Court case 45716 – Court Ruling (Luxembourg, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A person complained to the Luxembourg DPA about a US company using their data, but the DPA said they couldn't investigate because the data was already deleted. The court agreed, showing the limits of GDPR enforcement when data is no longer being processed.
What happened
A person complained to the Luxembourg DPA about a US company using their personal data, but the data was already deleted.
Who was affected
The individual whose personal data was initially collected and marketed by the US company.
What the authority found
The court found that since the data was already deleted, there was no ongoing data processing to investigate under GDPR.
Why this matters
This case underscores the importance of timely data deletion in resolving GDPR complaints. Website operators should ensure swift data removal to mitigate potential issues.
GDPR Articles Cited
A data subject found that an American company (controller) had collected personal data about him and was marketing it on its website. On 5 April 2019, he contacted the controller, who replied the same day with a copy of his personal data and informed the data subject that it had deleted his personal data. Still on 5 April 2019, the data subject lodged a complaint with the Luxembourg DPA to have the controller act on his request in accordance with the GDPR. After requesting the data subject to provide its correspondence with the controller, on 6 March 2020, the DPA informed the data subject that the controller was US based and that it would therefore be impossible to pursue his complaint. The data subject replied several times and asked among other things for clarification on the administrative procedure and in particular of the rules on investigations. The DPA finally replied by letter that the opening of an investigation was not systematic whenever a controller is subject to a complaint. In this case, the DPA considered that it was not relevant to open an investigation since it had no means of action against a US based company. On 1 March 2021, the data subject, represented by noyb, lodged an appeal with the administrative Court (hereafter the Court) requesting the reversal or cancellation of the DPA's letter. On the basis of Article 78 GDPR, the data subject considered that he had a standing in bringing the action. The Court considered that both at the time of his complaint of 5 April 2019 and the lodging of the appeal, the data subject's data had already been deleted from the controller's website. Consequently, the court considered that the data subject did not prove that data processing was taking place when he lodged his appeal. The Court also held that under Article 51 GDPR, the DPA is responsible for monitoring the application of the RGPD by controllers, "so that it is no longer called upon to intervene from the moment that any possible disregard of the
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 45716 in LU
This is the only recorded case for this entity in this jurisdiction.
Details
Ruling Date
21 April 2023
Authority
Commission Nationale pour la Protection des Données
GDPRhub ID
gdprhub-court-5868About this data
Cite as: Cookie Fines. Court case 45716 - Luxembourg (2023). Retrieved from cookiefines.eu
Last updated: