TA Luxembourg - 45717: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| Line 70: | Line 70: | ||
}} | }} | ||
The Administrative Court | The Administrative Court considered, among other things, that a data subject could not prove its original access request and was therefore not adversely affected by the DPA decision to not handle his complaint. | ||
== English Summary == | == English Summary == | ||
| Line 83: | Line 83: | ||
On 16 October 2020, the DPA replied by letter that it had contacted the controller but that without its response it was impossible to proceed. It also repeated that it had no means of action against a US based controller. | On 16 October 2020, the DPA replied by letter that it had contacted the controller but that without its response it was impossible to proceed. It also repeated that it had no means of action against a US based controller. | ||
The data subject, represented by ''noyb'', appealed this decision of the DPA to the administrative Court (hereafter the Court) to have the DPA's letter reversed or annulled. He considered that he had a standing to act under [[Article 78 GDPR|Article 78 GDPR]], especially since his data was still present on the controller's site. He argued he was therefore damaged by the DPA's decision not to pursue with his request. The data subject also argued that the DPA had violated [[Article 77 GDPR|Article 77 GDPR]]. | The data subject, represented by ''noyb'', appealed this decision of the DPA to the administrative Court (hereafter the Court) to have the DPA's letter reversed or annulled. He considered that he had a standing to act under [[Article 78 GDPR|Article 78 GDPR]], especially since his data was still present on the controller's site. He argued he was therefore damaged by the DPA's decision not to pursue with his request. The data subject also argued that the DPA had violated [[Article 77 GDPR|Article 77 GDPR]]. Finally, he explained that the controller did not provide a copy of his access request, reason why he could not provide this document. | ||
=== Holding === | === Holding === | ||
Revision as of 13:23, 10 May 2023
| TA Luxembourg - 45717 | |
|---|---|
 | |
| Court: | TA Luxembourg (Luxembourg) |
| Jurisdiction: | Luxembourg |
| Relevant Law: | Article 15 GDPR Article 27 GDPR Article 57(1)(f) GDPR Article 77 GDPR Article 78 GDPR Article 79 GDPR |
| Decided: | 21.04.2023 |
| Published: | 01.05.2023 |
| Parties: | |
| National Case Number/Name: | 45717 |
| European Case Law Identifier: | LU:TADM:2023:45717 |
| Appeal from: | CNPD |
| Appeal to: | Unknown |
| Original Language(s): | French |
| Original Source: | CNPD (in French) |
| Initial Contributor: | n/a |
The Administrative Court considered, among other things, that a data subject could not prove its original access request and was therefore not adversely affected by the DPA decision to not handle his complaint.
English Summary
Facts
A data subject found that an American company (controller) had collected personal data about him and was marketing it on its website. The data subject contacted the controller about this, who responded with an automated message asking him to fill in an identity verification form in order to process his request.
On 8 July 2020, the data subject requested the Luxembourg DPA to order the controller to comply with his request. He believed that the controller had violated Article 15 GDPR for not handling his access request correctly and 27 GDPR for not having an establishment in the EU. The DPA asked the data subject to provide correspondence with the controller.
In August 2020, the DPA informed the data subject that it would no longer deal with his request as the controller was US based and the DPA therefore had no power to impose measures under the GDPR. The data subject insisted that the controller offered services on the internet and that a simple search via a search engine would find his personal data on the controller's website. He also asked why the DPA felt it did not have the authority to investigate in the US.
On 16 October 2020, the DPA replied by letter that it had contacted the controller but that without its response it was impossible to proceed. It also repeated that it had no means of action against a US based controller.
The data subject, represented by noyb, appealed this decision of the DPA to the administrative Court (hereafter the Court) to have the DPA's letter reversed or annulled. He considered that he had a standing to act under Article 78 GDPR, especially since his data was still present on the controller's site. He argued he was therefore damaged by the DPA's decision not to pursue with his request. The data subject also argued that the DPA had violated Article 77 GDPR. Finally, he explained that the controller did not provide a copy of his access request, reason why he could not provide this document.
Holding
First, the Court considered that the data subject only submitted the controller's automatic reply and not the rest of the correspondence, which prevented the Court from knowing the content of his request.
Second, with regard to the handling of the complaint, the Court considered that the DPA requested additional information from the data subject and communicated with him by email. It also provided explanations for not pursuing its examination. It therefore de facto dealt with the complaint and did not violate Article 77 GDPR. The Court added that Article 57(f) GDPR does not impose on the DPA an obligation to open an investigation or use its enforcement powers as soon as a controller is the subject of a complaint.
The Court therefore considered that the case had to be analysed under Article 78 GDPR. In this respect the court considered that the DPA letter informing the data subject that it would not initiate proceedings against the controller was not directly affecting the personal and financial situation of the data subject. Since the data subject did not provide enough documents to prove his request to the controller, his complaint with the DPA was limited to asking the DPA to request in his place information under Article 15 GDPR. According to the Court, the data subject retained his rights under Article 15 GDPR, thus, he did not suffer any damage from the refusal of the DPA.
The Court added that under Article 79 GDPR, a prior referral to the competent supervisory authority is not a condition to obtain compensation for damages resulting from the violation of data protection.
Third, regarding the violations by the controller, concerning Article 27 GDPR, the Court considered that the fact that the controller did not have an establishment in the EU did not constitute a violation of the data subjects right to data protection but could only constitute an obstacle to the exercise of his rights. As for Article 15 GDPR, the Court considered that the data subject did not prove that he was prevented from exercising his rights. The automatic response of the controller indeed included an email address he could have contacted. According to the Court, it implied that the data subject could not rely on a violation of Articles 15 and 27 GDPR which would be perpetuated by the refusal of the DPA to intervene.
