TA Luxembourg - 46578
TA Luxembourg - 46578 | |
---|---|
Court: | TA Luxembourg (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 6(1) GDPR, Article 11 GDPR, Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 15 GDPR, Article 16 GDPR, Article 17 GDPR, Article 21 GDPR |
Decided: | 18.03.2025 |
Published: | 18.03.2025 |
Parties: | an Amazon subsidiary (AA) |
National Case Number/Name: | 46578 |
European Case Law Identifier: | ECLI:LU:TADM:2025:46578 |
Appeal from: | CNPD (Luxembourg) [1] |
Appeal to: | Unknown |
Original Language(s): | French |
Original Source: | LU Administrative Court (in French) |
Initial Contributor: | cci |
The Administrative Court of Luxembourg upheld a €746,000,000 fine against an Amazon subsidiary over the unlawful processing of website visitors’ data for the purpose of interest-based advertising, for failing to provide transparent information, and for violating several rights of data subjects.
English Summary
Facts
Several companies in the Amazon group collected data about the behavior of visitors (the data subjects) on Amazon websites and used them to display interest-based advertising, under the legal basis of legitimate interest. The data were also disclosed to third parties in order to enable interest-based advertising on third-party websites.
In 2018 French non-profit La Quadrature du Net filed a complaint with the French data protection authority. La Quadrature du Net claimed, among other things, that Amazon could not rely on the legal basis of legitimate interest for collecting personal data for the purpose of providing interest-based advertising. La Quadrature du Net also claimed that Amazon failed to comply with the exercise of several rights of the data subjects.
Under the European cooperation mechanism, the Luxembourgish DPA was the lead supervisory authority to decide on the matter under Article 56 GDPR.
In an unpublished decision from 2021, the Luxembourgish DPA held that the data controller (an unnamed Amazon subsidiary referred to as "AA") unlawfully processed personal data for interest-based advertising, did not properly inform the data subjects about the processing of their data, failed to transparently inform the data subjects about the processing of their data, failed to respond to access requests as well as requests for erasure, and did not provide data subjects with an easy way to opt out of interest-based advertising. Overall, the controller violated Articles 6(1), 12, 13, 14, 15, 16, 17 and 21 GDPR.
The data controller filed an appeal with the Luxembourgish Administrative Court seeking the reversal, if not the annulment, of the decision. The appeal challenged many aspects of the Luxembourgish DPA’s decision.
The legal basis of legitimate interest
The DPA held that the controller could not rely on the legal basis of legitimate interest to process personal data for the purpose of providing interest-based advertising. The controller challenged this finding in several ways.
During the procedure with the DPA, the controller claimed that its processing of personal data was based not only on the controller’s own commercial interest but also on the interests of the wider community in a vital and growing Internet economy. The controller claimed that the DPA failed to take this broader interest into account in its assessment of legitimate interest.
Furthermore, the controller contested the DPA’s finding that the processing of personal data was not necessary to pursue the controller’s commercial interest.
Additionally, the controller claimed that the DPA failed to properly assess the balancing of legitimate interest. Specifically, the DPA did not take into account the limitations and safeguards put in place by the controller.
Finally, the controller claimed that it changed its interest-based practices and relied on consent “in almost all cases”.
The controller's transparency obligations
The DPA held that the data controller failed to properly inform data subjects about the processing of their data for interest-based advertising. In the DPA’s view, the privacy notices on the controller's websites lacked essential information, including:
- information about the specific legitimate interest pursued and the balancing of that interest against the rights and freedoms of data subjects;
- the logic behind the processing of personal data and the consequences of the processing for the data subjects;
- the categories of recipients of personal data;
- the data retention periods;
- the categories of personal data obtained by third parties;
- the non-EEA countries to which the controller transferred personal data, and the non-EEA recipients of these data.
The DPA also held that the controller made the information unclear by dividing it between three distinct notices. Finally, the DPA held that one of these notices could lead data subjects to believe that their data were not processed and shared with third parties.
The controller contested all of the DPA's findings and claimed that its notices provided all the information required by the GDPR. The controller claimed that providing in-depth, item-by-item information on certain aspects of the data processing (the data retention times for each category of personal data collected, the categories of personal data collected from third parties, and the non-EEA jurisdictions and non-EEA recipients involved in the controller’s data transfers) would have made the information unclear. In the controller’s view, generic information on these topics was both sufficient under the GDPR and more comprehensible for the data subjects. Likewise, the controller claimed that explicitly referring to legitimate interest as the legal basis for processing personal data would have made the information unclear because the expression "legitimate interest" is not widely understood. Finally, with regard to data transfers, the controller claimed that the GDPR did not require it to provide information on every single non-EEA country and recipient involved.
The right to object
In its original decision, the Luxembourgish DPA held that the data controller violated Article 21 GDPR by making it difficult for data subjects to opt out of interest-based advertising. This was the case because the controller offered different opt-outs for different forms of interest-based advertising. The data controller challenged this finding: it argued that offering granular choices is more respectful of the users’ wishes than offering a single, generalized opt-out.
Other data subjects' rights
The Luxembourgish DPA’s decision held that the controller violated the GDPR by denying a data subject access to their data, by failing to allow data subjects to rectify their data, and by failing to comply with a request for erasure.
The controller challenged these findings. It claimed that interest-based advertising does not require the identification of the data subject and that the controller could not be required to identify the data subject under Article 11 GDPR. The controller also claimed that re-identification would have created privacy and security risks for all of the controller’s customers.
Holding
The Court upheld the Luxembourgish DPA’s decision.
The legal basis of legitimate interest
The Court rejected all the controller's arguments on the legal basis of legitimate interest. First, the Court held that the controller failed to provide evidence that the controller’s processing of personal data pursued the interest of the wider community in a vital Internet economy.
Second, the Court held that in the original procedure involving the Luxembourgish DPA, the controller failed to establish that processing personal data was necessary for interest-based advertising. The controller merely stated that personal data were necessary without carrying out a concrete analysis of necessity.
Third, the Court observed that the DPA did not need to assess the balancing of legitimate interest because the controller failed to establish that the processing of personal data was necessary to begin with. In this regard, the Court referred to the case law of the EU Court of Justice[1] and specifically to the so-called “three-step test” for legitimate interest.
Finally, the Court pointed out that the controller still relied on legitimate interest to some extent in order to provide targeted advertising. Therefore, the processing of personal data in the context of interest-based advertising was still unlawful. The controller also failed to specify which data processing operation relied on consent, and failed to mention its reliance on consent in any of the privacy notices on its websites.
The controller's transparency obligations
The Court essentially confirmed all of the DPA’s findings. With regard to recipients of personal data for the purpose of providing interest-based advertising, the Court observed that the controller did not even provide precise enough information on the categories of recipients involved.
The right to object
The Court rejected the controller's claim that its granular opt-out system was more respectful of the data subjects' wishes. In this regard, the Court observed that the controller merely stated this argument without providing any evidence. The Court also pointed out that the controller failed to show that the opt-out system retained the users’ advertising preferences when re-connecting to the controller’s websites.
Other data subjects' rights
The Court rejected the controller’s argument about re-identification. The Court clarified that interest-based advertising necessarily requires the identification of the users’ terminal equipment. For this reason, the Court clarified that Article 11 did not apply to the case.
Comment
The Luxembourgish DPA's decision is still unpublished but received broad media attention due to the size of the fine and the involvement of the Amazon group.
La Quadrature du Net also challenged the controller’s use of cookies in its complaint. However, the use of cookies was expressly excluded from the scope of the Luxembourgish DPA’s decision. Therefore, the Court did not deal with cookie-related issues during the appeal.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Administrative Court No. 46578 of the Grand Duchy of Luxembourg
ECLI:LU:TADM:2025:46578
4th Chamber
Registered on October 15, 2021
Public hearing of March 18, 2025
Appeal filed by the limited liability company (AA), …, against a decision of the National Commission for Data Protection in matters of data protection
JUDGMENT
Considering the application registered under number 46578 of the register and filed on October 15, 2021 with the registry of the administrative court by the limited partnership ALLEN&OVERY SCS, registered on list V of the Luxembourg Bar Association, established and having its registered office at L-1855 Luxembourg, 5, avenue J.F. Kennedy, registered in the Luxembourg Trade and Companies Register under number B178291, represented for the purposes of presentation by Maître Thomas BERGER, Attorney at Law, registered with the Luxembourg Bar Association, on behalf of the limited liability company (AA), established and having its registered office in L-..., registered with the Luxembourg Trade and Companies Register under number ..., represented by its currently in office management board, seeking the reversal, if not the annulment, of the decision of July 15, 2021, referenced under number ..., of the National Commission for Data Protection, a public institution, located at L-4370 Belvaux, 15, boulevard du Jazz, imposing an administrative fine of €746,000,000, while requiring it to take corrective measures within six months of notification, under penalty of a daily penalty payment of €746,000;
Having regard to the writ of bailiff Pierre BIEL, residing in Luxembourg, dated October 15, 2021, serving this appeal on the public institution, the National Commission for Data Protection, pre-qualified;
Having regard to the appointment of attorney-at-law by the limited liability company NAUTADUTILH Avocats Luxembourg SARL, registered on List V of the Luxembourg Bar Association, established and having its registered office at L1233 Luxembourg, 2, rue Jean Bertholet, registered with the Luxembourg Trade and Companies Register under number B 189.905, represented for the purposes hereof by Vincent WELLENS, attorney-at-law, registered on the Luxembourg Bar Association, for the public institution, the National Commission for Data Protection, dated November 3, 2021;
Having regard to the order of the President of the Administrative Court dated December 17, 2021, entered under case list number 46630, which held that the enforcement of the decision of July 15, 2021, of the National Commission for Data Protection, regarding the corrective measures imposed on the limited liability company (AA), will be stayed pending the administrative court's ruling on the merits of the dispute;
Having regard to the order issued on January 6, 2022, by the President of the Fourth Chamber of the Administrative Court, granting formal approval and declaring justified the application for an extension of the deadline for filing the response filed by the Luxembourg limited liability company NAUTADUTILH Avocats Luxembourg SARL, and extending the deadline for filing the response to February 1, 2022, as well as the deadline for filing the reply to April 1, 2022;
Having regard to the filing of the response dated February 1, 2022, with the Registry of the Administrative Court by the Luxembourg limited liability company NAUTADUTILH Avocats Luxembourg SARL, pre-qualified, on behalf of the National Commission for Data Protection;
Having regard to the filing of the reply brief dated March 31, 2022, with the registry of the administrative court by the limited partnership ALLEN&OVERY SCS, pre-designated, on behalf of the company (AA);
Having regard to the order issued on April 11, 2022, by the President of the Fourth Chamber of the administrative court, granting in due form and declaring justified the application for an extension of the deadline for filing the rejoinder filed by the limited liability company incorporated under Luxembourg law, NAUTADUTILH Avocats Luxembourg SARL, and extending the deadline for filing the rejoinder to May 31, 2022;
Having regard to the filing of the rejoinder dated May 31, 2022, with the registry of the administrative court by the Luxembourg limited liability company NAUTADUTILH Avocats Luxembourg SARL, pre-qualified on behalf of the National Commission for Data Protection;
Having regard to the documents submitted in question, and in particular the contested decision;
The reporting judge, along with Maître Thomas Berger, assisted by Maître Catherine Di Lorenzo, and Maître Vincent Wellens, presented their respective arguments at the public hearing on January 9, 2024.
On May 28, 2018, the French defense association La Quadrature du Net, hereinafter referred to as "LQDN," filed a complaint with the French National Commission for Information Technology and Civil Liberties, hereinafter referred to as the "CNIL," regarding various practices attributed to the Luxembourg companies (AA), (BB), (CC), and (DD), as well as the British company (EE), in their capacities as data controllers of the personal data processed through the services of the (AA) group, pursuant to Article 80 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of data, hereinafter referred to as "the GDPR".
As part of the European cooperation governed by Articles 60 to 62 of the GDPR, the Luxembourg public institution, the National Commission for Data Protection, hereinafter referred to as the "CNPD", was identified through the European information exchange system as the competent lead supervisory authority in accordance with the provisions of Article 56 of the GDPR to handle the aforementioned complaint.
On April 5, 2019, the CNPD decided to open an investigation and, to this end, appointed Mr. ..., CNPD Commissioner, as head of investigation, hereinafter referred to as the "Head of Investigation," with the mission of verifying the compliance of the processing carried out by the company (AA), hereinafter referred to as "company (AA)," for the purposes of behavioral advertising, namely interest-based advertising, hereinafter referred to as the "PBI," with the GDPR, the Law of August 1, 2018 organizing the National Commission for Data Protection, and the general data protection regime, hereinafter referred to as "the Law of August 1, 2018," as well as with the amended Law of May 30, 2005, concerning the protection of privacy in the electronic communications sector, hereinafter referred to as "the Law of May 30, 2005," and more specifically with the provisions related to the legal basis and use of cookies, hereinafter referred to as "cookies." The said decision to open an investigation, along with a preliminary questionnaire, was formally notified to the company (AA) by letter from the CNPD dated April 23, 2019. The company (AA) sent the duly completed questionnaire, along with annexes, to the CNPD by letter dated May 23, 2019. Following two interviews between the CNPD and the company (AA) on July 17 and September 10, 2019, the head of investigation sent the latter his final audit report on February 17, 2020. On June 25, 2020, following a request for additional information dated March 4, 2020, the head of investigation notified the company (AA) of the statement of objections, a document on which the company (AA) provided its position on August 20, 2020. On November 10, 2020, the CNPD's restricted panel, composed of the CNPD President, Ms. ..., and Commissioners Messrs. ... and ..., hereinafter referred to as "the Restricted Panel," conducted a hearing with the company (AA) in the presence of the head of investigation.
By emails dated July 5 and 10, 2021, the company (AA) requested, on the one hand, access to the entire investigation file of the Restricted Panel, including the documents, communications, and reasoned opinions of the other national supervisory authorities, as well as the Restricted Panel's response to these possible observations, and, on the other hand, the reopening of the investigation to allow it to present its observations on these documents. On July 16, 2021, the Restricted Committee granted the company (AA) access to certain documents in its file, while refusing access to documents produced during the cooperation procedure with other national supervisory authorities. The Restricted Committee also rejected the request to reopen the investigation. By decision of July 15, 2021, referenced under No. ..., the Restricted Committee imposed an administrative fine of €746,000,000 on the company (AA) for failing to comply with Articles 6, paragraph (1), 12, 13, 14, 15, 16, 17, and 21 of the GDPR and issued an injunction against the company, accompanied by a penalty payment of €746,000 per day of delay, to bring its data processing into compliance with the aforementioned provisions of the GDPR within six months of notification of the decision in question and "(...) in particular: 1. to bring the processing of personal data carried out for behavioral advertising purposes into compliance so that it is based on a valid condition of lawfulness within the meaning of Article 6.1 of the GDPR; 2. to bring the transparency measures concerning the processing of personal data for behavioral advertising purposes into line with Articles 12, 13, and 14 of the GDPR, as set out above; 3. to bring the responses given to any future requests for access, modification, or erasure into line with Articles 15 to 17 of the GDPR, as set out above; 4. 
to bring the opt-out mechanism into line with Article 21 of the GDPR to ensure that it covers all processing of personal data for marketing purposes, as set out above; (…).” The decision of July 15, 2021, finally specified that it would be published on the CNPD's website once all appeals have been exhausted. By letter dated August 20, 2021, the company (AA) asked the CNPD to confirm that the aforementioned decision should be interpreted as meaning that the fine and corrective measures would not be enforced by the CNPD until all appeals have been exhausted. By letter dated September 22, 2021, the CNPD clarified to the company (AA) that only the President of the Administrative Court could order a stay of execution of an administrative decision, not an administrative authority itself, thus inviting the latter to file such a request. By application filed with the registry of the administrative court on October 15, 2021, registered under case number 46578, the company (AA) filed an appeal seeking the reversal, or otherwise the annulment, of the aforementioned decision of the CNPD of July 15, 2021, while requesting the benefit of the suspensive effect of the appeal during the appeal period and the appeal proceedings in accordance with the provisions of Article 35 of the amended law of June 21, 1999, establishing the rules of procedure before administrative courts, hereinafter referred to as the "Law of June 21, 1999." By separate application filed on October 29, 2021, registered under case number 46630, the company (AA) is again seeking a stay of execution of the CNPD's decision of July 15, 2021. By order of December 17, 2021, the President of the Administrative Court ordered, based on Article 11 of the Law of June 21, 1999, that the enforcement of the contested CNPD decision of July 15, 2021, with respect to the corrective measures imposed therein, be stayed pending the court's decision on the merits of the appeal registered under case number 46578. 
Regarding the admissibility of the appeal registered under case list number 46578, it should be noted that given that, under Article 55 of the Law of August 1, 2018, "[a]n appeal against decisions of the CNPD taken pursuant to this law is open before the Administrative Court, which shall rule as the trial court.", the court has jurisdiction to hear the principal appeal for reversal filed against the aforementioned decision of the CNPD of July 15, 2021, which is still admissible, having been filed in accordance with the legal formalities and time limits. It follows that there is no need to rule on the subsidiary appeal for annulment filed by the company (AA) against the aforementioned decision. At the public hearing of the pleadings and as a preliminary matter, the court raised ex officio the question of the admissibility of certain documents relied on, on the one hand, by the company (AA), namely Exhibit No. 39 filed with the registry of the administrative court on March 31, 2022, and entitled "Summary of erroneous facts and inaccurate representations in the CNPD's response brief," and, on the other hand, by the CNPD, namely Exhibits Nos. 29 and 30 filed on May 31, 2022, entitled "Clarifications provided by the CNPD in connection with Exhibit No. 39 of Allen & Overy," respectively "Critique of the opinion of Prof. Dr. ... (Exhibit No. 36 of Allen & Overy)," a question on which the litigants of the company (AA) and of the CNPD referred to the prudence of justice. It should be noted that the documents in question were prepared by the parties themselves, or by their representatives, and must therefore be considered as a statement of position by the respective parties and therefore, in their nature, similar, if not identical, to briefs.
However, in this context, aside from the fact that the aforementioned documents are unsigned, the court must note that, in accordance with Article 7 of the Law of June 21, 1999, on the one hand, there may not be more than two briefs from each party, including the introductory application, a number which, in this case, has been exceeded with the filing of the disputed documents, and, on the other hand, the production of additional briefs was neither requested by the parties in question nor, a fortiori, granted to them by the court. It follows that Exhibit No. 39 filed by the company (AA) with the registry of the administrative court on March 31, 2022, entitled "Summary of erroneous facts and inaccurate representations in the CNPD's response," as well as Exhibits Nos. 29 and 30 filed by the CNPD on May 31, 2022, entitled "Clarifications provided by the CNPD in connection with Allen & Overy Exhibit No. 39," and "Critique of the opinion of Prof. Dr. ... (Allen & Overy Exhibit No. 36)" respectively, are to be excluded from the proceedings and will therefore not be taken into consideration by the court in the context of the dispute under review. In support of its appeal and in fact, the plaintiff reviews the background information, as cited above, further providing explanations regarding the factual context relating to the processing of personal data for PBI purposes. In this regard, the plaintiff first states that its activities are primarily those of a retailer, whose objective is to offer various products and services for sale online through eight online stores, hereinafter referred to as the "Stores (AA)." Thus, on the one hand, more than 300,000 companies in the European Union sell hundreds of millions of types of physical and digital products, as well as various services, through the Stores (AA).
It further specifies, in this context, that for a customer to purchase something in a Shop (AA), they must create a digital account (AA) that they would then use for future purchases or to access other services (AA), such as online video and music services. This account, accessible on the customer's various devices, such as desktop or laptop computers, smartphones, smart speakers, e-book readers, and smart TVs, is the hub for the customer's use of all Shops (AA) and the digital content offered therein. The plaintiff claims to be the entity of the (AA) group responsible for operating the Shops (AA), as well as for displaying the PBI in the Shops (AA) and on other websites in the European Union. In this context, the plaintiff notes that the legal basis for the PBI, as operated by it, would be the criterion of legitimate interest, its advertising activity having been developed with the aim of understanding its customers' purchasing interests and displaying advertisements for products and services they might wish to purchase, or might need. To this end, its PBI activity would be based first and foremost on the data collected from its customers when they consult the Boutiques (AA), which would subsequently be used to display advertisements for products available in said boutiques. The plaintiff further specifies that it does not use data relating to third-party websites visited by its customers, or even their browsing behavior on these sites, even though, on the one hand, its customers would not expect (AA) to collect such data, and, on the other hand, such data would be less relevant for understanding customers' purchasing interests. 
Furthermore, in order to maintain the trust of its customers and prevent them from preferring to use other online stores offering products and services comparable to those of (AA), the plaintiff claims to have implemented several measures to protect the customer data it uses for the PBI (i) by using only a very small proportion of the data it allegedly possesses, (ii) by storing the data used in a dedicated and separate system, separate from other customer data, to which it applies strict security measures, and (iii) by also pseudonymizing data that allows individuals to be identified by storing it in the form of random strings of numbers and letters. While specifying that more than 75% of (AA)'s revenue from PBI in Europe comes from advertising for products and services that can be purchased in the (AA) Store, the plaintiff notes that it tailors its advertising to the interests of its customers, to ensure that it is relevant to them, by grouping them into interest groups based on their actions in the (AA) Stores over a certain period, each group comprising a certain number of customers. In order to recognize a customer in order to collect information about their interactions with the (AA) Store in order to subsequently determine relevant advertising based on their interests, (AA) uses "cookies," i.e., small text files stored on a computer device or in a web browser, while protecting its customers' privacy. The plaintiff notes that, if applicable, it would add a limited amount of demographic information about its customers, such as age range and gender, obtained from third-party data providers, into its separate advertising system, in order, on the one hand, to enable it to make its PBI relevant to customers and, on the other hand, to ensure that it does not display PBI to potentially vulnerable individuals. 
This data would also be pseudonymized and subject to the same privacy-enhancing safeguards as the primary data of the Boutique (AA). It further states that some retailers reportedly make extensive use of third parties to collect and aggregate customer data across multiple sites, even third-party sites, in order to better target their advertising campaigns. This practice is not used by the plaintiff, despite having invested substantial resources and effort in developing its own pseudonymized PBI systems, which prevent third parties from tracking a customer's purchasing habits in the (AA) Store. In this context, the company (AA) notes that it clearly informs its customers that it displays PBI and uses cookies for this purpose, through three short and easy-to-read information notices available in the footer of almost all (AA) Store pages. Thus, the "Privacy Notice" would generally describe the use of personal data to display advertisements, while the "Cookie Notice" would describe the use of cookies and the ability to control such use. Finally, the "Interest-Based Advertising Notice" would provide additional details on how it would use personal data to display PBI. Furthermore, all of these documents would contain a link to its advertising preferences webpage, allowing customers to easily opt out of the use of their data for PBI. The plaintiff further notes that more than 65% of its PBI-related revenue in Europe comes from advertising displayed in the Shops (AA) for customers of said shops, which would be similar to a store offering its regular customers new products that may be of interest to them. The company (AA) further specifies, in this context, that it does not share information regarding its customers' activities in the (AA) Stores with third parties. To a much lesser extent, the plaintiff also displays PBI on the websites of other companies, with this activity representing less than 34% of all revenue generated by the company (AA) from PBI in Europe.
To display such advertisements, it relies on an industry standard called "real-time bidding" (hereinafter referred to as "RTB"), which allows companies to sell advertising space on their websites during the time it takes for a page of the website in question to load. In this context, it explains that the website operator, called the publisher, earns money by allowing the display on its website of advertisements paid for by third parties. As the webpage loads, the publisher would share information about the visitor or their device with potential third-party marketers and ask them to submit a bid for that advertising space. The information contained in this bid request would be formatted according to an industry standard, with the components of this standard information being (i) contextual information that allows the advertisement to be displayed in the correct location on the website and in the correct size and format, such as the website name, device model, operating system version used on that device, and screen size; and (ii) user-specific information that may include IP address, year of birth, gender, user interests, and other user behaviors compiled by the publisher or data providers. It would be the publisher who would determine which merchants could participate in this real-time auction of advertising space, based on the information transmitted to them about the customer or device visiting the website in question, and the merchant winning the auction. The plaintiff further specifies that buyers of these advertising spaces submitting bids on behalf of advertisers would be able to identify the device visiting the website in question by using their cookies or by accessing cookies created by other companies, a process referred to as "cookie mapping" and "cookie synchronization" respectively. 
The choice of the advertisement to be displayed, as well as the decision to participate in such a sale, would be made by advertisers based on the bid and the personal information associated with the device visiting the website in question. The company (AA) specified that the personal information taken into consideration could come directly from the bid request or from the advertisers themselves, or from their agents, respectively, each advertiser having its own policy on this matter. As for its specific involvement in PBI matters, the plaintiff specifies that it only participates in advertising space auctions to a limited extent, while also specifying that it helps publishers sell advertising space on their websites. More specifically, publishers would share the bid requests with it, to the extent that it acts as an advertiser to distribute these off-site advertisements. It would then check, when receiving an auction request, for the presence of its advertising cookie or a similar identifier on the device to determine whether it belongs to one of the interest groups available on (AA), using the pseudonymized information it already possesses on this customer, information based primarily on the customer's purchase history in (AA) Stores. It also notes, in this context, that many advertising technology companies reportedly profile users by tracking their online behavior, following them across a considerable number of websites and mobile applications, with the aim of collecting data to better target their advertising. This would not be the case for the company, given that it had decided not to do so even before the GDPR came into force. After explaining the technical functioning of the PBI, the plaintiff explains its benefits for customers, advertisers, and publishers, as well as for the broader community. As for customers, the PBI is one of the tools enabling them to efficiently find products or services of interest to them at competitive prices. 
The plaintiff further specifies that, in this context, it is taking measures to further limit the intrusive nature of advertising by prohibiting practices such as flashing ads or pop-ups that occupy a large portion of a device's screen. Furthermore, customers trust the company to provide them with an easy-to-use customer experience, based on their purchasing experience with the Stores (AA) and their experiences with the various services (AA). The plaintiff further specifies, in this context, linking the different devices used by a customer connected to (AA) to help understand their interests and display the PBI, in order to avoid irrelevant or annoying advertisements that result in a poorer customer experience. With regard to third-party companies involved in the PBI's IT mechanism, the plaintiff explains, with regard to advertisers purchasing advertising space, that their benefit from the PBI would consist of reaching and connecting with customers and increasing their sales, in particular by being able to better identify potential customers and inform them, in a more targeted manner, of the launch of new products or services. This would apply to small and large advertisers, high-priced and low-priced brands, regardless of what they sell. The plaintiff further notes that the PBI could help small and medium-sized businesses be more competitive and establish themselves against larger companies without requiring them to conduct extensive and costly advertising campaigns primarily reaching people uninterested in their products and services. In this context, the plaintiff claims to support more than 8,185,000 small and medium-sized businesses in Europe through a series of tools and support services to enable them to sell globally from the AA Stores. The PBI would also present advantages for publishers selling advertising space on their websites, who would be able to generate more revenue to finance their core business. 
The plaintiff cited the example of a German publisher providing weather information, which reportedly saw its revenue increase by 20% by using the plaintiff's advertising services to display third-party advertisements on its websites (AA). As for the benefit of the PBI to the wider community, the plaintiff argues that the disputed mechanism would promote the growth of the internet economy, and e-commerce in particular, a well-established policy objective of the European Union. It notes in particular that each euro invested in advertising contributes on average around 7 euros to the European Union's gross domestic product and that advertising acts as a driver of innovation, further encouraging companies to develop new and different products and services in order to outperform their competitors, while highlighting that the advertising sector has created nearly 6 million jobs in the European Union. Thus, advertising, including PBI, would play, according to the applicant, an important role in the effective development and competitiveness of local marketplaces, as well as the European Digital Single Market. European integration and the completion of the single market could be accelerated by the cross-border nature of e-commerce, which has experienced significant growth over the past decade. Furthermore, e-commerce would have been particularly crucial for retailers during the COVID-19 pandemic, with the applicant pointing out that PBI would be one of the many tools used by businesses to achieve their prospecting and sales objectives, thus being one of the factors contributing to the growth of e-commerce. 
The company (AA) further clarifies its approach to data protection and privacy in relation to advertising, which reportedly only represented approximately 4% of its total revenue in 2020, and is therefore not its primary source of revenue, unlike other companies displaying PBI on their websites, such as social media platforms or search engines, whose business model is almost exclusively focused on selling as much advertising as possible, thus seeking to target this advertising using as much personal data as possible. In order to maintain customer trust and loyalty in the (AA) Stores, the applicant is fully committed to protecting personal data in accordance with applicable laws, particularly the GDPR. Thus, it states that it does not share information about its customers' activities in its stores with third parties as part of its PBI activities, unlike some retailers who rely heavily on third parties to collect and aggregate data about their customers across multiple sites in order to target their PBI. Furthermore, the company (AA) has reportedly built its own advertising system to display relevant ads to customers while implementing privacy protection measures in accordance with its own high standards, such as relying primarily on data collected relating to customers' interactions with the (AA) Stores and other (AA) services. It also allegedly reviewed the provisions of Article 6 of the GDPR even before the GDPR came into force and determined, following this analysis, that it could rely on the legal basis of "legitimate interests" under Article 6(1)(f) of the GDPR to process personal data for the purposes of the PBI. In an effort to improve its practices and maintain customer trust, following its analysis of the issues raised by the head of investigation, it allegedly voluntarily and proactively took a number of measures to address the latter's concerns and to further protect its customers when using their data. 
In this context, it specifies that it will now provide customers with more information and a more detailed choice regarding how it uses cookies in its Stores, and that, when customers request a copy of their data, it will provide them with a greater portion of the personal data used to display PBI. Furthermore, it has reportedly updated its privacy notices to include additional information on its processing of personal data for PBI purposes. Finally, it has reportedly stopped, in almost all cases, displaying PBI on third-party sites, unless the customer has given their consent to such advertisements prior to their display. In this context, the plaintiff claims to use the Interactive Advertising Bureau Europe's Transparency Consent Framework (v.2) to obtain consent from its customers. This is an industry-standard tool providing a common method for website publishers to request consent from data subjects on behalf of third parties and to transmit to these third parties a file indicating whether or not the data subject has given such consent. Thus, as of December 2020, 99.5% of its PBI displays on third-party websites concerned customers who had given their consent, meaning that for these advertisements, the company (AA) no longer relied on the concept of legitimate interest within the meaning of Article 6(1)(f) of the GDPR as the legal basis for processing personal data. 
In law, the company (AA) argues, as a preliminary matter, that the fines imposed by the CNPD are criminal in nature, such that the natural and legal persons against whom they are imposed should benefit from the associated procedural guarantees, specifically the right to a fair trial, as provided for in Article 6 of the Convention for the Protection of Human Rights and Fundamental Freedoms, hereinafter referred to as "the ECHR," and Article 47 of the Charter of Fundamental Rights of the European Union, hereinafter referred to as "the Charter," respectively; the principles of guilt and presumption of innocence, referred to in Articles 48 of the Charter and 6, paragraph (2) of the ECHR, as well as the principle of the legality of offences and penalties guaranteed by Articles 14 of the Constitution, 49 of the Charter, and 7 of the ECHR. The plaintiff further explains, in this context, that the classification of a sanction as "criminal" in nature would depend on the nature of the conduct to which the sanction applies, and respectively on the nature and severity of the sanction provided. Thus, with regard to the nature of the conduct to which the sanction applies, a sanction would be criminal in nature when the law applied is general in nature and does not target only a group of persons with a particular status, when the law is punitive or serves to deter future offenses, and when the imposition of a sanction depends on an assessment of guilt. As for the nature of the sanction, the plaintiff specifies that a sanction would be criminal in nature as soon as it is "severe," taking into account the maximum possible penalty and the amount of the penalty actually imposed.
These criteria would be met in this case, as Article 83 of the GDPR would be generally applicable to any data controller and would contain the "general conditions for imposing administrative fines," a finding that would be clearly established in this case by the imposition of a fine of €746 million instead of a reprimand, or the requirement to correct the identified violations of the GDPR. Furthermore, Article 83 of the GDPR would require a finding of guilt and liability on the part of the sanctioned party. The applicant further notes, in this context, that in setting the total amount of the fine, it would be necessary to take into account the fact that the said amount should not exceed the amount set for the most serious violation if a controller or processor had "intentionally or negligently" violated several provisions of the GDPR. As for the nature of the penalty, the company (AA) considers both the maximum possible penalty, specifically 4% of the total annual worldwide turnover of a "company," and the actual penalty imposed, in this case €746 million, to be severe, which would constitute the largest fine imposed under the GDPR. The plaintiff concludes that the fine imposed should be considered criminal in nature and that it should have benefited from all the "guarantees of criminal law" and not just those of administrative law. Furthermore, it should still have benefited from all the guarantees of criminal law before the CNPD, not only because the fine would be criminal in nature, but also because the CNPD should be considered a "tribunal" within the meaning of Article 6, paragraph (1) of the ECHR, in accordance, on the one hand, with the case law of the European Court of Human Rights, hereinafter referred to as the "ECtHR," which has recognized such status for administrative authorities fulfilling roles similar to those of the CNPD, and, on the other hand, with the parliamentary proceedings relating to the law of August 1, 2018.
However, the applicant considers that it did not benefit from all the guarantees of criminal law throughout the proceedings leading to the contested decision, insofar as its case was allegedly marked by numerous procedural flaws, the final decision was insufficiently reasoned, its guilt was not indisputably established, and the sanction imposed was neither foreseeable nor proportionate; all these elements should lead, according to the applicant, in the context of the appeal for review under review, to the annulment of the contested decision. The applicant thus relies, firstly, on flaws affecting the procedure that led to the adoption of the contested decision. Based on Article 17 of the Law of August 1, 2018, the applicant argues, firstly, that the Restricted Committee was irregularly composed due to the fact that the term of office of one of its members exceeded the legally permitted maximum duration. The applicant specifies, in this context, that the Restricted Committee should, in accordance with Article 16 of the Law of August 1, 2018, be composed of four full members, called commissioners, and four alternate members, with the term of office of said members being limited to six years, with the possibility of a single renewal. Such a limitation on the commissioners' term of office already existed under the amended Law of August 2, 2002, on the protection of individuals with regard to the processing of personal data, hereinafter referred to as "the Law of August 2, 2002." The applicant further notes that, pursuant to Article 74 of the Law of August 1, 2018, terms of office completed before or during the year in which the GDPR fully entered into force, in this case 2018, would count toward the term limit. However, in this case, Mr. ...
was sworn in as a new full member of the CNPD on October 18, 2005, and by Grand Ducal decree of October 7, 2008, his term of office was renewed for the first time for a period of six years until 2014, meaning that his term of office should have ended in 2014, at the end of his renewed term, or in 2017, respectively, after 12 years of service. However, his mandate was allegedly renewed a second time by Grand Ducal Decrees of November 21, 23, and 30, 2014, for an additional period of six years, and then a third time by Grand Ducal Decree of July 1, 2020, in violation of both the Law of August 2, 2002, and the Law of August 1, 2018, whereas at the end of his current term in 2026, he would have been a Commissioner within the CNPD for 21 years instead of the maximum period of 12 years permitted by law. Thus, due to its incorrect composition due to the illegal duration of Mr. ...'s term, which would therefore no longer have been valid, the Restricted Committee would not have been competent to make the disputed decision, or would have rendered it illegal. The plaintiff further argues, in this context, that Mr. ...'s presence within the CNPD constituted a "usurpation of power," which would be established when a person in a position of authority continued to make decisions even though they had ceased, through revocation or expiration of their mandate or in any other manner, to exercise the powers conferred upon them. The plaintiff also notes that the actions thus taken would not only be voidable, but non-existent, and that the measures taken to implement said actions could, in certain cases, constitute acts of violence, engaging the personal liability of the perpetrator. 
Based on the consideration that limiting the term of office of Commissioners to a total term of 12 years would be a means of helping to ensure the independence of the CNPD, anchored in Articles 52, paragraph (1) of the GDPR, 16 of the Law of August 1, 2018, 6, paragraph (1) of the ECHR and 47 of the Charter, as well as Article 2 of the CNPD's Rules of Procedure, the applicant further argues that the circumstance that a CNPD Commissioner would remain in office beyond the legally authorized term would not only constitute a violation of the law, but would also undermine the institution's independence. Finally, due to the excessive length of Mr. ...'s term of office resulting in an irregular composition of the Restricted Panel that adopted the disputed decision, the plaintiff argues that its rights of defense were violated, in that it was deprived of the assurance of having been judged by an administrative body that complied with the applicable procedural laws. To the extent that the administrative court, in a judgment of January 20, 2003, entered under case number 15054, had already held that the irregular composition of a committee whose opinion was not binding would have vitiated the entire administrative decision-making procedure, the irregular composition of a decision-making body, such as the Restricted Panel in this case, should also lead, in the context of the application for review under consideration, to the annulment of the disputed decision. In its reply, the plaintiff reiterates its argument regarding the irregularity of the composition of the Restricted Panel that made the disputed decision, based on the circumstance that the term of office of one of the commissioners who sat on said panel exceeded the maximum term of 12 years, as set out in Article 17 of the Law of August 1, 2018.
In this context, it refutes the CNPD's arguments based on Article 74 of the Law of August 1, 2018, arguing that the purpose of said provision was not to reset the term of office of CNPD commissioners, or the start date of the current term on the date of entry into force of said law, but that the objective of said article was to ensure that the maximum term of office of 12 years for commissioners could actually be respected. It also appears from the opinions of the Council of State and the CNPD issued in connection with the adoption of the law of August 1, 2018, that Article 74 of said law aims to maintain the continuity of the terms of office of commissioners during the transition from the law of August 2, 2002 to that of August 1, 2018, and to maintain their acquired rights, without resetting the number, or the total duration, of terms accumulated by said commissioners. Finally, the plaintiff submits that the CNPD's interpretation of Article 74 of the Law of August 1, 2018, would be incompatible with the latter's objective of ensuring the CNPD's independence, an independence that would be achieved through limiting the number of terms of office of commissioners, which was initially provided for in the Law of August 2, 2018, before being abolished in 2011 and finally reintroduced by the Law of August 1, 2018. Thus, it would be clear from the legislature's intention that the CNPD's independence could not be guaranteed without strict limits on the renewal of commissioners' terms, which would clearly imply that any renewal of a commissioner's term after the entry into force of the Law of August 1, 2018, would have to take into account the total length of the commissioner's term. Thus, due to Mr. ... 
exceeding the maximum term of office authorized by Article 17 of the Law of August 1, 2018, the contested decision should, in the context of the appeal for review under review, be subject to annulment, since the independence of the CNPD has been called into question and the Restricted Panel, when it made the said decision, had been improperly composed and, by extension, deprived the applicant of both its right to be heard by an independent tribunal and its rights of defense. The CNPD rightly concludes that the argument relating to the irregularity of the composition of the Restricted Panel due to the total term of office of one of its commissioners should be dismissed. First of all, the court must note that, pursuant to Article 17 of the Law of 1 August 2018, "The members of the college and alternate members are appointed and dismissed by the Grand Duke upon proposal from the Government Council. The president is appointed by the Grand Duke. The members of the college and alternate members are appointed for a term of six years, renewable once. (…)." Although Article 17 of the Law of August 1, 2018, currently provides for a limitation on the number of terms of office of a commissioner to two and therefore a limitation on the total term of said terms to 12 years, the court must note that the commissioner whose terms of office, according to the plaintiff, had been exceeded at the time the decision under appeal was made, in this case Mr. ..., was sworn in as a commissioner not under the aegis of the aforementioned law, but, as explicitly stated in the Grand Ducal Decree of October 7, 2005, on the basis of the Law of August 2, 2002. It should also be noted that Mr. ...'s first term of office was only three years due to the circumstance that he completed the term of office of a resigning commissioner. In this context, it is clear that although Article 34, paragraph (2) of the Law of August 2, 2002, in its initial version, as applicable on the date of Mr.
...'s first appointment on October 13, 2005, limited the term of office of commissioners to six years and the number of terms to two, as follows: "The National Commission is composed of three full members and three alternate members appointed and dismissed by the Grand Duke upon proposal of the Government in Council. The President is appointed by the Grand Duke. The members are appointed for a term of six years, renewable once." This article was amended by Article 8 of the Law of July 28, 2011, amending 1) the amended Law of May 30, 2005, concerning the protection of privacy in the electronic communications sector; 2) the amended law of August 2, 2002, relating to the protection of individuals with regard to the processing of personal data; 3) the amended law of June 22, 1963, establishing the salary system for civil servants; 4) the Consumer Code, hereinafter referred to as "the law of July 28, 2011," which deleted the word "once," so that the number of terms of office for commissioners was no longer limited, the legislature's objective having been "(…) to guarantee basic stability in the exercise of the mandate of members of the National Commission. With reference to other public institutions, it is proposed to provide for the possibility of repeated renewal of mandates, which is also provided for members of the management of other public institutions, such as the CSSF, the Central Bank, and the Insurance Commission. (…)." Thus, Mr. ...'s initial term as Commissioner, as granted to him by the Grand Ducal Decree of October 7, 2005, was validly renewed by Grand Ducal Decree of October 7, 2008, for a further term of six years, and then, following the removal of the limitation on the number of terms of office through the aforementioned Article 8 of the Law of July 28, 2011, for a further term of six years by Grand Ducal Decree of October 23, 2014. With regard to the third renewal of Mr.
...'s term of office for a further six years, effected by the Grand Ducal Decree of July 1, 2020, during which the disputed decision of July 15, 2021, was made, the court must note that said renewal was carried out on the basis of the aforementioned Article 17 of the Law of August 1, 2018, which reinstated the limitation on the number of terms and therefore on the maximum term of office of Commissioners, the legislature having opted to once again prioritize the CNPD's independence over the stability objective advocated by the Law of July 28, 2011. In this context, it is also appropriate to refer to Article 74 of the Law of August 1, 2018, under which "The term of office of members of the college and alternate members, appointed prior to the entry into force of this law, is calculated from the date of appointment of their current term of office at the time of entry into force of this law." Thus, contrary to the plaintiff's argument, Article 17 of the law of August 1, 2018 did not generally limit the number of terms of office of commissioners to two and the maximum term of said terms to 12 years, taking into account all terms granted prior to the entry into force of said law, under penalty of violating the principle of non-retroactivity of the law, but rather restricted the number of said terms of office to two, taking into account, in accordance with Article 74 of the law of August 1, 2018, the term of office in force at the time of entry into force of said law. It should therefore be noted that Mr. ...'s mandate, at the time the contested decision was made, was valid, having been renewed only once, under the auspices of the first law of August 1, 2018, in accordance with Articles 17 and 74 of said law. Therefore, the applicant's relevant argument, together with the allegations of the CNPD's lack of jurisdiction, as well as the violation of its right to be heard by an independent tribunal and its rights of defense, must be dismissed as unfounded.
