke its provisions related regulations. There would therefore be no reason that Mr. ... could not invoke, in this case the misapplication "by the CNPD" of Article 27 of the GDPR, especially since Mr. ... allegedly asked him to order the company ... to comply with the provisions of that article. In because the CNPD would hide behind this violation by the controller in order not to act, the association ... notes, in this context, the bad faith of the CNPD which, on the one hand, part, would use the absence of a representative of the company ... to decide not to deal with the claim of Mr. ..., and, on the other hand, would claim, in its memorandum in response, that the fact that the said company would not have appointed a representative would not have prevented Mr. ... from able to communicate effectively with it. Thus, the primary purpose of Mr. ... would not be to ensure that the company ... appoints a representative in Europe, but that this company respects its fundamental rights, the violation of Article 27 GDPR, as indicated by the CNPD itself, preventing this objective from being achieved. In the alternative, the association ... proposes to ask two preliminary questions to the CJEU on the basis of Article 267 TFEU worded as follows: “4.1. GDPR Article 27 should it be interpreted as allowing a national authority seized of a complaint 9against a data controller to refuse or reject this complaint on the grounds that this controller does not have an establishment or a representative in the Union? 4.2. Should Article 27 of the GDPR be interpreted as meaning that it can be invoked by a individual seeking to challenge the denial or rejection of their complaint by a national authority of control, when the data controller is manifestly in violation of this provision in the sense that it has no establishment and no representative in the territory of The union ? » Court analysis Before any progress in question, the court notes that, following the repeal of the directive er 94/65/EC, the organization of the CNPD results from the law of August 1, 2018, adopted on the basis of the GDPR, so that the question of the applicability or not of the GDPR to the merits of this case does not not have any consequence with regard to the jurisdiction of the court hereby to hear decisions adopted by the CNPD. Indeed, the GDPR, a community regulation in essence of direct application under article 288 TFEU, provides for the establishment of of control in the Member States, and therefore constitutes the framework legislation, to which moreover the law of August 1, 2018, on the basis of which the CNPD was organized, so that the provisions of the GDPR relating to the organization, mission and decisions of the CNPD are, in in any event, applicable. As regards the question of an effective remedy offered by the GDPR against the various types of decisions, either refusal to process a complaint, or rejection of said complaint, emanating from a national supervisory authority, such as the CNPD, it must be noted that at the terms of article 55 of the law of August 1, 2018 “An appeal against the decisions of the CNPD taken in application of this law is open to the Administrative Court which decides as trial judge. ", said provision not distinguishing the type of decisions of the CNPD subject to appeal and therefore including a priori any decision emanating from the latter to condition to grieve. It follows that the court has jurisdiction to hear the appeal for reversal brought principally. There is therefore no need to rule on the subsidiary action for annulment. An individual administrative act, to meet the qualifier of administrative decision and therefore to be subject to appeal before the administrative courts, must also constitute a real decision of such a nature as to adversely affect, that is to say an act likely to produce by itself legal effects affecting the personal and financial situation of the person who claim. In this context, the court notes that in order to determine the adverse effect of the act referred, it is first necessary to identify the subject of the complaint addressed by Mr. ... to the CNPD, the CNPD's response, as well as the appeal under analysis. 1 Trib. Adm., 25 January 2010, No. 25720 of the roll, available at www.ja.etat.lu 10 With regard, first of all, to the subject of the complaint of 8 July 2020 lodged by Mr. ... with the CNPD, the court must find that no concrete element relating to the request made to the company ... on the part of Mr. ... has not been submitted to his analysis, even though this request underlies the alleged violations of the GDPR denounced by Mr. ... in the context of his complaint to the CNPD of July 8, 2020. The association ... in fact, only submits in support of its appeal the generic response automatically sent to Sir ... by the company ..., thus leaving the court unable to know the content exact request to which it responds. With regard to the subject of Mr. ...'s claim, the