In conclusion, the Court held that the refusal of the DPA to intervene did not cause a violation of a personal right of the data subject. The action was therefore inadmissible for lack of standing.
Comment
noyb is now considering the possibility to appeal this decision.
A positive point of this decision is that the Administrative Court declared itself competent to reverse/review the DPA decision and not only to annul it.
It however appears that the Luxembourg Administrative Court considers that a data subject must exercise his rights (and prove it) under Article 15 GDPR to be impacted by a DPA decision to refuse to act on his complaint and therefore have an interest in an appeal proceeding. This consideration does not seem to align with Article 77 GDPR which provides a right to lodge a complaint with a supervisory authority without prejudice to any other administrative or judicial remedy. Indeed, this article does not condition this right to the prior exercise of data subject's rights.
It is surprising that the Court did not consider that the data subject had an interest even though the latter's personal data was still available on the controller's website.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Administrative Court No. 45717 of the role
of the Grand Duchy of Luxembourg ECLI:LU:TADM:2023:45717
4 bedroom Listed March 1, 2021
Public hearing of April 21, 2023
Appeal filed by
the association under Austrian law ... – ..., (…),
against a courier from
National Commission for Data Protection, Belvaux,
in terms of data protection
______________________________________________________________________________
JUDGEMENT
er
Having regard to the request entered under number 45717 of the roll and filed on March 1, 2021 at the registry
of the administrative court by Maître Catherine Warin, lawyer at the Court, registered in the table of
the Luxembourg Bar Association, on behalf of the association under Austrian law ... – ..., established and
having its registered office at AT-… (Austria), …, registered in the Austrian register of associations
(Zentrales Vereinsregister) under number …, represented by its “Vorstandsvorsitzender”
currently in office and mandated by Mr...., residing at L-..., the said association
taking up residence at the office of his litigant located at L-2763 Luxembourg, 10, rue Sainte Zithe,
seeking the reversal, if not the annulment, of a decision, thus qualified, of October 16, 2020
the National Data Protection Commission (“CNPD”), a public institution,
registered in the Luxembourg trade and companies register under number J52, established at L-
4370 Belvaux, 15, boulevard du Jazz, represented by its college of commissioners currently
in office, informing Mr. ..., of his refusal to continue processing his complaint of
July 8, 2020;
Considering the exploit of the judicial officer Carlos Calvo, residing in Luxembourg, of March 4
2021, bearing service of the said request to the CNPD, prequalified;
Constitution of a lawyer at the Court Maître Elisabeth Guissart, lawyer at the Court, registered
on the roll of the Luxembourg Bar Association, in the name and on behalf of the CNPD,
prequalified, filed with the registry of the administrative court on March 16, 2021;
Having regard to the memorandum in response filed at the registry of the administrative court on June 3, 2021 by
Maître Elisabeth Guissart in the name and on behalf of the CNPD, prequalified;
Having regard to the brief in reply filed at the registry of the administrative court on July 2, 2021 by
Maître Catherine Warin in the name and on behalf of the association under Austrian law ... – ...,
prequalified;
Having regard to the memorandum in rejoinder filed at the registry of the administrative court on September 28, 2021
by Maître Elisabeth Guissart in the name and on behalf of the CNPD, prequalified;
1 Having regard to the documents adduced in question and in particular the contested act;
The judge-rapporteur heard in his report, as well as Maître Catherine Warin and Maître
Elisabeth Guissart in their respective pleadings at the public hearing of November 8, 2022.
__________________________________________________________________________
After noting that the company governed by American law ..., carrying out its activities under the
denomination "...", hereinafter referred to as "the company..." had collected data of a
personal on his person in order to market them on his website https://....io, Mr.
contacted the said company on this subject and was sent by the latter an email dated June 13
2020 asking him to complete an identity verification form in order to allow the processing of
his request, while also referring to the “Privacy Policy” of said website.
On July 8, 2020, Mr. ... lodged a complaint with the Commission
National Data Protection Authority, hereinafter referred to as “the CNPD”, requesting it to intervene
with the company... so that the latter responds to its request in accordance with the regulations
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and to the free
movement of such data, and repealing Directive 95/46/EC (general regulation on the protection
data), hereinafter referred to as “the GDPR”.
By email of July 28, 2020, the CNPD asked Mr. ... to send it any
correspondence with the controller of the company ..., in particular the email containing
their request for access and specific information, the automatic response to this request, as well as
as well as any correspondence subsequent to the submission of his complaint. By email from
same day, Mr. ... informed the CNPD that the company ... would be an American company, affirmed
appended the requested documents to his complaint of July 8, 2020 and asked the CNPD to
check receipt.
By e-mail of August 1, 2020, Mr.... further informed the CNPD that the company... would not have
not appointed a representative in the European Union, that he would judge the request of the said company
in their email of June 13, 2020 to sign the form and provide them with details as to
the identification of his disproportionate person and that he would no longer have had any correspondence with
said company since their email of June 13, 2020.
By email of August 13, 2020, the CNPD informed Mr...., after an initial review of
his complaint of July 8, 2020 and referring to recital number (166) of the GDPR, that
taking into account the fact that the company ..., the data controller
disputed, would be established in the United States and therefore outside the European Union, it would be impossible for him
to pursue his claim, whereas, while having the possibility of communicating with said
society, the CNPD would not have the power to impose actions on it to improve its
data protection practices.
Emails of August 13 and 23, 2020, Mr...., while indicating that the company...would offer
services via the Internet and that a simple search via a search engine would make it possible to
find his personal data on the site of the said company for commercial purposes, requested the CNPD
2to "explain [his] means of action", as well as the reason why the CNPD would have arrived
to the conclusion that it did not have the necessary authority to investigate in the United States and
to what extent this incapacity would be related to the facts on the basis of his complaint.