The plaintiff then alleges that the CNPD, in its capacity as an independent authority exercising sanctioning powers, failed to comply with the general principle of impartiality enshrined in Articles 6, paragraph (1) of the ECHR and 47 of the Charter, both from an objective point of view, arising from the structural or organizational conditions of the CNPD, and from a subjective point of view. In this context, the plaintiff further argues that the CNPD failed to conduct its investigation, both incriminating and exonerating, in violation of Article 39 of the Law of August 1, 2018. With regard, first of all, to the objective impartiality of the CNPD, the plaintiff argues that the rules allowing the CNPD to exercise its functions of referral, investigation, and judgment are not such as to avoid any suspicion of bias. Thus, based on the case law of the ECtHR, the applicant argues that the body responsible for adjudicating a case, in this case the Restricted Panel, should offer, in particular through its composition, sufficient guarantees to exclude any legitimate doubt as to its impartiality. It should therefore be the CNPD's responsibility to ensure that there were no elements that would give rise to suspicions as to its impartiality, in particular by maintaining a clear and watertight separation between the supervisory, investigative, and prosecutorial bodies, on the one hand, and the adjudicative body, on the other. In this context, the applicant argues that the CNPD's regulations governing the investigation procedure, hereinafter referred to as the "Rules of Procedure," make no structural distinction between the roles of the four CNPD Commissioners in determining whether to open an investigation and in judging its outcome. Thus, on the one hand, when the Commissioners decide to open an investigation, one of these Commissioners would be designated as head of investigation and would therefore participate in the decision leading to their own appointment. 
On the other hand, since a Commissioner would be designated as head of investigation or member of the Restricted Panel for each case, the same Commissioner would therefore have to carry out investigative and adjudicative functions in parallel on different cases, without any organic separation between these different functions existing or being visible within the CNPD. Noting that the internal rules applicable to the CNPD only require commissioners to take an oath and only prohibit the head of investigation from sitting or deliberating within the Restricted Panel in a given case, the applicant considers that the impartiality of the CNPD would not be sufficiently guaranteed, especially since the head of investigation in a case would be a member of the Restricted Panel in all cases where he or she did not act as head of investigation. Furthermore, according to the case law of the ECtHR, the existence of a hierarchical relationship between the judge and the other participants in the proceedings would be sufficient to objectively justify doubts regarding the impartiality of the body responsible for adjudicating, and therefore to undermine the requirement of objective impartiality necessary to guarantee the right to a fair trial. This would be the case in this case, given that one of the commissioners would be the President of the CNPD, while the other three commissioners would be subject to the authority of the President for the investigation of the alleged offenses, as well as for the adjudication of these offenses. Thus, the head of investigation in the case under review—one of the four CNPD commissioners—would therefore be under the direct hierarchical authority of the President of the CNPD, a member of the Restricted Panel, so that the existence of this hierarchical relationship between the head of investigation and the adjudicating body would not, according to the applicant, guarantee objective impartiality. 
The applicant further relies, with regard to the CNPD's lack of objective impartiality, on the existence of a close relationship between the head of investigation and the members of the adjudicatory body, arguing, based on the case law of the ECtHR, that a court would not meet the objective impartiality criterion if one of its members were likely to favor, even unconsciously, one or other of the parties involved in the proceedings, in particular due to a close relationship they might have with that person, which would be the case in this instance due to the close relationship between the head of investigation and the members of the Restricted Panel, whose roles are interchangeable in cases handled by the CNPD. Thus, in other cases, the head of investigation would sit on the Restricted Panel with the commissioners who would have reviewed the results of his investigation in that case. Such a close relationship necessarily places the members of the Restricted Panel in a delicate situation, as disagreeing with the conclusions of the head of investigation would inevitably create professional tensions. In contrast, the members of the Restricted Panel would not have such a close relationship with the party under investigation, and disagreement with the latter's assessment of the case would not create such tensions. The applicant finally argues, as an element casting doubt on the objective impartiality of the CNPD, that although the Rules of Procedure prohibit the head of investigation from sitting on the Restricted Panel, the latter nevertheless participated, in the case under review, in the judgment on the company's disputed practices (AA) by recommending specific sanctions and corrective measures, a recommendation that was not required by any provision of the Rules of Procedure. 
This element allows one to conclude that the same individuals would investigate and determine the offenses to be charged, as well as the sanctions to be imposed, which would undermine the structural separation between the role of the investigator and that of the judge, in violation of the right to a fair trial under Article 6, paragraph (1) of the ECHR. Based on all of these elements, the applicant considers that there is a lack of objective impartiality within the CNPD, or at least an appearance of bias arising from its structure and internal procedural rules, which should lead, in the context of the appeal for review under review, to the annulment of the contested decision. According to the applicant, in addition to the aforementioned finding of the CNPD's lack of objective impartiality, the head of investigation also lacked subjective impartiality in the case under review. Thus, the statement of objections by the head of investigation did not constitute an objective presentation of his conclusions on the investigation conducted against him, but a preliminary statement of his opinion that the company (AA) had violated the GDPR, insofar as, in the statement of objections, he had expressly recommended corrective measures, as well as an administrative fine of €400,000,000 for failure to comply with the obligations arising from the GDPR in relation to the processing of personal data in the context of behavioral advertising, even though, pursuant to Article 39 of the Law of August 1, 2018, the investigation should have been conducted both for the prosecution and the defense, requiring the head of investigation to examine both the facts indicating that the GDPR had been violated and those in which it had been complied with. 
However, in this case, the head of investigation allegedly went beyond what he was required to do by recommending corrective measures and specific sanctions that he deemed appropriate, in violation of Article 39 of the Law of August 1, 2018, and without a legal basis, whereas according to Article 8, paragraph (3) of the Rules of Procedure, the statement of objections should be limited to specifying "(…) that the breaches noted are likely to be the subject of a decision by the National Commission sitting in a restricted formation in accordance with Article 41 of the Law of August 1, 2018 relating to the general regime on data protection (…)" and that said formation would be responsible for pronouncing, "(…) where appropriate, corrective measures and/or sanctions against the person under investigation (…)"; a proposal by the head of investigation for a sanction or for corrective measures was not provided for in the statement of objections. Thus, the head of investigation should, according to the applicant, only identify the alleged violations of the GDPR, taking into account both the incriminating and exculpatory evidence relating to the finding of a violation, a position confirmed by the ECtHR's case law, according to which, when an investigating authority issues a judgment on the guilt or otherwise of the party under investigation, said authority would be going beyond its role as investigator. By expressly stating in the statement of objections that the company (AA) had seriously violated the GDPR, and by proposing corrective measures and sanctions to the Restricted Panel, the head of investigation violated the principle of subjective impartiality. In its reply, the applicant further refutes the CNPD's argument that Luxembourg law allows it to combine the functions of investigation and decision-making, whereas, as an independent administrative authority, the CNPD should exercise its powers with the utmost objectivity and impartiality.
In this context, the applicant relies on the 2010 opinion of the Council of State concerning the draft Competition Act, in which the Council condemned the abolition of the Competition Inspectorate and the allocation of its functions to the Competition Council, on the grounds that such an arrangement would create a lack of structural separation, inconsistent with the principle of impartiality guaranteed by the ECHR, a position that would ipso facto be applicable to the CNPD. The company (AA) further specified that such a separation between the authorities responsible for investigations and those responsible for making decisions following these investigations exists, with regard to data protection, in both Belgium and France. Furthermore, its argument is not contradicted by the case law of the administrative courts concerning the Financial Sector Supervisory Commission, hereinafter referred to as the "CSSF," or the Disciplinary Council for State Civil Servants, insofar as these entities, unlike the CNPD, are not independent administrative authorities, which, according to the applicant, are by nature subject to a higher duty of impartiality. The applicant further argues in this context that while the case law of the CJEU, the ECtHR, and the Court of Justice of the European Free Trade Association suggests that the European Commission could combine the functions of investigation and decision-making while remaining impartial, while the party affected by a decision of the Commission could refer the matter to the General Court of the European Union, hereinafter referred to as the "TEU," such a conclusion cannot be accepted for the CNPD, since the European Commission, unlike the CNPD, should not be considered an independent administrative authority. 
Based on the premise that the CNPD should be classified as a tribunal under Article 6 of the ECHR and Article 47 of the Charter and should, therefore, separate its investigative and decision-making functions, the applicant argues that a tribunal is characterized, according to the case law of the ECtHR, in the substantive sense, by its judicial role of deciding, on the basis of legal norms and following an organized procedure, any question falling within its jurisdiction, while also meeting a series of other conditions, namely independence, particularly from the executive branch, impartiality, the length of the members' term of office, and the guarantees offered by the procedure. The applicant further notes, in this context, that the French Council of State has also adopted this approach with regard to the CNIL, which exercises exactly the same investigative and sanctioning powers as the CNPD. Based on the judgment of September 11, 2009, of the ECtHR in DUBUS SA v. France, which held that the courts, by confusing the functions of investigation and prosecution, violate Article 6 of the ECHR, to the extent that the independence and impartiality of said courts could be called into question, which would also be the case for the CNPD, even though its structural and organizational conditions allow a commissioner (i) to propose an investigation, which would demonstrate an unfavorable bias against the person concerned by said investigation, and (ii) to subsequently be appointed to lead it, while participating in the decision to appoint him or her. The applicant concludes that the contested decision should therefore be annulled in the context of the application for reversal. 
In its reply, and with regard to the allegation of subjective bias on the part of the CNPD, the applicant reiterates its argument that it was not the responsibility of the head of investigation to propose a sanction or corrective measures, whereas in doing so, he exceeded his role as investigator by prejudging the guilt of the person targeted by the investigation. In this context, it further refutes the CNPD's argument that, on the one hand, this is a "common practice" - which constitutes neither an excuse nor a justification for this illegal practice - and, on the other hand, that said practice is based on Article 9 of the Grand Ducal Regulation of June 8, 1979, relating to the procedure to be followed by administrations under the jurisdiction of the State and municipalities, hereinafter referred to as the "Grand Ducal Regulation of June 8, 1979," whereas said article only applies, at most, to the Restricted Committee and that, if the head of investigation were to be affected by said provision, he should limit himself to communicating to the party concerned "the factual and legal elements that lead him to act," and not the exact sanction. Such an approach would ensure that the accused can take a position on the underlying facts and formulate a defense against a potential penalty before it is proposed. Finally, it disputes the CNPD's assertion that the Restricted Panel made "its own assessment of the facts" without being influenced by the Head of Investigation's recommendation, when it imposed a fine representing exactly the same proportion of the American company's worldwide annual turnover (FF) as the fine recommended by the Head of Investigation, the only change being the reference year for calculating the said fine. Thus, far from conducting its own analysis, the Restricted Panel simply followed the Head of Investigation's analysis.
The applicant concludes that the appealed decision, due to the CNPD's lack of objective and subjective impartiality, violates both the principle of impartiality and Article 39 of the Law of August 1, 2018, requiring that investigations be conducted both for the prosecution and the defense, such that it is subject to annulment in the context of the appeal for review under review. The CNPD rightly concludes that the applicant's argument alleging a violation of the principle of impartiality should be dismissed as unfounded.
Under Article 6 of the ECHR, "1. In the determination of his civil rights and obligations or of any criminal charge against him, everyone has the right to a fair and public hearing within a reasonable time by an independent and impartial tribunal established by law. The judgment shall be pronounced publicly, but access to the courtroom may be closed to the press and the public during all or part of the trial in the interests of morality, public order, or national security in a democratic society, when the interests of minors or the protection of the privacy of the parties to the trial so require, or to the extent considered strictly necessary by the court, when in special circumstances publicity would be likely to prejudice the interests of justice. 2. Everyone charged with an offence shall be presumed innocent until proved guilty according to law. 3. Everyone charged with an offence shall have the right, in particular, to: (a) be informed promptly, in a language which he understands and in detail, of the nature and cause of the accusation against him; (b) have adequate time and facilities for the preparation of his defence; (c) to defend themselves in person or through legal assistance of their own choosing and, if they do not have the means to pay for legal assistance, to be assisted free of charge by a court-appointed lawyer, where the interests of justice so require; (d) to examine or have examined witnesses against them and to obtain the attendance and examination of witnesses on their behalf under the same conditions as witnesses against them; (e) to have the free assistance of an interpreter if they do not understand or speak the language used in court."
Under Article 47 of the Charter, applicable when implementing European law, such as the GDPR, "Everyone whose rights and freedoms guaranteed by Union law are violated has the right to an effective remedy before a tribunal in accordance with the conditions laid down in this Article. Everyone has the right to a fair, public, and timely hearing by an independent and impartial tribunal previously established by law. Everyone has the opportunity to be advised, defended, and represented. (…)."
Regarding the guarantees applicable to administrative sanctions, it should be noted that the CNPD, under national law, does not constitute a court within the meaning of Article 6 of the ECHR, although, in accordance with Article 3 of the Law of August 1, 2018, it is "an independent public institution endowed with legal personality."
Indeed, it has been held, in relation to another administrative authority, in this case the Disciplinary Council for State Civil Servants, an administrative authority that can also impose sanctions on citizens falling within its jurisdiction, that while Article 6 of the ECHR certainly imposes requirements to be respected in matters of fair trial, the related guarantees are nevertheless not intended to apply at the level of purely administrative disciplinary proceedings, in that they only come into play at a later stage, at the level of the judicial body competent to hear the appeal against the administrative decision reflecting the outcome of the said disciplinary proceedings. Thus, to the extent that the interested party has at their disposal a two-tier jurisdiction at the litigation level, with judicial bodies meeting the requirements of Article 6 of the ECHR, these requirements cannot be applied with the same rigor against bodies sitting at the pre-litigation level, namely the administrative level. This conclusion, which was also upheld with regard to the CSSF, which is also a public institution, like the CNPD, and which must apply mutatis mutandis to the CNPD when it imposes administrative fines, is not undermined by the findings of the ECtHR in its DUBUS SA v. France judgment, since this judgment does not allow any conclusions to be drawn with respect to the present case, given that, in addition to the fact that, at the time of the events, it had been noted that there was no double level of jurisdiction, but only an appeal "in cassation" before the French Council of State, the said banking commission was already considered, in domestic law, by French national case law, to be a court within the meaning of Article 6 of the ECHR, as is apparent from the considerations of the DUBUS SA v. France judgment, in particular under points 20, 26, 55, and 70, which is not the case for the CNPD.
[2] By analogy: Administrative Court, July 14, 2016, No. 37460C of the roll, Admin. Pas. 2023, V° Civil Service, No. 249 and the other references cited therein.
[3] By analogy: Administrative Court, July 14, 2016, No. 37460C of the roll, Admin. Pas. 2023, V° Civil Service, No. 249 and the other references cited therein. December 17, 2009, No. 25839C of the roll, Admin. Pas. 2023, V° Civil Service, No. 294 and the other references cited therein.
[4] See in particular adm. court, November 21, 2023, No. 40877 of the docket, available at www.jurad.etat.lu
Regarding the application of the so-called "Engel" criteria, as established by the ECtHR's judgment in Engel and Others v. the Netherlands, dated 8 June 1976 (Applications 5100/71; 5101/71; 5102/71; 5354/72; 5370/72), it must be noted that the legal classification of the offense in dispute under domestic law, more specifically derived from Community law, in this case the GDPR, corresponds to an administrative violation, even though it is punishable by a fixed-term fine. Furthermore, the very nature of the violation is clearly administrative, given that it involves penalizing behavior that violates the rules of the GDPR, specifically Articles 6, 12, 13, 14, 15, 16, 17, and 21 of the said Community regulation. Finally, the severity of the possible penalty, excluding any custodial sentence and limited to a financial fine of up to €20,000,000, or, in the case of a company, up to 4% of the total worldwide annual turnover for the previous financial year, in accordance with Article 83, paragraph (5) of the GDPR, when a violation of Articles 5, 6, 7, 9, and 12 to 22 of the GDPR is found, is still to be considered, overall, quite low.
Indeed, even if at first glance the amount of €20,000,000, or 4% of turnover, may seem high, it must be assessed in the general context of the violation committed, as the authority imposing the said penalty must take into consideration a whole series of factors, in accordance with Article 83, paragraph (2) of the GDPR. It follows that the analysis of the criteria known as "Engel" is also not likely to support the claim presented by the applicant that it was subject to a criminal sanction. [10]
[5] "20. By a judgment of July 30, 2003, the Council of State dismissed this appeal, in particular on the following grounds (...) the decision is taken, as provided for by law, in the exercise of a judicial power."
[6] "26. According to the Council of State, the penalties imposed by the Banking Commission have the character of judicial decisions."
[7] "55. The Court observes that the Banking Commission exercises two types of functions. (…) The second is disciplinary, and the Banking Commission exercises its power to impose sanctions by acting as an 'administrative court.'"
[8] "70. As for the second part of the complaint, the Court observes that when the Banking Commission rules pursuant to Article L. 613-21, it is an administrative court."
[9] Pursuant to Article 83, paragraph (2) of the GDPR, with regard to the principle and the quantum of the administrative fine to be imposed, the competent authority must take into consideration "(a) the nature, seriousness, and duration of the breach, taking into account the nature, scope, or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they have suffered; (b) whether the breach was committed deliberately or negligently; (c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects; (d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented pursuant to Articles 25 and 32; (e) any relevant previous breaches committed by the controller or processor; (f) the degree of cooperation established with the supervisory authority to remedy the breach and mitigate its possible negative effects; (g) the categories of personal data concerned by the breach; (h) the manner in which the supervisory authority became aware of the breach, including whether and to what extent the controller or processor has notified the breach; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with those measures;
Concerning the criticisms directed at the CNPD for failing to meet the required guarantees of impartiality, the court must note, by analogy with a judgment of the Administrative Court of July 19, 2023, entered under case number 48647C in the case list in the context of an administrative sanction imposed by the CSSF, that a possible failure to comply with the principle of impartiality during the administrative procedure at the organizational level of an administrative authority having imposed an administrative sanction, whether with regard to supranational provisions or as a general principle of law, does not lead to the reversal of the sanction imposed, provided that the citizen concerned had at his or her disposal an appeal for reversal, in which the administrative courts were able to analyze the merits of the criticisms made against him or her and could have corrected any flaw affecting the decision if the action taken by the competent authority was biased, provided that the appellant requested that they carry out this review. Indeed, as stated above, the CNPD does not correspond, under Luxembourg law, to a judicial body, and indeed should not be, since, even assuming that the sanctions it imposes have a criminal nature or a "criminal tinge," the ECtHR ruled, in its judgment of March 4, 2014, GRANDE STEVENS and Others v. Italy, Applications No. 18640/10 et al., regarding Article 6, paragraph (1) of the ECHR [12], that there is nothing to prevent an administrative sanction meeting the ENGEL criteria from being imposed by an administrative authority, provided that the individual to whom the sanction is applied has a legal remedy before a court meeting the conditions of Article 6, paragraph (1) of the ECHR. The GRANDE STEVENS ruling is in line with the case law of the ECtHR, as well as that of the CJEU, which review compliance with Article 6 of the ECHR not in isolation, but in relation to the procedure as a whole, including the litigation aspect. [14]
The ECtHR held, after noting that the sanctions at issue in this case had not been imposed by a judge following adversarial legal proceedings, but by an administrative authority, that entrusting such authorities with the task of prosecuting and punishing contraventions is not incompatible with the ECHR, provided that the citizen has the right to appeal any decision taken against him or her before a court offering the guarantees of Article 6 of the ECHR. The ECtHR concluded that compliance with Article 6, paragraph (1) of the ECHR did not preclude the possibility that, in administrative proceedings, a "penalty" would first be imposed by an administrative authority, but that the decision of an administrative authority that does not itself meet the conditions of the aforementioned Article 6 would have to be subject to subsequent review by a judicial authority with unlimited jurisdiction, having in this case the power to reverse the contested decision on all points of fact and law. [16]
[9, continued] (j) the application of codes of conduct approved pursuant to Article 40 or certification mechanisms approved pursuant to Article 42; and (k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation."
[11] See, by analogy, adm. court, November 23, 2021, No. 43856 of the docket, available at www.jurad.etat.lu; Admin. Court, July 19, 2023, No. 48647C of the docket.
[12] GRANDE STEVENS case, paragraphs 138 and 139.
[13] Adm. Court, July 19, 2023, case number 48647C.
[14] ECtHR, February 21, 1984, ÖZTÜRK v. Germany, paragraph 56; ECtHR, October 26, 2009, CHAUDET v. France, paragraphs 36-38; CJEU, September 9, 2010 (T-17/08 P).
[15] GRANDE STEVENS case, paragraph 138.
The ECtHR also held in the same case, concerning a situation in which Article 6, paragraph (1) of the ECHR was applicable, that the findings made by it in that case regarding a lack of objective impartiality on the part of the Italian National Commission for Companies and the Stock Exchange due to the consecutive exercise of investigative and adjudicative functions within the same institution were in themselves insufficient to conclude that there had been a violation of Article 6, paragraph (1) of the ECHR, but it did examine the existence of subsequent review by a judicial body with full jurisdiction. [17] It follows that, in accordance with the lessons to be drawn from the aforementioned ECtHR judgment, the fact that an administrative authority which issues a measure such as that at issue does not, as the case may be, itself meet all the conditions of Article 6, paragraph (1) of the ECHR is not incompatible with the principle of fair trial or with respect for this provision - nor for that matter with the principle of impartiality as a general principle of law -, provided that a subsequent review of the measure could be carried out by a judicial body with full jurisdiction. Based on this ECtHR case law, it is clear that in this case, regardless of the question of the classification of the disputed measure as a criminal sanction, and even assuming, as the applicant claims, that the CNPD itself did not meet the required guarantees of impartiality, in any event, the consequence is not the annulment of the disputed fine for procedural defects, as requested by the applicant. Rather, it is important to verify whether the applicant ultimately had access to a legal remedy meeting the conditions of Article 6, paragraph (1) of the ECHR, which implies that the entire procedure [18] that led to the administrative sanction under attack must be taken into account, including the litigation procedure.
To the extent that the applicant, in this matter, has a double level of jurisdiction before the administrative courts ruling on the merits, namely before the Administrative Tribunal and the Administrative Court, whose compliance with the requirements of Article 6, paragraph (1) of the ECHR is not disputed, in that they are both vested with unlimited jurisdiction pursuant to Article 55 of the Law of 1 August 2018 and are therefore responsible not only for reviewing the legality of the decision imposing the administrative sanction, but can also replace the administration through a new assessment of the facts and the law, the conclusion must be drawn that the applicant was able to bring the allegations raised against it relating to non-compliance with the provisions of the GDPR before an independent and impartial tribunal following administrative proceedings. It follows that the criticisms made by the applicant against the CNPD are, in any event, not such as to lead to the annulment of the decision to impose a fine against it, regardless of the question of the justification of these criticisms, as any possible defect in the requirement of impartiality can be remedied by the administrative courts ruling in the context of a full jurisdiction appeal, in that they can review the penalty in fact and in law when it was not imposed in compliance with the requirements of impartiality.
[16] Ibid., paragraphs 139 and 161.
[17] Ibid., paragraph 139.
[18] Adm. Court, July 19, 2023, No. 48647C of the list.
It follows from all of the foregoing considerations that the allegation of a violation of the principle of impartiality, whether on the basis of Articles 6, paragraph (1) of the ECHR and 47 of the Charter or as a general principle of law, is unfounded.
The relevant ground of appeal must therefore be dismissed as unfounded, without the court having to analyze the applicant's argument regarding a violation of Article 39 of the Law of 1 August 2018, an argument put forward not as a stand-alone ground of appeal, but solely as an element likely to establish, on the part of the CNPD, a lack of subjective impartiality. The applicant then argues that the contested decision should, in the context of the appeal for review, be annulled for violation of Articles 2 and 7 of the Rules of Procedure, as well as the right to a fair trial, and more specifically the principle of equality of arms and the rights of the defense, in that both the head of investigation and the Restricted Panel unlawfully extended the scope of the investigation as initially defined in the CNPD's engagement letter of April 23, 2019, which, according to the company (AA), was limited to two aspects, namely "the basis of lawfulness (for the processing of personal data) and cookies." It first clarifies, in this context, that the complaint filed against it by LQDN before the CNIL on May 28, 2018, allegedly only concerned the question of the validity of its legal basis for processing personal data under Article 6 of the GDPR with regard to the PBI. Based on this complaint, the minutes of the CNPD plenary session of April 5, 2019, which decided to open an investigation against it and designated a head of investigation, allegedly limited the subject of said investigation to two areas, namely "cookies and the basis of legality," a subject further included in the mission order of the head of investigation of April 23, 2019, as well as in the CNPD's letter of the same day informing the applicant of the opening of an investigation against it.
Despite this precise and clear limitation of the initial scope of the investigation conducted against the plaintiff, the head of the investigation subsequently and through additional questions repeatedly extended the scope of his investigation without adequately notifying the plaintiff of this extension of the scope of the investigation. Thus, during the investigation phase, the applicant noted that the questionnaire sent to it on April 23, 2019, included questions regarding its compliance with the right to object under Article 21 of the GDPR and the right of access to personal data under Article 15 of the GDPR, as well as its compliance with transparency obligations under Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications), hereinafter referred to as the "ePrivacy Directive." Then, at the meeting on July 17, 2019, questions about its compliance with the right to erasure under Article 17 of the GDPR were raised for the first time. According to the applicant, the head of investigation, by raising these questions as relevant elements in his analysis regarding the valid legal basis for its processing of personal data under Article 6 of the GDPR, broadened the scope of his investigation to include an independent assessment of the company's compliance with all of the aforementioned articles of the GDPR. 
Furthermore, in the context of the head of investigation's summary of the facts, the latter, while specifying that the seven objectives of the audit carried out would only concern the assessment of the basis for the lawfulness of the processing under Article 6 of the GDPR and its compliance with the rules relating to cookies, allegedly used, by using the term "in particular," an ambiguous formulation suggesting that the issues of the lawfulness of the processing and the use of cookies were not the sole subject of the investigation, especially since the document in question allegedly described, in specific sections, the applicant's approach to compliance with transparency obligations, as well as to the rights of access and erasure of data subjects. The applicant further notes, in this context, that, in the statement of objections, the purpose of the investigation was described as seeking to verify its compliance with the GDPR, the Law of August 1, 2018, and the Law of May 30, 2005, "and more specifically with the provisions relating to the basis of lawfulness and the use of cookies," meaning that it was, in reality, the subject of a broad investigation into compliance with data protection requirements in general, of which the aspects concerning the basis of lawfulness of the processing operations and cookies were only two elements. Thus, the statement of objections would have included, on the one hand, a section on the plaintiff's reliance on legitimate interest as the legal basis for the disputed processing, a claim that the head of investigation would have considered unjustified. On the other hand, it would have included three sections on the company's (AA) compliance with the transparency obligations provided for by the GDPR and a section on the rights of access, erasure, and rectification. Moreover, the latter aspect was not mentioned by the head of investigation in his summary of the facts.
This erroneous extension of the scope of the investigation by the head of investigation had, according to the applicant, a significant impact on the statement of objections, which reportedly recommended that the Restricted Committee impose, on the one hand, corrective measures not only regarding the legal basis for the disputed data processing and its use of cookies, but also regarding its transparency obligations, respectively regarding the rights of access, erasure, rectification, and objection, and, on the other hand, a fine of €400 million, an amount that took into account the violation of said rights and obligations. These errors were also reflected in the appealed decision, which, in its description of the scope of the investigation, had indeed repeated the disputed extension of the subject matter of the investigation, as formulated in the statement of objections, and imposed a fine of 746 million, as well as corrective measures in relation to all the deficiencies identified in the statement of objections concerning both the legal basis for the disputed data processing and the transparency obligation, respectively, in terms of the rights of access, erasure, rectification, and opposition. The applicant further notes that the contested decision also extended the scope of the investigation with regard to the processing activities analyzed, activities initially limited to the PBI and cookies, but subsequently extended in the complaint to personalized recommendations sent to its customers. The head of investigation thus wrongly assumed, in his analysis of the opt-out mechanism proposed by the applicant for the PBI, that these recommendations would be considered online behavioral advertising, an incorrect conflation repeated by the contested decision, without the applicant having been previously asked to provide explanations on this matter to enable him to correct such an error in reasoning. 
However, the personalized recommendations would be generated from data different from those of the PBI and would not allow third parties to purchase space to present their products, and would only be displayed in the Boutiques (AA), while being controlled, as to their type, via an options mechanism offered to customers, such that said recommendations could not be considered PBI. The applicant therefore requests, in the context of the appeal for review under review, that the decision appealed be annulled for violation of Articles 2 and 7 of the Rules of Procedure, requiring clarification, in particular, of the subject matter of the investigation, when the CNPD decides to open an investigation, or when the head of investigation drafts the mission order. Thus, the CNPD, by broadening the scope of the investigation through the communication of grievances, as well as through the decision under appeal, beyond the scope initially limited to "the basis of legality and the use of cookies," to include an analysis of the company's (AA) compliance with its transparency obligations, as well as the rights of access, rectification, erasure, and opposition, would have, in fact, conducted an investigation distinct from that opened by the April 2019 decision, as well as by the mission order of April 23, 2019, which would never have been the subject of a decision to open an investigation, or a mission order containing the elements required by Articles 2 and 7 of the Rules of Procedure.
The applicant further argues in this context that the CNPD, aware of the extension of the scope of the investigation to the analysis of compliance with transparency obligations, as well as the rights of access, rectification, erasure, and objection, attempted to mask this procedural irregularity by including these elements in its examination of the legal basis invoked by the company (AA) to justify the processing of the disputed personal data, during the balancing test of the interests of the data controller and those of the data subjects concerned by the disputed data processing. However, such an approach would not be logical, since the data controllers should have carried out this balancing test before commencing the relevant processing activities, based on the premise that said processing would comply with the obligations arising from the GDPR. The applicant further considers, in this context, that the failure to implement Articles 12 to 17 and 21 of the GDPR in the precise manner envisaged by the CNPD cannot invalidate the entire balancing test, especially in this case, where the CNPD allegedly sanctioned it based on an erroneous interpretation of its information notices and wrongly rejected its argument based on Article 11 of the GDPR, which authorizes it to use the disputed data due to its pseudonymization, an operation that prevents it from identifying the data subjects. 
While acknowledging that the supervisory authorities' guidance explains that the "additional safeguards" implemented by the controller would influence the balance of interests and could contribute to "tipping the scales" in favor of relying on the legitimate interests test, the applicant argues that the failure to implement these additional safeguards should not necessarily tip the scales against relying on the legitimate interests test, as the CNPD erroneously held in the decision under appeal, given that the balancing test required to pursue a legitimate interest is entirely distinct from the controller's obligation to respect the rights of data subjects affected by the processing of their personal data. It concludes that, given that the subject matter of the head of the investigation's disputed investigation was limited to analyzing the legal basis invoked to justify the data processing in dispute, as well as the requirements relating to the use of cookies, the said investigation should not have independently covered the examination of its compliance with transparency obligations and the rights of the persons concerned by the data processing in dispute. Even if it were admitted that the analysis of compliance with the GDPR's requirements relating to transparency and the rights of data subjects could be relevant to the assessment of the legal basis invoked to justify the disputed data processing, the CNPD would still have been required to comply with Articles 2 and 7 of the Rules of Procedure and should have limited its analysis of GDPR compliance to what was necessary to assess the validity of its legal basis and its compliance with the rules relating to cookies, and not conduct a full assessment of its compliance with the GDPR.
This extension of both the purpose and scope of the investigation violated, according to the applicant, her right to a fair trial within the meaning of Article 6 of the ECHR and Article 47 of the Charter, and more specifically the principle of equality of arms between two parties to the proceedings and her rights of defense. The applicant further specifies, in this context, that the case law of administrative courts has also considered the principle of equality of arms to be a general principle of law. Furthermore, the ECtHR has held that in order to ensure procedural fairness, a person accused of a criminal offense must be actively informed by the prosecuting authority, promptly and in detail, of the nature and grounds of the charge against them, as well as of any change in the grounds of the charge, and must be entitled to the time and resources necessary to prepare their defense. However, in this case, the CNPD allegedly extended the purpose and scope of the investigation in a manner that undermined the applicant's ability to organize its defense, conferring an unfair advantage on the CNPD, an advantage that was even more blatant given that the CNPD had opened a separate investigation into the company's (AA) compliance with the data subject's right of access and related transparency rules, an investigation of which the latter was informed by letter dated February 6, 2020, such that it could reasonably have considered that the disputed investigation under review would have been limited to questions of the legality and use of cookies in relation to the PBI. 
The contested decision, by ordering a fine and imposing corrective measures for its failure to comply with the transparency and information obligations set out in Articles 12 to 14 of the GDPR, and the rights of data subjects set out in Articles 15 to 17 and 21 of the GDPR, should therefore be subject, in the context of the appeal for reversal under review, to annulment for having violated its right to a fair trial, or, alternatively, to reversal so as to focus only on the Restricted Committee's charges concerning the company's failure to comply with the obligation, under Article 6 of the GDPR, to have a valid legal basis for the processing of personal data and the use of cookies for GDPR purposes, without taking into consideration, either in terms of the fine or the corrective measures, the alleged violations of Articles 12 to 17 and 21 of the GDPR. In its reply, the applicant reiterates its argument relating to the unlawful extension of the scope of the investigation to include an alleged violation of Articles 12 to 17 and 21 of the GDPR, while refuting the CNPD's argument that the main purpose of the investigation was "the lawfulness of processing and the use of cookies," but without having been limited to these two points. The applicant maintains, in this context, that it would have been up to the CNPD, had the investigation been broader to include an examination of the PBI's compliance with other aspects of the GDPR, to specify this from the outset in accordance with the principle of good administration, failing which it would have violated its rights of defense and its right to a fair trial. It further disputes the CNPD's assertion that an analysis of compliance with Articles 12 to 17 and 21 of the GDPR would have been relevant to determining whether it had a valid legal basis under Article 6(1)(f) of the GDPR.
In this context, it explains that Opinion 06/2014 on the concept of legitimate interest pursued by the data controller within the meaning of Article 7 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, hereinafter referred to as "Directive 95/46/EC", of the Article 29 Data Protection Working Party, hereinafter referred to as "Opinion 06/2014", respectively "the Article 29 Working Party", as cited by the CNPD, only mentions the relevance of compliance with "general obligations" for the assessment of legitimate interests, without considering that compliance with all the rights enshrined in Articles 12 to 17 and 21 of the GDPR would be necessary or appropriate for said control. It further argues that the European Data Protection Board, hereinafter referred to as "the EDPB," the body that replaced the Article 29 Working Party when the GDPR entered into force, firstly, did not approve Opinion 06/2014, whereas it had done so for other opinions of the Article 29 Working Party, and secondly, published new guidelines, such as Guidelines 8/2020 on targeting social media users, having clearly stated that compliance with Articles 12 to 17 and 21 of the GDPR would not be relevant for the balancing of legitimate interests test, even though these are two different sets of obligations, just as compliance with Articles 13 and 14 of the GDPR does not constitute a transparency measure to be taken into consideration for the balancing of interests in accordance with Article 6(1)(f) of the GDPR. 
The applicant further argues in this context that compliance with Articles 15 to 17 and 21 of the GDPR would, moreover, be irrelevant for the assessment of legitimate interests, and would only create obligations for controllers when a data subject has requested it, i.e., after the processing of the data in question has begun - a request that could require a case-by-case analysis - whereas a controller would have to carry out the assessment of legitimate interests before the processing begins. The company (AA) then notes that none of the other EU supervisory authorities, having had to assess whether a data controller could rely on the legal basis of legitimate interests under the GDPR, had conducted a detailed analysis of compliance with Articles 12 to 17 and 21 of the GDPR as part of that assessment. As for the CNPD's arguments that (i) the extension of the scope of the investigation was justified by information discovered during the investigation, (ii) such an extension did not go beyond assessing how it would pursue PBI's activities, and (iii) the CNPD only analyzed the legal consequences of these facts, the company (AA) argues that, in this context, a formal extension decision would always have been required, which was not the case in this case, in violation of the right to a fair trial and Articles 2 and 7 of the Rules of Procedure. The applicant further requests the rejection of the case law cited by the CNPD to refer to competition law and public procurement legislation, i.e., specific regulations unrelated to the present matter. While asserting that the extension of the scope of the investigation would have gone well beyond a simple reclassification of the facts under investigation, the applicant insists that in this case, the CNPD investigated facts that were completely unrelated to the subject matter of the investigation. 
Based on all these considerations, the applicant concludes that the contested decision should, in the context of the application for reversal, be annulled, or alternatively, be reversed to exclude Articles 12 to 17 and 21 of the GDPR from its scope. The CNPD concludes that the applicant's argument based on the unlawful extension of the purpose and scope of the disputed investigation should be dismissed as unfounded. It should first be noted that an administrative authority capable of imposing administrative sanctions is not concerned with the legal classification of facts, as carried out through a complaint, but with the facts underlying said act. It is up to the competent administrative authority to clarify the reality of the facts alleged against the legal entity subject to its control, and then proceed to the legal classification of said facts according to the applicable legislation, before deciding on the legal measures to be adopted, if necessary, such as, in this case, the imposition of an administrative fine, as well as the adoption of corrective measures [19]. In this context, although LQDN's complaint, submitted to the CNIL on May 28, 2018, expressly seeks to challenge the legal basis invoked by the applicant to process the disputed personal data for PBI purposes, in this case the existence of legitimate interests within the meaning of Article 6, paragraph (1), f) of the GDPR, by presenting its legal analysis of the relevant Community provisions, it must be noted that the factual purpose of the complaint ultimately brought before the CNPD, as lead supervisory authority under European cooperation governed by Articles 60 to 62 of the GDPR, consists of challenging the processing of personal data for PBI purposes as carried out by the company (AA).
Thus, the letter dated April 23, 2019, from the head of investigation informed the applicant of the CNPD's decision "(…) to open an investigation into your organization with the objective of verifying compliance with GDPR obligations regarding processing activities for behavioral advertising purposes (…)", specifying, in parentheses, that it specifically refers to the concepts of "lawful basis and use of cookies", while requesting, as part of the questionnaire submitted to the applicant on this occasion, additional information on its activities relating to PBI, and in particular "(…) What are the consequences for users of the services provided by (AA) if they exercise their right to opt out? If a user exercises their right to opt out, what actions does (AA) take with potential recipients of the data? [and] Please indicate whether data subjects may access the data processed by (AA) in the context of processing activities for behavioral advertising purposes within the framework of an access request (Article 15 of the GDPR). If so, what is the scope of the data provided by (AA) in response to an access request? (…)" [20] In its audit report of February 17, 2020, the CNPD also specified, in order to precisely define LQDN's complaint, the actual factual context of the disputed investigation under the heading "2.2 Scope of the audit," explaining that "(…) the following personal data processing activities, as carried out by (AA) for OBA [online behavioral advertising] purposes at the time of the complaint made by LQDN, are the core of that complaint and should therefore be covered by this audit: (…)."
[19] By analogy: Administrative Court of July 12, 2019, Nos. 40837 and 41256 of the roll, Admin. Pas. 2023, V° Civil Service, No. 261, as well as Administrative Court of June 27, 2016, No. 35997 of the roll, Admin. Pas. 2023, V° Civil Service, No. 262.
The court must also note that under the heading "3.1 Main purpose of the audit and list of control objectives," the head of investigation noted that "(…) The main purpose of the audit is to ensure that the investigation is in compliance with the requirements of the GDPR, Directive 2002/28/EC (ePrivacy Directive) and the Member State laws implementing the ePrivacy Directive, in particular with regard to the legal basis (Article 6 GDPR) to process personal data for OBA purposes and with the rules governing the use of cookies. (…)." The report also noted the lack of access by data subjects to the personal data processed under the PBI, the lack of possibility to have such data erased, and the lack of information to data subjects regarding the legal basis for the data processing carried out under the PBI. It should also be noted that in the statement of objections of June 25, 2020, the head of investigation noted, in describing the objective of the investigation, that it consisted of verifying the compliance of the processing of personal data under the PBI with the GDPR, the Law of August 1, 2018, the Law of May 30, 2005, and more specifically with the provisions relating to the basis of lawfulness and the use of cookies [25], while submitting to the applicant his observations regarding the latter's failure to comply with the provisions of the GDPR relating to the transparency obligation, as well as the rights of access, rectification, erasure, and objection of the persons concerned by the processing of disputed personal data in connection with the PBI. More specifically, the head of investigation noted these violations as part of his analysis of the legal basis invoked by the company (AA) to justify the processing of personal data in relation to PBI, during the examination of the additional measures implemented by the latter in the interest of the data subjects, and more specifically the pseudonymization mechanism [26].
Thus, it should be noted that the scope of the investigation conducted against the company (AA) could validly encompass Articles 12 to 17 and 21 of the GDPR within the framework of the analysis of compliance with Article 6, paragraph (1), f) of the GDPR. It should also be noted, in this context, that Opinion 06/2014 expressly validates the CNPD's approach of taking into account the rights arising from the aforementioned provisions during the third stage of the analysis to be carried out in the context of Article 6, paragraph (1), f) of the GDPR. Thus, although Opinion 06/2014 was adopted by the Article 29 Working Party on the basis of the provisions of Article 7(f) of Directive 95/46/EC, the said Opinion remains relevant in this case, insofar as Article 7(f) of the aforementioned Directive and Article 6, paragraph (1), f) of the GDPR are identical, if not almost identical, with regard to the principles and procedures governing the use of the concept of "legitimate interests" as a legal basis for the processing of personal data. The court must also note, in this context, that the applicant itself relies, on numerous occasions, in its appeal, as well as in its reply, on the arguments in Opinion 06/2014 of the Article 29 Working Party.
[20] Page 7 of the questionnaire submitted to the applicant on April 23, 2019.
[21] Page 7 of the audit report of February 17, 2020.
[22] Page 9 of the audit report of February 17, 2020.
[23] Page 24 of the audit report of February 17, 2020.
[24] Page 37 of the audit report of February 17, 2020.
[25] Page 1 of the Statement of Objections of June 25, 2020.
[26] Pages 27, 28, 32, and 34 to 59 of the statement of objections of June 25, 2020.
