CNIL – Court Ruling (France, 2023)

On March 27, 2018 the Data Subject filed a complaint on CNIL againt Euronext group, specifically addressing the handling of her personal data by the Irish Stock Exchange, her employer, a subsidiary of Euronext. On March 28, 2022, the case was closed by CNIL because the Authority understood that the Irish Data Protection Authority is the one competente for addressing the issue, since the Data Subject employer, the Irish Stock Exchange, is a company located in Ireland. In addition, the Data subject and personal data processed was limited to this location. Dissatisfied with this outcome, the Data Subject sought annulment of the CNIL's decision for abuse of power and requested that the CNIL be instructed to sanction the companies involved. The Conseil d'État rejected the Data Subject's request, upholding the CNIL’s decision to close the complaint. The Court found that the CNIL correctly applied GDPR regulations, specifically Article 55 and Article 56, which dictate that in cross-border data processing situations, the Lead Supervisory Authority is generally that of the main establishment of the controller, unless the data processing is confined to a single member state and significantly affects individuals only in that state. In this case, the CNIL determined that the relevant data processing was indeed cross-border, handled by a central office in France, but the complaint was specific to the Data Subject employment in Ireland, making the Irish Data Protection Authority solely competent to address it.