By letter dated October 16, 2020, the head of the CNPD's complaints department confirmed to
Mr. ... his impossibility to continue processing his complaint of July 8, 2020, said
letter being worded as follows:
“(…) The National Commission for Data Protection (CNPD) is up to your
complaint of July 8, 2020 relating to your request for access to your personal data
personnel processed by the “....io” site.
As indicated in our previous letter dated September 18, 2020, the CNPD has taken
contact with the controller in order to try to resolve the issue raised
by your complaint, in this case the sending of an automated form in response to your
request access.
We inform you that this contact unfortunately remained unanswered.
We therefore regret to inform you that, subject to a possible return
later from the controller of which we would keep you informed, we consider that it
it is impossible for us to effectively pursue the processing of your complaint.
Indeed, as already mentioned in our previous answers of 13 July and 18
September 2020, the CNPD has no means of action against a manager of the
treatment established on the territory of the United States of America having no establishment on the
territory of the European Union (EU) or not having designated a representative in the EU under
of Article 27 of the GDPR. Indeed, in these cases, it is impossible for him to enforce the
provisions of the GDPR on the territory of the United States of America. (…)”
By motion filed with the administrative court on March 1, 2021, the legal association
Austrian ... – ..., hereinafter referred to as "the association ...", mandated for this purpose by Mr ...
by a representation agreement signed on November 16, 2020, brought an appeal
tending to the reform if not the cancellation of the aforementioned letter from the CNPD of October 16, 2020.
In its memorandum in response, the CNPD first raises the lack of jurisdiction ratione
matter of the administrative tribunal to hear the appeal lodged against the act referred, on the grounds
that this would not constitute a decision-making administrative act adversely affecting Mr. ...
having, in this same order of ideas, no personal interest in acting.
In its reply and with regard to the jurisdiction ratione materiae of the
administrative court to hear the appeal under consideration, the association ... argues that the
CNPD's refusal to process Mr. ...'s complaint would be all the more problematic as
violations of the rights of the latter would still be relevant, his profile on the site of the said
company being always online. It would therefore be totally false for the CNPD to assert that its
decision, thus qualified, not to pursue the processing of Mr. ...'s request would not
3no complaint to the latter, the latter having a fundamental right to the protection of his data
and to have his complaint dealt with diligently by the CNPD. The refusal of such treatment and the act
undertaken would therefore fall within the scenario envisaged by Article 78 of the GDPR, this
provision, detailing the right of effective remedy already enshrined in Article 47 of the Charter of
fundamental rights of the European Union, hereinafter referred to as "the Charter", would allow a
such an act would cause harm and should be able to be challenged in court.
In this context, it further argues that Article 28(4) of Directive
95/46/EC of the European Parliament and of the Council of 24 October 1994 on the protection of
natural persons with regard to the processing of personal data and to the free
circulation of this data, hereinafter referred to as “Directive 95/46/EC”, repealed and replaced
by the GDPR, would also have provided for a right of judicial appeal against “the decisions of
the supervisory authority complaining”, the wording of Article 78 of the GDPR being clearly intended
more open and opening up a remedy to any person whose claim has been rejected or refused
by the supervisory authority. The association also recalls that according to recital number
(143) of the GDPR, said regulation would require that the right to an effective remedy be materialized in
an appeal to a court with full jurisdiction, which is why the
Luxembourg legislator would have provided for an appeal for reversal against the decisions of the
CNPD. The association ... also notes that the judgment of the Court of Justice of the European Union of
6 October 2015, C-362/14, Schrems v Data Protection Commissioner, hereinafter referred to as
“the CJEU”, respectively “the Schrems I judgment”, would precisely concern the case of an individual
including the complaint relating to the cessation of the transfer by the Facebook site of its data to the United States
United, would have been rejected by the Irish supervisory authority. The person whose data
would have been targeted would have appealed against this decision before the Irish judge for
request the examination of his case, which would have asked a preliminary question to the CJEU tending to
whether a person whose complaint has been processed and rejected without foundation by the authority
National Supervisory Authority, would have the right to challenge such a decision before the courts
national.
The association ... adds that the thesis put forward by the CNPD would be untenable given
of the difference in treatment thus created between a national procedure and a procedure
cross-border, the latter generating, in accordance with Articles 56, paragraph (1) and 60 of
GDPR, a cooperation mechanism, in which the authority where the main establishment is located
would adopt a decision addressed to the data controller, while the authority having received
the complaint would address its decision to the complainant, the reason being, according to the doctrine, that it would be
to guarantee the fundamental right of anyone who has lodged a complaint with their authority
national control, to introduce an effective remedy against a decision which would not give him
satisfaction. This right would, among other things, be recognized by Article 78 of the GDPR which would provide for such
appeal, Article 60 of the same regulation providing for the systematic communication of the decision
to the author of the complaint, so that the latter can bring legal proceedings against the
decision of total or partial rejection. The association ... therefore concludes that the contested act adversely affects
and would thus also be subject to appeal, referring, in this context, moreover, to its
developments in relation to the right to an effective remedy contained in its originating application
of instance.
4 In this context, the association ... takes up articles 47, paragraph (1) and 8 of the Charter,
as well as Article 78, paragraph (2) of the GDPR, read in the light of recital (143) of the GDPR,
to conclude that any decision adopted by the CNPD in the exercise of its powers, in particular
in the context of the processing of complaints within the meaning of Article 77 of the GDPR, should be able to
the subject of a full court appeal.