This conclusion is not called into question by the applicant's argument relating to the fact that the EDPB did not expressly adopt said opinion, while the applicant has failed to invoke any legal provision according to which the opinions of the Article 29 Working Party would be repealed if the EDPB has failed to approve them [27]. The court's finding that the scope of the investigation against the company (AA) could validly encompass Articles 12 to 17 and 21 of the GDPR is also not invalidated by the applicant's submissions that the EDPB issued an opinion, in this case Guidelines 08/2020 on the targeting of social media users, holding that Articles 13 and 14 of the GDPR, on the one hand, and Article 6(1)(f) of the GDPR, on the other, are separate sets of obligations and that compliance with Articles 13 and 14 of the GDPR is not a transparency measure to be taken into account within the framework of Article 6(1)(f) of the GDPR, and more specifically in the context of the third stage of the balancing of interests. It should be noted that the opinion in question merely states that mere compliance with Articles 13 and 14 of the GDPR does not constitute an additional measure that tips the balance of interests in favor of the entity processing the disputed personal data, so as not to exclude the possibility that the specific arrangements implemented by entities processing personal data in relation to Articles 12 to 17 and 21 of the GDPR, both with regard to their potential violation, as found in this case by the CNPD, and with regard to the possible additional guarantees offered to individuals whose personal data are processed, should be taken into consideration in the analysis to be carried out regarding the validity of the use of the concept of "legitimate interests" in Article 6, paragraph (1), f) of the GDPR, as additional measures.
Finally, it should be noted that the court is not bound by decisions emanating from foreign administrative authorities or from the courts of other countries. In this context, the court must also reject the company's (AA) argument that the investigation was unlawfully extended to personalized recommendations sent to individuals whose personal data is being processed, given that neither the head of the investigation nor the Restricted Committee conducted an analysis of the compliance of said procedure with the GDPR in order to derive any sanction from it against the applicant. They only found, in the context of the analysis of the PBI objection mechanism implemented by the applicant, that exercising said mechanism would not result in stopping the sending of these advertising recommendations, which would also be classified as PBI. It should be noted that the conclusion to characterize the right to object, as implemented by the applicant, as insufficient to constitute an additional measure and to find, on this basis, a violation of Article 21 of the GDPR, is based on a total of six points, including the consideration of personalized recommendations.
[27] As an anecdote, the court must note that the EDPB adopted guidelines on the point in dispute, incorporating the method recommended by the Article 29 Working Party, namely "Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR," a document that the court will not, however, take into consideration in the context of the appeal under review, as it is subsequent to the decision taken in the case.
In addition to this initial finding, according to which the CNPD did not unlawfully extend the investigation as part of its verification of the legal basis invoked by the applicant, in this case, that of legitimate interest, in accordance with Article 6, paragraph (1), f) of the GDPR, such that the grounds relating to a violation of Articles 2 and 7 of the Rules of Procedure are liable to be dismissed for lack of factual grounds, there is the added fact that the CNPD, throughout the investigation, both through the questionnaire of April 23, 2019, the audit report of February 17, 2020, and the statement of objections of June 25, 2020, submitted to the applicant the elements necessary to enable the latter to take an effective position regarding the alleged violation of Articles 12 to 17 and 21 of the GDPR before the decision referred to it on July 15, 2021, which the company (AA) did, moreover, in fact, in a detailed manner, through its position letter of August 20, 2020. Based on all of the foregoing considerations, the applicant's argument based on a violation of Articles 2 and 7 of the Rules of Procedure for failure to act on a factual basis, as well as a violation of its right to a fair trial, and more specifically with regard to the principle of equality of arms, as well as respect for the rights of the defense within the meaning of Articles 6 of the ECHR and 47 of the Charter, must be rejected. The company (AA) then criticizes the CNPD for not granting its request of July 10, 2021, for access to all documents comprising the file of the Restricted Committee, including all relevant and reasoned documents, communications, and objections from other data protection supervisory authorities made pursuant to Article 60 of the GDPR, as well as the relevant responses from the Restricted Committee, the company's (AA) related request having been motivated by the circumstance of being able to effectively exercise its rights of defense.
In this context, she specifies that, through the letter of July 16, 2021, the CNPD only granted her access to certain documents contained in the investigation file, but not to the documents exchanged between the various national data protection supervisory authorities under Article 60 of the GDPR, on the grounds, firstly, that disclosure of said information would constitute a breach of the CNPD's obligation of professional secrecy, and secondly, that no new evidence justifying the reopening of the investigation, on which the company (AA) had not yet been heard, had been added to the file. Based on Article 60 of the GDPR, which governs the cooperation mechanism between the CNPD and other relevant supervisory authorities when investigating cross-border processing as lead authority, the applicant explains that it has received no information on such cooperation between the CNPD and the other relevant supervisory authorities, the latter being those located in the Member States where the controller under investigation has an establishment or where the data subjects affected by the disputed processing of personal data are located. While noting that neither the GDPR in general, nor Article 60 of said regulation in particular, prohibit a supervisory authority from sharing these documents with the data controller subject to the proceedings, it maintains that it has received virtually no information on any cooperation between the CNPD and the other supervisory authorities concerned.
[28] Pages 22 and 23 of the audit report of February 17, 2020, and page 70 of the contested decision of July 15, 2021.
[29] Pages 31 and 32, as well as 50 to 63 of the company's letter (AA) of August 20, 2020.
The applicant claims, in this context, to be unaware of the identity of the other supervisory authorities concerned, as well as the existence, or the content, of any relevant or reasoned objections made to the draft decision of the Restricted Panel pursuant to Article 60, paragraph (3) of the GDPR. The CNPD's refusal of her request for access to the entire file that led to the contested decision would, according to the applicant, constitute a violation of her right to a fair trial, a right granted to her by Articles 6 of the ECHR and 47 of the Charter, and more specifically, the principles according to which parties to a trial are entitled to equality of arms and an adversarial procedure. Thus, first of all, with regard to the violation, in this case, of the principle of equality of arms, said principle would require that she could not be disadvantaged during the investigation conducted against her, whether in relation to the Restricted Committee or to the other supervisory authorities involved, participating in the cooperation procedure under Article 60 of the GDPR. Thus, the applicant considers that it was disadvantaged by having been kept in the dark about the observations submitted to the CNPD by the other supervisory authorities regarding the fine imposed on it and by not having been able to take a position on said observations itself. It also states that the fine ultimately imposed by the CNPD in the decision under appeal was, without further explanation, almost double the €400 million recommended in the statement of objections, without taking into account the alleged violation of Article 4, paragraph (3), (e) of the Law of May 30, 2005, concerning the use of cookies. 
According to the applicant, this significant increase in the fine could only have resulted from additional documents or observations that the head of investigation did not take into account when preparing the statement of objections and to which it never had access, placing it at a disadvantage compared to the Restricted Panel. Furthermore, the applicant believes it was disadvantaged in that it could not verify whether the members of the Restricted Panel had complied with their obligation to remain independent during the proceedings. In this context, it explains that, according to the information at its disposal, the CNIL actively participated in the proceedings before the CNPD, having cooperated closely with the latter throughout the proceedings, in the context of audits and analysis of the evidence obtained, and then during the examination of the draft decision, without the applicant knowing the exact terms and implications of this cooperation. It would therefore have been impossible for it to verify whether the CNPD had remained independent and, more specifically, free from any external influence. While highlighting the three aspects of the CNIL's cooperation with the head of investigation, namely (i) its presence at the meetings with the applicant on July 17, 2019, and September 10, 2019, (ii) the request for mutual assistance pursuant to Article 61 of the GDPR, in which the CNIL allegedly opened its own independent investigation into the practices of the company (AA), the results of which were recorded in a report communicated to it on December 13, 2019, and (iii) the reference to said report in the audit report of February 17, 2020, the applicant further explains that the contested decision also refers repeatedly to guidelines published by the CNIL, without mentioning any other national supervisory authority and without the statement of objections containing any such reference. 
Thus, it would appear that the CNIL made suggestions to the Restricted Panel, based on its own guidelines, during the Article 60 GDPR process, without the applicant being able, due to lack of access to the documents and observations exchanged in this case between the CNIL and the CNPD, to verify whether the Restricted Panel complied with its obligation to remain independent. Furthermore, in addition to the work that the CNIL allegedly undertook in providing assistance to the CNPD, the CNPD also opened its own investigation into the company's (AA) cookie practices, an investigation that resulted in the imposition of an administrative fine of €35 million and an injunction to bring its cookie mechanisms into compliance with the French transposition of Article 5, paragraph (3) of the ePrivacy Directive. The plaintiff states, in this context, that the fact that the CNIL's decision was issued on December 7, 2020, after the CNPD hearing on November 10, 2020, and before the contested decision of July 15, 2021, in which the latter chose not to impose any sanctions on the company (AA) regarding the use of cookies, demonstrates the CNIL's influence over the CNPD, a finding that is particularly relevant to the plaintiff, given that the plaintiff considers that the CNIL's parallel investigation violates the principle of ne bis in idem. 
The refusal of access to all documents underlying the contested decision also constitutes a violation of the company's (AA) right to an adversarial procedure, whereas, pursuant to Article 6 of the ECHR and Article 47 of the Charter, as well as the related case law of the ECtHR and the CJEU, it should have had the right to examine and discuss all documents or observations submitted to the CNPD in order to enable it to influence its decision, in this case the observations and objections submitted to the CNPD by the supervisory authorities under the cooperation procedure under Article 60 of the GDPR, i.e., elements that the CNPD should have taken into account, in accordance with Article 60, paragraph (3) of the GDPR. The applicant further relies, in this context, on Article 58(4) of the GDPR, which requires that the exercise of the powers of supervisory authorities be subject to "appropriate safeguards," including the right to a fair trial. The applicant also invokes, still in this context, a GDPR-related case before the Irish Data Protection Commissioner involving WHATSAPP Ireland Limited, hereinafter referred to as "WHATSAPP," in which the latter allegedly obtained access to documents relating to the EDPB's cooperation procedure, which was not the case in this instance. Thus, not only did the EDPB fail to ensure that its approach to implementing the GDPR was consistent with that of other data protection supervisory authorities, but it also failed to follow the approach it would have approved as a member of the EDPB. 
The applicant further relies, with regard to the CNPD's refusal to grant it access to all the documents underlying the contested decision, and more specifically to the documents relating to the cooperation mechanism under Article 60 of the GDPR, on Articles 11 and 12 of the Grand-Ducal Regulation of June 8, 1979, while specifying that Article 8, paragraph (4) of the Rules of Procedure, which allows for refusal to disclose certain documents, particularly those from other national data protection supervisory authorities, would no longer apply after the investigation phase following the transfer of the file to the Restricted Committee. Furthermore, said Article cannot derogate from the Grand-Ducal Regulation of June 8, 1979, for failing to provide guarantees at least equivalent to those of said regulation. Furthermore, Article 13 of the Grand-Ducal Regulation of June 8, 1979, as a legal basis for justifying the refusal to disclose documents, should be interpreted strictly, such that the principle of transparency should prevail. Furthermore, the CNPD was not justified in invoking professional secrecy, the purpose of which was to protect, in particular, individuals filing complaints with a supervisory authority, such as whistleblowers, from the regulators themselves. Based on Articles 6 of the ECHR and 47 of the Charter, the applicant further argues that the use of professional secrecy cannot have the effect of preventing data controllers, who are the subject of investigations by a supervisory authority, from exercising their rights to a fair trial, a position further confirmed by the case law of the Administrative Court. Furthermore, neither the Irish Data Protection Commission nor the EDPB, of which the CNPD is a member, considered that the disclosure of documents to a party concerned by an investigation into the protection of personal data would constitute a breach of professional secrecy. 
The applicant further noted, in this context, that the CNPD had not identified any other public or private interests opposing the disclosure of the disputed documents and observations. Based on all of these considerations, the applicant, primarily, requests that the contested decision be annulled in the context of the appeal for review under review for violation of Article 8, paragraph (4) of the Rules of Procedure and Articles 11 and 12 of the Grand-Ducal Regulation of 8 June 1979. In the alternative, the applicant requests the administrative court to order the CNPD to provide it with all documents and observations, including those of other supervisory authorities, relating to the cooperation mechanism under Article 60 of the GDPR, or a written description of the essential content of these documents and observations, or even a summarized or aggregated version thereof, on the basis of Article 13 of the Grand-Ducal Regulation of 8 June 1979, or Article 42 of the Law of 1 August 2018, in order to allow it to examine them and provide its observations before a new decision is made. The applicant finally proposes to refer a question for a preliminary ruling to the CJEU on the basis of Article 267 of the Treaty on the Functioning of the European Union, hereinafter referred to as the "TFEU", worded as follows: "In the light of the right to a fair trial under Article 47 of the Charter of Fundamental Rights of the European Union and the principles of good administration, must Article 58(4) of Regulation (EU) 2016/679 be interpreted: (i) as requiring a supervisory authority to provide, at the request of the data controller under investigation, access to relevant documents and observations exchanged in accordance with the cooperation procedure provided for in Article 60 of Regulation (EU) 2016/679 between the lead supervisory authority and the supervisory authorities concerned regarding the draft decision of the lead supervisory authority? and (ii) as granting the controller under investigation the right to be heard on the opinions of the supervisory authorities concerned, in particular when these opinions significantly alter the draft decision of the lead supervisory authority?"
In its reply, the applicant refutes the CNPD's argument that it should have filed a separate application for annulment regarding the refusal to grant it access to the full file underlying the contested decision, since this refusal should not be considered a separate decision, but rather a preparatory act for the contested decision, the illegality of which it could invoke incidentally. Furthermore, the existence of a separate appeal against the aforementioned refusal of access would be ineffective and illogical, since both applications would be based on the same investigation file. Based on the consideration that the evidence in the case file to which the applicant did not have access would have had an impact on the decision under appeal, including almost doubling the initially proposed fine, the company (AA) maintains that it should have had the right to be heard on these elements. It further rejects the CNPD's argument that such an increase in the penalty was not motivated by the comments and objections of its European counterparts, but by the EDPS's decision in the WHATSAPP case, according to which the reference year for calculating the fine should be the year preceding the year of the decision. The plaintiff further argues, in this context, that the penalty recommended by the head of investigation also targeted an alleged violation of the rules on cookies, a violation for which the CNPD ultimately concluded it could not impose a fine, such that it would still be unable, based on the decision and the explanations provided by the CNPD in its response, to understand the doubling of the fine, despite the circumstance that the scope of the facts taken into consideration had been narrowed. 
The company (AA) further argues, firstly, that it does not fall within one of the scenarios set out in Article 13 of the Grand-Ducal Regulation of June 8, 1979, which allows for refusal to disclose certain documents forming part of the administrative file, and secondly, based on the same article, that it should have received at least a description of the essential content of the file relating to its case and the opportunity to present its observations. Furthermore, even if the CNPD had decided to increase the fine solely on the basis of the EDPS's decision in the WhatsApp case, the CNPD's refusal to grant it access to the entire file would still not be justified, since it would never have been informed of the reason for the increase in the amount of the fine imposed against it and would therefore not have had the opportunity to be heard on this decision, thus placing it at a disadvantage compared to the CNPD and depriving it of the right to a fair trial, just as it would have faced a violation of its right to good administration, enshrined in Article 41 of the Charter. The applicant also proposes, in this context, to submit the following preliminary question to the CJEU: "In the light of the right to a fair trial and the principles of good administration set out in Articles 41 and 47 of the Charter of Fundamental Rights of the European Union, must Article 58(4) of Regulation (EU) 2016/679 be interpreted: (a) as requiring a supervisory authority to provide, at the request of the controller of the data processing under investigation, access to relevant documents and observations exchanged in accordance with the cooperation procedure provided for in Article 60 of Regulation (EU) 2016/679 between the lead supervisory authority and the supervisory authorities concerned regarding the lead supervisory authority's draft decision? and (b) as granting the controller under investigation the right to be heard on the opinions of the supervisory authorities concerned, in particular when those opinions significantly alter the draft decision of the lead supervisory authority?"
The applicant finally argues that the CNPD could not rely on its professional secrecy obligations to refuse it access to the file, based on Article 42 of the Law of August 1, 2018, as well as Article 8, paragraph (4) of the Rules of Procedure, since the objective of the CNPD's professional secrecy obligation is to protect individuals filing complaints, as well as supervised entities, and not the supervisory authorities themselves. In this context, the applicant further refutes, for lack of relevance, the CNPD's argument that its approach to refusing access to documents is identical to that of the competent competition law authorities, in that the procedure in competition law matters is in no way comparable and in that the guarantees provided for by the Grand-Ducal Regulation of June 8, 1979, do not apply to competition law cases, unlike in the present case. The CNPD concludes that the company (AA)'s plea relating to the refusal of access to certain documents, alleging a violation of Articles 6 of the ECHR, Articles 41 and 47 of the Charter, Article 8, paragraph (4) of the Rules of Procedure, and Articles 11 to 13 of the Grand-Ducal Regulation of June 8, 1979, should be dismissed. It is common ground, as evidenced by the evidence submitted to the court by the parties, and more specifically by the company's email sent to the CNPD on July 5, 2021, that the applicant expressly requested disclosure of the documents and reasoned observations from the other national supervisory authorities under Article 60 of the GDPR, while also requesting the reopening of the investigation against it in order to be able to comment on the new evidence it considered it should receive. 
By email dated July 16, 2021, the CNPD refused to reopen the investigation against it on the grounds that no new information had been added to the file following the hearing before the CNPD on November 10, 2020, on which the applicant had to take a position, while informing it of the communication, by providing a digital medium, of any information received after July 2, 2020, noting that the file thus communicated to it did not include the requested documents from other national supervisory authorities on the grounds that this "(…) would violate the obligation of professional secrecy to which all persons exercising or having exercised an activity for the CNPD are bound or their internal rules of the CNPD, which includes, inter alia, internal information and documents of the EDPB or other national supervisory authorities (…)", thereby explicitly refusing to disclose to the company (AA) the documents exchanged between the national authorities in the context of the case under review under Article 60 of the GDPR. However, decisions refusing to grant requests for access to administrative files addressed to the administration during a pre-litigation phase, requests based, as is the case here, on Article 11 of the Grand-Ducal Regulation of June 8, 1979, are decisional acts that can be challenged independently, such that, in the presence of an explicit refusal decision, such as the CNPD's decision of July 16, 2021, it would have been up to the company (AA) to directly appeal the decision to the court, in the context of an action for annulment based on Article 2 of the amended law of November 7, 1996 on the organization of the administrative courts. 
It follows from the foregoing considerations, and without there being any need to refer the preliminary questions proposed by the applicant to the CJEU, that the applicant's arguments relating to the failure to communicate documents and reasoned observations by other national supervisory authorities under Article 60 of the GDPR must be rejected insofar as they seek to challenge a decision of the CNPD, in this case the one dated July 16, 2021, which is not before the court. Beyond the fact that the applicant did not directly refer to the court the CNPD's refusal to disclose confidential documents from other national supervisory authorities exchanged under Article 60 of the GDPR, the court must also note, in any event, as the CNPD explicitly stated in its response, that the observations from the other national supervisory authorities in relation to the initial draft of the contested decision of 15 July 2021 resulted not in the CNPD amending its decision with regard to the analysis of the complaints against the applicant, but rather in the CNPD (i) providing, in the contested decision, further details concerning its status as lead authority, a status not challenged by the applicant either in its position of 20 August 2020 with regard to the statement of objections or in the context of the contentious appeal under review, and (ii) specifying the turnover to be taken into consideration when determining the amount of the fine to be imposed, while providing explanations as to the effectiveness, proportionality, and dissuasiveness of the fine imposed, these elements being legal explanations which do not address the grievances alleged against the applicant, on which the latter could legitimately demand an opportunity to express a position before a decision is made. 
Finally, it should be noted that the company (AA), through its position of August 20, 2020, in relation to the statement of objections of June 25, 2020, also took an extensive position on the proportionate, dissuasive, and effective nature of the fine, as well as on the concept of the entity whose turnover is to be taken into consideration when determining the fine to be imposed on it, arguing in particular that only the company targeted by the investigation, excluding the group of which it could, where applicable, be part, would be relevant. [Footnotes 30 and 31: Pages 87 to 90 and 92 to 94 of the company's position (AA) of August 20, 2020. Pages 90 to 92 of the company's position (AA) of August 20, 2020.] Based on these findings, no violation of the applicant's right to a fair trial, and more specifically of the principles according to which the parties to a trial have the right to equality of arms and to an adversarial procedure within the meaning of Articles 41 and 47 of the Charter, Article 6 of the ECHR, and Articles 11 to 13 of the Grand-Ducal Regulation of June 8, 1979, can, in this case, be validly upheld. The applicant then alleges that the contested decision is fundamentally flawed due to its insufficient reasoning, such that it must be subject to annulment under the application for reversal under review, based on Article 6 of the Grand-Ducal Regulation of June 8, 1979. In this context, it argues that administrative bodies should ensure that their decisions are traceable in order to allow both the court seized of the case and the addressee of the decision to understand and verify the reasons, an obligation that also exists under Community law, insofar as the CJEU has held that the administration's obligation to provide reasons for its decisions is a general principle of European Union law in that it is included in the right to good administration and is a corollary of the principle of respect for the rights of the defense. 
The applicant also relies on recital 129 of the GDPR, which states that "any legally binding measure taken by the supervisory authority should be presented in writing, be clear and unambiguous, and state the reasons underlying the measure." However, in this case, the CNPD failed to justify its conclusions on the basis of concrete and real evidence, and the decision thus contained only general and abstract formulas, amounting to a lack of reasoning. The applicant notes in particular that it provided, in support of its arguments, various empirical studies on the usefulness of the PBI and the expectations of the individuals concerned, elements that the contested decision allegedly failed to take into account and replaced with subjective assertions and speculation. As an example, the applicant cites the CNPD's argument regarding the possibility of a profiling error, in which it allegedly used the concepts of "possible" and "doubtful" respectively, while failing, according to the company (AA), to specify, in its particular case, the factual reasons justifying its decision. Thus, the contested decision is largely based on abstract hypotheses and unsubstantiated speculation, without analyzing the specific facts of the case and in ignorance of the economic actors that the CNPD is supposed to regulate and in relation to which the latter, in accordance with Article 57, paragraph (1), (i) of the GDPR, is obliged to monitor "relevant developments, insofar as they affect the protection of personal data, in particular in the field of information and communication technologies and business practices." 
The applicant finally argues that the decision under appeal is insufficiently reasoned, insofar as it does not establish that it acted negligently, which would be a mandatory condition for imposing a criminal fine, while failing to justify the choice of corrective measures adopted over other corrective measures available under the GDPR, the amount of the fine and the daily penalty payment, or its publication in accordance with the requirements of the Law of August 1, 2018. Based on the consideration that neither the CNPD's response nor the court can remedy the CNPD's failure to provide reasons for its decision, without rendering void the obligation of administrative authorities to provide sufficient reasons for their decisions, allowing the persons concerned to assess the chances of success of a possible legal action, as well as violating the right to an effective remedy guaranteed by Article 13 of the ECHR and Article 47 of the Charter, the applicant concludes that the CNPD's contested decision of July 15, 2021, should, in the context of the application for review under review, primarily be annulled, or alternatively, reversed. In its reply brief, the applicant, while reiterating its argument relating to a lack of reasoning in the contested decision, as well as the impossibility for the CNPD to supplement, through its response and rejoinder briefs, the reasoning underlying the decision, further criticizes the CNPD for asserting that it would have been sufficient for the Restricted Panel to have exercised common sense in assessing the impact of the disputed processing activities, when this notion of "common sense" would neither contradict empirical evidence, such as the scientific studies submitted by the applicant, nor constitute an appropriate standard for imposing a fine of €746 million. 
The applicant further claims that the CNPD, aware of the lack of reasoning in the contested decision, proposed entirely new grounds, even though, according to the terms of the decision, "the facts and the breach found do not reveal a deliberate intention to violate the GDPR." In its response, the CNPD suddenly asserts that it had "(…) demonstrated clear negligence with regard to the fundamental principles of the GDPR (…)." However, according to the applicant, the contested decision should have been reasoned from the outset, to allow it to understand the reasoning behind the sanction imposed on it, as well as to plan and develop legal action, so that the new elements put forward by the CNPD during the litigation proceedings should be disregarded. Finally, the applicant emphasizes, in this context, the fact that the contested decision would be subject to the cooperation procedure under Article 60 of the GDPR, requiring the CNPD to cooperate with the other supervisory authorities concerned in the European Union by submitting its draft decision to them in order to obtain their opinion and duly take their views into account. This means that the CNPD could only adopt the final decision once the cooperation procedure under Article 60 of the GDPR had been followed. Thus, allowing the CNPD to provide new grounds during the litigation proceedings before the administrative courts would circumvent and violate Article 60 of the GDPR, since the other supervisory authorities concerned would not have the opportunity to provide their opinion or express a "relevant and reasoned objection" to this additional ground. The CNPD concludes that the argument based on a lack of reasoning in the decision appealed should be dismissed for lack of foundation. Under Article 6 of the Grand Ducal Regulation of June 8, 1979, "Every administrative decision must be based on legal grounds. 
The decision must formally state the reasons by stating, at least briefly, the legal cause on which it is based and the factual circumstances underlying it, when it: - refuses to grant the request of the person concerned; - revokes or modifies a previous decision, unless it is made at the request of the person concerned and grants it; - is made following an administrative appeal, a hierarchical appeal, or a guardianship appeal; - is made after an advisory procedure, when it differs from the opinion issued by the advisory body or when it grants an exemption from a general rule. (…)." However, the court is forced to note from the outset that the case under review does not fall into any of the hypotheses listed in paragraph 2 of the aforementioned Article 6, such that the obligation according to which the categories of decisions listed therein must formally state the reasons by stating at least briefly the legal cause on which they are based and the factual circumstances underlying them, does not apply in this case. It should also be added that, with regard to the applicant's submissions seeking the outright annulment of the contested decision due to the alleged inadequacy of the reasoning, the sanction for the obligation to provide reasons for an administrative decision consists in the suspension of the appeal deadlines, so that the decision remains valid a priori, with the administration generally being able to produce or supplement the reasons subsequently and even for the first time during the litigation phase to allow [32] the individual to take a position and the administrative court to exercise its review. In this case and in any event, the court must also note that the CNPD, through the decision under appeal, indicated both the factual and legal grounds on which its decision of July 15, 2021, was based. 
The CNPD provided an extensive position over 127 pages on the GDPR violations found against the company (AA), as well as on the fine, the corrective measures, and the need to publish its decision. Thus, the CNPD explicitly clarified the legal basis for the contested decision, referring, firstly, to Article 6, paragraph (1), (f) of the GDPR, while then noting that its legal and factual analysis had been carried out in accordance with recital 47 of the GDPR, the case law of the CJEU, and Opinion 06/2014 of the Article 29 Working Party. Furthermore, as part of the verification of the additional measures implemented by the applicant in an effort to further protect individuals whose personal data are processed for PBI purposes, an analysis to be carried out as part of the third stage of the examination aimed at determining whether the company (AA) could validly rely on the existence of a legitimate interest, in accordance with Article 6, paragraph (1), (f) of the GDPR, to carry out the disputed data processing for the purposes of PBI, the CNPD found a violation of Articles 12 to 17 and 21 of the GDPR, after having analyzed in detail the factual evidence provided by the company (AA), and more specifically the IT mechanisms implemented by the latter, as well as the information notices accessible to the data subjects. Based on these considerations, the court must reject the plaintiff's argument alleging a lack of reasoning in the appealed decision of July 15, 2021. It should be noted, however, that the merits of the reasoning in the appealed decision of July 15, 2021, are analyzed below in the context of the substantive arguments raised by the company (AA). 
This conclusion is not called into question by the applicant's argument that the CNPD could not have provided additional reasons during the litigation proceedings without violating Article 60 of the GDPR by failing to submit these additional reasons to obtain the opinions of the relevant national supervisory authorities as part of the cooperation procedure. The court must indeed note that the applicant's contention, in support of that argument, that the CNPD allegedly held, on pages 117 and 118 of the decision under appeal, that the applicant did not act with a deliberate intention to violate the GDPR, while, in its response, accusing it of clear negligence in respecting the fundamental principles of the GDPR, is far from establishing additional reasoning as to the principle and as to the quantum of the fine imposed on the applicant, whereas the CNPD, in its response, only restated, in a summary manner, its arguments developed in the decision, without, however, supplementing them. [Footnote 32: Trier adm., April 26, 2004, No. 17153 of the roll, Pas. adm. 2023, V° Non-contentious Administrative Procedure, No. 90 (1 part) and the other references cited therein.] Indeed, according to Article 83, paragraph (2), b) of the GDPR, a violation was committed either deliberately, i.e. intentionally, or non-deliberately, i.e. through negligence, such that by finding that the company (AA) had no intention, the CNPD had, from the outset, necessarily and implicitly held that the violations of the provisions of the GDPR had been committed through negligence. In any event, the court must note that the CNPD, in its briefs filed in the context of the case under review, did not challenge the finding, made in the contested decision, that the plaintiff's wrongful acts were not committed intentionally by the latter. Finally, it should be noted that the contested decision explicitly states that "(...) 
the Restricted Committee considers that the processing activities for behavioral advertising purposes, as currently implemented by (AA), are not based on any valid legality condition, that the transparency measures do not comply with the requirements of Articles 12 to 14 of the GDPR, and that the rights provided for in Articles 15 (access), 16 (rectification), 17 (erasure), and 21 (objection) of the GDPR are not respected by (AA) [...], that] the Restricted Committee notes that the breach of Article 6.1 of the GDPR (lack of a legality basis) constitutes a breach of one of the founding principles of the GDPR (and of data protection law in general) [and that as for] the breaches of Articles 12, 13, 14, 15, 16, 17, and 21 of the GDPR, the Restricted Committee considers that the rights of data subjects are part of the essence of the GDPR (…)”, so that it has therefore necessarily already considered that the company (AA) had “(…) shown clear negligence with regard to the fundamental principles of the GDPR (…)”, even though it did not actually repeat this assertion in the decision where it took a position on Article 83, paragraph (2), b) of the GDPR. [34] In view of these considerations, the argument based on a lack of reasoning is unfounded in all the aspects developed by the applicant. As to the merits, the applicant argues that the contested decision should be reversed, or annulled, for holding that it failed to comply with Article 6 of the GDPR, which requires that an entity responsible for processing personal data must have a legal basis for processing said data. 
In this context, the applicant explains that Article 6, paragraph (1) of the GDPR provides a list of six different legal bases to justify the processing of personal data, while specifying that it opted for the "legitimate interests" criterion, allowing it, within the meaning of Article 6, paragraph (1), f) of the GDPR, to process personal data for "the purposes of the legitimate interests pursued by the controller or by a third party, unless overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child." [Footnote 33: Pages 114 and 115 of the appealed decision of July 15, 2021. Footnote 34: Pages 117 and 118 of the appealed decision of July 15, 2021.] As a preliminary point, the court should emphasize that the applicant rightly explains, in this context, that a data controller must carry out a three-step analysis before being able to determine whether it can validly rely on the legal basis of legitimate interests to carry out the proposed processing of personal data. Thus, in accordance with CJEU case law, three cumulative conditions must be met, namely: i) the pursuit of a legitimate interest by the controller or by the third party(ies) to whom the data are disclosed, ii) the necessity of the processing of personal data for the purposes of the legitimate interest pursued, and iii) the condition that the fundamental rights and freedoms of the data subject whose data require protection do not take precedence. Regarding the first step of the assessment, which consists of identifying one or more legitimate interests arising from the processing of personal data, the applicant rightly points out that the concept of "interests" is a broad term covering the legal, commercial, and societal interests of both the controller and third parties, in accordance with Opinion 06/2024. 
In this context, the company (AA) further validly noted that, in accordance with recital 47 of the GDPR, the processing of personal data for prospecting purposes, of which the PBI is a part, may be considered to be carried out in response to a legitimate interest. Furthermore, an interest is considered legitimate if it is lawful, formulated in clear terms, as well as real, present, and not hypothetical. The court must also note, as part of the first step of the assessment to be carried out in the context of Article 6, paragraph (1), f) of the GDPR, that the parties agree to recognize three legitimate interests in the processing activities relating to the PBI, all three being economic in nature, and more specifically (i) the plaintiff's own interest in providing useful and tailored advertising to its customers, allowing them to browse the extensive catalogue of the Shops (AA), (ii) the interest of brands, manufacturers, sellers, and other businesses relying on the plaintiff to advertise their products online, and finally (iii) the interest of website publishers relying on the plaintiff to generate revenue through the sale of their advertising space to advertisers and other interested buyers. The court will also consider these three interests in its analysis of Article 6, paragraph (1), f) of the GDPR, noting that the lawful nature of these interests must also be considered, in this case, as they have not been called into question. 
As for the final interest put forward by the applicant, in this case, the interest of the European community in the broad sense, materialized, according to the applicant, by the growth of the internet economy in the European Union, stimulated by the PBI and by the creation of numerous jobs, both in the advertising sector within and outside the European Union, it must be noted that the CNPD rightly refused to take this interest into consideration by distinguishing between the PBI and advertising in the traditional sense, while recognizing only the latter's beneficial effects in stimulating competition and competitiveness, as well as the possible limitation of abuses of a dominant position and the encouragement of innovation in the internal market. [Footnote 35: Judgment C-40/17 of the CJEU of July 29, 2019, Fashion ID.] Indeed, the CNPD rightly stated that it had refused to take into account the legitimate interests of the community in the broad sense, on the grounds that the applicant failed to sufficiently individualize the benefits of PBI compared to advertising in general, thereby failing to establish that the interests thus invoked were real, present, and not hypothetical. Like the CNPD, the court must further note, in this context, that the plaintiff, on page 17 of her responses of May 23, 2019 to the questionnaire submitted as part of the investigation, did not invoke societal interest, but only argued under the heading “Interests of the Wider Community” that “These legitimate interests align with the interests of the wider community in an accessible and innovative internet economy. WP29 has noted, “[o]nline advertising is a key source of income for a wide range of online services and is an important factor in the growth and expansion of the internet economy.” The wider community have benefited from the innovation and creativity in online services and the ability to make such online services available to all. 
Organizations have been able to make their services accessible without a fee or at reduced pricing structures by monetizing their sites through digital advertising. If organizations are forced to change their business models, they may be forced to adjust their fee structure, potentially limiting access to the economically vulnerable, or may cease to continue operating or restrict access of users in the EU." In this context, the applicant criticizes the contested decision for not having considered the empirical evidence it allegedly provided and for not providing factual evidence to support its conclusions. The applicant therefore wrongly emphasized, in its reply, the societal impact of the PBI, which allegedly supports the interests of the broader community, materialized by the interest of publishers to share and the public to receive free content of public interest, specifying that this would also include the community's interest in the growth of the overall digital economy, while a strong European digital market would be essential to the economic success and resilience of the EU. The same applies to the argument that PBI, as operated by it, would be more effective than other types of advertising, the positive impacts of such advertising for the wider community would be enhanced, which would include publishers, Internet users, and advertisers, even though it relies, in this context, on the independent opinion of Dr. ..., which allegedly demonstrates precisely the value of its PBI for the community, emphasizing that targeted content would generate more engagement from individuals, particularly when such targeting is derived from information about a customer's interests, which would create more value for publishers and the economy as a whole, and demonstrate that the AA Stores have contributed to the growth of e-commerce, in part through data-driven digital marketing campaigns, including PBI, the latter being, according to CJEU case law, an inherent activity. 
and natural interests of online retailers and service providers. While ultimately challenging the CNPD's argument that it did not sufficiently individualize the benefits of PBI, specifically for the broader community, compared to advertising in general, and thus failed to demonstrate that these interests were "real, present, and not hypothetical," even though it had clearly articulated the interests of the broader community in its appeal, while providing clear evidence regarding the effectiveness of PBI compared to other types of advertising, the court must nevertheless hold that the plaintiff cannot rely, as a legitimate interest for carrying out its personal data processing in the area of PBI, on the existence of a societal interest, since all the explanations provided by the plaintiff are not such as to individualize such an interest in a clear, real, current, and non-hypothetical manner. It must be noted that the plaintiff's argument consists solely of highlighting the significant economic interests arising from the PBI for itself, customers, publishers and advertisers, supporting its argument with unilateral scientific opinions, so that, with regard to the societal interest invoked, it has merely conflated, or added, under a single heading, the other economic interests previously highlighted in isolation. Furthermore, it should be noted that the applicant has failed to demonstrate, in the context of the appeal under review, that the PBI fulfills the same role of stimulating competition and competitiveness, potentially limiting abuses of a dominant position, and encouraging innovation, as generally recognized for advertising. 
It should be noted that the operating mode of the PBI, whose objective is to individually target Internet users based on the preferences attributed to them by collecting information about them, in order to offer them only isolated products and services likely to interest them, is thus fundamentally distinct from traditional advertising, which consists of bringing to the attention of a more or less broad public products or services that are a priori unknown to them in order to encourage them, if they are interested, to purchase or even consume them. Furthermore, any potential competition between companies offering their products and services through PBI occurs only at the level of the bidding for advertising space, without the person targeted by said PBI being informed of the different companies vying for their attention, thus preventing any comparison between the different products and services offered, which are not necessarily of the same nature. In contrast, with traditional advertising, the targeted person may be confronted, through a media outlet, with similar products and services that they can, in these circumstances, compare, thereby directly stimulating both competitiveness and innovation due to the need to differentiate their products and services from those of their direct competitors. Regarding the second step of the assessment to be carried out, under Article 6, paragraph (1), f) of the GDPR, consisting of analyzing whether the processing of personal data in dispute is strictly necessary to achieve the purpose pursued, or whether there are other means less intrusive on the privacy of the individuals whose personal data are processed, which would allow the identified legitimate interests to be equally effectively pursued, the applicant claims to have ensured that its data processing would be the minimum necessary to achieve the legitimate interests pursued, which the decision also recognized. 
Thus, the company (AA) considers that it carefully assessed whether each of the identified legitimate interests could reasonably be achieved equally effectively by means less intrusive on the rights of individuals, and determined that said interests could not be achieved. Thus, the plaintiff rightly concluded, after assessing the amount of data required to achieve its interests, that the data used represented the minimum necessary to achieve the PBI. In this context, the plaintiff highlights its decision to limit the scope of the data used for the purposes of the PBI by focusing on information relating to its customers' purchasing activities in its own stores, unlike many online advertisers who also target their customers on sites other than their own. The plaintiff further maintains, in this context, that it has decided to use only a tiny portion of the data potentially available on purchases in its stores by imposing numerous limitations on its own data collection and processing operations and by adopting multiple protective measures for these operations, going beyond what would be the industry standard, namely (i) the opt-out option allowing data subjects to refuse PBI, an option easily accessible at any time from all the group's (AA) websites and from all websites displaying PBI using the computer process implemented for this purpose by the plaintiff, (ii) the pseudonymization of the personal data collected, in order to mitigate the risks of harm to data subjects in the event of a data breach, (iii) the provision of concise, intelligible, transparent, and easily accessible information notices, including a general notice on the protection of privacy, as well as a separate notice entitled "Interest-Based Advertising," available on almost all of the websites of the Boutiques (AA), (iv) the limitation of the processing of certain special categories of personal data revealing racial or ethnic origin, political and social opinions, religious or philosophical beliefs, 
medical data, as well as data relating to the potential for future or even rapid profit, respectively, concerning travel destinations, as well as the use of various forms of advertising that have the effect of diverting attention from the website being visited to the advertising space displayed therein; (v) short retention periods for the personal data collected, of a maximum of 13 months, with the plaintiff specifying that third-party web addresses submitted to it under the RTB would be kept for a maximum of 90 days; (vi) restrictions in contracts concluded with third parties, such as publishers and providers of demographic data, for the display of PBI; enabling it to ensure compliance with the protections in place and (vii) capping the frequencies at which a person would be exposed to a given advertisement. Based on these elements, the plaintiff claims to have rightly determined that there would have been no less intrusive means to achieve the legitimate interests as effectively. In this second stage of the legitimate interest assessment, the applicant further criticizes the contested decision for failing to properly consider the fact that it used only the minimum amount of data for its processing activity in the context of the PBI, with the company (AA) explaining that it eliminated more than 99% of the available information on its customers' purchasing behavior and only incorporated the remaining percentage into the pseudonymized PBI targeting profiles. In this context, it further argues that the CNPD, although it accepted that the disputed data processing was necessary to validate the second stage, relied almost exclusively on generic and hypothetical speculation, which, however, cannot suffice to conclude that it violated Article 6, paragraph (1), (f) of the GDPR. 
In a similar vein, the applicant criticizes the CNPD for not being aware of widespread practices in the PBI sector, information about which is allegedly available to the public, even though, pursuant to Article 57, paragraph (1), (i) of the GDPR, the CNPD should have monitored relevant developments impacting the protection of personal data, particularly in the field of information and communication technologies and business practices, a failure that could not harm the company (AA). The applicant further refutes the CNPD's assertion that the pursuit of a data controller's economic interest rarely appears to pass the necessity and proportionality test when balancing it with a fundamental right, such as the right to privacy or the protection of personal data, since such substantial case law of the CJEU does not exist and the latter, in a judgment C-597/19 of June 17, 2021 in a M.I.C.M. case, even expressly noted that the protection of intellectual property, and therefore a commercial interest, could satisfy the necessity requirement. In this context, the applicant further argues that the analysis under Article 6(1)(f) of the GDPR should, in accordance with CJEU case law, be carried out on a case-by-case basis, based on the specific circumstances of the case. The court must immediately reject the applicant's argument regarding the CJEU's judgment in Case C-597/19 of 17 June 2021 M.I.C.M., cited above, even though it is expressly stated in that judgment that the protection of intellectual property as a commercial interest that could be considered a legitimate interest within the meaning of Article 6(1)(f) of the GDPR was not the aim, but the proper recovery of debts. 
