Judgment of the Court in Case C-333/22 | Ligue des droits humains (Verification by the supervisory
authority of data processing)
A court must be able to verify the grounds and the evidence on which they are based
A citizen requests the Belgian autorité nationale de sécurité (National Security Authority) to issue him, for
professional purposes, security clearance. He is refused that document on the ground that he had participated in
demonstrations. Relying on his right of access to his data, that citizen makes a request to the Organe de contrôle de
l’information policière (the Supervisory Body for Police Information), which informs him that he has only indirect
access and that it will itself verify the lawfulness of the processing of his data. However, at the end of that
verification, as allowed under Belgian law, that body merely replied to him that it had carried out the necessary
verifications. That citizen then brought court proceedings before the first instance court, which declared that it had
no substantive jurisdiction.
Seised by the person concerned and Ligue des droits humains, the cour d’appel de Bruxelles (Court of Appeal,
Brussels, Belgium) asks the Court of Justice whether EU law requires Member States to provide for the possibility for
the data subject to be able to challenge the decision of the supervisory authority where the latter exercises the
rights of that data subject with regard to the processing at issue.
The Court of Justice takes the view that, in informing the data subject of the result of the verifications made, the
competent supervisory authority adopts a legally binding decision. That decision must be amenable to judicial
review in order for the data subject to be able to challenge the assessment made by the supervisory authority
concerning the lawfulness of the data processing and the decision as to whether or not to adopt corrective
measures.
The Court observes that EU law requires the supervisory authority to inform the data subject, ‘at least that all
necessary verifications or a review by the supervisory authority have taken place’ and of ‘his or her right to seek a
judicial remedy’. Where this is not precluded by public interest purposes, Member States must nevertheless provide
that the information disclosed to the data subject may go beyond that minimum information so that the data
subject is in a position to defend his or her rights and to decide whether or not to apply to the court with
jurisdiction.
In addition, in cases where the information thus disclosed to the data subject was limited to the bare minimum,
Member States must ensure that the court with jurisdiction, in order to check whether the reasons which warranted
such a limitation on that information are well founded, may weigh up the public interest purposes pursued (State
security, prevention, investigation, detection or prosecution of criminal offences) and the need to guarantee
citizens compliance with their procedural rights.
Read more https://curia.europa.eu/jcms/upload/docs/application/pdf/2023-11/cp230174en.pdf