It then considers that the judgment of the CJEU of July 16, 2020, Data protection
Commissioner against Facebook Ireland and Schrems, C-311/18, hereinafter referred to as “the judgment
Schrems II”, would have clarified the extent of the obligations of national data protection authorities.
data and would have held that the supervisory authority should proceed with the processing of complaints
with all due diligence and that recital (141) of the GDPR would refer to the right to
effective judicial remedy within the meaning of Article 47 of the Charter in cases where the authority of
control would have failed to act, even though action would be necessary to protect
the rights of the data subject. These principles would also be transposed into Article 55 of
the law of August 1, 2018 on the organization of the National Commission for the Protection of
er
data and the general data protection regime, hereinafter referred to as "the law of 1
August 2018”, which would provide for an appeal against the decisions of the CNPD, as well as
Articles 7 and 9 of the CNPD's internal regulations relating to complaints, which would provide
expressly the obligation of the latter to notify its decisions of classification or closure
to the claimant by indicating the remedies under Article 78 of the GDPR and 55 of the law of
August 1, 2018.
In his reply and as to his right to an effective remedy against the decision
referred, the association ... further argues that the CNPD itself would announce on its website
that people who are not satisfied with the follow-up given by the latter to a complaint
addressed to him would be entitled to seize the administrative court and that under the principle of
legitimate reliance and in view of the demonstration that Mr....would not be satisfied, in this case,
of the follow-up given by the CNPD to his complaint, it should be allowed to exercise his
recourse rights.
With regard to the position of the CNPD according to which the appeal would only be
admissible in the event of a lack of processing of the complaint, respectively of a
absence of information from the complainant on the progress or the outcome of his complaint,
the association ... argues that the CNPD would itself admit not to comment on
the applicability of the GDPR to the practices denounced by Mr. ..., so that upstream of the
question of the obligation of the CNPD to take sanctions or corrective measures in the event of
violation of the GDPR, it should be noted that the CNPD would not have processed the complaint of
Sir ....
In this context, the association ... points out that the CNPD invokes, in the act referred,
Article 54, paragraph (4) of the GDPR to indicate that it could refuse to act on a
manifestly unfounded or excessive claim and that, even if at the litigation stage it would not
more on this basis than the CNPD argues to have closed its intervention, this mention, in the
the act referred, would demonstrate that the CNPD would conceive its letter of October 16, 2020 as a
refusal to deal with Mr. ...'s complaint, so as to fall within the scope of
GDPR Article 78.
5 In any case, the CNPD would make a particularly limited reading of the right to a
effective remedy enshrined in Article 47 of the Charter in the context of the implementation of the
GDPR, while the terms of recital (143) of the same regulation demonstrate that this does not
would not be the only failure to process the complaint, which is the case in this case, but also the
rejection or denial of a complaint which would give rise to the right to an effective remedy. A different reading
of this article would deprive individuals of their fundamental right to data protection and of a
recourse within the meaning of Article 47 of the Charter, the association ... considering, in this context, that such
analysis would, moreover, be confirmed in particular by the Schrems I and II judgments, as well as by the
doctrine.
Finally, the association ... proposes the referral of two questions for a preliminary ruling to the CJEU
on the basis of Article 267 of the Treaty on the Functioning of the European Union, hereinafter referred to as
by “the TFEU”, worded as follows: “2.1. Article 78 (1) and (2) of the GDPR, and/or Article 47
of the Charter of Fundamental Rights, open an appeal against a decision of a competent authority
of control not to pronounce on the applicability of the GDPR in the context of a
claim ?
2.2. Article 78 (1) and (2) of the GDPR, and/or Article 47 of the Bill of Rights
fundamental principles, open an appeal against a decision of a supervisory authority not to
adopt a binding decision following a complaint against a company subject to the
GDPR and who has not appointed a representative under Article 27 of the GDPR or fully
responded to the complainant's request for access within the meaning of Article 15 of the GDPR? »
In his memorandum in reply, with regard to the cause of action of Mr. ...,
the association ... further argues, in the context of its developments in relation to the facts and
retroactions at the basis of the dispute under examination, that Mr. ... would have addressed to the company ... on the basis
of article 15 of the GDPR by means of a computer form on the website of this
the latter by asking him “to provide him with all the information that he [would] be entitled to
request under these provisions. », without a copy of his request for access having
was subsequently sent, so that it would have been impossible to communicate a copy to
the CNPD, respectively in the context of the appeal under exeren. It specifies, referring to the
emails from Mr. ... to the CNPD of July 28 and August 1, 2020, that he would have, moreover,
indicated to the CNPD that the company ... would have asked him "to sign documents and details not
commensurate with his request. In response, the company ... allegedly sent an email with "some
vague information" and a reference to its "Privacy Policy". The association ... further emphasizes that
the request to the company ... could only have been made through one of the two options offered by the
computer link contained in said email, or the individual could object to the processing of
his data, or he could request access to a copy of his data, the use of these
forms are only possible if you indicate the URL of the professional profile on the site of
the company ... and by entering its e-mail address, an approach which the CNPD could have realized
without having to consult another document, once it has inquired about the terms and conditions
exercise of the right of access, as would appear from a document submitted by the latter and entitled
""Request Access to Collected Data" page of the ....io website (consulted on March 15, 2021)".
6 The automatic response returned by the company ... would also refer to the “Privacy
Policy” that the CNPD could have analyzed without having to go to the United States.
To date, Mr. ... still does not know the exact origin of the data processed at
his subject by society ... and would always consider that they would be treated illegally,
the association ... referring, in this context, to a statement of January 8, 2021 from the website
Linkedin and entitled “An update on report of scraped data”, according to which the activities of
"scraping" would violate their terms and conditions, so Mr.... would speculate
reasonable that it would be by exploiting information found on said website that the
company … would have cross-checked his data.
