Ministère de l'Intérieur – Court Ruling (France, 2020)

The applicant claimed to have personal data stored on the French National Schengen Information System (“N-SIS II database”). Under [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018R1862 Regulation (EU) 2018/1862], the Schengen Information System is composed of, on one hand, a central system (“C-SIS”), and, on the other hand, national systems (“N-SIS”) that communicate with the central system. The system as a whole allows Member States to share alerts on persons, which include personal data, for several purposes in relation with police and judicial cooperation. The applicant exercised his rights of access and erasure against the Ministry of the Interior (“Ministère de l’intérieur”), without success. She then petitioned the French DPA (“CNIL”), with the same outcome. In this context, she seeks the annulment of the Ministry’s decision before the French Administrative Supreme Court (“Conseil d’Etat”). As it appeared during the proceedings, her demand was processed in accordance with the procedure applicable to personal data processed for national security purposes. The applicant demands that the Court reviews the lawfulness of this procedure and the decision of the Ministry. Is French procedural law applicable to the exercise of the right of access and the right to erasure of personal data processed for national safety purposes compliant with Article 15 and 23 GDPR? The Court found that the applicant’s petition had been lawfully processed and must be rejected. According to [https://www.legifrance.gouv.fr/codes/section_lc/LEGITEXT000006070933/LEGISCTA000006136462/#LEGISCTA000006136462 Article L773-1 to 773-8 of the Administrative Justice Code] (“Code de la Justice administrative”), a specific panel of judges reviews the application. The defendant has limited access to the file. If the alleged data do not exist or are lawfully processed, the application is rejected without further indication. However, if the processing is found unlawful, the app