court further finds that it appears from the latter, that he submitted his complaint on July 8, 2020 within the following terms: “(…) Subject of the complaint: - did not provide me with the necessary information relating to the processing of personal data concerning me – did not respond to my request for access to personal data concerning me – has transmitted my personal data to third party(ies) – collected excessively my personal data – Did not comply my right of opposition (e.g. canvassing) (…)”. As regards the nature of the act referred, the court must note that, unlike to the developments of the association ..., the CNPD did not refuse to deal with the complaint of Sir ... in violation of Article 77 of the GDPR according to which "1. Without prejudice to any other administrative or judicial remedy, any data subject has the right to lodge a complaint to a supervisory authority, in particular in the Member State in which finds his habitual residence, his place of work or the place where the violation is alleged to have been committed, if it considers that the processing of personal data concerning it constitutes a violation of this regulation. 2. The supervisory authority with which the complaint was filed lodged informs the author of the complaint of the progress and the outcome of the complaint, including the possibility of a legal remedy under Article 78.”. Indeed, it is constant in question to emerge from the documents tendered to the debate and not to be contested by the parties, that the CNPD, by email of July 9, 2020, acknowledged receipt of the complaint from Mr. ... of July 8, 2020, a, during email exchanges dated July 28 2020 and August 13, 2020, requested additional information and documents from the latter, informed that it would process his complaint, and informed him, by letter dated October 16, 2020, of the lack of further examination of his complaint by providing him with explanations detailed, this finding not being irritated by the reference, in the letter referred, to Article 54, paragraph (4) of the GDPR which relates to the refusal to process a complaint, the CNPD having, as noted above, de facto handled the complaint of Mr. .... In this context, the court also finds that, as rightly noted by the CNPD, the competent supervisory authorities referred to in the GDPR, have, pursuant to Article 57, point f) of the GDPR, as well as article 8, point 6) of the law of August 1, 2018, certainly, for mission to process complaints lodged by a data subject, to investigate the subject of the complaint, to the extent necessary, and to inform the author of the complaint of the state progress and outcome of the investigation within a reasonable time, in particular if additional investigation or coordination with another supervisory authority is necessary, the powers of which 11it provides for this purpose being provided for in Articles 58 of the GDPR and 12 to 14 of the law of 1 August 2018, without there being any obligation on their part to open an investigation or to use of their binding powers against any data controller who is the subject of a complaint, the merits of the complaint being in essence the trigger for the use of the powers of the CNPD and the act of processing the request that may result from the simple examination of the complaint lodged. The court then notes that Article 78 of the GDPR provides for recourse against two types of decisions of the competent supervisory authority, such as in this case the CNPD, paragraph (1) providing that "Without prejudice to any other administrative or extrajudicial remedy, any natural or legal person has the right to seek an effective judicial remedy against a legally binding decision of a supervisory authority which concerns it.”, paragraph (2) providing that “Without prejudice to any other administrative or extrajudicial remedy, any data subject has the right to an effective judicial remedy when the authority of control which is competent under Articles 55 and 56 does not deal with a complaint or does not inform the data subject, within three months, of the progress or the outcome of her complaint under Article 77.” Insofar as, as stated above, Mr. ... cannot rely on a grievance caused by the act referred on his part, due to a refusal to process his complaint by the CNPD in violation of Article 77 GDPR, it follows that the analysis of the alleged grievance caused by said act must necessarily fall within the scope of paragraph (1) of Article 78 of the GDPR, the CNPD not having opened an investigation with regard to the company ... following the complaint of Mr. .... With regard then to the subject-matter of the present appeal, the subject-matter of an appeal being, in a manner general, consisting of the result that the plaintiff intends to obtain, it is necessary to note that, according to the operative part of the motion to institute proceedings, the association ... intends to reform the deed referred so that the CNPD continues