The association ... specifies, moreover, that it could not have escaped the CNPD that the said
"Privacy Policy" of the company ... would only provide information on the data of the
users of its services, so that the reference to said "Privacy Policy" would not allow
respond satisfactorily to the request of Mr....
With regard to the subject of Mr. ...'s complaint of July 8, 2020 and entitled
"Subject of the complaint", the association ... argues that it would have indicated to the CNPD that the
company ... would not have provided him with the necessary information relating to data processing
concerning him, would not have responded to his request for access to his data
personal data in violation of articles 12 and 15 of the GDPR, would have transmitted his personal data
to third parties, would have proceeded to an excessive collection of his personal data violating the principle
minimization of data provided for in Article 5, paragraph (1), point c) of the GDPR, as well as the
principle of legality provided for in Article 6 of the same regulation and would not have respected his right
of opposition, so that it would be impossible to follow the argument of the CNPD aimed at limiting
the subject of Mr. ...'s complaint to his request for access to data and the non-compliance by the
company ... of Article 15 of the GDPR.
Regarding the CNPD's reproach that Mr. ... would not, as invited to do so,
contacted the company ..., the association ... argues that it would not be disputed that this invitation
would have been valid only to obtain a copy of Mr. ...'s data, which the latter would not have
asked. It would even be "pungent" to reproach him for such a lack of collaboration, when the
company ..., by sending only automatic replies, would have clearly failed in its obligations.
She further argues that although Mr. ... would not be an infallible individual, he
would nevertheless have a fundamental right to the protection of his private life and his data
personal, being, moreover, a citizen who would be interested in the way in which his data
personal data would be processed and who would be concerned about the collection and processing of said
data contrary to the GDPR by the company ..., the fact that he would have made 12 complaints to
the CNPD, or that he would have appealed to the Ombudsman in another case confirming this.
The association ... wonders, in this context, what the CNPD would like to demonstrate by doing
status of the activities of Mr. ... and whether he would be criticized for being a protection-conscious citizen
of his rights. As for the reproach addressed to Mr. ... of wanting to defend the general interest,
the association ... replies that it would be the mission of the CNPD to do this, but that in three years
application of the GDPR, the latter would not have adopted any decision against a
7organization and that it was only recently, in June 2021, that it would have published 19
decisions on its website.
The association ... further argues that the CNPD seems to reproach Mr. ... for having
filed a complaint without having resolved "his question" directly with the company ..., whereas,
not only would the GDPR not make the filing of a complaint conditional on contact
with the data controller, but that this contact would have taken place in this case. SO
that the CNPD would have confirmed itself that it had not received a response from the company ..., it
cannot be reproached either to Mr. ... for not having insisted more with
the latter.
In any case, the association ... criticizes the fact that the CNPD, after having tried without
success in obtaining information from the company ..., would not have obtained answers to
its requests and would have motivated the decision referred by a lack of "prospect of
collaboration of the controller" while informing Mr. ... of his impossibility
to “effectively continue” the processing of his file to lack the means of action
due to the absence of an establishment in the European Union of the company ... or
representative under Article 27 of the GDPR.
After having identified the context of the request addressed to the company ..., as well as the subject of its
complaint, the association ... further affirms, with regard more specifically to the interest in bringing proceedings
of Mr. ... as a result, that the latter would have a personal interest in lodging a complaint
relating to the processing of his personal data and that, for the same reason, he would have a
interest in taking action against the decision, thus qualified, of the CNPD refusing to follow up on the said
claim.
In this context, she considers that Mr. ... should not have to demonstrate the
“adverse consequences” that the disputed decision would have caused him, when he was
surprising that the violation of a fundamental right would not seem in itself to constitute a
unfortunate consequence for the CNPD, which allegedly failed in its duty of care in its
regard, which would establish its cause of action.
As for the various aspects of the interest to act of Mr. ... to see reform if not
annul the decision referred, the association ... considers that the latter would have a personal interest and
directly, because the decision referred would relate to a complaint lodged by him and would be
relating to the violation of his fundamental rights. The interest would still be effective, born and current, then
that the CNPD would have refused to shed light on violations of his fundamental rights by the
company .... At the very least, Mr. ...'s interest in acting would consist in the fact that the judgment
of the administrative court noting the violation by the CNPD, respectively by the company ... of
their fundamental rights protected by the Charter and the GDPR, would then allow them to seek
the responsibility of the perpetrators of these violations before the civil courts, the association ...
further recalling, in this context, that according to Article 82, paragraph (1) of the GDPR, any person
having suffered material or moral damage as a result of a violation of the said regulations would have the right
to obtain compensation from the controller or subcontractor for the damage suffered, the CNPD
being, on its part, a public legal entity, liable to be held liable
on the basis of the amended law of 1 September 1988 relating to the civil liability of
8the State and public authorities. Finally, Mr. ...'s interest in acting would still be legitimate in
what he would do to protect his fundamental rights enshrined in the Charter and the GDPR.
The association also emphasizes that the right of access would constitute the cornerstone for the
protection of the rights of individuals, while without full access to their data and
information surrounding the processing thereof, it would be impossible for them to exercise all of the
other rights that the GDPR would confer on them, such as the right of opposition, erasure,
rectification and the right to compensation, as also recalled by the protection authority
Belgian data in a decision 15/2021 of February 9, 2021.
Again relying on a piece entitled "Profile of Mr. ... on ...", the association
... insists, moreover, on the fact that the data of Mr. ... would always be processed by the
company ..., without legal basis and without providing the requested information, or beforehand,
in accordance with article 12 of the GDPR, nor at his request, in accordance with article 15 of the same
regulation.
With regard more specifically to the cause of action of Mr. ... in relation to the
refusal of the CNPD to investigate against the company ... because of a violation by the latter of
Article 27 of the GDPR, the association ... considers, in its reply brief that even a
provision of a regulation that does not expressly provide for an “individual right” could be
invoked by an individual if it was sufficiently clear and precise. By grabbing a stop
the CJEU of June 7, 2016, Ghezelbash v. Staatsecretaris van Veiligheid en Justitie, C- 63/15
relating to Regulation (EU) No 604/2013 of the European Parliament and of the Council of 26 June 2013
establishing the criteria and mechanisms for determining the Member State responsible for the examination
an application for international protection lodged in one of the Member States by a
third-country national or a stateless person, it argues that the individuals concerned by the implementation
implementation of the determination criteria provided for in said regulation could invoke its provisions
related regulations.
There would therefore be no reason that Mr. ... could not invoke, in this case the
misapplication "by the CNPD" of Article 27 of the GDPR, especially since Mr.
... allegedly asked him to order the company ... to comply with the provisions of that article. In
because the CNPD would hide behind this violation by the controller
in order not to act, the association ... notes, in this context, the bad faith of the CNPD which, on the one hand,
part, would use the absence of a representative of the company ... to decide not to deal with the
claim of Mr. ..., and, on the other hand, would claim, in its memorandum in response, that the fact
that the said company would not have appointed a representative would not have prevented Mr. ... from
able to communicate effectively with it.
Thus, the primary purpose of Mr. ... would not be to ensure that the company ... appoints a
representative in Europe, but that this company respects its fundamental rights, the violation of
Article 27 GDPR, as indicated by the CNPD itself, preventing this objective from being achieved.
In the alternative, the association ... proposes to ask two preliminary questions to the
CJEU on the basis of Article 267 TFEU worded as follows: “4.1. GDPR Article 27
should it be interpreted as allowing a national authority seized of a complaint
9against a data controller to refuse or reject this complaint on the grounds that this
controller does not have an establishment or a representative in the Union?
4.2. Should Article 27 of the GDPR be interpreted as meaning that it can be invoked by a
individual seeking to challenge the denial or rejection of their complaint by a national authority
of control, when the data controller is manifestly in violation of this
provision in the sense that it has no establishment and no representative in the territory of
The union ? »
Court analysis
Before any progress in question, the court notes that, following the repeal of the directive
er
94/65/EC, the organization of the CNPD results from the law of August 1, 2018, adopted on the basis of the GDPR,
so that the question of the applicability or not of the GDPR to the merits of this case does not
not have any consequence with regard to the jurisdiction of the court hereby to hear
decisions adopted by the CNPD. Indeed, the GDPR, a community regulation in essence
of direct application under article 288 TFEU, provides for the establishment of
of control in the Member States, and therefore constitutes the framework legislation, to which
moreover the law of August 1, 2018, on the basis of which the CNPD was organized, so that the
provisions of the GDPR relating to the organization, mission and decisions of the CNPD are, in
in any event, applicable.
As regards the question of an effective remedy offered by the GDPR against the various
types of decisions, either refusal to process a complaint, or rejection of said complaint,
emanating from a national supervisory authority, such as the CNPD, it must be noted that at the
terms of article 55 of the law of August 1, 2018 “An appeal against the decisions of the CNPD
taken in application of this law is open to the Administrative Court which decides
as trial judge. ", said provision not distinguishing the type of decisions of the CNPD
subject to appeal and therefore including a priori any decision emanating from the latter to
condition to grieve.
It follows that the court has jurisdiction to hear the appeal for reversal brought
principally.
There is therefore no need to rule on the subsidiary action for annulment.
An individual administrative act, to meet the qualifier of administrative decision
and therefore to be subject to appeal before the administrative courts, must also
constitute a real decision of such a nature as to adversely affect, that is to say an act likely to produce
by itself legal effects affecting the personal and financial situation of the person who
claim.
In this context, the court notes that in order to determine the adverse effect of
the act referred, it is first necessary to identify the subject of the complaint addressed by Mr. ... to the
CNPD, the CNPD's response, as well as the appeal under analysis.
1
Trib. Adm., 25 January 2010, No. 25720 of the roll, available at www.ja.etat.lu
10 With regard, first of all, to the subject of the complaint of 8 July 2020 lodged by
Mr. ... with the CNPD, the court must find that no concrete element relating to the
request made to the company ... on the part of Mr. ... has not been submitted to his analysis,
even though this request underlies the alleged violations of the GDPR denounced by
Mr. ... in the context of his complaint to the CNPD of July 8, 2020. The association ...
in fact, only submits in support of its appeal the generic response automatically sent to
Sir ... by the company ..., thus leaving the court unable to know the content
exact request to which it responds.
With regard to the subject of Mr. ...'s claim, the court further finds
that it appears from the latter, that he submitted his complaint on July 8, 2020 within the
following terms: “(…) Subject of the complaint: - did not provide me with the necessary information
relating to the processing of personal data concerning me – did not respond to my
request for access to personal data concerning me – has transmitted my personal data
to third party(ies) – collected excessively my personal data – Did not comply
my right of opposition (e.g. canvassing) (…)”.
