JUDGMENT OF THE GENERAL COURT (Ninth Chamber, Extended Composition)
14 February 2019 (*)
(Personal data — Protection of natural persons with respect to the processing of their data — Right of access to those data — Regulation (EC) No 45/2001 — Refusal to grant access — Actions for annulment — Email referring to an earlier partial refusal of access without carrying out a re-examination — Concept of a challengeable act within the meaning of Article 263 TFEU — Concept of a purely confirmatory act — Applicability to access to personal data — Substantial new facts — Interest in bringing proceedings — Admissibility — Obligation to state reasons)
In Case T‑903/16,
RE, represented by S. Pappas, lawyer,
applicant,
v
European Commission, represented by H. Kranenborg and D. Nardi, acting as Agents,
defendant,
APPLICATION pursuant to Article 263 TFEU for annulment of the note of the director of the Security Directorate of the Directorate-General for Human Resources of the Commission of 12 October 2016 in so far as it rejects the applicant’s request for access to some of his personal data,
THE GENERAL COURT (Ninth Chamber, Extended Composition),
composed of S. Gervasoni, President, L. Madise, R. da Silva Passos, K. Kowalik-Bańczyk (Rapporteur) and C. Mac Eochaidh, Judges,
Registrar: N. Schall, Administrator,
having regard to the written part of the procedure and further to the hearing on 20 September 2018,
gives the following
Judgment
Background to the dispute
1 The applicant, RE, holds the position of [confidential] (1) for the Directorate-General for International Cooperation and Development of the European Commission.
2 The applicant was the subject of an administrative investigation (‘the administrative investigation’) undertaken by the Security Directorate of the Directorate-General for Human Resources and Security of the Commission (‘the Security Directorate’). That investigation concerned the alleged participation of the applicant in secret service activities and, in particular, his conduct during a conflict between two third States, the applicant being suspected of having become, on that occasion, too close to one of those States and of having communicated to it certain confidential information without authority.
3 By an email of 5 December 2013, the applicant requested that the Security Directorate, on the basis of Article 13 of Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ 2001 L 8, p. 1), provide him with all the personal and/or professional information and data held about him by the Directorate.
4 In a note of 25 February 2014, the director of the Security Directorate, after observing that some documents had already been given to the applicant on 27 November 2013, refused to grant him access to the remaining personal data relating to him on the ground that it was covered by the exemptions and restrictions laid down in Article 20(1)(a) to (d) of Regulation No 45/2001.
5 Taking the view that that refusal amounted to an infringement of Article 13 and Article 20(1) of Regulation No 45/2001, the applicant lodged a complaint, by letter, on 18 April 2014 with the European Data Protection Supervisor (EDPS) pursuant to Article 32(2) of Regulation No 45/2001.
6 By decision of 26 February 2016, the EDPS concluded that, having regard to the way in which the Security Directorate had applied the exemptions in Article 20(1) of Regulation No 45/2001, the Directorate had failed to process correctly some of the applicant’s personal data.
7 Following the decision of the EDPS, the Security Directorate re-examined the applicant’s request for access to his personal data.
8 At the end of that re-examination, by decision of 8 March 2016 (‘the decision of 8 March 2016’), the director of the Security Directorate partially granted the applicant’s request by giving him access to some of his personal data and by sending him, in addition, eight documents (Document Nos 44, 59 to 62, 67, 69 and 71). Annexed to that decision was a table identifying 71 documents in the possession of the Security Directorate and listing, in respect of each of those documents, its date, subject, the type of personal data it contained, a brief description of the content of the data, the source of the data and, for 35 out of the 71 documents (Document Nos 1, 6 to 9, 11, 12, 14 to 16, 18, 20, 21, 27, 28, 31, 32, 35, 36, 41, 42, 45, 46, 48 to 52, 54 to 57, 66, 68 and 70), the reason or reasons why some of the data could not be disclosed pursuant to Article 20(1)(a) or (c) of Regulation No 45/2001. Among those documents was one numbered 57, entitled ‘Note concerning the “recruitment of [the applicant] as [confidential] in [the Directorate-General for International Cooperation and Development of the European Commission]”’ dated 23 January 2012 (‘Document No 57’).