to examine Mr. ...'s complaint with regard to concerns the company's non-compliance ... with articles 15 and 27 of the GDPR, so the question grievance caused by the act referred is necessarily limited to this request, any debate relating to other possible violations on the part of the company ..., being therefore irrelevant at this stage to the extent that such violations relate to the merits of the dispute. In this case, it must be noted that the letter from the CNPD of October 16, 2020 informing Sir...that she would not sue the company...is not likely to directly affect the personal and patrimonial situation of Mr.... Indeed, such as noted above and following the example of the developments of the CNPD, Mr. ... remained in default to provide proof of having asserted its rights with the company .... Faced with the impossibility for the CNPD and the court to verify the existence of a request presented by Mr. ... to the company ..., as well as the defective nature of the response given thereto by the said company, the claim of Mr. ... of July 8, 2020 boils down to asking the CNPD to ask, in its place, the company ... the confirmation of the information provided for in Article 15 of the GDPR. 2 Trib. Adm. October 27, 2004, No. 17634, No. Adm. 2022, V° Contentious procedure, n°372 and the other references therein quoted 12 This observation is not upset by the developments of Mr. ... who insisted on establishing the impossibility on his part to produce proof of the request made to the company … in that he would not have received any copy of his request sent by online form on the site ….io, whereas, as rightly noted by the CNPD, the automatic response sent by the company ... included an email address to which Mr. ... could have sent his request to the with regard to Article 15 of the GDPR and thus provide themselves with proof of their own procedures. While Articles 57, paragraph (1), point a) and (4) of the law of 1 August 2018 provide, admittedly, that the CNPD is responsible for controlling and verifying whether the data subject to processing is processed in accordance with the GDPR, the fact remains that this authorization to act leaves intact the right to act of the applicant himself, who is not dependent in this respect on a decision of the CNPD to use its rights provided for in Article 15 of the GDPR and to formulate a first request to this effect from the data controller, so that the CNPD's refusal to formulate, in place of Mr. ..., a request within the meaning of Article 15 of the GDPR to the company ... did not cause any grievance affecting the personal situation of Mr. .... This observation is also not irritated by the developments of the association ... next which the GDPR would not provide for any initiative to be taken by the data subject with a controller prior to referral to the competent supervisory authority, then whereas, on the contrary, it follows from the very terms of Article 15 of the GDPR that the obligation provided for therein on the part of the data controller consists of a "confirmation" of the information referred to therein which can only necessarily occur at the express request of the concerned person. This observation is also not irritated by the developments of the association ... in relation to the interest of Mr. ... to have the referred act reformed or annulled in order to allow the company to be sued ... under Article 82 of the GDPR. Indeed, it results from Article 79, entitled “Right to an effective judicial remedy against a controller or a processor”, paragraph (1) of the GDPR that “Without prejudice to any administrative remedy or extrajudicial procedure open to him, including the right to lodge a complaint with a supervisory authority under Article 77, each data subject has the right to a remedy effective jurisdiction if it considers that the rights conferred on it by this Regulation have been violated due to the processing of his personal data carried out in violation of this regulation.”. Thus, compensation for damage resulting, where applicable, from a violation of the rights to the protection of the personal data of a data subject is neither conditioned by prior referral to the competent supervisory authority, such as the CNPD, or by a decision of the latter sanctioning such a violation, so that this argument is factually lacking. With regard, then, to the lack of implementation of its powers by the CNPD in order to put an end to a possible violation by the company ... of article 27 of the GDPR, apart from the observation that the violation of the said article was not the subject of the complaint of Mr. July 8, 2020, it must be noted that under said article a data controller who is not not established in the European Union but to which the GDPR applies is required to appoint a representative in the European Union 13 In this regard, the court notes that a possible breach of Article 27 of the GDPR by the company ... does not constitute a violation, as