As regards the nature of the act referred, the court must note that, unlike
to the developments of the association ..., the CNPD did not refuse to deal with the complaint of
Sir ... in violation of Article 77 of the GDPR according to which "1. Without prejudice to any
other administrative or judicial remedy, any data subject has the right to lodge a
complaint to a supervisory authority, in particular in the Member State in which
finds his habitual residence, his place of work or the place where the violation is alleged to have been committed, if
it considers that the processing of personal data concerning it constitutes a
violation of this regulation. 2. The supervisory authority with which the complaint was filed
lodged informs the author of the complaint of the progress and the outcome of the complaint,
including the possibility of a legal remedy under Article 78.”.
Indeed, it is constant in question to emerge from the documents tendered to the debate and not to
be contested by the parties, that the CNPD, by email of July 9, 2020, acknowledged receipt of the
complaint from Mr. ... of July 8, 2020, a, during email exchanges dated July 28
2020 and August 13, 2020, requested additional information and documents from the latter,
informed that it would process his complaint, and informed him, by letter dated October 16, 2020, of
the lack of further examination of his complaint by providing him with explanations
detailed, this finding not being irritated by the reference, in the letter referred, to Article
54, paragraph (4) of the GDPR which relates to the refusal to process a complaint, the CNPD having,
as noted above, de facto handled the complaint of Mr. ....
In this context, the court also finds that, as rightly noted by the
CNPD, the competent supervisory authorities referred to in the GDPR, have, pursuant to Article 57,
point f) of the GDPR, as well as article 8, point 6) of the law of August 1, 2018, certainly, for mission
to process complaints lodged by a data subject, to investigate the subject of the
complaint, to the extent necessary, and to inform the author of the complaint of the state
progress and outcome of the investigation within a reasonable time, in particular if additional
investigation or coordination with another supervisory authority is necessary, the powers of which
11it provides for this purpose being provided for in Articles 58 of the GDPR and 12 to 14 of the law of 1 August 2018,
without there being any obligation on their part to open an investigation or to use
of their binding powers against any data controller who is the subject of a
complaint, the merits of the complaint being in essence the trigger for
the use of the powers of the CNPD and the act of processing the request that may result from the
simple examination of the complaint lodged.
The court then notes that Article 78 of the GDPR provides for recourse against two types of
decisions of the competent supervisory authority, such as in this case the CNPD, paragraph (1)
providing that "Without prejudice to any other administrative or extrajudicial remedy, any
natural or legal person has the right to seek an effective judicial remedy against a
legally binding decision of a supervisory authority which concerns it.”, paragraph
(2) providing that “Without prejudice to any other administrative or extrajudicial remedy, any
data subject has the right to an effective judicial remedy when the authority of
control which is competent under Articles 55 and 56 does not deal with a complaint or
does not inform the data subject, within three months, of the progress or
the outcome of her complaint under Article 77.”
Insofar as, as stated above, Mr. ... cannot rely on a grievance
caused by the act referred on his part, due to a refusal to process his complaint by the
CNPD in violation of Article 77 GDPR, it follows that the analysis of the alleged grievance caused by said
act must necessarily fall within the scope of paragraph (1) of Article 78 of the GDPR, the
CNPD not having opened an investigation with regard to the company ... following the complaint of Mr.
....
With regard then to the subject-matter of the present appeal, the subject-matter of an appeal being, in a manner
general, consisting of the result that the plaintiff intends to obtain, it is necessary to note
that, according to the operative part of the motion to institute proceedings, the association ... intends to reform
the deed referred so that the CNPD continues to examine Mr. ...'s complaint with regard to
concerns the company's non-compliance ... with articles 15 and 27 of the GDPR, so the question
grievance caused by the act referred is necessarily limited to this request, any debate relating to
other possible violations on the part of the company ..., being therefore irrelevant at this stage
to the extent that such violations relate to the merits of the dispute.
In this case, it must be noted that the letter from the CNPD of October 16, 2020 informing
Sir...that she would not sue the company...is not likely
to directly affect the personal and patrimonial situation of Mr.... Indeed, such as
noted above and following the example of the developments of the CNPD, Mr. ... remained in default
to provide proof of having asserted its rights with the company .... Faced with the impossibility for
the CNPD and the court to verify the existence of a request presented by Mr. ... to the company
..., as well as the defective nature of the response given thereto by the said company, the claim of
Mr. ... of July 8, 2020 boils down to asking the CNPD to ask, in its place, the company ... the
confirmation of the information provided for in Article 15 of the GDPR.
2
Trib. Adm. October 27, 2004, No. 17634, No. Adm. 2022, V° Contentious procedure, n°372 and the other references therein
quoted
12 This observation is not upset by the developments of Mr. ... who insisted on establishing
the impossibility on his part to produce proof of the request made to the company
… in that he would not have received any copy of his request sent by online form on the site
….io, whereas, as rightly noted by the CNPD, the automatic response sent by the
company ... included an email address to which Mr. ... could have sent his request to the
with regard to Article 15 of the GDPR and thus provide themselves with proof of their own procedures.
While Articles 57, paragraph (1), point a) and (4) of the law of 1 August 2018 provide, admittedly,
that the CNPD is responsible for controlling and verifying whether the data subject to processing is
processed in accordance with the GDPR, the fact remains that this authorization to act
leaves intact the right to act of the applicant himself, who is not dependent in this respect on a decision
of the CNPD to use its rights provided for in Article 15 of the GDPR and to formulate a first
request to this effect from the data controller, so that the CNPD's refusal to
formulate, in place of Mr. ..., a request within the meaning of Article 15 of the GDPR to the company ...
did not cause any grievance affecting the personal situation of Mr. ....
This observation is also not irritated by the developments of the association ... next
which the GDPR would not provide for any initiative to be taken by the data subject with a
controller prior to referral to the competent supervisory authority, then
whereas, on the contrary, it follows from the very terms of Article 15 of the GDPR that the obligation provided for therein
on the part of the data controller consists of a "confirmation" of the
information referred to therein which can only necessarily occur at the express request of the
concerned person.
