Court case 466856 – Court Ruling (France, 2023)

A data subject was registered in the information system of the company [https://www.verifone.com/ Verifone], a payment service provider (controller). After changing her identity, she requested a court in the USA to order the rectification of her customer account data (surname, first name, email) and of her data appearing in other documents such as orders. The court refused, and the data subject referred the matter to the French DPA (CNIL). The CNIL contacted the controller to ask it to rectify the data subject's customer account data, which it did for the customer account data but not for the other documents. The CNIL considered that the documents drawn up before the change of identity did not need to be rectified retroactively because the change of identity happened later. The data subject took the CNIL's decision to the Conseil d'Etat (Supreme Administrative Court). For the documents drawn up before the identity change, the Conseil d'Etat considered that the data could not be considered as inaccurate since they were accurate at the time and for the purpose of the processing. These documents therefore did not contain any inaccuracies that should have been corrected under Article 16 GDPR. Consequently, the Conseil d'Etat upheld the CNIL's decision, considering that the CNIL correctly applied Article 16 GDPR.