9 By an email of 29 April 2016 addressed to the Security Directorate, the applicant noted the responses given in the decision of 8 March 2016 and requested access to a ‘limited number of documents [out of those listed in the table annexed to the decision]’. On that occasion, the applicant also asked to be informed of the date on which the administrative investigation would be closed.
10 In the meantime, the applicant lodged a new complaint with the EDPS dated 5 July 2016, arguing that, in the decision of 8 March 2016, the Security Directorate had still not complied with the decision of the EDPS of 26 February 2016 giving a ruling on his earlier claim.
11 By decision of 25 July 2016 (‘the decision of the EDPS of 25 July 2016’), the EDPS concluded that, in the decision of 8 March 2016, the Security Directorate had fully implemented the recommendations made in its decision of 26 February 2016 and, therefore, there was no infringement, in the decision of 8 March 2016, of Article 13 or Article 20(1) of Regulation No 45/2001.
12 On 14 September 2016, the Security Directorate replied to the applicant’s email of 29 April 2016. Working on the basis that it was dealing with an application for access to documents under Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ 2001 L 145, p. 43), the Security Directorate invited the applicant, on the basis of Article 6(2) of that regulation, to clarify his request so as to enable it to identify which documents he wished to access. In addition, the Directorate informed the applicant that the administrative investigation had been closed on 31 August 2016.
13 By an email of 21 September 2016 addressed to the Security Directorate (‘the request of 21 September 2016’), the applicant requested access to 42 of the 71 documents identified in the decision of 8 March 2016 (Document Nos 1 to 5, 8, 11, 13, 14, 19, 21 to 30, 33, 34, 37 to 43, 47 to 53, 56 to 58, and 63 to 65) or, in any case, to the ‘information’ contained therein, relying on, first, Article 13 of Regulation No 45/2001 and, second, Article 6 of Regulation No 1049/2001. On that occasion, the applicant grouped the documents and information to which he was requesting access into four categories, designated by the parties as Group A (Document Nos 2 to 5, 13, 19, 22 to 26, 29, 30, 33, 34, 37 to 40, 43, 47, 53, 56, 58 and 63), Group B (Document Nos 8, 11, 41, 42, 48, 49 and 51), Group C (Document Nos 48, 49 and 51, already included within Group B) and Group D (Document Nos 1, 14, 21, 27, 28, 50, 52 and 57) and, for each of those categories, set out the reasons why he considered that his request should be granted.
14 On 12 October 2016, the director of the Security Directorate responded to the request of 21 September 2016 by a note (‘the contested note’) worded as follows:
‘1. In your [request of] 21 [September] 2016 you refer to Article 13 of Regulation No 45/2001 in order to request access to a number of documents. With regard to this request I refer to our decision dated 8 [March] 2016 ….
In addition, I refer to the Decision of the [EDPS] dated 25 July 2016 which clearly states that the EDPS has no indications that the Security Directorate has violated your right to access your personal data. I therefore consider that the Security Directorate has complied with your request to access your personal data.
2. In your [request of 21 September 2016], you also refer to Regulation No 1049/2001 …, requesting to be granted access to specific documents of the file mentioned in [the table annexed to the decision of 8 March 2016]. In this context, I would like to advise you that documents given to you under that Regulation become available to any other requester in the future, thus de facto public, possibly merely expunged of your personal data.
Please be informed that, in the light of the above, your access-to-documents request will be closed. If your application is introduced for personal purposes, please confirm this to us by indicating your private email and postal address.’
Procedure and forms of order sought
15 By application lodged at the Registry of the General Court on 19 December 2016, the applicant brought the present action.
16 By separate document lodged at the Court Registry on the same day, the applicant made an application for anonymity. That application was allowed by decision of the Court of 18 January 2017.
17 By separate document lodged at the Court Registry on 5 April 2017, the Commission raised a plea of inadmissibility under Article 130(1) of the Rules of Procedure of the General Court.
18 On 22 May 2017, the applicant lodged observations on the plea of inadmissibility at the Court Registry.
19 By order of 18 October 2017, the Court decided to reserve making a decision on the plea of inadmissibility raised by the Commission until the final judgment.
20 By way of measures of organisation of procedure, adopted pursuant to Article 89(3)(a) and (b) of the Rules of Procedure, the Court addressed written questions to the parties whose replies were requested to be given in writing.