The dispute before the CJEU concerned the communication, by the internet service provider, of contact details intended to enable the identification of internet users whose internet connections had been used to upload protected works to peer-to-peer networks in order to seek compensation from them in court for the resulting increased damage. The company (AA) finally criticizes the contested decision for, firstly, on the one hand, holding that the limitations and safeguards implemented should not be taken into account when analyzing the necessity of processing personal data as carried out in this case, but rather during the third stage, which consists of verifying whether the legitimate interests invoked by the applicant would create an imbalance to the detriment of the rights and interests of the individuals whose data would be processed, and then, on the other hand, ignoring, during this final stage, some of the safeguards and limitations applied. In its reply, the applicant emphasizes the fact that it has provided proof of the necessity of its processing of the disputed personal data within the framework of the PBI, arguing that it assessed both the types of data and the manner in which they would be processed, concluding that the legitimate interest pursued could not reasonably be achieved as effectively by other means less prejudicial to the rights of the data subjects. In this context, it criticizes the CNPD's argument, put forward for the first time in the latter's response, which consists of arguing that it has not sufficiently demonstrated that its processing would be necessary, since the CNPD should not be authorized to introduce new grounds in the context of the litigation procedure, when, in such a case, these grounds would not have been the subject of cooperation between the lead supervisory authority and the other supervisory authorities concerned. 
Even if the CNPD had been entitled to supplement the grounds for the contested decision through its briefs, the applicant criticizes the CNPD for focusing on a single category of personal data processed, in this case demographic data, and for drawing the conclusion that the overall processing carried out by the company (AA) did not meet the necessity criterion. Furthermore, it would be wrong to conclude that the demographic data collected were not necessary solely on the basis that such data would not be available in all Member States, when the only conclusion to be drawn from this circumstance should have been that in the countries in question, the pursuit of legitimate interests related to the PBI could not be carried out as effectively. The use of said data should not, in this case, be considered particularly intrusive either, given that this assertion by the CNPD is not supported by any evidence and, moreover, does not correspond to reality, especially since it would only use a limited subset of this data. The applicant reiterates its argument regarding the relevance of the limitations and safeguards implemented, in particular pseudonymization, safeguards which are essential, on the one hand, to ensure that there are no "less intrusive" means to achieve its legitimate interests, and, on the other hand, to demonstrate that it would have chosen, despite having other means at its disposal, the approach with the least impact on the rights of the data subjects. Finally, the company (AA) argues that the CNPD failed to take current market practices into account, despite asserting the contrary in its response. The court must note that the CNPD, in its response and rejoinder, rightly concludes that the company (AA) failed to establish the necessity of its processing of the disputed personal data in relation to the legitimate interests pursued, as stated above. 
In this context, the court must immediately note that the CNPD, in the contested decision under appeal, contrary to the claimant's assertion, explicitly held that the condition relating to the necessity of the processing of personal data, as carried out in this case by the company (AA), was not established. Indeed, it is clear from the aforementioned decision that the CNPD first reiterated the finding of the head of investigation that the applicant had failed to provide proof of the necessity of the processing activities for PBI purposes, or to carry out an analysis regarding the existence of less privacy-invasive measures to carry out this processing. The CNPD then reiterated that the second step concerning the principle of necessity of processing must be carried out in accordance with the principle of data minimization enshrined in Article 5, paragraph (1), c) of the GDPR and, in this context, rejected the arguments put forward by the applicant to justify compliance with said principle, by retaining, in the decision under appeal, on the one hand, the possibility of collecting and using ever more data in order to better target advertising based on customer profiles, and, on the other hand, that the practices of other market players not otherwise specified by the company (AA) would not have allowed it to assess whether the processing carried out by the applicant complied with the principle of minimization. This finding that the CNPD had, in the contested decision, directly found that the applicant failed to comply with the condition of necessity of its processing activities for PBI purposes is further corroborated by the details provided in its response, where it states that "it is clear that at no time has [the applicant] demonstrated how all the data processed within the framework of PBI, namely the data contained in the profiles created (...) are not only useful for the PBI deployed [by the company (AA)] but also truly 'necessary' for it. 
(...)" and that it "(...) could have stopped there [i.e., at the analysis of the second condition] and already reject the PBI deployed by [company (AA)] on this basis alone without even having to analyze the third condition. By analyzing the third step, the CNPD sought to strengthen its argument that legitimate interest cannot be invoked and can in no way be considered as an admission that the second condition of "necessity" has been met. (…)". [Footnote 36: Paragraph 100, page 65 of the CNPD's response.] The CNPD finally reiterates its position in its rejoinder, where it states unequivocally that it "(…) has always maintained that [the applicant] had never sought to demonstrate the necessity of its processing in light of the legitimate interests pursued and that it was therefore superfluous that it examined the third condition of the test." It follows that the related argument based on a lack of compliance with the procedure for collaboration with other national supervisory authorities must also be rejected as being factually flawed. It should then be noted that, in the context of the examination of the second condition aimed at examining the necessity of the processing of personal data, it is necessary to verify, in accordance with the case law of the CJEU, and more specifically the judgment C-708/18 of 11 December 2019 in Asociaţia de Proprietari bloc M5A-ScaraA, which was issued on the basis of Directive 95/46/EC, since repealed by the GDPR, but whose principles have been fully adopted with regard to the use of legitimate interest as a legal basis for processing personal data, as well as the judgment C-252/21 of 4 July 2023 in Meta v. 
Bundeskartellamt, according to which the legitimate interest pursued in data processing cannot reasonably be achieved as effectively by other means that are less intrusive on the fundamental rights and freedoms of the data subjects, in particular the rights to privacy and the protection of personal data guaranteed by Articles 7 and 8 of the Charter. Furthermore, the condition relating to the necessity of processing must be examined in conjunction with the so-called "data minimization" principle enshrined in Article 5(1)(c) of the GDPR, which requires that personal data be "adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed." In this context, the court must first note that the plaintiff, as part of its PBI activity, collects a significant amount of data, the nature of which it specified in its May 2019 impact assessment as follows: "(...)
• Search for products or services;
• Place an order through (CC);
• Download, stream, view, or use content on a device, or through a service or application on a device;
• Configure settings on, provide data access permissions for, or interact with a device or another (CC);
• User's name, address and phone number, payment information, age, location information;
• The Internet Protocol (IP) address used to connect the user’s computer to the Internet;
• Email address;
• The location of the user’s device or computer;
• Content interaction information, such as content downloads, streams, and playback details including duration and number of simultaneous streams and downloads, and network details for streaming and download quality, including information about the user’s internet service provider;
• Purchase and content use history;
• The full Uniform Resource Locators (URL) clickstream to, through and from our website (including date and time); cookie number, products and/or content the user viewed or searched for; and
• Account information, purchase or redemption information and page-view information search results and links.
Some third parties may provide (AA) non-personally identifiable information about users (such as demographic information or sites where the user has been shown ads) from offline and online sources. (…)”.
[Footnote 37: Paragraph 105, page 66 of the CNPD's response brief.] [Footnote 38: Paragraph 73, page 45 of the CNPD's rejoinder brief.]
With regard to the data used by the plaintiff and provided to it by third-party entities, in this case the companies (GG) and (HH), it appears from the documents submitted for analysis by the court, and more specifically from the CNPD audit report of February 17, 2020, which was not challenged by the plaintiff, that the latter receives the following personal data, depending on their availability in the various Member States, and in Great Britain respectively:
• Age ranges (excluding less than 18 and older than 65) ((HH): [United Kingdom, Germany, France, Italy, and Spain], (GG): [France, Italy, Spain])
• Gender ((HH): [United Kingdom, Germany, France, Italy, and Spain])
• Relationship ((HH): [United Kingdom, Germany, France, Italy, and Spain])
• Occupation (excluding low-income professions) ((HH): [United Kingdom, Germany, France])
• Income (excluding low income) ((HH): [United Kingdom, Germany, France])
• Number of adults ((HH): [United Kingdom, Germany])
• Presence of children ((HH): [United Kingdom, Germany])
• Number of children ((HH): [United Kingdom, France])
• Age ranges of children ((HH): [United Kingdom])
• Education ((HH): [Italy])
• Property ownership ((HH): [United Kingdom, Germany, France, Italy and Spain])
• Property gas access ((HH): [United Kingdom, Germany])
• Property residency ((HH): [United Kingdom, Germany])
• Property value ((HH): [United Kingdom])
• Directorship ((HH): [United Kingdom])
• Affluence ((HH): [United Kingdom, Germany])
• Home office ((HH): [United Kingdom]) (…)”.
Furthermore, the applicant further noted, without the CNPD challenging the company's (AA) position on this point, that it does not target individuals based on data relating to: “
• Financial distress (e.g., debt, bankruptcy, credit problems, etc.)
• Gambling (e.g., online poker, lotteries)
• Health and Medical Conditions
• Illegal activities or interests
• Individuals under 18 years of age
• Political affiliation or political views
• Race or ethnic origin
• Religious affiliations or beliefs
• Sexual health products or sexual aid devices
• Sexual orientation or sex life
• Sexually explicit content
• Trade union membership (…)”.
The plaintiff further claims to exclude from the data collected (i) data relating to the income of individuals whose personal data is processed from the point at which the income in question is below the poverty threshold defined for each country where data is collected, and (ii) data relating to the age of the individuals concerned if they are under 18 or over 65 years of age, while not including all of certain data, or limiting their accuracy, such as IP addresses and geolocation data. Furthermore, in its position paper of August 20, 2020, the plaintiff further specified that it prohibits the use of categories of data relating to social attitudes and opinions, future earnings potential, and travel destinations. 
It also emerges from the plaintiff's explanations, in its position of August 20, 2020, regarding the CNPD's statement of objections of June 25, 2020, that it "(…) eliminates more than 99% of the available information on the purchasing behavior of (AA) customers in stores in order to integrate the remaining 1% into a pseudonymous profile for targeting interest-based advertising. (…)". [43] In this context, it should also be noted that the applicant collects the aforementioned personal data, on the one hand, through various websites of the (AA) group, as well as through various other services provided by the said group, such as, in particular, …, …, …, respectively …, and, on the other hand, through the various terminal devices that the individuals whose personal data is collected use to access the aforementioned websites and services, so as to result, as correctly noted by the CNPD, in the regular monitoring of the individuals concerned, on all relevant devices, of their daily activities on the internet and in connection with the aforementioned services.
[Footnote 39: Page 24 of the applicant's response of May 23, 2019, to the CNPD's questionnaire.] [Footnote 40: Page 25 of the applicant's response of May 23, 2019, to the CNPD's questionnaire.] [Footnote 41: Page 8 of the impact assessment, in its May 2019 version and entitled "Interest-Based Advertising, Data Protection Impact Assessment, May 2019".] [Footnote 42: Page 33, paragraph (83), d) of the company (AA)'s position paper of August 20, 2020.] [Footnote 43: Page 26, paragraph (69) of the company (AA)'s position paper of August 20, 2020.]
Regarding the retention period of the collected personal data, the applicant specified, in its response of May 23, 2019, to the CNPD questionnaire, repeating the explanations provided in its impact assessment, in its May 2019 version, that "(…) Data within our interest-based ads profiles are retained for no more than 13 months. 
We also follow the data minimization principle where data is only retained for the duration that is required. Some of our systems retain data for only a few days, others for 1-3 months as required. For example, when advertisers bring their audience lists, we delete the matching data soon after the match has occurred. (…)." [44] It should also be noted that the applicant, based on this data, created a particularly high number of profiles targeted by its PBI - the profiles corresponding, according to the applicant's explanations, not to a user, a natural person, but to a terminal device - whereas it is common ground, and not to be contested by the parties, that the applicant holds, according to its own statements, as provided in its response of May 23, 2019, to the questionnaire submitted to it by the CNPD and as retained by the latter's audit report of February 17, 2020, (i) 560,300,000 active European advertising profiles linked to a terminal device associated with an authenticated visit to a website (AA), to which should be added 317,900,000 profiles inactive for 9 months, (ii) 1,591,000,000 such active profiles relating to an unauthenticated visit to a website (AA), to which should be added 979,300,000 profiles inactive for 9 months, and (iii) 5,786,600,000 active profiles established based on unauthenticated terminal equipment, having not visited a website (AA) and having browsed a website presenting PBI provided through the computer system set up by the applicant [45], to which should be added 7,813,900,000 profiles inactive for 9 months. With regard to the nature, volume, and retention period of the personal data collected and processed by the plaintiff, the court must note that the plaintiff has failed to establish the necessity of processing said personal data, as it actually does, within the framework of the PBI. 
It must first be noted that neither in its impact assessment, in its May 2019 version, nor in its response of May 23, 2019, to the CNPD questionnaire, does the applicant conduct a concrete analysis of the said condition, other than to state, in the context of its impact assessment, under the heading "(c) Data minimization" that "(…) The personal data processed in this case meet [the] requirements [that the processing is adequate, relevant, and limited to what is necessary in relation to the purposes for which the data are processed]", [46] while specifying, in summary, to use the practice of pseudonymizing the data collected, not to use overly persistent and invasive technical recognition mechanisms, respectively to limit the scope of, or even prohibit, the collection of certain categories of personal data collected, and to have implemented "(…) a retention policy based on data minimization principles (…)” while referring, in Appendix 2 of said document, to the various additional measures implemented by it concerning the personal data collected and processed for the purposes of the PBI in order to protect the fundamental interests and rights of the data subjects, an annex in which the applicant still provides only a general description of said measures, without a precise and detailed technical explanation.
[Footnote 44: Page 21 of the company (AA)'s response dated May 23, 2019, and page 14 of the impact assessment, in its May 2019 version, entitled “Interest-Based Advertising, Data Protection Impact Assessment, May 2019”.] [Footnote 45: Pages 8 and 9 of the (AA) response dated May 23, 2019.] [Footnote 46: Page 8 of the impact assessment, in its May 2019 version, entitled “Interest-Based Advertising, Data Protection Impact Assessment, May 2019”.]
The same observation applies to the lack of detailed and precise information relating thereto provided by the applicant in its position statement of August 20, 2020, following the CNPD's statement of objections dated June 25, 2020, in which the latter merely states, after recalling the relevant legal principles, that "(…) Here again, [it] did what the law requires." It carefully assessed whether each of the legitimate interests identified in the first step could "reasonably be achieved just as effectively by other means that are less intrusive of the fundamental rights and freedoms of data subjects" and determined in good faith that they could not. This conclusion is firmly grounded in empirical data. For example, research shows that customers significantly prefer interest-based ads to other types of ads. Research confirms that non-personalized ads are significantly less effective than interest-based ads in connecting people with products that match their interests. (…)" , respectively, that it "(…) also analyzed whether effective alternatives would be less restrictive of data subjects' rights. As we have already indicated, (AA) imposes numerous limitations on its own data collection and processing operations and has adopted multiple safeguards over these operations [as summarized by the court above]. 
Due to these limitations and safeguards – which go well beyond the industry standard – [company (AA)] determined that there was no less intrusive means to equally effectively address the legitimate interests of [company (AA)], publishers, third-party companies, and the community (…),” while highlighting the allegedly more intrusive and broader practices of other companies active in the PBI field, regarding the scope of the data collected (the applicant claims to limit itself to its own websites), as well as the scope of the data used, and challenging the manner in which the CNPD allegedly determined and assessed this condition of necessity, and more specifically regarding the notion of the existence of less intrusive means to equally effectively achieve the legitimate interests pursued. Thus, it must be noted that the applicant merely highlights the advantages of its method of collecting and processing personal data, namely, an a priori increasingly precise targeting of individuals whose personal data is processed with PBI, more likely to interest them and encourage them to consume the products and services thus offered to them, without establishing, in detail, the necessity thereof. The plaintiff is content to adopt, both at the pre-litigation stage and during the proceedings before the court, a purely descriptive approach to the data collected, as well as the processing carried out, stating, without providing the slightest evidence in this regard, - such as precise and detailed technical and factual explanations, as well as an analysis of the necessity, in particular (i) regarding the various personal data collected, (ii) regarding the composition of the profiles, respectively (iii) regarding the various retention periods - that its approach to the collection and processing of the disputed personal data would be the minimum necessary and that it would not be possible to achieve the legitimate interests identified above as effectively through a less intrusive approach, particularly in view of the large amount of data collected initially and which the plaintiff would ultimately not use (99% of the data collected), an approach which must be described as manifestly insufficient, as it makes it impossible for the court to weigh up the competing interests at stake.
[Footnote: Page 25, paragraph (67) of the company (AA)'s position of August 20, 2020.] [Footnote: Page 26, paragraph (70) of the company (AA)'s position of August 20, 2020.] [Footnote: The court is thus, by way of non-exhaustive example, unable to verify, and a fortiori to carry out any assessment of the necessity to collect and process personal data for …]
This conclusion is not called into question by the documents submitted for analysis by the court in this context, and more specifically the opinion of Professor Dr. ... dated March 30, 2022, entitled "Legal Implications for Data Processing Based on an Interest (Art. 6 (1) UAbs. 1 lit. F GDPR)," which provides only a general legal analysis of the concept and conditions of legitimate interest as a legal basis for processing personal data under Article 6(1)(f) of the GDPR, without taking a position on the elements of the processing actually carried out by the applicant in the context of PBI. Thus, the said opinion provides no concrete argumentation regarding the necessity of the processing activities of the company (AA) for PBI purposes, or the existence of less privacy-invasive measures to carry out such processing. The same observation must be made with regard to the opinion of Dr.... of the company ... 
dated February 21, 2022, entitled "Expert Opinion" regarding the CNPD's contested decision, insofar as the said document, apart from the fact that it was directly commissioned by the applicant, which calls into question its probative value, focuses almost exclusively on the usefulness of the processing of personal data at issue, as carried out by the latter, taking an even more specific position on the benefit of the demographic data used in the context of profiling in order to assess the income of the data subjects with a view to refining advertising targeting accordingly. Thus, the said opinion also fails to provide any concrete arguments relating, on the one hand, to the necessity of the company's processing activities (AA) for PBI purposes, or, on the other hand, to the existence of less privacy-invasive measures to carry out such processing. As for the company's (AA) argument that the CNPD violated its obligation, as a supervisory authority, to monitor relevant developments impacting the protection of personal data, particularly in the field of information and communication technologies and commercial practices, in accordance with Article 57, paragraph (1)(i) of the GDPR, this argument must also be rejected, insofar as the CNPD cannot be criticized for not having been able to compare the applicant's operating method with the practices of other entities active in the area of PBI, given that the applicant failed to submit any evidence to the CNPD on this subject, a finding that must be reiterated during the litigation phase of the dispute under review. The court must specifically note, in this context, that the applicant has not submitted any documents for the court's analysis regarding the practices of other entities in the area of PBI. 
[Footnote, continued: based solely on the company (AA)'s assertion that it "(…) eliminates more than 99% of the available information on the purchasing behavior of (AA) customers in stores before integrating the remaining 1% into a pseudonymized profile for targeting interest-based advertising (…)" (page 26, paragraph (69) of the plaintiff's position paper of August 20, 2020), while the plaintiff provides no indication of the data ultimately retained in the creation of the profiles and whether such data are necessary to achieve the legitimate interests pursued.]
The only element the court was able to detect in this context was the reference, made in this case, by the plaintiff in its position paper of August 20, 2020, to the press article published on October 21, 2016, on the website of the organization Propublica, entitled "Google Has Quietly Dropped Ban on Personally Identifiable Web Tracking," an article which was not submitted in the context of these proceedings and which, moreover, must be considered too distant in time to reflect current practices in the area of PBI. It must be noted that the applicant has failed to assert, and a fortiori to establish, that other entities active in the field of PBI base their processing of personal data on the same legal basis as it does, in this case, legitimate interest in accordance with Article 6, paragraph (1), f) of the GDPR, thereby rendering any possible comparison of the practices of these entities with those of the company (AA) impossible. It follows from all of the foregoing considerations that the CNPD was entitled, even at this stage, to conclude that the company (AA) could not rely on the concept of legitimate interest, within the meaning of Article 6, paragraph (1), f) of the GDPR, as a legal basis justifying the processing of the personal data in dispute, since compliance with one of the cumulative conditions has not been established. 
This conclusion regarding the violation of Article 6, paragraph (1), f) of the GDPR still persists according to the latest submissions, despite the fact that the applicant indicates that it has made, before the decision under appeal, or since, amendments to the legal basis for its disputed processing of personal data, specifically by relying on the consent of the data subjects, as provided for in Article 6, paragraph (1), a) of the GDPR. Indeed, it should be noted, in this context, that it is clear from the plaintiff's own statements that, in order to display PBI on third-party sites, it relies on the legal basis of the data subject's consent, in "almost all cases," respectively for "99.5% of PBI displays," thus leading to the conclusion that for certain processing operations, which the court is unable to determine due to the lack of details provided on this subject by the company (AA), the plaintiff continues to rely on the legal basis of legitimate interest, for which the criticisms raised above still persist today. Finally, it should also be noted that the applicant's notices concerning the protection of processed personal information, analyzed in more detail below in the context of the alleged violation of Articles 12 to 14 of the GDPR, also still refer to legitimate interest. The court must also note that the fact that the CNPD nevertheless continued its analysis by examining the final step – in this case, the balancing, on the one hand, the applicant's legitimate interests, validly identified, and, on the other hand, the rights and interests of the individuals whose personal data were processed, while taking into account the additional measures implemented by the data controller to limit the impacts of said processing – does not, however, have any impact on the legality of the decision under appeal. 
[Footnote 50: The applicant also cites, in the same context, a quotation that it reproduces in its appeal (page 72, paragraph 354 of its appeal), another document that it designates as "Oracle, Submission to the Australian Competition and Consumer Commission," without submitting said document to the court and without providing the exact references enabling it to be located, a step that, moreover, is not the court's responsibility to take, whereas the parties themselves must (i) clearly and precisely formulate the factual and legal arguments and (ii) submit directly to the court seized of the case the documents on which they wish to rely.]
[Footnote 51: Page 24, paragraph (23) of the application instituting proceedings.]
Indeed, it must be recalled in this context that the purpose of the CNPD's investigation was not limited, as stated above, to examining the legal basis of the legitimate interest invoked by the applicant to support its processing of personal data in relation to PBI, but rather aimed to verify the compliance of the company's (AA) processing activities for behavioral advertising purposes with the obligations of the GDPR, such that no criticism can be leveled at the CNPD for having sought to carry out, as far as possible, an exhaustive examination of the file submitted to it in relation to the data processing and for having carried out the aforementioned balancing analysis and thus having discovered other violations of the GDPR, in this case Articles 12 to 17 and 21 of the GDPR. 
Given that the conditions of Article 6, paragraph (1), f) of the GDPR are cumulative, and that the court has just held that the plaintiff has not established that it complied with the condition relating to the necessity of its processing of personal data in relation to PBI, such that it has violated the aforementioned article, the court's analysis will subsequently be limited to the alleged violation of Articles 12 to 17 and 21 of the GDPR, as established by the decision under appeal, in respect of the company (AA). An examination of the balancing between, on the one hand, the legitimate interests validly identified by the plaintiff, and, on the other hand, the rights and interests of the individuals whose personal data have been processed has become superfluous, as have the preliminary questions that the parties wish to see submitted to the CJEU in this context. With regard, first of all, to the alleged failures of the plaintiff to comply with the transparency obligations set out in Articles 12 to 14 of the GDPR, the company (AA) claims, in its appeal, that it provides data subjects with various information about its processing of personal data "in a concise, transparent, understandable, and easily accessible manner" through a general privacy notice, as well as a separate "Interest-Based Advertising" notice, available on almost all pages of the (AA) Stores. In this context, it criticizes the CNPD's decision to require that it provide data subjects with all the required transparency information in a single document, even though such a requirement does not arise from the GDPR. 
It specifies that it chose to comply with this requirement for access to information by providing several shorter policies, with the aim of avoiding overwhelming consumers with information and facilitating their understanding by dividing it into several distinct parts, especially since a 2015 Eurobarometer survey reportedly found that two-thirds of data subjects stated they did not read privacy policies because they were too long. It further denies that it provided insufficient information (i) on the fact that it relied on its legitimate interests as the legal basis for the processing of personal data in dispute, (ii) on the specific legitimate interests it pursues, and (iii) on the balancing test it performed, including information on the safeguards it implemented, even though its notice on interest-based advertising clearly states that it serves ads based on customers' interests, and that "third-party advertisers or advertising companies ... may ... measure the effectiveness of their ads, show you more relevant advertising content, and provide services on behalf of (AA)." The technical term "legitimate interests" is, according to the applicant, not "understandable" for the majority of customers. The said notice would also provide information on the safeguards implemented to protect the privacy of the data subjects, and therefore on crucial elements of the balancing test, such as "We do not use information that identifies individuals, such as name or email, to present interest-based advertising," that "we only retain... the information collected for as long as necessary to provide you with our advertising services," and that "if we know the advertisements that have been presented on your browser, we can ensure that we do not systematically show the same advertisements." 
Furthermore, no criticism could be leveled at the company for having referred to the legal basis of legitimate interests in an update to its notices, since its practices are not static and it appreciates the comments received from regulators, the update having been made in response to its understanding of the expectations of the head of investigation following the CNPD's statement of objections. However, its efforts to cooperate with the CNPD should under no circumstances justify any sanction. It then refutes the CNPD's conclusion that its notice on interest-based advertising could lead data subjects to believe that it would not process any personal data and would not share it with third parties. Indeed, the disputed notice provides clear indications on the types of data it uses (use of AA's sites, content, or services), and does not use (name and email), and transparently states that it works with third parties (advertisers, publishers, social networks, search engines, and ad publishing companies, advertising companies acting on their own behalf to improve the relevance of the ads displayed) that may use cookies to obtain a customer's IP address. Contrary to the assertion in the appealed decision of July 15, 2021, that it did not provide sufficient information on the logic underlying its use of personal data to display PBIs and the consequences of this processing, the applicant claims to provide clear information so that customers would not be "taken by surprise," even though its notice on interest-based advertising expressly states that it would evaluate the types of products or services a customer visits and present them with ads for similar or related products or services. Furthermore, it is unclear what additional information the CNPD expects it to include in its notices, especially since, under Article 14 of the GDPR, such information would only be required when the data is not collected from the data subject, which is not the case in this instance. 
As for the complaint that it does not inform data subjects about the categories of third parties receiving data as part of the RTB process and the consequences for said individuals, so that it is up to it to explain the process to ensure that data subjects are not surprised by the processing in question, the company (AA) further refers to its notice on interest-based advertising, which expressly states, on the one hand, that it works with "third parties, such as advertisers, publishers, social networks, search engines and ad serving companies, as well as with advertising companies acting on their own behalf to improve the relevance of the advertisements we present" and, on the other hand, that said third parties may sometimes use cookies "when they deliver content, including advertisements, directly to your browser or device and, in this case, they may automatically receive your IP address." They may also use cookies to measure the effectiveness of their advertising, show you more relevant advertising content, and provide services on behalf of (AA). The applicant concludes that the categories of third parties receiving personal data under the PBI would be described in transparent, concise, simple, and understandable language, so as to avoid any surprises for data subjects and without the need to use technical terms to explain the mechanism of the PBI, and more specifically the RTB. Furthermore, the applicant further criticizes the contested decision for requiring its information notices to provide more details on transfers of personal data to third parties located outside the European Union, including details on the recipients, destination countries, appropriate safeguards in place, and how to obtain a copy, even though the required information is clearly provided in the notices. 
Furthermore, the GDPR would not require data controllers to identify each recipient of personal data located outside the European Economic Area, nor the destination countries, but only to indicate their intention to transfer personal data to a third country or an international organization and to refer either to the adequacy decisions of the European Commission, or to the appropriate or suitable safeguards, as well as the means to obtain a copy or the location where they have been made available, information that the applicant would provide. The company (AA) further emphasizes that its customers could, in any event, completely object to transfers of personal data for PBI purposes by using the opt-out mechanism made available to them. Regarding the criticism raised in the contested decision regarding the retention periods for personal data processed by the applicant, the applicant argues that since it regularly provides new and updated services and retention periods vary depending on the specific service and functionality, it would be impractical and of little use to customers to be provided with details on the retention periods for each data element processed for each of the purposes set out in the "protection of your personal information" notice. Therefore, the applicant considers that it would have been more appropriate to provide, in the said notice, details on the criteria used to determine the relevant retention periods, in accordance with Article 13(2)(a) of the GDPR. As for the requirement for data controllers to provide customers with information on the "categories" of personal data obtained from sources other than directly from the data subjects, the applicant argues that Article 14, paragraph (1), d) of the GDPR does not require the provision of an inventory of each data element, a list which, moreover, in its specific case, would be impossible for customers to easily consult and therefore would not meet the overriding requirement of conciseness. 
Finally, the applicant argues that it has provided sufficient information within the meaning of Article 14, paragraph (2), f) of the GDPR on the sources of the personal data, even though its information notices specify that it obtains such data from third parties. Based on the premise that the information to be provided to data subjects regarding the processing of their personal data should be presented in a concise, transparent, and understandable manner, using clear and simple language, the applicant allegedly considered that it would not be useful for data subjects to have a list of third-party names, which could also be confusing. Thus, the CNPD could not validly require that it specifically identify its sources in its information notices. In its reply, the company (AA), while refuting the analysis carried out by the CNPD in its response, which largely repeats the allegations in the contested decision, emphasizes the fact that its information notices are concise, understandable, transparent, and easily accessible from the footer of almost all pages of the (AA) Stores. It concludes that it cannot be held to have violated Articles 12 to 14 of the GDPR, and therefore the contested decision should be reversed on this basis. The CNPD concludes that the applicant's argument regarding the absence of any violation of Articles 12 to 14 of the GDPR should be rejected and requests that the contested decision be upheld on this point. The court must first note that, pursuant to Article 12 of the GDPR, "The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14, as well as any communication under Articles 15 to 22 and Article 34 concerning the processing, to the data subject in a concise, transparent, intelligible, and easily accessible manner, using clear and plain language, in particular any information specifically addressed to a child." 
The information shall be provided in writing or by other means, including, where appropriate, electronically. Upon request from the data subject, the information may be provided orally, provided that the data subject's identity is established by other means. According to Article 13 of the GDPR, "1. Where personal data relating to a data subject are collected from that data subject, the controller shall, at the time the data are obtained, provide the data subject with all of the following information: a) the identity and contact details of the controller and, where applicable, the controller's representative; b) where applicable, the contact details of the Data Protection Officer; c) the purposes of the processing for which the personal data are intended and the legal basis for the processing; (d) where processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party; (e) the recipients or categories of recipients of the personal data, where applicable; and (f) where applicable, the fact that the controller intends to transfer personal data to a third country or an international organization, and the existence or absence of an adequacy decision issued by the Commission or, in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), a reference to the appropriate or suitable safeguards and the means of obtaining a copy or the location where they have been made available. 2. 
In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data are obtained, with the following additional information necessary to ensure fair and transparent processing: a) the period for which the personal data will be stored or, where this is not possible, the criteria used to determine that period; b) the existence of the right to request from the controller access to, rectification or erasure of, or restriction of processing of, personal data relating to the data subject, or the right to object to processing, and the right to data portability; (c) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) of the GDPR, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent given before its withdrawal; (d) the right to lodge a complaint with a supervisory authority; (e) information on whether the requirement to provide personal data is statutory or contractual, or is required for the conclusion of a contract, and whether the data subject is obliged to provide the personal data, as well as the possible consequences of failure to provide such data; (f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject. 3. Where the controller intends to further process personal data for a purpose other than that for which the personal data were collected, the controller shall first provide the data subject with information about that other purpose and any other relevant information referred to in paragraph 2. 4. Paragraphs 1, 2, and 3 shall not apply where and to the extent that such information is already available to the data subject. Finally, Article 14 of the GDPR provides that: 1. 
Where the personal data have not been collected from the data subject, the controller shall provide the data subject with all of the following information: a) the identity and contact details of the controller and, where applicable, the controller's representative; b) where applicable, the contact details of the Data Protection Officer; (c) the purposes of the processing for which the personal data are intended and the legal basis for the processing; (d) the categories of personal data concerned; (e) where applicable, the recipients or categories of recipients of the personal data; (f) where applicable, the fact that the controller intends to transfer personal data to a recipient in a third country or an international organization, and the existence or absence of an adequacy decision issued by the Commission or, in the case of transfers referred to in Articles 46 or 47, or the second subparagraph of Article 49(1), the reference to the appropriate or suitable safeguards and the means of obtaining a copy or the location where they have been made available. 2. 
In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing: a) the period for which the personal data will be stored or, where this is not possible, the criteria used to determine that period; b) where processing is based on point (f) of Article 6(1) of the GDPR, the legitimate interests pursued by the controller or by a third party; c) the existence of the right to request from the controller access to, rectification or erasure of, or restriction of processing of personal data relating to the data subject, as well as the right to object to processing and the right to data portability; (d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) of the European Parliament and of the Council, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent given before its withdrawal; (e) the right to lodge a complaint with a supervisory authority; (f) the source from which the personal data originate and, where applicable, an indication of whether they come from publicly available sources; (g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject. (…).” It follows from the foregoing legal provisions that the data controller must provide individuals whose personal data is collected and processed with certain information in a concise, transparent, comprehensible, and easily accessible manner, both when the data is collected directly from the individuals concerned and when it is not. 
These obligations, as rightly noted by the CNPD and further clarified in Opinion WP260 of the Article 29 Working Party on transparency within the meaning of the GDPR, adopted on November 29, 2017, and approved by the EDPB on May 25, 2018, hereinafter referred to as "Opinion WP260," are consistent with the more general principle of fairness and transparency set out in Article 5 of the GDPR, and the principle of fairness set out in Article 8 of the Charter. It should also be noted that the GDPR specifies, in its recitals 58 and 60, that "The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible, and easy to understand, and formulated in clear and plain language and, furthermore, where appropriate, illustrated with visual elements. This information could be provided in electronic form, for example via a website when addressed to the public. This is particularly true in situations where the multiplication of actors and the complexity of the technologies used make it difficult for the data subject to know and understand whether personal data concerning them are being collected, by whom, and for what purpose, such as in the case of online advertising. (...)" and that "The principle of fair and transparent processing requires that the data subject be informed of the existence of the processing operation and its purposes." The controller should provide the data subject with any other information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and of the consequences thereof. When personal data are collected from the data subject, it is important that the data subject also knows whether they are obliged to provide such personal data and is informed of the consequences of not providing them. 
This information may be provided with standardized icons to provide a clear, easily visible, understandable, and clearly legible overview of the intended processing. When the icons are presented electronically, they should be machine-readable. The court must first note that the CNPD, in the context of the contested decision, relied on the following documents, in their version in effect on October 9, 2018, to examine whether the information provided by the company (AA) to the individuals whose personal data it processes meets the requirements of Articles 12 to 14 of the GDPR:
− The "Notice: Protection of your personal information" page;
− The "Cookies" page;
− The "Interest-based ads" page;
− The "Advertising preferences on (AA)" page;
− The "Security and privacy" help and customer service section;
− The "Third-party cookies" page.
However, the plaintiff only submitted the following documents for the court's analysis, and more specifically (i) a document entitled "(AA).fr Notice: Protection of your personal information 2018.05.22", (ii) a document entitled "(AA).fr Notice: Protection of your personal information 2021.02-24", (iii) a document entitled "(AA).fr Cookies 2018.05.23", (iv) a document entitled "(AA).fr Cookies 2020.09.09", as well as (v) a document entitled "(AA).fr Interest-based ads 2018.05.23", it being further specified that documents (iii) and (iv) relating to cookies are not to be taken into consideration in the context of this dispute, whereas the issue relating to the computer processing of cookies was expressly excluded from the scope of the contested decision of July 15, 2021, so as not to be the subject of the appeal under review. Finally, it should be recalled that in the context of an appeal for reversal, the court is required to consider the factual and legal elements of the case at the time it rules, taking into account changes that have occurred since the contested decision. 
[Footnote 52: Admin. Court, July 15, 2004, No. 18353 of the docket, Admin. Pas. 2023, V° Appeal for Reconsideration, No. 19 and the other references cited therein.]
It should also be noted that on December 21, 2023, the company (AA) finally filed with the registry of the administrative court a document prepared by itself entitled "Summary of changes made to the processing of personal data by (AA) ("(AA)") for the purposes of interest-based advertising ("IBA")", in which it states that as of "December 2020: (AA) updates its information notice to more clearly indicate that (AA) relies on its legitimate business interests and the interests of its customers to display IBA." The information notice (as applicable today) is available at https://www.(AA).fr/gp/help/customer/display.html?nodeId=201909010&ref=footer_privacy. ", it being specified, on the one hand, that footnote No. 3 indicated therein refers to the document entitled "(AA).fr Notice: Protection of your personal information 2021.02 24", as well as paragraphs 93 of the appeal, as well as 306 and 307 of the reply brief, and, on the other hand, that the plaintiff did not directly submit the aforementioned notice to the court, thus making it impossible for the court to accurately determine the temporally applicable version, nor did it take any position on it in its appeal, its reply brief, or even during the hearing of the pleadings. 
It follows that the court will not take this element into consideration, which, moreover, was not the subject of any adversarial debate, whereas it must be considered as being simply suggested without being effectively supported, it being recalled that it is not up to the court to compensate for the parties' failure to act by itself seeking the legal and factual grounds that could have been the basis for their conclusions. The court must then note that the CNPD, both in the contested decision of July 15, 2021, and in its response, described the company's (AA) breaches in a precise, detailed, and exhaustive manner with regard to its obligations under Articles 12 to 14 of the GDPR, detailing the corresponding articles of the GDPR for each type of breach, as well as the relevant passages of the WP260 notice, while also taking into consideration the amendments made by the applicant to its notices during the proceedings, amendments which, however, it rightly characterized as insufficient to establish compliance with the aforementioned articles of the GDPR in this case. Thus, the court must specifically note, first of all, with regard to the criticism relating to the chosen format of the information notices, that the CNPD rightly held that said notices do not comply with the requirements of Article 12 of the GDPR, insofar as they are not accessible in a single location, or in a single document, even though Internet users are confronted with at least three separate documents, namely notices on the protection of personal information, on cookies, and on interest-based advertising. It is not clear from the evidence validly submitted to the court for analysis that said notices were, or are currently, directly viewable on a single webpage, such as through a notice with several levels ("layered privacy statements/notices"). 
The plaintiff also fails to state in its notices that the collection and processing of personal data as it carries them out within the framework of the PBI have as their legal basis the legitimate interest within the meaning of Article 6, paragraph (1), f) of the GDPR, and to specify its exact content. The simple statement that "third-party advertisers or advertising companies ... may ... measure the effectiveness of their advertisements, show you more relevant advertising content, and provide services on behalf of (AA)" is insufficient to overturn this finding, insofar as it does not specify the various legitimate interests at issue, as the court has just upheld them in the first stage of assessing the conditions of Article 6, paragraph (1), f) of the GDPR. The same observation must be made regarding the update of the notice: Protection of your personal information, in its version of February 24, 2021, which only mentions, without further clarification, "our legitimate commercial interests and the interests of our customers (...) when we provide you with interest-based advertising." The CNPD was therefore right to find a violation of Articles 13, paragraph (1) d), and 14, paragraph (2) b) of the GDPR. The court must also note, notwithstanding the finding that the wording of certain passages [55] of the notice relating to the PBI may lead to the conclusion that the applicant does not process personal data, that the applicant has failed to provide, in its notices, clear and precise information regarding the profiling of the individuals whose personal data it collects and processes, and regarding the consequences of this processing, even though the Article 29 Working Party, in paragraphs 10 and 43 of its Opinion WP260, expressly specified the need to provide such information as part of the obligations imposed on the controller under Articles 13 and 14 of the GDPR. 
Similarly, the notices submitted for analysis by the court provide no specific information regarding the recipients or categories of recipients of personal data under the RTB - a mechanism whose operation is also not mentioned or even described in the aforementioned notices - even though such an obligation rests on the company (AA) under Articles 13, paragraph (1), e) and 14, paragraph (1), e) of the GDPR, and WP260 expressly states on this subject that "(…) The actual (named) recipients of the personal data, or the categories of recipients, must be provided. In accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subjects. In practice, this will generally be the named recipients, so that data subjects know exactly who has their personal data. If controllers opt to provide categories of recipients, the information should be as specific as possible by indicating the type of recipient (i.e., by reference to the activities it carries out), the industry, sector, and subsector, and the location of the recipients. (…)"; the indication that personal data is transmitted to advertisers, publishers, social networks, search engines, ad publishing companies, or advertising companies acting in their own name is clearly insufficient in this regard.
The same conclusion should be drawn regarding the statement relating to the transfer of personal data to third parties located outside the European Economic Area, obligations arising from Articles 13, paragraph (1), f) and 14, paragraph (1), f) of the GDPR, insofar as the company (AA) limits itself to ensuring "(…) that this information is transferred in accordance with this Notice and in accordance with applicable personal data protection laws," [57] even though the WP260 notice specifies in particular that "(…) In accordance with the principle of fairness, the information provided on transfers to third countries should be as meaningful as possible to data subjects; this will generally mean that the third countries be named. (…)". [58]

[55] Page 1 of the notice "Interest-based ads 2018.05.23": "(…) We do not use information identifying individuals, such as name or email, to present interest-based ads (…)", respectively "(…) we do not provide information personally identifying individuals to advertisers, nor to third-party sites that display our interest-based ads. (…)".

[56] Page 37 of the WP260 notice.

[57] Page 4 of the document entitled "(AA).fr Notice: Protection of your personal information 2018.05.22", Page 5 of the document entitled "(AA).fr Notice: Protection of your personal information 2021.02.24", which further specifies that the applicant relies on the European Commission's adequacy decisions, respectively on contracts with standard guarantees published by the latter.

The same conclusion is also required of the court regarding the indication of the retention periods for the personal data collected and processed, and the criteria used to determine said periods, in accordance with Articles 13, paragraph (2), a) and 14, paragraph (2), a) of the GDPR, given that the only mention made by the applicant in its "Protection of your personal information 2018.05.22" and "Protection of your personal information 2021.02.24" notices is to state that the data are retained for "a period necessary to achieve" the relevant purposes under the conditions described in the aforementioned notices, and legal obligations, respectively, a formulation which is expressly excluded by WP260 [59] and which in no way allows data subjects to precisely determine any period. Finally, the court must also find, with regard to the obligations of Article 14, paragraph (1), d) of the GDPR regarding the identification of categories of data that were not collected from the data subject and the sources, that the applicant merely indicates, in a summary manner, in its "Interest-Based Ads 2018.05.23" notice, that it collects demographic data from third parties, without providing any details regarding the various data thus concerned and the third parties concerned. In this context, the court must still reject the applicant's claim that such a list would be impossible to easily consult, given that the company (AA) was able to provide, at a pre-litigation stage, as specified in the audit report of February 17, 2020, both the various demographic data and the companies that transmitted them to it in a precise and concise manner. It follows from all of the foregoing considerations that the applicant's entire argument relating to its alleged violation of Articles 12 to 14 of the GDPR must be dismissed as unfounded, a violation that still exists today.
[58] Page 38 of Opinion WP260.

[59] Ibid.