such, of the protection of personal data Mr. ...'s staff, so as not to affect the said data alone. If indeed a violation of article 27 of the GDPR on the part of a data controller is likely to constitute an obstacle for a data subject to the exercise of his rights, the fact remains UNLESS THIS PERSON IS BURDEN OF THE PROOF OF ESTABLISHING WHICH PERSONAL RIGHTS PROVIDED FOR IN THE GDPR it would have been prevented from asserting as a result of this violation of Article 27 GDPR by the responsible for the processing in question. However, as noted above, Mr....remains unable to establish that he would indeed be addressed to the company ... in order to assert its rights under Article 15 of the GDPR, a violation of his rights provided for is therefore not established, so that he cannot rely either of damage by ricochet on its part as a result of a violation by the company ... of article 27 of the GDPR and correlatively due to the lack of opening of an investigation by the CNPD in that Sens. Mr. ... also fails to establish that a possible ignorance of the part of the company ... would have prevented him from asserting his rights under Article 15 of the GDPR directly from her, the automatic response of June 13, 2020 from the latter having indeed included a contact e-mail address in the event of any question relating to the processing of data at personal character by the latter. It follows, in the same order of ideas, that Mr. ... cannot, at this stage, claim damages resulting from a possible breach of Article 27 GDPR by the company ... which would be perpetuated by the act referred in that the CNPD would have refused to intervene in this capacity with the latter. It follows that the absence of an investigation by the CNPD against the said company does not cause no unfortunate consequences in the head of Mr...., nor does it affect the personal situation of the last. As regards the alleged grievance caused by the contested act as a result of it, still at the present time, unlawful processing by the company ... of personal data of Mr. ..., the court notes that a treatment, if necessary still at the present time, of personal data of Mr., does not result, in the absence of a request for erasure of his data with the company ... on behalf of Mr. ... and in the absence of proof of the impossibility of doing so on the part of the latter, not of the act referred, so that this argument is to be rejected for missing in fact. In view of all the above, it should be considered that the letter from the CNPD informing Mr. ... of the fact that she is not continuing to process her complaint and that she will not formulate not, in lieu of the latter, a request in accordance with Article 15 of the GDPR to of the company ... and that it will not sanction the violation of article 27 RGPD by the said company, in the absence of a violation of a personal and direct right of the claimant relating to his data provided to the GDPR, does not constitute an act of such a nature as to adversely affect, that is to say an act likely to produce by itself legal effects affecting the personal or financial situation of Mr...., so that the action brought against him is inadmissible. 14 In view of the foregoing considerations, there is no need to ask the questions preliminary rulings to the CJEU, as proposed by the association ..., whereas, on the one hand, under the terms even Article 78, paragraph (1) of the GDPR provides for a right of appeal against the sole “legally binding” decisions of the competent supervisory authority, this notion is covering with the notion of decision "of such a nature as to adversely affect", respectively, on the other hand, are missing in fact and are, in any event, not relevant to the resolution of this dispute. Regarding the request for the allocation of procedural compensation made by the plaintiff, a request for the allocation of procedural compensation which fails to specify the nature of the sums exposed not included in the costs and which does not specify how it would be unfair to leave these costs to his charge is to be rejected, the simple reference to the article of the law applicable is not sufficient in this regard. For these reasons, the administrative court, fourth chamber, ruling contradictorily; declares itself competent to hear the main appeal for reversal; declares the main appeal for reform inadmissible, therefore rejects it; holds that there is no need to rule on the subsidiary action for annulment; rejects the association's request for procedural compensation ... – ...; orders the association ... – ... to pay the costs and expenses of the proceedings. Thus judged and pronounced at the public hearing of April 21, 2023 by: Paul Nourrissier, vice-president, Emilie Da Cruz De Sousa, judge, Laura Urbany, judge, in the presence of the clerk Marc Warken. s. Marc Warken s.Paul Nourrissier Reproduction certified true to the original Luxembourg, April 21, 2023 The clerk of the administrative court 15