21 The parties complied with that request within the time allowed.
22 The Commission lodged its defence at the Court Registry on 19 December 2017.
23 By way of measures of organisation of procedure, adopted pursuant to Article 89(3)(a) and (b) of the Rules of Procedure, the Court set out written questions for the parties to answer at the hearing.
24 The applicant claims that the Court should:
– dismiss the objection of inadmissibility;
– annul the contested note in so far as it refused his request to be granted access to certain personal data;
– order the Commission to pay him the sum of EUR 10 000 by way of compensation for non-material damage suffered by him as a result of the refusal of the Security Directorate to grant him access to his personal data;
– order the Commission to pay him the sum of EUR 30 000 by way of compensation for non-material damage suffered by him as a result of the unlawful processing and dissemination of his personal data by the Security Directorate;
– order the Commission to pay the costs.
25 The Commission contends that the Court should:
– dismiss the action as inadmissible or, in the alternative, as unfounded;
– order the applicant to pay the costs.
26 The applicant also asks the Court, by a measure of organisation of procedure, to order the Commission to produce document No 57, in accordance with Article 91(c) of the Rules of Procedure or, in the alternative, Article 104 of the Rules of Procedure.
27 At the hearing, the applicant withdrew the forms of order seeking compensation for two heads of non-material loss that he claimed he had suffered. He also clarified and limited the scope of his action for annulment by indicating that it did not have the purpose of challenging the refusal to grant access to personal data contained in the documents referred to in the application but which were not invoked in the request of 21 September 2016. Since the Commission did not make any observations on that withdrawal or clarification, it was noted in the minutes of the hearing.
Law
The claim for annulment
28 It is appropriate to examine, first of all, whether the claims for annulment are admissible and, if so, secondly, whether those claims are well founded.
Admissibility of the claim for annulment
29 The Commission raises three pleas of inadmissibility. First, the contested note did not make any decision on the applicant’s right to access his personal data. Secondly, that note was, in any event, a purely confirmatory act. Thirdly, the applicant does not have a genuine interest in bringing an action against that note.
– The purpose of the contested note and whether there was a refusal to grant access to personal data
30 The Commission submits that the request of 21 September 2016 exclusively concerned access to documents on the basis of Regulation No 1049/2001. It follows that, in the contested note, the Security Directorate did not make a decision on the applicant’s right to access his personal data on the basis of Regulation No 45/1001.
31 The applicant disputes the Commission’s arguments. The applicant maintains that the request of 21 September 2016 included both a request for access to documents and a request for access to personal data.
32 At the outset, it should be recalled that Regulation No 1049/2001 and Regulation No 45/2001 have different objectives. The first is designed to ensure the greatest possible transparency in the decision-making process of the public authorities and the information on which they base their decisions. It is thus designed to facilitate as far as possible the exercise of the right of access to documents and to promote good administrative practices. The second is designed to ensure the protection of the freedoms and fundamental rights of individuals, particularly their private life, in the handling of personal data (judgment of 29 June 2010, Commission v Bavarian Lager, C‑28/08 P, EU:C:2010:378, paragraph 49). It follows that, unlike Regulation No 1049/2001, Regulation No 45/2001 is not designed to facilitate the exercise of the right of access to documents (see, to that effect, the judgment of 17 July 2014, YS and Others, C‑141/12 and C‑372/12, EU:C:2014:2081, paragraph 47).
33 In that context, the rights of access laid down by those two regulations respectively have neither the same purpose nor the same beneficiaries. Article 2 of Regulation No 1049/2001 seeks to enable the public, namely any citizen and any natural or legal person, to access documents held by the institutions. Article 13 of Regulation 45/2001 seeks to enable access only by data subjects, to their personal data, namely information about them as an identified or identifiable person, without providing that those persons may, on that basis, also have access to documents containing those data. In that regard, it must be noted that Article 13(c) of Regulation No 45/2001 provides only that the data subject has the right to obtain ‘communication in an intelligible form of the data undergoing processing’.
34 In the present case, it must be held, in the first place, that the contested note is in the nature of a rejection in so far as it replies to the request of 21 September 2016 and it is common ground that it did not grant the applicant access to either his personal data or documents containing those data.
35 Where a decision is a rejection, it must be appraised in the light of the nature of the request to which it constitutes a reply (judgments of 8 March 1972, Nordgetreide v Commission, 42/71, EU:C:1972:16, paragraph 5, and of 24 November 1992, Buckl and Others v Commission, C‑15/91 and C‑108/91, EU:C:1992:454, paragraph 22). Therefore, the purpose of the contested note must be appraised in the light, in particular, of the content of the request of 21 September 2016.
36 In that regard, it must be observed, first of all, that the request of 21 September 2016 is entitled ‘Personal data’.
37 Next, the request of 21 September 2016 refers not only to Regulation No 1049/2001, but also to Regulation No 45/2001. First, that request is presented explicitly on the basis of both Article 6 of Regulation No 1049/2001 and Article 13 of Regulation No 45/2001. Secondly, that request contains, in respect of each of the four groups of documents referred to in paragraph 13 above, argument as regards the exemptions and restrictions laid down in Article 20(1) of Regulation No 45/2001.
38 Finally, on several occasions in his request of 21 September 2016 the applicant refers both to documents and to ‘information’ contained in those documents. Thus, he states, at the outset and generally, that he would like access to certain documents or, in any case, to information contained therein. In addition, the applicant expressly renews that request for access as regards information contained in the documents in Group D. Furthermore, as regards the documents in Group C, he disputes the fact that the communication of those documents, or information therein, could jeopardise the investigation methods and tools used by the Security Directorate. Lastly, the applicant refers to information transferred or compiled in the documents in Group A and specifies that those documents concern him personally and directly.
39 In the light of those factors, it is clear that the request of 21 September 2016 contained, in addition to a request for access to documents, a request for access to personal data relating to the applicant contained in those documents.
40 In the second place, it must be observed that in the contested note the director of the Security Directorate referred to the ‘request [by the applicant] to access [his] personal data’. He also stated, referring to the decision of the EDPS of 25 July 2016, that he considered that the Security Directorate had ‘complied with [that] request’. Thus the Security Directorate itself chose to invoke, in the contested note, not only the question of access to the documents in question, but also of access to personal data contained in those documents and to stress that the decision of 8 March 2016 did not contain a breach of the applicant’s right of access to those data.
41 In addition, it is not established or even alleged by the Commission that the Security Directorate replied, at any other time, in writing or orally, explicitly or implicitly, to the request of 21 September 2016 inasmuch as it sought access to personal data.
42 In those circumstances, the Commission must be regarded as having taken a decision, in the contested note, on the applicant’s request for it to grant him access to some of his personal data. It follows that that note, which did not uphold that request, must be viewed as a refusal to grant access to those data.
– The purely confirmatory nature of the contested note
43 The Commission submits that, even if it were accepted that in the contested note the Security Directorate made a decision regarding access to personal data, that note was, in any event, a purely confirmatory act confirming the decision of 8 March 2016, which was not challenged by the applicant within the time limit for appeals.
44 The applicant disputes the Commission’s arguments. He submits that the closure of the administrative investigation on 31 August 2016 and the submission on 21 September 2016 of a request for personal data in an expunged form constituted substantial new facts requiring the Security Directorate to re-examine the merits of the decision of 8 March 2016.
45 In the first place, the Commission’s argument raises the question of whether the case-law in accordance with which an action brought against an act that was purely confirmatory of an earlier decision is inadmissible if it was not brought within the time limit for instituting proceedings against it (judgment of 17 May 2017, Portugal v Commission, C‑337/16 P, EU:C:2017:381, paragraph 51) applies to decisions adopted by an institution in response to a request for access to personal data made on the basis of Article 13 of Regulation No 45/2001.
46 In that regard, it must be recalled, first, that Article 13(c) of Regulation No 45/2001 provides that ‘the data subject shall have the right to obtain, without constraint, at any time within three months from the receipt of the request and free of charge from the controller [...] communication in an intelligible form of the data undergoing processing [...]’. It follows from that provision, which allows the data subject to access his personal data ‘at any time’, that that person had a continuous and permanent right of access to those data.
47 Second, while Article 20(1) of Regulation No 45/2001 provides for exemptions and restrictions to the right for the data subject to access his personal data, that provision specifies that the institutions cannot restrict the application of Article 13 of that regulation except ‘where such restriction constitutes a necessary measure’. It follows that the exemptions and restrictions laid down in Article 20(1) of that regulation are applicable only in the period during which they remain necessary.