Regarding the violation of Articles 15 to 17 of the GDPR relating to the right of access, the right to rectification, and the right to erasure, the applicant argues that the CNPD, in the contested decision, did not properly take into account the interests and risks involved. In this context, (AA) insists that it pseudonymizes all advertising profiles to prevent direct identification of an individual. To return or modify this data, it would have to re-identify it, which would likely create a risk to the privacy and security interests of all of (AA)'s customers. In this context, it relies, on the one hand, on the case law of the CJEU, according to which it may be appropriate to limit a party's data protection and privacy rights for "the protection of the rights and freedoms of others" and, on the other hand, on Article 11 of the GDPR, according to which controllers would not be required to process additional personal data if the sole purpose of such processing was to identify an individual for the purpose of responding to an access request. Thus, the applicant could reasonably have considered that it would not be required to carry out such additional processing, which it would have had to do solely to comply with such a request. Furthermore, since it had always provided key attributes, such as..., including recent purchases, product searches, and information on downloaded applications (AAs), used to display PBIs, elements that it would also process in other systems, it could have legitimately concluded that the actual impact on individuals refused access to the remaining pseudonymized data would be low and would also be justified by the importance of ensuring a very high level of security for the personal data concerned. The applicant further refutes the CNPD's analysis that it would be likely to provide information about individuals to other individuals using the same device, thus leading to a breach of security obligations.
The CNPD's argument is based on the right to data portability and is in contradiction with Article 15, paragraph (4) of the GDPR, which states that the right to obtain a copy of personal data should not adversely affect the rights and freedoms of others. Furthermore, the CNPD's analysis also suggests that the nature of the data in question is not particularly sensitive or intrusive, whereas, otherwise, it would be strange to require it to provide information from one individual to another. The company (AA) finally argues that the CNPD's assertion that reidentifications following an access request should be considered occasional, so that this process cannot be characterized as systematic and large-scale, such as to jeopardize the pseudonymization protection mechanism, should result in the alleged failure to comply with reidentification requests having, in this case, no impact, if any, at all. In its reply, the company (AA) insists that the CNPD's assertion that improving data security cannot justify preventing data subjects from exercising their rights is erroneous, given that the CJEU has expressly confirmed that the right to data protection, including the right of access, may be limited to protect the rights and freedoms of others, which would include the protection of their rights to privacy and the protection of personal data under Articles 7 and 8 of the Charter. Regarding the issue of erasure of pseudonymized data, the applicant explains that it only retains the personal data used to display the PBI for a maximum period of 13 months from the date of an opt-out. Such a duration, compliant with the requirements of the retention limitation principle set out in Article 5, paragraph (1), (e) of the GDPR, would not have a substantial impact on the rights, freedoms, and interests of the data subjects, while the risk of harm would be very low, if not virtually zero, due to the pseudonymization of the data. 
Regarding the violation of Article 21 of the GDPR relating to the inadequacy of the opt-out mechanism, as implemented by the plaintiff, the latter argues that the said mechanism would, on the contrary, be strong and favorable to the consumer, whereas if a person refused PBI, they would no longer be shown to them, which would negate all the negative impacts alleged by the CNPD, such as the fact that a person could self-censor their behavior due to fear of PBI on a shared device. As for the more specific criticisms raised by the CNPD regarding the applicant's opt-out mechanisms, such as, more specifically, (i) the fact that said mechanism does not cover certain processing operations, in this case personalized recommendations, (ii) the fact that exercising the right to object in relation to PBI should not be limited to stopping all processing of the data subject's data for advertising purposes, and (iii) the fact that the opt-out mechanism must be provided before the processing takes place, the applicant argues, first of all, that Article 21, paragraphs (2) and (5) of the GDPR do not require it to provide a single general "switch" for all processing operations, covering marketing emails, personalized recommendations, postal mail, and PBI, while specifying that its "granular opt-outs" would be more respectful of the choices and desires of consumers, who could thus opt to receive only certain types of advertising. As for the CNPD's criticism that the right to object to receiving behavioral advertising should be exercised before processing takes place, the applicant insists that Article 21 of the GDPR only requires the opt-out to be made available "at any time," which is the case in this instance, whereas the opt-out is located on its public website, accessible to both customers and non-customers before, during, and after the creation of an account (AA).
Furthermore, each advertisement displayed on third-party publishers' websites is accompanied by an "AdChoices" icon allowing (i) access to its opt-out mechanism, (ii) to ensure transparency regarding the identity of the person displaying the advertisement in question, and (iii) to provide its transparency information directly to its customers, unlike what other companies would do by linking to a generic page allowing them to refuse the PBI of various companies. The plaintiff finally argues that its opt-out mechanism is in practice easier to access and more comprehensive than those of other providers, while it takes only two clicks to access it from almost all of its store pages. In its reply brief, the company (AA), while reiterating its argument relating to the absence of a requirement, under Article 21 of the GDPR, for a single "switch" for all types of direct marketing, or to offer an opt-out before processing takes place, still maintains that it honors a customer's opt-out choice when it could have recognized a device as being linked to an account for which a logged-in customer had opted out and ensured that its Advertising Preferences page would reflect this choice regarding the opt-out made by a customer while logged in. It thus refutes the CNPD's criticism that the Advertising Preferences page could indicate that a customer would remain registered with the PBI if they had opted out and then logged in from a new device or from the same device after deleting their browser cookies. 
While reiterating that not deleting data immediately after an opt-out would have no tangible impact on the data subjects, and that it would rely, as a legal basis, on the data subject's consent to display PBI on third-party sites in almost all cases, the plaintiff finally emphasizes the fact that it would not display PBI based on customer data it collected on third-party social media sites or search engines, when customers objected to the display of PBI on the Advertising Preferences page, an opt-out that would also apply to its subcontractors, in this case social media and search engine providers, by virtue of their contractual obligations. The CNPD concludes that the applicant's arguments regarding the alleged violation of Articles 15 to 17 and 21 of the GDPR should be dismissed as unfounded.

It should first be noted that the right of access of data subjects to their personal data collected and processed by the controller arises from Article 15 of the GDPR, which provides: "1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to those personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients established in third countries or international organizations; (d) where possible, the envisaged period for which the personal data will be stored or, where not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data, or restriction of the processing of personal data relating to the data subject, or the right to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not
collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(9) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 2. When personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards, pursuant to Article 46, relating to the transfer. 3. The controller shall provide a copy of the personal data being processed. The controller may charge a reasonable fee based on administrative costs for any additional copies requested by the data subject. Where the data subject makes the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise. 4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others." In this context, it is also appropriate to refer to Recital 63 of the GDPR, which states that "a data subject should have the right to access the personal data collected about them and to exercise this right easily and at reasonable intervals, in order to be aware of the processing and to verify its lawfulness. (...) Consequently, every data subject should have the right to know and to be informed, in particular, of the purposes of the processing of personal data, where possible, the duration of the processing, the identity of the recipients of the personal data, the logic underlying any automated processing, and the possible consequences of such processing, at least in the case of profiling. Where possible, the controller should be able to grant remote access to a secure system allowing the data subject direct access to their personal data. (...)."
The court is obliged to note that the company (AA) initially refused to comply with the access requests sent to it on the grounds that it had protected personal data collected and processed within the framework of the PBI through their pseudonymization and that re-identification of said data thus protected would require the processing of additional information, which would contravene Article 11, paragraph (1) of the GDPR, which states: "If the purposes for which personal data are processed do not or no longer require the controller to identify a data subject, the controller shall not be obliged to store, obtain, or process additional information to identify the data subject solely for the purpose of complying with this Regulation." However, as rightly noted by the CNPD, the PBI procedure necessarily requires continuous identification of terminal equipment in order to target it with personalized advertising offers, such that the applicant could not validly rely on Article 11, paragraph (1) of the GDPR, which establishes as a basic premise the absence of a need to identify a data subject, to refuse, on the one hand, to re-identify pseudonymized personal data and, on the other hand, to comply with a request from data subjects for access to their advertising profile. The finding of a violation of Article 15 of the GDPR is not called into question by the applicant's approach of providing only certain key attributes following a request for access to the data. Thus, the applicant clarified, in its position of August 20, 2020, that "(...) our centralized data subject access request system collects personal data from (AA) systems, databases, and services to respond to them. In doing so, the system relies on numerous services and activities on which the advertising profile is built. (...)
In addition, most of the information we use to create or improve an advertising profile is also available to customers instantly, upon request (and has been for many years) via the "My Account" function in their (AA) online account settings. Customers can view items in their order history via their account settings (…)", which is insufficient to conclude that the company (AA) complied with the aforementioned Article 15 of the GDPR, which requires the disclosure of all personal data collected and processed, as well as, in particular, the purposes of the processing, the recipients or categories of recipients to whom the personal data has been or will be disclosed, and the retention period for said data. Although the company (AA) adopted additional measures during the pre-litigation procedure regarding the right of access to profiles created for PBI purposes, in this case, to communicate the corresponding data to authenticated terminal equipment, the court must find that the plaintiff still fails to comply with its obligations under Article 15 of the GDPR, even though it is a fact, and not disputed by the parties, that the company (AA) still fails to respond to access requests sent to it by unauthenticated terminal equipment, even though it is clear from the detailed explanations in the case, and not questioned by the plaintiff, that identification of such equipment is possible, and is, moreover, carried out by the company (AA) while targeting said devices with PBI based on advertising profiles established with the data thus collected through the technical process of cookies, which constitutes, in particular, an element of identification of a terminal device.

[60] Paragraphs 161 and 163 of the position of the company (AA) dated August 20, 2020.
It follows from the above considerations that the CNPD was right to find a violation, on the part of the company (AA), of Article 15 of the GDPR, as well as, correlatively, of Article 16 of the GDPR relating to the right of rectification, according to which "The data subject has the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary declaration.", to the extent that the applicant, by not providing access to the personal data collected and processed within the framework of the PBI in accordance with Article 15 of the GDPR, prevents the data subjects from knowing precisely and accurately said data and the content of the advertising profile established on the basis of the latter, thereby making it impossible for them to request any rectification of elements unknown to them.
Finally, it should be noted that the violation of Article 16 of the GDPR still exists today, even though it is clear from the evidence submitted to the court for analysis, and more specifically from the document filed by the company (AA) with the registry of the administrative court on December 21, 2023, entitled "Summary of changes made to the processing of personal data by (AA) ("(AA)") for the purposes of interest-based advertising ("IBA")," in which it states that, starting in July 2023, it would have allowed its "(…) customers to influence the advertisements they see by updating (i.e., correcting) their interests and other information," while providing a related screenshot, that the options available to data subjects to modify the data collected and processed under the IBA are limited to their "interests," although the screenshot provided by the plaintiff specifies that the said persons could update "(…) the settings concerning your interests and demographic information. (…)". It should be noted that on the webpage that was the subject of the aforementioned screenshot, there is no section relating to demographic data with respect to which the persons concerned could exercise their right of rectification. With regard to the applicant's alleged failures regarding the right to object, as well as the right to erasure for the persons whose personal data it collects and processes, it should first be noted that, pursuant to Article 21 of the GDPR, "1. The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her based on point (e) or (f) of Article 6(1), including profiling based on these provisions.
The controller shall no longer process the personal data unless he or she demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. 2. Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing purposes, including profiling to the extent that it is related to such marketing. 3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.", and that, pursuant to Article 17 of the GDPR, "1. The data subject shall have the right to obtain from the controller the erasure, without undue delay, of personal data concerning him or her, and the controller shall have the obligation to erase such personal data without undue delay, where one of the following grounds applies: (…) c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); 2. Where the controller has made personal data public and is obliged to erase them pursuant to paragraph 1, the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that the data subject has requested erasure by such controllers of any links to, or copy or replication of, those personal data. 3.
Paragraphs 1 and 2 shall not apply to the extent that such processing is necessary: (a) for exercising the right to freedom of expression and information; (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (c) for reasons of public interest in the area of public health, in accordance with Article 9(2)(h) and (i) and Article 9(3); (d) for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes in accordance with Article 89(1), to the extent that the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of such processing; or (e) for the establishment, exercise, or defense of legal claims. It should first be recalled that an individual administrative act, and more particularly one that is likely to cause harm either to its addressee or to third parties, benefits from the presumption of legality as well as conformity with the objectives of the law on the basis of which it was adopted. Therefore, it is up to the party claiming to suffer unjustified harm or inconvenience as a result of the administrative act in question, and who therefore wishes to have it amended or annulled in order to achieve a more favorable factual situation, to establish concretely how the administrative act in question violates a rule established by a Grand Ducal implementing law or regulation, or in this case, a Community regulation. In this case, it is up to the applicant to provide concrete proof that the IT mechanisms it has implemented comply with the requirements of Articles 17 and 21 of the GDPR, it being recalled that it is not up to the court to compensate for the litigants' failure to present their arguments. 
Based on this consideration, the court must note that the plaintiff has limited itself to refuting, without providing the slightest explanation or evidence in this context, the CNPD's criticism that the opt-out mechanism, as it has implemented it, does not take into account the opt-out choice exercised by the data subject, insofar as if the latter exercises said right, then logs out and logs back in on another device or logs back in on the same device after deleting existing cookies, the data subject's "Advertising Preferences on (AA)" webpage again indicates that the data subject wishes to receive PBI. The plaintiff's argument, which is not otherwise supported by evidence submitted for analysis by the court, must ultimately be rejected, namely that its opt-out mechanism, made available (both directly through its advertising preferences webpage and through the "AdChoices" icon appearing on the advertising spaces used to display its PBI and linking to the aforementioned webpage) to individuals whose personal data is collected and processed to present them with PBI, would be "strong and favorable" to them, and that they would benefit more from "granular opt-out" mechanisms, which are more respectful of their choices and desires than a "master switch." In this context, the CNPD was able to validly argue that accessibility of the opt-out mechanism via the "AdChoices" icon does not meet the requirements [62] of Article 21 of the GDPR, since, apart from the fact that said icon is very small, it does not provide, at first glance, information on the possibility of accessing the webpage allowing one to exercise one's right to object. Furthermore, it should be noted that exercising the opt-out via the applicant's webpage relating to advertising preferences does not have general scope in that it does not concern personalized recommendations, for which additional steps must be taken. [63]

In this context, it should be recalled, as the court held above, that the CNPD was able to take into consideration the plaintiff's practices regarding the right to object regarding personalized recommendations as a factual element to assess the compliance of the mechanism implemented by the company (AA) with Article 21 of the GDPR, without unlawfully extending the scope of the investigation.

[61] Adm. Court, July 16, 2003, No. 15207 of the roll, Adm. Pas. 2023, V° Actes administratifs, No. 158 and the other references cited therein.

[62] The court must also note that this mechanism also fails to comply with the provisions of Article 12, paragraph (2) of the GDPR, which requires the data controller to facilitate the exercise of the rights granted to the data subject under Articles 15 to 22 of the GDPR, which therefore also includes the exercise of the right to object.

[63] According to the CNPD's information, which was not challenged by the company (AA), individuals wishing to stop the processing of their personal data for the purpose of receiving personalized recommendations must access their computer account settings, or their browsing history settings, to express their choice.

