Court case 45717 – Court Ruling (Luxembourg, 2023)

A data subject found that an American company (controller) had collected personal data about him and was marketing it on its website. The data subject contacted the controller about this, who responded with an automated message asking him to fill in an identity verification form in order to process his request. On 8 July 2020, the data subject requested the Luxembourg DPA to order the controller to comply with his request. He believed that the controller had violated Article 15 GDPR for not handling his access request correctly and 27 GDPR for not having an establishment in the EU. The DPA asked the data subject to provide correspondence with the controller. In August 2020, the DPA informed the data subject that it would no longer deal with his request as the controller was US based and the DPA therefore had no power to impose measures under the GDPR. The data subject insisted that the controller offered services on the internet and that a simple search via a search engine would find his personal data on the controller's website. He also asked why the DPA felt it did not have the authority to investigate in the US. On 16 October 2020, the DPA replied by letter that it had contacted the controller but that without its response it was impossible to proceed. It also repeated that it had no means of action against a US based controller. The data subject, represented by noyb, appealed this decision of the DPA to the administrative Court (hereafter the Court) to have the DPA's letter reversed or annulled. He considered that he had a standing to act under Article 78 GDPR, especially since his data was still present on the controller's site. He argued he was therefore damaged by the DPA's decision not to pursue with his request. The data subject also argued that the DPA had violated Article 77 GDPR. Finally, he explained that the controller did not provide a copy of his access request, reason why he could not provide this document. First, the Court considered that th