Pulsantiera di navigazione Home Page
Pagina Facebook Pagina Linkedin Canale Youtube Italian version
News
Legal news

DATA PROTECTION

Processing of personal data: decisions taken by a supervisory authority in the context of the indirect exercise of the rights of the data subject are legally binding.

A citizen requests the Belgian autorité nationale de sécurité (National Security Authority) to issue him, for professional purposes, security clearance. He is refused that document on the ground that he had participated in demonstrations.

Relying on his right of access to his data, that citizen makes a request to the Organe de contrôle de l’information policière (the Supervisory Body for Police Information), which informs him that he has only indirect access and that it will itself verify the lawfulness of the processing of his data. However, at the end of that verification, as allowed under Belgian law, that body merely replied to him that it had carried out the necessary verifications.

That citizen then brought court proceedings before the first instance court, which declared that it had no substantive jurisdiction. Seised by the person concerned and Ligue des droits humains, the cour d’appel de Bruxelles (Court of Appeal, Brussels, Belgium) asks the Court of Justice whether EU law requires Member States to provide for the possibility for the data subject to be able to challenge the decision of the supervisory authority where the latter exercises the rights of that data subject with regard to the processing at issue.

The Court of Justice takes the view that, in informing the data subject of the result of the verifications made, the competent supervisory authority adopts a legally binding decision. That decision must be amenable to judicial review in order for the data subject to be able to challenge the assessment made by the supervisory authority concerning the lawfulness of the data processing and the decision as to whether or not to adopt corrective measures.

The Court observes that EU law requires the supervisory authority to inform the data subject, ‘at least that all necessary verifications or a review by the supervisory authority have taken place’ and of ‘his or her right to seek a judicial remedy’. Where this is not precluded by public interest purposes, Member States must nevertheless provide that the information disclosed to the data subject may go beyond that minimum information so that the data subject is in a position to defend his or her rights and to decide whether or not to apply to the court with jurisdiction.

In addition, in cases where the information thus disclosed to the data subject was limited to the bare minimum, Member States must ensure that the court with jurisdiction, in order to check whether the reasons which warranted such a limitation on that information are well founded, may weigh up the public interest purposes pursued (State security, prevention, investigation, detection or prosecution of criminal offences) and the need to guarantee citizens compliance with their procedural rights. In the context of that judicial review, the national rules must enable the court to examine the grounds and the evidence behind the supervisory authority’s decision, as well as the conclusions which that authority drew from that decision.
Stampa la pagina