The court must confirm the CNPD's position that exercising the right to object via the applicant's website relating to advertising preferences does not comply with Article 15 of the GDPR, whereas data subjects must, in order to stop the processing of their personal data for PBI purposes, take several steps across several websites.
Indeed, although Article 15 of the GDPR does not require a "master switch" for exercising the right to object, the fact that the applicant has implemented several processes on separate web pages, far from being more respectful of the choices and wishes of data subjects, unduly complicates the exercise of said right, contrary to the requirements of Article 12, paragraph (2) of the GDPR, whereas it would be much more useful to differentiate, on a single web page, the various forms of digital advertising with respect to which the data subject could thus individually express their right of option. Along the same lines, it should be noted that the plaintiff does not assert, and a fortiori does not establish, that it will delete the disputed personal data as quickly as possible following the exercise of the opt-out by the person whose data is collected and processed in the context of the PBI. Its explanations, in fact, boil down to arguing, on the one hand, that such deletion would have no tangible impact on the data subjects, and, on the other hand, that it would no longer provide PBI after exercising the right to object, which is not relevant to the right to erasure. In this context, it should also be noted that the violation of Article 17 of the GDPR by (AA) still persists, although it is not clear from the document filed with the registry of the Administrative Court on December 21, 2023, entitled "Summary of changes made to the processing of personal data by (AA) ("(AA)") for the purposes of interest-based advertising ("IBA")," in which the plaintiff states that, from November 2022, it would have allowed its "(…) customers to request the deletion of personal data from (AA)'s advertising systems, regardless of the closure of their (AA) account," while providing a screenshot thereof, within what timeframe(s) the disputed data are actually deleted, such that the court is unable to assess whether the deletion is carried out "as soon as possible", especially since, in the context of the dispute under review, the plaintiff has always stated that it retains, generally speaking, the disputed personal data for a maximum period of 13 months after the opt-out, as has just been noted in the court's analysis of Article 6, paragraph (1), f) of the GDPR. In light of all the foregoing considerations, the CNPD was validly able to find a violation of Articles 6, 12 to 17, and 21 of the GDPR by the plaintiff, violations that persist, as the court has just found above based on all the evidence validly submitted to it, still according to the latest submissions. The court must finally note, in this context, that the reference made by the plaintiff, in various places in its appeal and in its reply, to the fact that it uses the Interactive Advertising Bureau's "Transparency and Consent Framework" does not invalidate the aforementioned finding of a violation of the aforementioned provisions of the GDPR, insofar as the plaintiff has failed to specifically explain the operating mode of said IT system, as well as to provide documents supporting its explanations, such that the invocation of said system must be characterized as merely suggested and therefore cannot invalidate the CNPD's finding of violations by the company (AA) of the relevant provisions of the GDPR.
At this stage, the court must also note that it is not bound by the order of the pleas, as presented by the parties, but has the power to assess them in accordance with the proper administration of justice and the useful effect resulting therefrom, so that with regard to the applicant's pleas concerning the sanctions and measures adopted by the CNPD following the finding of a violation, on the part of the company (AA), of Articles 6, 12 to 17 and 21 of the GDPR, it is necessary, first of all, to analyze the pleas of the company (AA) based on a violation of fundamental rights arising from the Charter, as well as from the ECHR, apart from the plea based on a violation of the applicant's right to a fair trial in relation to the amount of both the fine and the periodic penalty payment that the court will assess, after having examined the pleas relating to misappropriation, respectively abuse of power on the part of the CNPD, as well as the grounds relating to a violation of articles of the GDPR and the Law of August 1, 2018, as well as relating to a violation of the principle of proportionality in relation to the sanctions imposed on the applicant. Thus, the applicant requests that the contested decision be reversed for violation of the principle of legality, as enshrined in Articles 49, paragraph (1) of the Charter and 7, paragraph (1) of the ECHR and as clarified by the case law of the CJEU, as well as that of the Constitutional Court, according to which offenses and penalties should be clearly defined by law in order to enable the person concerned to know the acts and omissions giving rise to their criminal liability. However, according to the plaintiff, the penalty imposed on it through the contested decision was not legally based, while CNPD allegedly alleged a violation of Article 6, paragraph (1), f) of the GDPR for not agreeing with its balancing test.
In this context, the company (AA) further notes that the general methodology of the balancing test, as required of data controllers under Article 6, paragraph (1), f) of the GDPR, results from the case law of the CJEU, such that only the aforementioned article of the GDPR, together with the related case law of the CJEU, are the relevant standards for determining whether conduct is authorized or not and for imposing sanctions, if necessary. However, the CNPD relied, in the context of the contested decision, to a large extent on the guidelines of the Article 29 Working Party, which, however, cannot be classified as law, in accordance with the case law of the ECtHR, until they are sanctioned by a court or enshrined in law. Furthermore, the fact that the CNPD must rely on guidelines published before the entry into force of the GDPR also demonstrates that the GDPR rules, in themselves, are not sufficiently developed, precise, and predictable to serve as a basis for the imposition of criminal sanctions. The applicant further criticizes, still in the context of a violation of Articles 49, paragraph (1) of the Charter and 7, paragraph (1) of the ECHR, the foreseeability of the sanctions imposed on it, suggesting that Article 48 of the Law of August 1, 2018, only establishes the principle for the CNPD to be able to impose a fine, and that Article 83 of the GDPR only determines a broad range between the minimum and maximum amounts of possible fines, while defining very broadly which offenses could result in what level of fine. Thus, in the absence of case law or precise guidelines allowing the calculation of the amount of fines, the plaintiff considers that Articles 48 of the Law of August 1, 2018 and 83 of the GDPR are insufficient to allow data controllers to assess the penalties likely to result from their conduct, such that said penalties cannot be considered foreseeable. 
In its reply, the applicant, while emphasizing the criminal nature of the penalty imposed against it in the contested decision of July 15, 2021, and the obligation to benefit from the related guarantees, maintains its argument regarding the violation of the principle of legality, in that, in the absence of guidance provided by the CNPD through the contested decision, as well as clarification from the GDPR and the law of August 1, 2018, data controllers would be unaware, on the one hand, of what behavior to adopt to comply with the law, and, on the other hand, what behavior would result in a fine of €746 million. The same observation should be made, in this case, regarding the injunction to comply, under penalty of a daily penalty payment of €746,000. Regarding the fine imposed on it, the applicant first argues that Article 6, paragraph (1), f) of the GDPR provides no guidance on the conduct necessary to avoid penalties when processing personal data for PBI purposes, while specifying that there is no case law from the CJEU or guidelines making the penalties in question more predictable. Based on the CNPD's claims that the PBI was "controversial" and that its choice to use legitimate interest as a legal basis would have been risky, the company (AA), while refuting this argument, maintains that the CNPD's statements demonstrate that the requirements relating to the use of the legal basis of legitimate interests for the purposes of the PBI are unclear and therefore require additional clarification, which the CNPD has failed to provide, in violation of the principle of legality and foreseeability. Similarly, the contested decision does not provide clear guidance on how to implement the compliance injunction in practice, measures that would be indeterminate and indeterminable, even if they were read and interpreted in light of the reasons for the decision, as stated in the aforementioned presidential order of December 17, 2021. 
Therefore, the compliance injunction also violates the principle of legality. The CNPD concludes that the argument alleging a violation of the principle of legality should be dismissed as unfounded. As for the violation of the principle of the legality of penalties, as set out in particular by Article 7 of the ECHR, which provides that "1. No one shall be held guilty of a criminal offense on account of any act or omission which, at the time when it was committed, did not constitute an offence under national or international law. Similarly, no heavier penalty shall be imposed than the one applicable at the time the offence was committed. (…)", by Article 49, paragraph (1) of the Charter, which states "No one shall be held guilty of a criminal offense on account of any act or omission which, at the time when it was committed, did not constitute an offence under national or international law. Similarly, no heavier penalty shall be imposed than the one applicable at the time the offence was committed. If, subsequent to this offense, the law provides for a lighter penalty, it must be applied," as formally by Article 14 of the Constitution, which states: "No penalty may be established or applied except by virtue of the law," a provision currently contained in Article 19 of the Constitution, it should be noted that in the area of disciplinary law for civil servants, which also relates to administrative sanctions, the Constitutional Court has already held, in a ruling of March 22, 2002, that the principle of the legality of penalties enshrined in the former Article 14 of the Constitution follows the general principles of criminal law and has formulated the requirement that disciplinary law observe the same basic constitutional requirements, noting, with regard to the criminalization of a disciplinary sanction, "the need to define offenses in sufficiently clear and precise terms to exclude arbitrariness and allow those concerned to accurately assess the nature and type of punishable conduct." This case law is still relevant in light of the current Article 19 of the Constitution. To the extent that the administrative sanction system is similar in form and substance to criminal matters, the aforementioned principles apply to administrative sanctions and therefore to Article 12 of the Law of August 1, 2018, which conferred the power to adopt the aforementioned administrative sanctions under Article 58, paragraph (2) of the GDPR on the CNPD, which provides that "Within the framework of the tasks set out in Article 7, the CNPD has the powers provided for in Article 58 of Regulation (EU) 2016/679.", while Articles 48 and 49, paragraph (1) of the said law allow, more specifically, the said authority to impose administrative fines in accordance with Article 83 of the GDPR, respectively to impose "(…) periodic penalty payments of up to 5 percent of the average daily turnover achieved during the preceding financial year, or during the last closed financial year, per day of delay from the date it sets in its decision, to compel it: (…) 2° to comply with a corrective measure adopted by the CNPD pursuant to Article 58, paragraph 2, letters c), d), e), f), g), h) and j) of Regulation (EU) 2016/679."
64 Constitutional Court, 22 March 2002, No. 12/02, available at www.justice.public.lu
65 Ibid.
Under Article 58(2) of the GDPR, "2. Each supervisory authority shall have the power to adopt all of the following corrective measures: a) warn a controller or processor that the intended processing operations may infringe the provisions of this Regulation; b) remind a controller or processor where the processing operations have resulted in an infringement of the provisions of this Regulation; c) order the controller or processor to comply with requests made by the data subject to exercise their rights under this Regulation; d) order the controller or processor to bring the processing operations into compliance with the provisions of this Regulation, where applicable, specifically and within a specified time period; e) order the controller to notify the data subject of a personal data breach; (f) impose a temporary or permanent restriction, including a prohibition, on processing; (g) order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17, and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed pursuant to Articles 17(2) and 19; (h) withdraw a certification or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or order the certification body not to issue a certification if the requirements applicable to the certification are not or no longer met; (i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the specific characteristics of each case; (j) order the suspension of data flows addressed to a recipient located in a third country or an international organization." With more specific regard to the fines that may be imposed by the CNPD, it should be noted that, under Article 83 of the GDPR, "1. 
Each supervisory authority shall ensure that administrative fines imposed pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5, and 6 are, in each case, effective, proportionate, and dissuasive. 2. Depending on the specific characteristics of each case, administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j). When deciding whether to impose an administrative fine and when deciding on the amount of the administrative fine, due account shall be taken, in each individual case, of the following: (a) the nature, gravity, and duration of the breach, taking into account the nature, scope, or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they have suffered; (b) whether the breach was committed intentionally or negligently; (c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented pursuant to Articles 25 and 32; (e) any relevant previous breaches committed by the controller or processor; (f) the degree of cooperation established with the supervisory authority to remedy the breach and mitigate its possible negative effects; (g) the categories of personal data affected by the breach; (h) the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the controller or processor has notified the breach; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with those measures; (j) the application of codes of conduct approved pursuant to Article 40 or certification mechanisms approved pursuant to Article 42; and (k) any other aggravating or mitigating circumstances 
applicable to the circumstances of the case, such as financial benefits gained or losses avoided, directly or indirectly, as a result of the breach. 3. If a controller or processor intentionally or negligently infringes several provisions of this Regulation in the context of the same processing operation or related processing operations, the total amount of the administrative fine may not exceed the amount determined for the most serious infringement. (…) 5. Violations of the following provisions shall be subject, in accordance with paragraph 2, to administrative fines of up to EUR 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover for the preceding financial year, whichever is higher: (a) the basic principles of processing, including the conditions for consent pursuant to Articles 5, 6, 7, and 9; (b) the rights of data subjects under Articles 12 to 22 (c) transfers of personal data to a recipient in a third country or to an international organisation under Articles 44 to 49; (d) all obligations arising from Member State law adopted under Chapter IX; (e) failure to comply with an injunction, a temporary or permanent restriction of processing, or a suspension of data flows ordered by the supervisory authority pursuant to Article 58(2), or failure to grant access as provided for, in violation of Article 58(1). 6. Failure to comply with an injunction issued by the supervisory authority pursuant to Article 58(2) shall be subject, in accordance with paragraph 2 of this Article, to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover for the preceding financial year, whichever is the higher. 7. 
Without prejudice to the powers of supervisory authorities to adopt corrective measures under Article 58(2), each Member State may lay down rules determining whether and to what extent administrative fines may be imposed on public authorities and public bodies established within its territory. (…)." While Articles 58 and 83 of the GDPR do not provide an exhaustive and restrictive list of all conduct that may be sanctioned by an administrative fine, and while the latter article is limited to providing a scale for these fines ranging from €20,000,000 or, in the case of a company, up to 4% of the total worldwide annual turnover of the preceding financial year, with regard to violations of Articles 5, 6, 7 and 9, and Articles 12 to 22 respectively, thus allowing the CNPD a certain degree of latitude in setting the amount of the fine, on the one hand, Article 58, paragraph (2), a) to j) of the GDPR provides for a gradation of the measures that may be imposed by the CNPD, in this case, in particular, the injunction to comply, as well as the administrative fine, and, on the other hand, Article 83, paragraph (2) of the GDPR lists the circumstances to be taken into account by the CNPD in determining both the principle and the amount of the fine. In this context, the court must first reject the plaintiff's argument that the CNPD's finding of a violation of Article 6(1)(f) of the GDPR in its case was not based on the "law," but primarily on the Guidelines. On the contrary, the CNPD relied, as the legal basis for its analysis, both on the aforementioned Community provision, while invoking Recital 47 of the GDPR, and on the relevant case law of the CJEU, which clarified the various conditions to be analyzed in assessing compliance with Article 6(1)(f) of the GDPR. The CNPD's references to the Guidelines were made solely to explain certain elements of its factual analysis, but not as the legal basis for its decision.
Thus, these elements are not such as to violate Articles 7 of the ECHR, 49, paragraph (1) of the Charter, or former Article 14, and currently Article 19, of the Constitution. Furthermore, it should be noted that Article 58, paragraph (2) of the GDPR, cited above, beyond the observation that it clearly specifies the persons concerned by its provisions, in this case the data controllers, such as the applicant, and their subcontractors, establishes, by reference to Article 83 of the GDPR, as administrative offenses certain specific obligations arising from the GDPR, such as, more specifically, those with which the applicant company is accused of non-compliance, namely failure to comply with the lawful basis for its processing of personal data under Article 6, paragraph (1), f) of the GDPR, failure to comply with the transparency obligation under Article 12 of the GDPR, failure to comply with the obligation to provide information to the persons concerned by the processing of their personal data under Articles 13 and 14 of the GDPR, and violation of the right of access of the said persons, as set out in Article 15 of the GDPR, the violation of the right to rectification and the right to erasure provided for in Articles 16 and 17 of the GDPR, as well as the violation of the right to object, as provided for in Article 21 of the GDPR. It should be noted, in this context, that Article 83, paragraph (5) of the GDPR also expressly provides for an increase in the fine incurred when the violations found concern Articles 6, 12 to 17, and 21 of the GDPR, respectively.
On this subject, the Constitutional Court has already held, in a ruling of December 12, 2014, after recalling that the principle of specifying the offense is a corollary to the principle of the legality of the penalty enshrined in former Article 14 of the Constitution, that disciplinary law allows, in the formulation of unlawful conduct, a margin of indeterminacy without affecting the principle of specifying the offense, if logical, technical and professional experience criteria allow for the conduct to be sanctioned to be predicted with sufficient certainty, which is proven in this case, in view of the obligations clearly defined in the GDPR, and, moreover, clarified both by the aforementioned case law of the CJEU and by the various guidelines of the Article 29 Working Party, especially since it results from another ruling of the Constitutional Court of December 14, 2007, that the principle of the legality of penalties does not prevent offenses from being defined in disciplinary matters by reference to the legal and regulatory obligations to which a person is subject by virtue of the functions they perform, the profession to which they belong, or the institution to which they belong. As for the predictability of the severity of sanctions, it should be noted that while the Constitutional Court held that sanctions must be reasonably assessable in terms of their severity, the fact that Article 58 of the GDPR provides for several sanctions, including administrative fines, as well as compliance measures, and, similarly, the fact that Article 83 of the GDPR provides, in paragraph (5), a maximum limit on the amount of the fine incurred, while specifying, in paragraph (2), the circumstances to be taken into consideration, is amply sufficient to satisfy the requirement of the legality of penalties. It should be noted that the need to include a specific provision to guide the administrative authority in the choice of the penalty to be imposed is only required by the Constitutional Court, in the aforementioned judgment of 14 December 2007, in the case of the existence of a "very broad range of penalties" that does not allow for the effective exercise of the rights of the defence. The same finding of compliance with the principle of legality must also be made with regard to the four compliance measures, as issued by the CNPD, in relation to Articles 6, paragraph (1), 12 to 17, and 21 of the GDPR, insofar as said measures are based, as a legal basis, on the one hand, on the aforementioned Article 58, paragraph (2), d) of the GDPR, under which the supervisory authority, in this case the CNPD, is entitled to order "(…) the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where applicable, specifically and within a specified time period," and on the other hand, on the aforementioned Article 49, paragraph (1) of the Law of 1 August 2018, allowing it to attach a penalty payment to corrective measures. It is noted that the specific nature of the corrective measures results, in this case, from the CNPD's reference to the Community provisions that the company (AA) was rightly found to have violated, namely, in this case, Articles 6, paragraph (1), 12 to 17, and 21 of the GDPR, such that the principle of legality was also respected with respect to the said corrective measures.
66 Constitutional Court, December 12, 2014, No. 115/14, available at www.justice.public.lu
67 Constitutional Court, December 14, 2007, No. 41/07, available at www.justice.public.lu
68 Ibid.
In this context, the court must still reject the applicant's argument alleging that the contested decision is imprecise regarding the corrective measures imposed on it. Indeed, with regard more specifically to the violation of the lawful basis for the processing of personal data in dispute, the court must note that Article 6, paragraph (1) provides for six different bases, and it is up to the data controller to choose the one that best corresponds to its activities in compliance with the GDPR, and not for the CNPD to impose one of its six bases, failing which it would interfere in the management and technical organization of the data controller. Furthermore, the CNPD detailed the elements that led it to the conclusion that the applicant could not rely on Article 6, paragraph (1), f) of the GDPR, by analyzing, in detail, the three cumulative conditions to be met, and by holding that both the condition relating to the necessity of processing personal data and the condition relating to the balancing of the interests invoked by the applicant with the rights and interests of the data subjects had not been respected by the company (AA), such that the court must hold that, in the event that the applicant wishes to maintain Article 6, paragraph (1), f) of the GDPR as the basis for the lawfulness of its processing of personal data under the PBI, the latter has all the necessary elements to be able to adopt the corrective measures required of it in relation to the aforementioned article. These elements have been further refined in the context of this judgment. 
This finding, regarding the provision, by the contested decision, of sufficient details so that the data controller could understand the measures to be adopted, must also be reiterated regarding the corrective measures aimed at ensuring compliance with Articles 12 to 17 and 21 of the GDPR, whereas the CNPD has adequately specified the company's (AA) failures with regard to its transparency and information obligations, as well as the rights of access, rectification, erasure, and objection, and therefore the applicant's related arguments must be rejected. The court must finally note that the amount of the fine cannot be criticized, from the perspective of compliance with the principle of legality and predictability of sanctions, to the extent that Article 83, paragraph (5) of the GDPR expressly sets a maximum amount in the event of violation of, in particular, Articles 6, 12 to 17, and 21 of the GDPR, and to the extent that recital 150 of the GDPR specifically defines the concept of "undertaking" whose turnover is to be taken into consideration when setting the amount of the fine, by reference to Articles 101 and 102 of the TFEU, a concept further clarified by the case law of the CJEU relating to those articles. In this context, reference must also be made to Article 83, paragraph (1) of the GDPR, which requires supervisory authorities to ensure that administrative fines are imposed that are, in each case, "effective, proportionate, and dissuasive," so as to expressly provide for a certain margin of discretion in the amount of the fine to be imposed, subject to compliance with the maximum amount directly set by the GDPR. It follows from the above that the argument alleging violation of the principle of legality of penalties is liable to be dismissed in all its aspects as unfounded. 
The company (AA) then criticizes the appealed decision for violating the principle that sanctions may only be imposed after proof of guilt, in accordance with Articles 48, paragraph (1) of the Charter, and 6, paragraph (2) of the ECHR. In this context, the applicant argues that the concept of culpability requires the determination of the degree of culpability—intention, recklessness, or negligence—specifying that conduct that does not meet or exceed the lowest threshold of negligence could not serve as a basis for a criminal fine. However, in this case, the company (AA) argues, based on Article 83(2)(b) of the GDPR, which requires the supervisory authority to examine whether the infringement was based on intentional or negligent conduct, that the decision under appeal did not establish that it had infringed the GDPR culpably, intentionally, or negligently, even though the decision expressly acknowledged that it had carried out its balancing exercise in accordance with the principle of liability and that the facts and the breach found did not reflect a deliberate intention on its part to violate the GDPR. 
It further notes, in this context, that in accordance with the case law of the CJEU, negligence implies "an involuntary act or omission by which the person responsible clearly breaches the duty of care that he or she should and could have observed, taking into account his or her qualities, knowledge, and abilities," which is not the case here, since the legislation on the matter of the protection of personal data, in itself and at this stage, would not have been sufficiently developed and precise and would have left considerable room for interpretation. Thus, to the extent that it had carefully examined the legal requirements set out in the GDPR, taking into account available case law, or even non-legally binding guidelines, and to the extent that it had thoroughly carried out the balancing test to ensure that the privacy and fundamental rights of the data subjects would remain protected, the company (AA) considers that it acted in good faith, in accordance with the principle of liability, without negligence and in an unintentional manner, such that no sanction could have been imposed on it by the CNPD.
70 It should also be noted, by analogy, that "the fact that an operator cannot, in advance, know precisely the level of the fines that the Commission will impose in each case cannot constitute a violation of the principle of the legality of penalties, given that, due to the seriousness of the infringements that the Commission is called upon to sanction, the objectives of repression and deterrence justify preventing undertakings from being able to assess the benefits they would derive from their participation in an offense by taking into account, in advance, the amount of the fine that would be imposed on them as a result of this unlawful conduct" CFI, April 5, 2006, Degussa v. Commission, Case T-279/02, pt. 70.
In its reply, the applicant further argues that the burden of proving that it violated the GDPR and that it is guilty of any offense rests with the CNPD, and that arguing otherwise, as the CNPD would nevertheless do, would violate Article 48, paragraph (1) of the Charter. Furthermore, based on the same article of the Charter, as well as Article 7 of the ECHR, the applicant refutes the CNPD's argument that it demonstrated clear negligence with regard to the fundamental principles of the GDPR, whereas it should have been up to the CNPD to demonstrate that its conduct, which resulted in criminal sanctions, could have been avoided if it had properly implemented appropriate safeguards in light of the guidance available at the time of its assessment. In addition to the problem of the foreseeability of conduct giving rise to sanctions under the GDPR, the applicant argues that the CNPD would have been required to demonstrate that it had violated the GDPR and that it was guilty of this violation, evidence that the CNPD, however, failed to provide. The company (AA) also claims to be entitled to the benefit of the doubt, noting that it carefully conducted the analysis of legitimate interests to arrive at the conclusion that it could have validly relied on Article 6, paragraph (1), f) of the GDPR and that the fact that the CNPD carried out its own balancing of interests to conclude otherwise does not prove wrongful conduct on its part, and that it would have been unreasonable for it to rely on Article 6, paragraph (1), f) of the GDPR in light of the applicable case law. The CNPD submits that this argument should be dismissed as unfounded. As a preliminary point, the court must note that the applicant, during the public hearing, waived the preliminary questions it proposed to submit to the CJEU in connection with its argument relating to the principle of culpability, so the court will not consider them. 
It should also be recalled that, pursuant to the presumption of legality of administrative acts, the burden of proof lies with the person seeking to have an administrative act annulled. The applicant must explain the suspected illegality. The burden of proof requires the applicant to provide concrete evidence on which to base their claim in order to establish the alleged illegality. The court must reiterate, at this stage, its conclusions reached above regarding the violation of Articles 6, paragraph (1), (f), 12 to 17, and 21 of the GDPR, violations that the CNPD was able to validly find on the part of the company (AA). In this context, there are still grounds to reject the applicant's argument that it conducted an exhaustive analysis of the conditions of Article 6, paragraph (1), f) of the GDPR and that the CNPD's sole finding, contrary to its own, at the level of the third condition of said article relating to the balancing of the legitimate interests of the data controller and the rights and interests of the data subjects, cannot establish its guilt. It must be noted that the CNPD not only had an assessment contrary to that of the plaintiff regarding the balancing criterion of Article 6, paragraph (1), f) of the GDPR, but also rightly, as the court has just held above, noted the plaintiff's failure to establish the necessity of the processing of the disputed personal data, such that it also established a breach of the company's (AA) obligation under the second condition of the aforementioned article.
It should also be noted, in this context, that the CNPD found a violation of Articles 6, paragraph (1)(f), 12 to 17, and 21 of the GDPR, after a thorough and detailed examination of the relevant provisions, also relying on the relevant case law of the CJEU, while taking into consideration the clarifications emerging from the appropriate guidelines of the Article 29 Working Party, a legal framework that the court has just identified above as respecting the principle of legality and foreseeability. This finding of a violation of the aforementioned Community provisions further confirms the CNPD's analysis that the company (AA) acted with clear negligence, - the intentional nature of said violations having been rightly dismissed by the CNPD, even though it does not appear from any evidence submitted to the court's analysis that the violations found against the company (AA) were committed deliberately by the latter -, insofar as the plaintiff manifestly failed to grant the data subjects the basic and fundamental rights guaranteed to them by the GDPR, as specified above and regarding the obligations of transparency and the provision of information, as well as the rights of access, rectification, erasure, and opposition. Therefore, no criticism can be directed against the CNPD regarding the legal and factual evidence underlying the sanctions imposed against the company (AA). It follows from all of the foregoing considerations that the applicant's argument based on a violation of the principle of culpability must be dismissed in all its aspects. 
The company (AA) then claims that the contested decision violates its right to a fair trial, enshrined in Articles 41, paragraph (2)(c) and 47 of the Charter, as well as Article 6, paragraph (1) of the ECHR, in that the CNPD failed to provide reasons for the contested decision, insofar as it failed to establish, beyond a reasonable doubt, all the elements of the "administrative crime" against it and failed to provide clear and precise conclusions enabling it to understand and challenge this attribution of liability. In its reply, the plaintiff reiterates its argument regarding the violation of its right to an effective remedy, while still highlighting the vagueness of the compliance injunctions imposed on it through the contested decision, which thus violate its right to an effective judicial remedy, insofar as it makes it impossible for the court to assess the legality of the contested decision. The CNPD concludes that the argument alleging a violation of the right to a fair trial, with regard to the GDPR violations alleged against the applicant, should be dismissed as unfounded. The court must immediately dismiss the applicant's argument, insofar as it relies on Article 41 of the Charter, which provides that "(…) Everyone has the right to have his or her affairs handled impartially, fairly and within a reasonable time by the institutions and bodies of the Union. (…)", given that said article cannot be directly invoked before national courts. The CJEU has indeed held in this regard that it clearly follows from the wording of Article 41 of the Charter that it is addressed not to Member States, but only to the institutions, bodies, and agencies of the Union. [71]
Based on the above conclusions, according to which (i) the CNPD cannot be classified as a court within the meaning of Article 6 of the ECHR, a reasoning which must apply, by analogy, with regard to Article 47 of the Charter, (ii) the principle of legality is respected in this case, (iii) the CNPD respected the principle of culpability, and (iv) the decision appealed is sufficiently reasoned, both with regard to the violations of Articles 6, 12 to 17 and 21 of the GDPR, violations which the court has just confirmed in full, and with regard to the corrective measures imposed on the company (AA) under penalty of a fine, the court must reject the applicant's argument based on a violation of the right to a fair trial in this context. This conclusion is not called into question by the plaintiff's argument that it was unable to understand and challenge the evidence against it due to the CNPD's lack of clear and precise explanations on the matter in the decision under appeal. On the contrary, it must be noted that the plaintiff took a detailed and extensive position on all the alleged violations of the GDPR, both in its application instituting proceedings and in its reply, both of which total more than 200 pages. The court must ultimately reject the plaintiff's assertion regarding the alleged vagueness of the compliance measures imposed on it by the CNPD, reiterating the above-mentioned finding regarding compliance with the principle of legality regarding said measures.
The company (AA) further accuses the CNPD of misusing and exceeding its powers by imposing an unprecedented fine, as well as a series of injunctions subject to additional daily penalty payments for any delay, while ordering the publication of its decision, without even considering other corrective measures, thereby violating both Article 58 of the GDPR and fundamental principles of European Union law.
In this context, the applicant argues, first, that under Article 58, paragraph (2) of the GDPR, national data protection authorities, such as the CNPD, have discretionary power to choose between the 10 measures proposed by the aforementioned article. Thus, the imposition of an administrative fine could be "in addition to or instead of" the other measures referred to in Article 58, paragraph (2) of the GDPR, and should depend on the specific characteristics of each case. Furthermore, pursuant to Article 83, paragraph (2) of the GDPR, it would be up to the supervisory authorities to decide not only the amount of administrative fines, but also to decide "whether to impose an administrative fine," which also follows from Recital 148 of the GDPR, as well as from Opinion WP253 of the Article 29 Working Party concerning Guidelines on the assessment and setting of administrative fines for the purposes of the GDPR. Furthermore, the law of August 1, 2018 also provides the CNPD with discretionary power regarding corrective measures. The law supplements the CNPD's powers in this area by granting it the power, under certain conditions, (i) to impose a daily penalty payment on a corrective measure and (ii) to order the publication in full, or in part, of its decisions. Based on these considerations, the plaintiff argues that the CNPD violated Article 58 of the GDPR by directly imposing a fine without exercising its discretion regarding the choice of the appropriate measure to adopt.
[71] CJEU, 17 July 2014, YS v. Minister for Immigration, Integration and Asylum and Minister for Immigration, Integration and Asylum v. M, S, Joined Cases C-372/12 and C-141/12, paragraph 67.
Thus, when the CNPD found a violation by the applicant of the various GDPR obligations specified above, it directly imposed a fine on the applicant, while referring to certain criteria in Article 83, paragraph (2) of the GDPR, without making an explicit, reasoned, and transparent decision regarding its choice among the various measures available to it under Article 58 of the GDPR. This constituted a manifest error of assessment, both under Luxembourg national law and under European Union law, according to which the right to good administration includes the obligation for the administration to provide reasons for its decisions, in accordance with Article 41, paragraph (2), c) of the Charter and the case law of the CJEU. Thus, the objective of the obligation to provide reasons would be to enable a review of the legality of the decision. The applicant further specifies, in this context, that the scope and extent of the reasoning would depend on the nature of the act and the context in which it was adopted, such that the requirements for appropriate reasoning would increase with the seriousness of the act in question and its context. However, in this case, given the dramatic consequences resulting from the decision under appeal for it, namely financial, commercial, and reputational damage, the applicant believes that it would have been up to the CNPD to provide substantial details and conduct a reasoned analysis of the reasons why a fine of €746 million would have been necessary and appropriate, which it, however, failed to do. Such an approach would clearly show that the CNPD, by failing to provide reasons for its decision to impose a fine, had not considered other, less lenient measures, or had automatically imposed an administrative fine, thus violating Article 58 of the GDPR by failing to exercise its relevant discretion.
In this context, the applicant also relies on the decision of the Irish supervisory authority, which also imposed a significant fine, and which, unlike the CNPD, provided reasons for this decision over more than 33 pages of its decision. Based on a judgment of the Administrative Court dated January 22, 2019, entered under case number 41999, the applicant further argues that under Luxembourg national law, a discretionary power, such as that of the CNPD, should not be understood as absolute, unconditional, or arbitrary in any respect, but should be imposed within the framework of the laws and subject to appropriate safeguards. This, however, was not the case in this case when the CNPD exercised its discretionary power to choose between the various corrective measures set out in Article 58, paragraph (2) of the GDPR. Furthermore, the CNPD allegedly misused its powers for purposes not provided for by the GDPR, such that the contested decision should be subject to annulment in the context of the appeal under review. Thus, the company (AA) argues that the CNPD unlawfully sought to sanction it instead of ensuring the protection of personal data through corrective measures less onerous than a fine of €746 million, a series of injunctions subject to a daily penalty payment of €746,000, and the publication of the contested decision. The applicant also relies, in this context, on the one hand, on recital 129 of the GDPR, according to which "(…) any [corrective] measure should in particular be appropriate, necessary, and proportionate to ensure compliance with this Regulation, taking into account the circumstances of the case," and, on the other hand, on judgment No. 2021/AR/163 of 26 May 2021 of the 19th Chamber of the Brussels Court of Appeal, which also held that the fundamental purpose of European legislation is not to sanction, by imposing fines, but to ensure data protection. 
Based on the consideration that the CNPD failed to provide any grounds justifying the compliance injunctions and the daily penalty payment, apart from asserting that the administrative fine would be effective given the very serious nature of the violations found, as well as the fact that it cooperated with the CNPD during the investigation and proactively implemented numerous measures to address its concerns, the plaintiff considers that the decision's primary objective was to penalize it rather than promote compliance with the GDPR, which constitutes an abuse of power on the part of the CNPD. The Brussels Court of Appeal, in its aforementioned judgment, reached the same conclusion in the case before it. The contested decision also runs counter to the objective of ensuring harmonized implementation of the GDPR throughout the European Union, since imposing a substantial administrative fine as a first resort would not be consistent with the practice of other supervisory authorities, which, in cases also concerning online advertising, have only formally notified the companies concerned to comply with the GDPR, or have had them sign commitments, and then closed the cases once they had taken the necessary action on said injunctions. The company (AA) further argues in this context that the CNPD's power to combine an injunction with a daily penalty payment, based on Article 49 of the Law of August 1, 2018, would not be compliant with the GDPR. Indeed, in this case, the CNPD supplemented the corrective measures imposed with a daily penalty payment as a tool to punish it for violations already sanctioned by administrative fines under Article 83 of the GDPR. However, in accordance with Article 84, paragraph (1) of the GDPR, the additional powers created by Member States could only be imposed for violations that were not already subject to administrative fines under Article 83 of the GDPR. 
To do otherwise, as would have been the case in this instance, would undermine the uniform application of Community law, as well as the principle of equality enshrined in particular in Articles 20 and 21 of the Charter, by leading to a risk of differential treatment of data controllers and their processors depending on the Member State of their principal establishment. The opinion of the Luxembourg Chamber of Commerce on the draft law on the organization of the CNPD and the implementation of the GDPR has already noted the incompatibility between the daily penalty payment provided for by the law of August 1, 2018, and Article 84, paragraph (1) of the GDPR. Finally, the practical implementation of the daily penalty payment would not be consistent with the GDPR, since, on the one hand, the combination of an administrative fine with a daily penalty payment could result in an amount exceeding the maximum amount provided for in Article 83, paragraphs (3) and (5) of the GDPR, and, on the other hand, the CNPD's decision on whether or not to comply with the injunction would be outside the scope of the cooperation mechanism of Article 60 of the GDPR, being based on a national provision and not the GDPR, which would also undermine the uniform application of the GDPR throughout the European Union. The applicant further argues that the CNPD exceeded its discretionary power under Article 58, paragraph (2) of the GDPR by imposing a penalty that violates the principle of proportionality, a principle provided for by both Luxembourg and Community law, which in this case requires the CNPD to choose an appropriate measure to ensure compliance with the GDPR and which does not go beyond what is necessary to achieve this objective. 
However, based on the consideration that Article 58, paragraph (2) of the GDPR essentially provides for three levels of severity for corrective measures, the applicant considers, on the one hand, that imposing a fine would serve as a measure of last resort to punish a violation of the GDPR for which Article 83, paragraph (2)(b) of the GDPR requires consideration of the intentional or negligent nature of the actions of the controller or its processor, and, on the other hand, that the combined imposition of an injunction and an administrative fine should therefore be primarily intended for intentional violations, while mere negligent conduct should only be punished by a fine in exceptional aggravating circumstances, which are not present in this case. Thus, the company (AA) considers that the contested decision violates the principle of proportionality and therefore constitutes an excess of power on the part of the CNPD, a similar conclusion also reached by the Brussels Court of Appeal in its aforementioned judgment of 26 May 2021. Furthermore, the legal situation in the case under review is very complex, insofar as the GDPR defines a broad and open set of principles that cannot be applied in a linear manner, but must be put into practice through a cooperative and iterative process between regulators and controlled entities. It would therefore have been inappropriate for the CNPD to have imposed a fine on a controller as an immediate and primary sanction in this case, especially if the controller had acted in good faith during its assessment and if the CNPD had expressly acknowledged the absence of an intentional violation of the relevant provisions of the GDPR. 
Thus, jumping directly to a fine, without first providing the data controller with guidelines for compliance, definitively runs counter to the principle of legality of former Article 14 of the Luxembourg Constitution and the general principle of legal certainty, requiring that offenses be defined in sufficiently clear and precise terms to exclude arbitrariness and allow those concerned to accurately assess the nature and type of punishable conduct. The plaintiff concludes that the CNPD's misuse and excess of power could not be corrected by the court, since the choice between the various corrective measures provided for by Article 58, paragraph (2) of the GDPR would be eminently political, an area that does not fall within the jurisdiction of the administrative courts, while the latter cannot extend their review of appropriateness in such a way as to encroach on the realm of general policy choices, while also risking, through their power of review, making a decision that falls outside the cooperation mechanism of Article 60 of the GDPR. In its reply, the applicant reiterates its considerations relating to a violation by the CNPD of Article 58, paragraph (2) of the GDPR by directly imposing an administrative fine, resulting, in this case, in a misuse of powers, as well as a violation of the principle of proportionality, while noting that, contrary to the CNPD's arguments, the latter has other means at its disposal to enforce its injunctions, without resorting to daily penalty payments, whereas Article 83, paragraph (6) of the GDPR allows it to impose fines in the event of non-compliance with its injunctions. As part of its argument regarding the violation of the principles of proportionality and effectiveness, the plaintiff ultimately relies on the presidential order of December 17, 2021, entered under case number 46630, to assert that the CNPD could have found that there were less onerous and more effective measures to ensure the protection of personal data.
Thus, the CNPD could have (i) imposed only a compliance injunction specifying the measures it should have taken to comply with the GDPR, or (ii) ordered it to identify corrective measures and, once it had approved these measures, then imposed an injunction to bring said measures into compliance. The applicant finally proposes to submit the following two preliminary questions to the CJEU, its representative having confirmed at the public hearing that it would waive the third preliminary question: (i) "In light of the general principles of EU law of respect for the rights of the defence and the right to good administration, if a supervisory authority fails to provide reasons for its decision to exercise its power to adopt specific corrective measures rather than others under Article 58(2) of Regulation (EU) 2016/679, does this constitute an error of assessment under EU law in the sense that it must be assumed that that supervisory authority did not exercise its discretion to select an effective and proportionate corrective measure under Article 58(2) of Regulation (EU) 2016/679?" and (ii) "Does a supervisory authority fail to exercise its discretion to select an effective and proportionate corrective measure under Article 58(2) of Regulation (EU) 2016/679 if it does not provide reasons for the corrective measure it has selected?" In the alternative, the applicant requests the court, by way of reversal of the contested decision, to adopt a decision of principle by ordering the CNPD to choose a more appropriate and less onerous corrective measure in accordance with the GDPR's objective of ensuring the protection of personal data and the free movement of such data within the European Union, and in a manner that does not go beyond what is necessary to achieve that objective. The CNPD concludes that the grounds thus set out by the applicant should be dismissed as unfounded.
As a preliminary point, the plaintiff's argument, developed in its plea relating to the existence of an excess or misuse of power on the part of the CNPD, based on former Article 14, now Article 19, of the Constitution, regarding the violation of the principle of legality and legal certainty, must be rejected from the outset, given that the court has held above that said principles are respected in this case. The court must also note, while reiterating its findings in the context of the company's (AA) argument relating to a violation, in this case, of the principle of legality, that the CNPD, within the framework of the measures it may adopt on the basis of the aforementioned Article 58 of the GDPR, has discretionary power to choose the measures it considers, for the specific case submitted to it, the most appropriate to achieve the objectives of the GDPR. In this context, it should be recalled that the discretionary power of administrative authorities is not, however, understood as an absolute, unconditional, or in any respect arbitrary power, but as the ability they have to choose, within the framework of the law, the solution that seems preferable to them for the satisfaction of the public interests for which they are responsible. [72] The administrative judge is called upon, in appeals for reversal, not to examine whether the administration has remained within its margin of appreciation, as such an approach is required in appeals for annulment, but to verify whether its assessment is consistent with that of the administration and, if not, to substitute its own decision for that of the administration. [73] In this context, recital 148 of the GDPR also specifies that in order to "(…) strengthen the application of the rules of this Regulation, sanctions, including administrative fines, should be imposed for any infringement of this Regulation, in addition to or instead of appropriate measures imposed by the supervisory authority under this Regulation.
In the case of a minor infringement or if the fine that may be imposed would constitute a disproportionate burden for a natural person, a warning may be issued instead of a fine. However, due account should be taken of the nature, seriousness, and duration of the infringement, the intentional nature of the infringement and the measures taken to mitigate the damage suffered, the degree of responsibility or any previous relevant infringements, the manner in which the supervisory authority became aware of the infringement, compliance with measures ordered against the controller or processor, the application of a code of conduct, and any other aggravating or mitigating circumstances. The application of sanctions, including administrative fines, should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including the right to effective judicial protection and due process.", so it should be noted that the objective of the measures recommended in Article 58 of the GDPR is twofold: they are intended, on the one hand, to ensure compliance with the GDPR by enabling the competent national supervisory authorities to put an end to any violation of the GDPR and to ensure that data controllers comply with it in the future, and, on the other hand, to sanction the latter for the breaches identified. This approach was followed in this case by the CNPD through the fine imposed on the company (AA), the corrective measures imposed subject to a periodic penalty payment, as well as the decision to publish the contested decision under the conditions of Article 52 of the Law of August 1, 2018.
[72] Adm. Tribunal, October 10, 2007, No. 22641 of the docket, Adm. Pas. 2023, V° Appeal for annulment, No. 60 (3rd part) and the other references cited therein.
[73] Adm. Court, November 23, 2010, No. 26851C of the docket, Adm. Pas. 2023, V° Appeal for revision, No. 12 (2nd part) and the other references cited therein.
[74] This dual objective of the measures to be adopted by the competent supervisory authorities for the protection of private data also stems from Recital 129 of the GDPR, which states that "In order to ensure that this Regulation is enforced and monitored consistently throughout the Union, supervisory authorities should have, in each Member State, the same tasks and the same effective powers, including investigatory powers, the power to adopt corrective measures and to impose sanctions."
Indeed, these measures aim to sanction the applicant for the violations of the GDPR found against it, as well as to compel it to remedy them so that these violations cease, while providing, through the publication of the contested decision, clarification, both for other national supervisory authorities competent for the protection of personal data and for other controllers regarding the application of Articles 6, 12 to 17, and 21 of the GDPR with the aim of enabling harmonized application of said Community rules within the European Union, it being specified that Article 58, paragraph (2), i) of the GDPR expressly provides for the option for national supervisory authorities to impose an administrative fine, "(…) in addition to or instead of the measures referred to (…)" in points (a) to (j) of the same article. Based on the foregoing considerations, the applicant's argument that the CNPD violated Article 58 of the GDPR by directly imposing a fine on it and without providing reasons for its decision not to resort to the other measures provided for in Article 58, paragraph (2) of the GDPR must first be rejected.
It should be noted that the CNPD expressly and clearly justified its decision to impose a fine on the company (AA), taking into account the criteria of Article 83, paragraph (2) of the aforementioned GDPR, which it considered relevant in this case, specifically points (a), (b), (f) and (k) of said article, while subsequently explaining the reasons why it considered that the amount of the fine based on the company's total turnover for 2020 (FF) was effective, dissuasive and proportionate, in accordance with the requirements of Article 83, paragraph (1) of the GDPR. Thus, it must be held that the CNPD complied with its obligation to provide reasons for the fine imposed on the applicant, without it being possible to criticize it for automatically imposing such a penalty on the applicant. It should also be noted that the company (AA) failed to invoke any legal provision imposing on the CNPD an obligation to provide reasons for its decision not to resort to the other measures provided for in Article 58, paragraph (2) of the GDPR. The same conclusion must apply to the applicant's claims that the CNPD could only have imposed administrative fines against it by establishing the intentional nature of the violations of Articles 6, 12 to 17, and 21 of the GDPR, as already noted above. Furthermore, the applicant has failed to invoke any legally binding provision requiring the CNPD to first issue a formal notice to the data controller before imposing an administrative fine or corrective measure. 
Such an approach, as rightly explained by the CNPD, would result in data controllers being disinclined to comply with the GDPR from the outset, whereas they could process personal data in a manner that does not comply with the principles and obligations arising from the GDPR, only to bring said processing into compliance with the GDPR after receiving an injunction from the competent supervisory authorities, which is not the objective of the GDPR, which is to effectively protect personal data. The court must also note that the purpose of an administrative fine is not to put an end to GDPR violations, but to punish past violations of the regulation. The objective of ensuring that a data controller who has violated the GDPR will comply with it in the future is achieved by imposing other measures provided for in Article 53 of the GDPR, such as, in this case, the issuance of injunctions under penalty payments, a finding corroborated by the Council of State's opinion of March 30, 2018, relating to the draft law establishing the CNPD and implementing the GDPR. 
It follows that, contrary to the applicant's argument, the daily penalty payment should not be considered as being additional, either generally or in this case, to the administrative fine, since the two measures do not serve the same purpose - the fine having been imposed, as noted above, to punish the violations of the GDPR found on the part of the company (AA) due to its processing of personal data, as it had operated until then, while the daily penalty payment relates to the corrective measures aimed at ensuring that the applicant now complies with the GDPR - so that the imposition of a penalty payment could, on the one hand, have been validly provided for by the legislature through Article 49 of the Law of 1 August 2018, in accordance with Article 84, paragraph (1) of the GDPR, according to which "Member States shall lay down the rules on other penalties applicable to infringements of this Regulation, in particular infringements not subject to the administrative fines provided for in Article 83, and shall take all measures necessary to ensure their implementation. These penalties shall be effective, proportionate, and dissuasive," and, furthermore, applied in this case by the CNPD.
The applicant's claim that the measures imposed against it were intended only to punish it must therefore be dismissed as unfounded, as must its argument that the practical implementation of the daily penalty payment could undermine the uniform application of the GDPR, in that such a measure would not be subject to the cooperation mechanism of Article 60 of the GDPR, whereas, as stated above, said measure was validly provided for in national law in accordance with the GDPR. In this context, the court must still reject the plaintiff's claims that the practical implementation of the daily penalty payment could lead to the imposition of an amount higher than the maximum amount provided for in Article 83, paragraphs (3) and (5) of the GDPR, whereas, on the one hand, the aforementioned article applies only to fines and not to periodic penalty payments and, on the other hand, the CNPD has the discretionary power to set the final amount of the penalty payment lower than that resulting from the initial decision, in accordance with Article 49, paragraph (2) of the Law of August 1, 2018, in the event of compliance with the measure ordered under penalty of a periodic penalty payment. This conclusion is not called into question by the company's (AA) argument that other national supervisory authorities have favored formal notices, or the signing of commitments before closing the files submitted to them, without imposing fines. On the contrary, it is clear from the CNPD's detailed explanations, provided in its response and rejoinder, that administrative fines constitute the corrective measure often used by the said authorities, insofar as 1,058 such fines were imposed between July 2018 and April 2022, 365 of which specifically addressed the circumstance that the processing of personal data was not, as is the case here, based on a sufficient legal basis within the meaning of Article 6, paragraph (1) of the GDPR.
The court must ultimately reject the plaintiff's argument that, instead of supplementing the corrective measures imposed against it with a daily penalty payment, the CNPD could have relied on Article 83, paragraph (6) of the GDPR and imposed a fine against it for non-compliance with the injunctions. This being the case, aside from the CNPD's discretionary power in this matter, such a fine would also have served only to penalize the plaintiff for having violated its obligations, this time not under the GDPR, but under the injunction issued against it, without necessarily aiming to effectively ensure the protection of personal data. Based on all of the foregoing considerations, and while reiterating its findings relating to compliance, in this case, with the principles of legality and foreseeability, the court must reject the applicant's argument based on the existence of an excess, or misuse, of powers on the part of the CNPD as unfounded, without there being any need to submit the aforementioned questions to the CJEU for a preliminary ruling as irrelevant. The company (AA) further claims that the contested decision violates its right to a fair trial, enshrined in Articles 41, paragraph (2), (c) and 47 of the Charter, as well as Article 6, paragraph (1) of the ECHR, arguing that it is incumbent on the authorities imposing administrative sanctions to provide explanations as to the reasons for such measures, in order to enable the persons concerned to defend their rights and decide, with full knowledge of the facts, whether it is advisable to refer the matter to the competent court. However, in this case, the contested decision failed to provide any explanation as to how the fine imposed on it was calculated. 
Thus, the contested decision failed to explain the reasons why (i) it used the company's 2020 turnover as the basis for calculation, (ii) the amount of the fine was necessary to achieve the objectives pursued by the CNPD, (iii) it would have been necessary or appropriate to impose almost double the fine recommended by the head of investigation in the statement of objections, while having yet identified fewer GDPR violations than the head of investigation, and (iv) the additional daily penalty payment of €746,000 per day of delay in the enforcement measures would have been necessary or appropriate, both in principle and in quantum. The applicant finally criticizes, in the context of the allegation of a violation of its right to a fair trial, the decision under appeal on the grounds that the CNPD failed to explain how its analysis of the criteria of Article 83, paragraph (2) of the GDPR relates to the amount of the fine, and not to the principle of imposing a fine. The CNPD rightly concludes that the applicant's argument should be rejected, since, apart from the fact, as noted above, that Article 41, paragraph (2), c) of the Charter is not applicable in this case, the decision under appeal duly explained the legal grounds underlying the amount of the fine, as well as the periodic penalty payment, by referring to Article 83, paragraph (5) of the GDPR, cited above, and Article 49, paragraph (1) of the Law of 1 August 2018, according to which "The CNPD may, by decision, impose on the data controller or processor, with the exception of the State and municipalities, periodic penalty payments of up to 5 percent of the average daily turnover achieved during the preceding financial year, or during the last closed financial year, for each day of delay, starting from the date it sets in its decision, to compel it: 1° to provide all information requested by the CNPD pursuant to Article 58, paragraph 1, letter a) of Regulation (EU) 2016/679; 2° to comply with a corrective measure adopted by the CNPD pursuant to Article 58, paragraph 2, letters c), d), e), f), g), h) and j) of Regulation (EU) 2016/679. (…)".
In this context, the court must also reject the plaintiff's argument relating to a violation of its right to a fair trial with regard to the amount of both the fine and the daily penalty payment imposed on it by the contested decision, based on the considerations set out above regarding the principle of legality and foreseeability of penalties, as well as the CNPD's discretionary power to set the measures to be adopted based on Articles 58, paragraph (2) and 83 of the GDPR, as well as Article 49 of the Law of August 1, 2018. The court must note in particular, in this context, that the CNPD explained, in the contested decision, the legal framework under which it took into account the turnover of the American company (FF), while relying on the chain of ownership of the shares of the applicant, wholly owned by the American company (II), itself wholly owned by the aforementioned American company, an approach recommended both by recital 150 [75] of the GDPR, as well as by the relevant case law of the CJEU, to apply to the said turnover of $386,064,000,000 in 2020, the range of Article 83, paragraph (5) of the GDPR.
In this context, it should also be noted that the reference year to be taken into consideration with regard to the turnover in relation to which the maximum limits of Article 83, paragraph (5) of the GDPR are to be applied, although the aforementioned article only refers to the concept of "the preceding year," is that of the year preceding the decision to impose the fine in question, as is clear from the CJEU judgment of 26 January 2017 in Badezimmerkartell Laufen Austria, the principle of which, established in competition law, is applicable by analogy to the protection of personal data. The applicant's argument challenging the amount of the fine and the periodic penalty payment must also be rejected, given that the CNPD took into consideration the criteria it deemed relevant, while analyzing in detail the criteria of effectiveness, deterrence, and proportionality, thereby enabling the applicant to understand the reasoning adopted by the CNPD in this context and to decide, with full knowledge of the facts, whether an appeal against the decision under review would be useful. This conclusion is not called into question by the applicant's argument that the CNPD imposed a fine nearly double that recommended by the head of investigation in the statement of objections, despite having found fewer GDPR violations than the latter, since the amount put forward by the latter constitutes only a proposal that is not binding on the CNPD, which, as stated above, has discretion regarding the penalty to be imposed in the event of a finding of GDPR violations by a data controller, a discretion that also exists with regard to setting the amount of the fine within the limits of the conditions of Article 83 of the GDPR. 
Along the same lines, the applicant's argument challenging both the principle and the amount of the daily penalty payment attached to the corrective measures must be rejected, since the penalty payment must necessarily have a deterrent effect in order to enable the CNPD to enforce the GDPR as quickly as possible, especially given the seriousness and scope of the GDPR violations rightly found against the applicant. Finally, the applicant's claim that the CNPD failed to explain how its analysis of the criteria in Article 83(2) of the GDPR relates not to the principle of imposing a fine, but to the amount of the fine, must be rejected. The decision under appeal explicitly states that the CNPD repeated, in its entirety, its analysis of the criteria in Article 83(2) of the GDPR to determine the amount of the fine, the authority having, in fact, specified that "(…) 93. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above and after an assessment of all the circumstances of the case, the Restricted Committee considers that the imposition of a fine of seven hundred and forty-six million euros (EUR 746,000,000), in addition to the corrective measures mentioned under III.2.2., is both effective, proportionate, and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR. (…)". It follows from all of the foregoing considerations that the applicant's argument based on a violation of its right to a fair trial, enshrined in Articles 41, paragraph (2), (c) and 47 of the Charter, as well as Article 6, paragraph (1) of the ECHR, is liable to be dismissed in all its aspects as unfounded.
[75] According to recital 150 of the GDPR, "(…) When administrative fines are imposed on an undertaking, this term must, for this purpose, be understood as an undertaking in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union. (…)".
The plaintiff then argues that the CNPD's contested decision should be reversed for violating Article 83 of the GDPR in several respects. It argues, first of all, in this context, that the CNPD wrongly used the total worldwide annual turnover of the American company (FF) for 2020 as the basis for calculating the fine, which would have been $386,064,000,000, concluding that a fine of €746 million would have been appropriate in this case, even though it should have been based on the turnover of the company (AA), since the factors to be taken into consideration under Article 83(2) of the GDPR would all focus on the conduct of the allegedly infringing party. Thus, adopting the CNPD's approach would result in a fine being levied on the turnover relating to services provided by (AA) unrelated to the disputed activity, including services unrelated to the European Union and to which the GDPR does not even apply. Furthermore, to the extent that the CNPD relied on competition law theory regarding the definition of the term "undertaking" in deciding to use the turnover of the American company (FF), the plaintiff argues that the contested decision did not correctly calculate and did not justify the fine in accordance with established practices in competition law and other administrative procedures imposing fines. In this context, the applicant claims that, in order to determine the basic amount of the fine to be imposed, the CNPD should have taken into account (i) the value of sales of goods or services made by the company, directly or indirectly related to the infringement, in the relevant geographical area within the territory of the European Economic Area, (ii) the company's sales during the last full year of its participation in the infringement, and (iii) circumstances leading to an increase or reduction in the basic amount.
Thus, according to the applicant, the CNPD should have limited itself to taking into account its turnover relating to the PBI (interest-based advertising) based on any processing constituting the infringement, while indicating the sales values, the duration of the infringement, the percentages, as well as the aggravating and/or mitigating factors, which it nevertheless failed to do. In this context, the plaintiff further suggests that the amount of the fine imposed by the CNPD represents three times its 2018 advertising revenue, circumstances which demonstrate both the disproportionate nature of the fine and the lack of reasoning in the decision under appeal. In the same vein, the plaintiff argues that the daily penalty payment of €746,000 exceeds its entire daily advertising revenue, so as to exceed the limit of 5% of the company's worldwide daily revenue, as set out in Article 49 of the Law of August 1, 2018. Finally, the CNPD failed to provide explanations on how the mitigating factors it had identified, such as pseudonymization and the strength of its opt-out mechanism, would have led to a reduction in the fine, contrary to the requirements of the case law of the Court of First Instance of the European Union in competition law matters. The plaintiff then criticizes the fact that the CNPD, in the contested decision, referred to the American company's (FF) turnover for 2020 as the basis for the fine imposed on it, whereas the said authority should have used its turnover for 2018, relating to the year preceding the assessment of the GDPR violations found against it, or alternatively, based on the methodology applied in competition law, the turnover for 2019. The company (AA) argues, in this context, that, based on a purely textual analysis of Article 83(4) of the GDPR, the expression "previous financial year" should refer to the noun "violation."
Thus, to the extent that the CNPD's assessment of the facts had been carried out when the investigation was opened in April 2019, the turnover to be considered would have been that of 2018, an approach that has also been adopted by other national supervisory authorities with jurisdiction over personal data protection. Had the CNPD also followed this approach, it should have noted that the fine in dispute would represent approximately 11% of the applicant's total turnover, which would correspond to almost three times the maximum of 4% permitted by Article 83, paragraph (4) of the GDPR. Based on the competition law methodology, as set out in the European Commission's Guidelines on the Methodology of Fines, the applicant explains that the CNPD should have, in a two-step process, first set the "basic amount of the fine" by reference to the value of the company's sales of the products or services to which the infringement relates directly or indirectly – which would allow for an adequate measurement of the additional profits made by the company as a result of the infringement and the resulting harm to consumers and competitors – and then adjusted the basic amount, upwards or downwards, based on aggravating or mitigating circumstances, such as, in this case, the corrective measures adopted in 2020. It would therefore be logical to consider the turnover for the year preceding the correction of the alleged infringement, in this case the year 2019, which would allow the controller's unlawful activity to be taken into account, while not punishing it for the year in which it remedied the violation, as well as for subsequent years. The applicant suggests that a fine calculated using the aforementioned method would be proportionate, linked to the turnover wrongfully obtained through the unlawful activities and to recognize the efforts made by the controller to remedy the violations, an approach that the CNPD, however, did not follow in this case. 
The applicant also proposes to submit two preliminary questions to the CJEU, its representative having expressly stated at the public hearing that it waived the other questions raised in its appeal in the context of its arguments relating to the various measures imposed against the company (AA), the two questions maintained being worded as follows: "Does Article 49 of the 2018 Law infringe Article 83 of Regulation (EU) 2016/679 and Article 4(3) of the TEU by granting the CNPD the power to impose a daily fine of up to 5% of the average daily turnover achieved during the preceding financial year, or during the last financial year for which a conclusion has been reached, which may lead to fines exceeding the maximum fines provided for in Article 83(4) and (6)? Are such additional fines compatible with the intention of Regulation (EU) 2016/679 to apply Union law uniformly in order to avoid unequal treatment of data controllers based on the Member State of their main establishment?" and "When establishing an undertaking's annual turnover in accordance with Article 83(4) and (5) of Regulation (EU) 2016/679, must the supervisory authority take into account activities of the undertaking or group of undertakings (...) that are entirely unrelated to the processing considered to be in violation of Regulation (EU) 2016/679?" In its reply, the applicant emphasizes its argument that the CNPD wrongly referred to the turnover of the American company (FF) on the one hand, and of 2020 on the other. The CNPD concludes that this aspect of the applicant's argument based on a violation of Article 83 of the GDPR with regard to turnover, as well as the related reference year to be taken into consideration when setting a fine, should be dismissed, just as it requests the dismissal of the preliminary questions raised in this context.
The court must first recall that in the specific context of calculating administrative fines imposed for violations referred to in Article 83(4) to (6) of the GDPR, the interpretation of the concept of "undertaking" must be carried out, in accordance with recital 150 of the GDPR, within the meaning of Articles 101 and 102 of the TFEU and includes any entity carrying out an economic activity, regardless of its legal status and its method of financing. It thus refers to an economic unit even if, from a legal perspective, this economic unit consists of several natural or legal persons. This economic unit consists of a unitary organization of personal, tangible, and intangible elements pursuing a specific economic purpose on a long-term basis. [76] Thus, where the recipient of the administrative fine is or forms part of an undertaking, within the meaning of Articles 101 and 102 of the TFEU, the maximum amount of the administrative fine is calculated on the basis of a percentage of the total worldwide annual turnover for the previous financial year of the said undertaking concerned. Furthermore, only an administrative fine whose amount is determined based on the actual or material economic capacity of its recipient, and therefore imposed by the supervisory authority based, with regard to its amount, on the concept of economic unit, is likely to meet the three conditions set out in Article 83(1) of the GDPR, namely that it must be effective, proportionate, and dissuasive. [77] Thus, contrary to the applicant's argument, the worldwide turnover of the undertaking concerned must be taken into consideration, which should therefore not be limited solely to the volume of business directly related to the activity in the context of which a violation of the GDPR was validly found.
[76] Judgment of the CJEU of 6 October 2021, Sumal, C‑882/19, paragraph 41 and the case law cited therein.
[77] CJEU judgment of December 5, 2021, Deutsche Wohnen, C-807/21, paragraphs 57 and 58.
Furthermore, since it is common ground, and not contested by the parties, that the applicant is wholly owned by the American company (II), which is itself wholly owned by the American company (FF), the said companies must be considered as an economic unit, such that no criticism can be leveled at the CNPD for having taken the turnover of the American company (FF) as the basis for determining the amount of the fine, in compliance with the conditions of Article 83 of the GDPR. It should also be noted that the reference period to be taken into consideration for the company's turnover is the year preceding the decision of the authority imposing an administrative penalty, in this case 2020, in accordance with the relevant case law of the CJEU, such that the CNPD rightly referred to the amount of $386,064,000,000, corresponding to the turnover of the American company (FF) in 2020. In this context, the court must still reject the applicant's claim that the CNPD failed to take into consideration the duration of the infringement, as well as the aggravating and mitigating factors, whereas, on the contrary, it is clear from the contested decision that the CNPD highlighted these elements by noting, on the one hand, that the violations found on the part of the company (AA) had begun on May 25, 2018, and, on the other hand, the mechanism of pseudonymization as a mitigating circumstance, as well as the financial advantage derived for the plaintiff from the PBI, as an aggravating factor. Furthermore, it should be noted that the applicant has failed to invoke any legal provision applicable to the dispute under review, pursuant to which it would be up to the CNPD to quantify the impact of these mitigating and aggravating circumstances on the amount of the fine.
It should also be noted that Article 83, paragraph (1) of the GDPR states that the setting of the fine must, apart from the limits set in paragraphs (4) and (5) of the GDPR, only comply with the requirements of effectiveness, proportionality, and deterrence, criteria that the CNPD took into account and explained in the contested decision. Finally, the applicant's argument regarding the amount of the penalty payment must be rejected, based on the same considerations as those raised above in the applicant's argument regarding the existence of an excess, or misuse of, power on the part of the CNPD, and relating to the punitive nature of the fine, for past violations of the GDPR, whereas the objective of the corrective measures, as well as the penalty payments that may accompany them, is to ensure that the data controller will now comply with the GDPR as soon as possible. It follows from the foregoing considerations that the applicant's argument alleging a violation of Article 83 of the GDPR and relating to the question of the entity whose turnover is to be taken into account, as well as the year of said turnover, for the purpose of setting a fine, must be rejected, since the CNPD was right to rely on the turnover of the American company (FF) for 2020, without it being necessary to submit to the CJEU the questions referred for a preliminary ruling by the applicant, in this context, for lack of relevance.
[78] Judgments of the CJEU of 26 January 2017, Badezimmerkartell Laufen Austria, C-637/13P, paragraph 49, and of 4 September 2014, YKK and Others, C-408/12P, paragraph 90.
The company (AA) then criticizes the contested decision regarding the CNPD's assessment of the factors set out in Article 83, paragraph (2) of the GDPR, on the grounds that the latter misinterpreted several of these factors and failed to take into account the numerous factors arguing against a fine.
The applicant further asserts, in this context, that the omission of factors would further contravene the procedural requirements of the CNPD, which should have conducted both incriminating and exonerating investigations. With regard, first of all, to the criterion set out in Article 83, paragraph (2), b) of the GDPR, according to which the violation must have been committed deliberately or negligently, the applicant argues that the decision under appeal recognized that it had not violated the GDPR negligently, let alone intentionally, and concluded that no "culpable violation" could be attributed to it and that it should therefore not have been subject to a fine. Even assuming that it had acted negligently, the CNPD should have reduced the fine, since its conduct only met the lowest level of culpability, a consideration that also emerges from the Article 29 Working Party's WP253 Guidelines of October 3, 2017, on the application and setting of administrative fines, according to which it is "(…) generally accepted that violations committed deliberately, which demonstrate disregard for legislative provisions, are more serious than violations committed non-deliberately and that, consequently, they are more likely to justify the imposition of an administrative fine." In this context, the applicant further criticizes the contested decision for failing to specify the impact of its benign intentions, in this case, on the amount of the fine.
In its reply brief, the plaintiff, apart from arguing that the CNPD, on the one hand, found the absence of intent or negligence on its part in the alleged violations of the GDPR, and, on the other hand, could not modify its argument, through its reply brief, to henceforth assert that it acted negligently, further maintains that the conditions for attributing negligent actions to it based on violations of Articles 6, 12 to 17, and 21 of the GDPR are not met in this case, since it did not act in clear contradiction with the regulatory framework applicable to it. As for the criterion of Article 83, paragraph (2)(a) of the GDPR, according to which it is for national supervisory authorities to take into account "the nature, gravity, and duration of the breach, taking into account the nature, scope, or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they have suffered," the applicant criticizes the CNPD for not taking into account its comments made in its position paper of August 20, 2020, but for merely issuing generalizations that do not adequately support the fine imposed on it. In this context, the company (AA) argues, first of all, with regard to the nature and seriousness of the violation, in particular, that it has not violated Article 6, paragraph (1) of the GDPR, nor Articles 12 to 17 and 21 of the GDPR, which, moreover, are not part of the scope of the investigation in this case. It also states that the contested decision failed, on the one hand, to indicate specific cases where the said regulatory provisions were violated, and the actual harm suffered in this regard, and, on the other hand, to take into account the efforts made by the company (AA) to comply with the obligations arising from the aforementioned articles of the GDPR. 
It also suggests, in this context, that the CNPD failed to address relevant facts to assess the nature and seriousness of the alleged violations, such as, more specifically, the prohibition on displaying the PBI for certain sensitive products and vulnerable individuals, the pseudonymization of personal data collected, the limitation of the types of data used, the non-sharing of the processed data with third parties, as well as the fact that the disputed PBI targeted individuals who had already viewed or purchased products in the Boutiques (AA). It reiterates these considerations in its reply. The plaintiff further notes, with regard to the criterion of the duration of the alleged violations, that the CNPD limited itself to stating that the said violations began at least on May 25, 2015, and continued until the start of the investigation, which suggests that the said violations lasted longer. Furthermore, the contested decision allegedly failed to take into account the corrective measures it allegedly implemented during the investigation, which, according to the Commission, resulted in correcting the alleged violations by August 2020 at the latest. It concludes that the fine imposed on it, due to these deficiencies, cannot be considered effective, dissuasive, and proportionate. It also disputes the CNPD's explanations regarding the number of individuals affected by the disputed processing of personal data, suggesting that there is no reason to equate the number of terminal devices registered in its system with the number of individuals concerned, since the same individual could interact with the company (AA) through multiple devices. Thus, the number of distinct individuals concerned, for whom the company (AA) allegedly holds advertising profiles, only represents a small percentage of the total number of records. The applicant further notes that several of the violations alleged against it only target "a few thousand individuals at most."
The applicant further refutes the level of harm as established by the contested decision, arguing that the CNPD's assertion that its customers could suffer a deprivation due to inaccurate profiles is based solely on a set of imagined facts. Furthermore, said harm is unrelated to the alleged violation of Article 6, paragraph (1), f) of the GDPR, such that it cannot justify the fine imposed on it, both in principle and in the amount of the fine, especially since it offers a simple opt-out mechanism that, when exercised, prevents any harm from materializing to the data subject. In its reply, the plaintiff reiterates its considerations relating to the scope, duration, number of data subjects, and the level of the alleged damages suffered as a result of its disputed processing of personal data in the context of the PBI, arguing that the CNPD (i) failed to establish the existence of any harm, (ii) misrepresented and overestimated the scope of its activities, as well as their impact on the data subjects, and (iii) failed to establish the impact of the duration of the alleged violations on the amount of the fine. The company (AA) then highlights its level of cooperation with the CNPD, a criterion to be taken into account in accordance with Article 83, paragraph (2), f) of the GDPR, which it describes as voluntary, transparent, and close throughout the investigation conducted against it, to criticize the CNPD for not having taken this cooperation into consideration in a significant manner, or even for having minimized it under the pretext that it was required by law. The applicant, in its reply, further notes, in this context, the finding of the head of investigation describing its cooperation as "particularly constructive," and refutes the CNPD's analysis, according to which a distinction should be made between cooperation required by law and extra-legal cooperation, whereas such a distinction is not provided for by Article 83, paragraph (2), f) of the GDPR. 
Furthermore, the CNPD allegedly failed to explain the impact of the cooperation observed in this case on the amount of the fine imposed against it, with the applicant further refuting the CNPD's assertion that its challenges to the alleged violations should be analyzed as a refusal to cooperate with the CNPD. Regarding the criterion provided for in Article 83, paragraph (2), g) of the GDPR relating to categories of personal data, the applicant maintains that it only processes data without which it could not reasonably and effectively pursue its legitimate interests, while specifying that it applies limitations to the type of data used to display PBI. However, the CNPD allegedly only considered these limitations as a factor in favor of the applicant's use of the legal basis of legitimate interests, without, however, referring to them in its arguments regarding the imposition of a fine and its amount, except to invoke non-existent and false assumptions regarding certain categories of data, with a view to imposing a higher fine. Similarly, the CNPD also allegedly ignored, in determining the fine, the opt-out mechanism offered to data subjects, allowing them to avoid the PBI relating to products or services offered to them based on personal data that, at first glance, appear innocuous but nevertheless constitute highly sensitive data. In its reply, the applicant, while reiterating its arguments regarding the limitation on the use of certain types of data, as well as its opt-out mechanism, further argues that the CNPD failed to provide it with guidance on how to identify "more sensitive data" and, moreover, failed to provide the slightest evidence that certain data collected was in fact more sensitive. 
The company (AA) further criticizes the decision under appeal regarding the aggravating and mitigating circumstances relied on, based on Article 83, paragraph (2), k) of the GDPR, insofar as the CNPD failed to explain to what extent the mitigating circumstance it allegedly relied on, in this case the pseudonymization of the personal data collected, would have reduced the amount of the fine imposed on it. In its reply brief, the applicant further argues that the pseudonymization it proposes to implement would be more rigorous than the industry standard and go beyond what would be required by the GDPR. Regarding the aggravating circumstances identified by the CNPD, the applicant first refutes the CNPD's analysis of its opt-out mechanism, which, coupled with insufficient transparency, does not contribute to increasing the number of advertising profiles and therefore its financial gain. In this context, it further explains that the CNPD's claim that the fine should have been increased, on the grounds that it would have held data on fewer devices by opting, under the PBI, for an active consent (opt-in) system for the PBI instead of the opt-out mechanism, is completely unsupported and assumes the erroneous premise that consent is a more protective legal basis for private data, while the GDPR does not provide for any hierarchy of legal bases. In its reply, the company (AA) further criticizes the circumstance of being penalized for having implemented a mechanism allowing data subjects to choose not to view the PBI. The applicant further refutes the CNPD's conclusion regarding the financial gain it derives from the disputed data processing, as an aggravating circumstance, since its main activity is the operation of the Boutiques (AA), meaning that it does not depend on advertising for the majority of its revenue, a circumstance allowing it to make a choice that protects its customers' personal data more than other companies in the sector. 
In its reply brief, the applicant further contests the CNPD's assertion that it derives direct and indirect benefits from its GDPR violations, in that its PBI attracts customers to the Boutiques (AA), while arguing that the decision under appeal failed to specify the impact of these considerations on the amount of the fine imposed against it. The applicant finally argues that the contested decision wrongly ignored the other criteria of Article 83, paragraph (2) of the GDPR. In this context, it notes, first of all, the criterion relating to all the measures taken by the controller to mitigate the harm suffered by the data subjects, such as, more specifically in this case, pseudonymization, the limits adopted regarding the scope of processing and the use of cookies, the corrective measures implemented during the investigation, the contractual restrictions imposed on third parties, and the frequency cap, all of which, according to the applicant, go beyond the requirements of the GDPR. The contested decision also wrongly failed to take into account the degree of responsibility of the data controller, given the technical and organizational measures implemented under Articles 25 and 32 of the GDPR. The applicant also cited, in this context, the pseudonymization of the personal data processed, as well as the implementation of its IT system preventing the disclosure to and use by third parties of the personal data processed within the framework of its PBI, while criticizing the CNPD for having attributed full responsibility to it with regard to off-site processing, which should, however, fall under the responsibility of third parties, in this case the operators of said sites. 
In its reply, the company (AA) further argues in this context that the CNPD simply chose to sanction it for alleged breaches committed by other data controllers, without providing any evidence in this regard, while making the same observation regarding the CNPD's criticism that it failed to effectively monitor compliance with the requirements imposed on its co-contractors regarding PBI. The applicant further criticizes the CNPD for not having considered the criterion of Article 83, paragraph (2), e) of the GDPR relating to a relevant breach committed previously, since it allegedly has no history of previous violations of the GDPR, a circumstance arguing against the imposition of a fine, which is also the largest ever imposed under the GDPR. The company (AA) also argues, along the same lines, that the CNPD wrongly failed to take into account the criterion of Article 83, paragraph (2), (i) of the GDPR, which refers to the situation where measures provided for in Article 58, paragraph (2) of the GDPR have already been imposed on a data controller and require an analysis of the manner in which the controller implemented them, which was not the case in this instance. According to the applicant, this criterion should also have led the CNPD not to impose a fine on it, or even to reduce the amount. In its reply, the applicant, while reiterating its considerations relating to the criteria of Article 83, paragraph (2), e) and i) of the GDPR, further argues, with regard to the criterion of Article 83, paragraph (2), h) of the GDPR concerning the manner in which the competent supervisory authority became aware of the violation of the GDPR, that the assertion that the number of complainants could even be considered an aggravating circumstance would be vague and purely speculative, especially since the CNPD has failed to provide evidence that any of the complainants, or even any person, had suffered actual harm. 
Relying on the Article 29 Working Party Guidelines, the applicant further argues that the criterion relating to the manner in which the supervisory authority became aware of the GDPR violation would only be an aggravating circumstance in situations where the controller failed to notify the said supervisory authority of a breach, or was negligent in failing to notify the breach, or in failing to notify it in detail due to its inability to adequately assess the extent of the breach, situations which do not arise in this case. Based on its analysis of the various criteria cited above, the applicant argues that the CNPD, on the one hand, drew erroneous conclusions with respect to the criteria explicitly mentioned in the decision under appeal, and, on the other hand, wrongly refused to take into consideration certain criteria that would have led it to conclude that it should not impose a fine, or reduce the amount thereof, thereby violating the GDPR and Luxembourg law. The applicant further points out, in this context, that the CNPD failed to link the criteria it took into account to the amount of the fine in question, failing to comment on how the factors in Article 83, paragraph (2) of the GDPR contributed to the calculation of the fine. The CNPD concludes that the applicant's argument relating to the criteria of Article 83, paragraph (2) of the GDPR should be dismissed as unfounded. It should first be recalled that, in its analysis of the necessity of imposing a fine, as provided for in the aforementioned Article 58, paragraph (2), i) of the GDPR, and of the amount thereof, it is up to the competent supervisory authority, in this case the CNPD, to take into account the criteria relevant to the specific case submitted to it, as provided for in the aforementioned Article 83, paragraph (2), a) to k) of the GDPR. 
In this context, the court must further note that fines imposed on the basis of Article 58(2)(i) of the GDPR must, in accordance with Article 83(1) of the GDPR, meet the criteria of effectiveness, proportionality, and deterrence, so as to require the competent supervisory authority to take into account all the specific factual circumstances of the case submitted to it. Based on these considerations, the applicant's argument developed in its analysis of various criteria under Article 83, paragraph (2) of the GDPR, which alleges that the CNPD failed to provide a calculation method to trace the impact, on the amount of the fine, of the various criteria that the company (AA) considers to be met and which, according to the company, should have led to a reduction in the amount of the fine imposed on it, must be rejected from the outset. The court must, in fact, note, with regard to the assessment of the various factors in Article 83, paragraph (2) of the GDPR, that their positive or negative impact on the amount of the fine cannot be predetermined by means of tables or percentages, since the actual quantification of the fine must necessarily be carried out based on all the evidence gathered during the investigation and from the perspective of the criteria of effectiveness, proportionality, and deterrence set out in Article 83, paragraph (1) of the GDPR. The court must then note that it has just held above that (i) the company (AA) acted negligently in violation of Articles 6, 12 to 17, and 21 of the GDPR, (ii) that the violations of the aforementioned articles have been duly established, on its part, and (iii) that it has not adopted, according to the latest submissions, sufficient corrective measures to be considered to comply with the requirements of the aforementioned articles of the GDPR. 
It also emerges from the court's findings that the company (AA) committed violations of Articles 6, 12 to 17, and 21 of the GDPR, based on the processing of a very large volume of personal data, impacting a particularly large number of individuals who, for a period of several years, were subjected to processing of their personal data that was not validly based on one of the grounds for lawfulness set out in Article 6, paragraph (1) of the GDPR, and, in the context of said processing, were not granted the rights conferred on them by Articles 12 to 17 and 21 of the GDPR. The court must also note, in this context, that the processing of personal data in dispute was not confined to Luxembourg territory, but necessarily had at least a European, if not global, scope, having been carried out on the basis of the activities of said individuals on the websites operated by the company (AA). Based on these considerations, the plaintiff's argument criticizing the CNPD's findings regarding the negligent nature of its actions, as well as the nature, seriousness, and duration of the violations found against it, must be rejected. In this context, the court must also reject the plaintiff's argument that the CNPD failed to duly consider the various elements, which it considers to be mitigating circumstances, in its analysis of the criteria of Article 83, paragraph (2) of the GDPR for setting the amount of the fine at €746 million, and thus further violated the principle of proportionality. Indeed, based on the finding that the company (AA) committed violations of Articles 6, 12 to 17, and 21 of the GDPR, it is liable to the maximum amount of a fine under Article 83, paragraph (4) of the GDPR, corresponding to 4% of the worldwide turnover of the American company (FF), i.e., a maximum fine of approximately €12.46 billion. However, the CNPD imposed only one fine, although significant in itself, but corresponding to only approximately 0.24% of said turnover. 
The amount of said fine was essentially due to the size of the turnover taken as a reference, which must necessarily have an impact on the final amount of the fine so that the latter, for the company concerned, is effective, dissuasive, and proportionate, criteria that the CNPD validly took into consideration in this case. It follows that the fine imposed cannot already be considered disproportionate, noting that only the validly met criteria of Article 83, paragraph (2) of the GDPR are to be considered, and that the fact that not all the criteria are met is not a mitigating circumstance, noting that the CNPD rightly emphasized that cooperation is mandatory. As an anecdote, it should also be noted that by applying the calculation method recommended by Guidelines 04/2022 of May 24, 2023 on the calculation of administrative fines under the GDPR, the amount imposed by the CNPD falls within the range of fines proposed by the EDPB for violations of low severity, or even within the lower limit of violations of medium severity. This means that, in the presence of violations of non-negligible gravity, such as those found in this case against the company (AA), the CNPD, by following the aforementioned guidelines, clearly took into consideration mitigating circumstances, such that no violation of the principle of proportionality can be found in the latter's case. The applicant's argument alleging a violation of Article 83 of the GDPR, as well as its arguments relating to a violation of the principle of proportionality, must therefore be rejected in all their aspects as unfounded.
Footnote 79: It is common ground, and not disputed by the parties, that the turnover for 2020 of the American company (FF) was $368,064,000,000, which, based on the exchange rate of 0.8466 in effect on July 15, 2021, the date the decision under appeal was issued, is equivalent to €311,60,982,400.
Finally, the applicant criticizes the CNPD for not having justified its decision to publish the contested decision, by limiting itself to explanations that such publication would not risk causing disproportionate harm to the parties involved. In this context, the company (AA) argues that publication of the contested decision would aggravate its harmful effects by adding, to the larger fine imposed under the GDPR, as well as the corrective measures imposed on it, requiring it to make substantial changes to its services, significant damage to its reputation. Such publication would (i) generate significant additional media attention, (ii) cause its customers to question the trust placed in its company, and (iii) encourage third parties to attack (AA) in the media without necessarily assessing the legal nuances of the contested decision. The company (AA) concludes that publication of the contested decision would cause it disproportionate reputational damage, such that the decision should be reversed on this point. In its reply, the applicant emphasizes that the CNPD's decision to publish the contested decision would be disproportionate and violate Article 52 of the Law of August 1, 2018. This finding is not invalidated by the CNPD's argument that the majority of data protection supervisory authorities publish their decisions to ensure transparency and deter future non-compliance. However, such a consideration would not be relevant since the criterion set out in Article 52 of the Law of 1 August 2018 would only authorize publication if a supervisory authority demonstrated the absence of a risk that publication would cause disproportionate harm, proving that the CNPD had not sufficiently stated the objectives of publication alone, namely to ensure transparency and strengthen the deterrent nature of sanctions. 
Moreover, the circumstances that LQDN's initial complaint was public, that the existence of said complaint demonstrated a public interest in the case under review, and that the nature of the offenses and the number of persons concerned justified publication of the contested decision would be irrelevant to the criterion set out in Article 52 of the Law of 1 August 2018. The same finding should be made with regard to the fact that elements of the disputed decision and the summary proceedings were allegedly disclosed to the media. The CNPD concludes that the applicant's argument based on a violation of Article 52 of the Law of August 1, 2018, with regard to the part of the contested decision that retained its publication, should be dismissed as unfounded. Under Article 52 of the Law of August 1, 2018, "The CNPD may order, at the expense of the sanctioned person, the publication in full or in part of its decisions, with the exception of decisions relating to the imposition of periodic penalty payments, and provided that: 1° the appeals against the decision have been exhausted; and 2° the publication is not likely to cause disproportionate harm to the parties involved." Although the publication of an administrative decision imposing a GDPR fine can generally harm the reputation and be likely to lead to a loss of confidence among customers, business partners, and investors of the entity concerned, the court must nevertheless hold that it has not been established that the publication of the contested decision itself causes harm to the company (AA) that could be described as disproportionate. 
It should be noted, first of all, that, on the one hand, both the contested decision and the aforementioned interim order of December 17, 2021, have already been the subject of a certain amount of media coverage, which has had the effect of bringing to the public's attention that the applicant has been subject to an administrative fine of €746 million from the CNPD, as well as corrective measures accompanied by a penalty payment of €746,000 per day of delay. However, on the other hand, it has not been asserted, let alone established by the applicant, that the media coverage of this information would have had a negative impact, in the years following the contested decision, on its turnover or, respectively, on the number of people using the services (AA). Furthermore, based on the premise that the plaintiff is one of the major players in online commerce, that the violations rightly found against it concern the essential principles and rights of Articles 6, paragraph (1), 12 to 17 and 21 of the GDPR and relate to the lawfulness of processing, transparency, as well as the data subjects' right to access, rectify, erase, and object, and that the plaintiff has processed and continues to process a very large amount of personal data to create several billion advertising profiles from said data, such that said violations have had a very far-reaching impact, in terms of the volume of personal data and the number of individuals affected by the disputed processing, the court must hold that the proposed publication of the CNPD's disputed decision necessarily has a positive impact. 
Thus, the publication of the contested decision, in addition to the preventive and dissuasive nature of such a measure, allows individuals whose personal data has been processed by the applicant to know precisely the claims against the company (AA), which makes it possible to rule out any speculation or assumptions relating thereto, and, correlatively, to assess the effectiveness and efficiency of the control carried out by the competent national authorities for the protection of personal data, elements which undeniably contribute to reassuring these individuals, thereby minimizing any potential damage to the applicant's reputation and the trust placed in it. Based on all of the foregoing considerations, the plaintiff's argument alleging a violation of Article 52 of the Law of August 1, 2018, must be dismissed, as it has not been established that the publication of the contested decision under review, in compliance with the conditions imposed by said article, is likely to cause disproportionate harm to the company (AA). The plaintiff also requests the award of procedural compensation in the amount of €10,000 on the basis of Article 33 of the Law of June 21, 1999, a request which must, however, be dismissed in light of the outcome of the dispute. The CNPD's claim for procedural compensation in the amount of €20,000 also lacks merit, as the relevant legal conditions are not met. Finally, regarding the company's (AA) request for an order to have the appeal suspended as provided for in Article 35 of the Law of June 21, 1999, which provides that "By way of derogation from Article 45, if the enforcement of the contested decision risks causing the applicant serious and permanent harm, the court may, in a judgment deciding the main issue or part of the main issue, order the appeal to have suspensive effect during the time limit and the appeal proceedings. 
(...)", this request must be granted in light of the specific circumstances of the case and the applicant's explanations, not otherwise challenged, that the daily amount of the penalty payment exceeds its daily turnover, such that it alone is likely to cause it serious and permanent harm.

