M.A.B. – Court Ruling (France, 2024)

A data subject brought two cases before the Administrative Court of Cergy-Pontoise (Tribunal administratif de Cergy-Pontoise) – the controller. The data concerning these case were processed in an automated data processing system called “[https://www.legifrance.gouv.fr/loda/id/LEGITEXT000006071341/2023-12-14 Sagace]”. After both cases had been decided, the data subject requested the access to their personal data connected to those cases. The data were processed in “Sagace”. The controller rejected data subject’s request, which caused the data subject to lodge a complaint with the French DPA (CNIL). The DPA stated the access request fell within the scope of the judicial capacity of courts and as such was excluded from jurisdiction of the DPA. The data subject appealed against the CNIL's decision to the Supreme Administrative Court (Conseil d’Etat). The court rejected the appeal. The access request at hand touched upon the exercise of judicial capacity by courts. This was because the “Sagace” system, which processed the data subject’s data, was designed to allow parties of administrative court proceedings manage pending cases. Also, according to the body of evidence, the access requests were directly linked to the proceedings initiated by the data subject – they wanted to verify whether the court took into account two pleadings delivered within proceedings. Hence, under Article 55(3) GDPR the DPA had no competence to decide cases referring to court’s exercise of judicial capacity. Within French legal system, Article 45 of [https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000049563368 Law of 21 May 2024 on the security and regulation of the digital space] (Loi n° 2024-449 du 21 mai 2024 visant à sécuriser et à réguler l'espace numérique conferred the court (Conseil d’Etat) with the authority to control data processing activities by administrative courts while exercise judicial capacity.