This observation is also not irritated by the developments of the association ...
in relation to the interest of Mr. ... to have the referred act reformed or annulled in order to
allow the company to be sued ... under Article 82 of the GDPR. Indeed, it results from
Article 79, entitled “Right to an effective judicial remedy against a controller
or a processor”, paragraph (1) of the GDPR that “Without prejudice to any administrative remedy
or extrajudicial procedure open to him, including the right to lodge a complaint with a
supervisory authority under Article 77, each data subject has the right to a remedy
effective jurisdiction if it considers that the rights conferred on it by this Regulation have been
violated due to the processing of his personal data carried out in violation of this
regulation.”. Thus, compensation for damage resulting, where applicable, from a violation of the rights
to the protection of the personal data of a data subject is neither conditioned
by prior referral to the competent supervisory authority, such as the CNPD, or by a decision
of the latter sanctioning such a violation, so that this argument is factually lacking.
With regard, then, to the lack of implementation of its powers by the
CNPD in order to put an end to a possible violation by the company ... of article 27 of the GDPR,
apart from the observation that the violation of the said article was not the subject of the complaint of Mr.
July 8, 2020, it must be noted that under said article a data controller who is not
not established in the European Union but to which the GDPR applies is required to appoint a
representative in the European Union
13 In this regard, the court notes that a possible breach of Article 27 of the GDPR by the
company ... does not constitute a violation, as such, of the protection of personal data
Mr. ...'s staff, so as not to affect the said data alone. If indeed a
violation of article 27 of the GDPR on the part of a data controller is likely to
constitute an obstacle for a data subject to the exercise of his rights, the fact remains
UNLESS THIS PERSON IS BURDEN OF THE PROOF OF ESTABLISHING WHICH PERSONAL RIGHTS PROVIDED FOR IN THE GDPR
it would have been prevented from asserting as a result of this violation of Article 27 GDPR by the
responsible for the processing in question.
However, as noted above, Mr....remains unable to establish that he would indeed be
addressed to the company ... in order to assert its rights under Article 15 of the GDPR, a violation
of his rights provided for is therefore not established, so that he cannot rely either
of damage by ricochet on its part as a result of a violation by the company ... of article 27 of the
GDPR and correlatively due to the lack of opening of an investigation by the CNPD in
that Sens.
Mr. ... also fails to establish that a possible ignorance of the
part of the company ... would have prevented him from asserting his rights under Article 15 of the GDPR
directly from her, the automatic response of June 13, 2020 from the latter having indeed
included a contact e-mail address in the event of any question relating to the processing of data at
personal character by the latter. It follows, in the same order of ideas, that Mr. ...
cannot, at this stage, claim damages resulting from a possible breach of Article 27
GDPR by the company ... which would be perpetuated by the act referred in that the CNPD would have refused
to intervene in this capacity with the latter.
It follows that the absence of an investigation by the CNPD against the said company does not cause
no unfortunate consequences in the head of Mr...., nor does it affect the personal situation
of the last.
As regards the alleged grievance caused by the contested act as a result of it,
still at the present time, unlawful processing by the company ... of personal data
of Mr. ..., the court notes that a treatment, if necessary still at the present time, of
personal data of Mr., does not result, in the absence of a request for erasure of
his data with the company ... on behalf of Mr. ... and in the absence of proof of
the impossibility of doing so on the part of the latter, not of the act referred, so that this argument
is to be rejected for missing in fact.
In view of all the above, it should be considered that the letter from the CNPD informing
Mr. ... of the fact that she is not continuing to process her complaint and that she will not formulate
not, in lieu of the latter, a request in accordance with Article 15 of the GDPR to
of the company ... and that it will not sanction the violation of article 27 RGPD by the said company,
in the absence of a violation of a personal and direct right of the claimant relating to his data provided
to the GDPR, does not constitute an act of such a nature as to adversely affect, that is to say an act likely to
produce by itself legal effects affecting the personal or financial situation of
Mr...., so that the action brought against him is inadmissible.
14 In view of the foregoing considerations, there is no need to ask the questions
preliminary rulings to the CJEU, as proposed by the association ..., whereas, on the one hand, under the terms
even Article 78, paragraph (1) of the GDPR provides for a right of appeal against the sole
“legally binding” decisions of the competent supervisory authority, this notion is
covering with the notion of decision "of such a nature as to adversely affect", respectively, on the other hand,
are missing in fact and are, in any event, not relevant to the resolution of this dispute.
Regarding the request for the allocation of procedural compensation made by the
plaintiff, a request for the allocation of procedural compensation which fails to specify the
nature of the sums exposed not included in the costs and which does not specify how it would be
unfair to leave these costs to his charge is to be rejected, the simple reference to the article of the law
applicable is not sufficient in this regard.
For these reasons,
the administrative court, fourth chamber, ruling contradictorily;
declares itself competent to hear the main appeal for reversal;
declares the main appeal for reform inadmissible, therefore rejects it;
holds that there is no need to rule on the subsidiary action for annulment;
rejects the association's request for procedural compensation
... – ...;
orders the association ... – ... to pay the costs and expenses of the proceedings.
Thus judged and pronounced at the public hearing of April 21, 2023 by:
Paul Nourrissier, vice-president,
Emilie Da Cruz De Sousa, judge,
Laura Urbany, judge,
in the presence of the clerk Marc Warken.
s. Marc Warken s.Paul Nourrissier
Reproduction certified true to the original
Luxembourg, April 21, 2023
The clerk of the administrative court
15