For these reasons, the Administrative Court, Fourth Chamber, ruling in an adversarial proceeding;

Excludes from the proceedings Exhibit No. 39 filed by the company (AA) with the registry of the administrative court on March 31, 2022, entitled "Summary of erroneous facts and inaccurate representations in the CNPD's response," as well as Exhibits Nos. 29 and 30 filed with the registry of the administrative court by the CNPD on May 31, 2022, entitled "Clarifications provided by the CNPD in connection with Exhibit No. 39 of Allen & Overy," respectively "Criticism of the opinion of Prof. Dr. ... (Exhibit No. 36 of Allen & Overy)";

Allows the principal application for revision in form;

On the merits, declares it unjustified, dismissing the application;

States that there is no need to rule on the subsidiary application for annulment;

dismisses the requests for procedural compensation made by the applicant and the CNPD respectively;

orders the stay of the appeal during the appeal period and the appeal proceedings on the basis of Article 35 of the amended law of June 21, 1999, establishing the rules of procedure before administrative courts;

orders the company (AA) to pay the costs and expenses of the proceedings.

Thus judged and delivered at the public hearing of March 18, 2025 by: Paul Nourissier, First Vice-President, Olivier Poos, Vice-President, Emilie Da Cruz De Sousa, First Judge, in the presence of Registrar Marc Warken.

Sr. Marc Warken Sr. Paul Nourissier

Certified reproduction of the original
Luxembourg, March 18, 2025
The Registrar of the Administrative Court