48 In addition, it should be noted that the protection of personal data resulting from the explicit obligation laid down in Article 8(1) of the Charter of Fundamental Rights of the European Union is especially important for the right to respect for private life enshrined in Article 7 of that charter (judgment of 8 April 2014, Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 53).
49 Thus, the Court has favoured an interpretation of EU law conducive to a high level of protection of personal data. It has taken into account, among other things, the fact that, in the context of the processing of personal data, the factual and legal situation of the data subject is, by its nature, liable to change over time, since the mere passage of time is capable of rendering the processing of data, which was initially lawful, unnecessary or even unlawful (see, to that effect and by analogy, judgment of 13 May 2014, Google Spain and Google, C‑131/12, EU:C:2014:317, paragraphs 92 and 93).
50 It follows that, under Regulation No 45/2001, a person may, at any time, make a new request for access to personal data to which access had previously been refused. Such a request requires the institution concerned to examine whether the earlier refusal of access remains justified.
51 Therefore, a fresh examination seeking to verify whether a previously-adopted refusal to grant access to personal data remains justified having regard to Articles 13 and 20 of Regulation No 45/2001 leads to the adoption of an act which is not purely confirmatory of the earlier act, but constitutes an act that may be the subject of an action for annulment under Article 263 TFEU.
52 In the present case, the Commission received a request from the applicant on 21 September 2016 for access to his personal data contained in various documents. It follows from paragraph 50 above that the Commission was required to examine that request. As has been concluded in paragraph 42 above, the Commission must be regarded as having made a decision on that request, and as having refused to uphold it, in the contested note. In those circumstances, having regard to the principle set out in paragraph 51 above, that note constitutes a challengeable act irrespective of the fact that a previous partial refusal of access to those data had already been given to the applicant in the decision of 8 March 2016. Therefore, the Commission cannot successfully argue that the contested note was of a purely confirmatory nature.
53 In the second place, even if the case-law referred to in paragraph 45 above applies in the present case, it must be recalled that a measure is purely confirmatory of an earlier measure only if it contains no new factors as compared with the earlier measure (judgments of 10 December 1980, Grasselli v Commission, 23/80, EU:C:1980:284, paragraph 18, and of 31 May 2017, DEI v Commission, C‑228/16 P, EU:C:2017:409, paragraph 33). Furthermore, the existence of substantial new facts may justify the submission of a request for reconsideration of a previous decision which has become definitive (see judgment of 7 February 2001, Inpesca v Commission, T‑186/98, EU:T:2001:42, paragraph 47 and the case-law cited). Therefore, an action brought against a decision refusing to reconsider a decision which has become definitive will be declared admissible if it appears that there are substantial new facts (see, to that effect, judgment of 7 February 2001, Inpesca v Commission, T‑186/98, EU:T:2001:42, paragraph 49). Facts are to be classified as ‘substantial new’ facts where, first, neither the applicant nor the administration was aware of, or in a position to be aware of, the fact in question when the earlier decision was adopted and, second, the fact concerned is capable of substantially altering the applicant’s situation compared with that which gave rise to the earlier decision which has become definitive (see, to that effect, judgment of 7 February 2001, Inpesca v Commission, T‑186/98, EU:T:2001:42, paragraphs 50 and 51).
54 In the present case, in order to establish the existence of substantial new facts, the applicant relies in particular on the fact that the administrative investigation was closed on 31 August 2016.
55 The Commission counters that, in his request of 21 September 2016, the applicant merely thanked the Security Directorate for having informed him on 14 September 2016 of the closure of the administrative investigation and that, on that occasion, he did not submit that that closure was a substantial new fact which justified the re-examination of the decision of 8 March 2016.
56 In that regard, it must be recalled that none of the provisions of Regulation No 45/2001 and in particular Article 13 thereof, which provides for a right of access ‘without constraint’, requires the data subject to set out the reasons for, or to justify, his request for access to his personal data. It follows that, as regards access to personal data, an applicant may rely, before the General Court, on the existence as at the date of the contested act of substantial new facts justifying a new examination, even if he failed to refer to those facts in his request.
57 In those circumstances and since the Commission already knew of the closure of the administrative investigation at the time when it received the request of 21 September 2016, the applicant can successfully rely, before the General Court, on the closure of the administrative investigation for purpose of establishing the existence of a substantial new fact.
58 It must be observed, first, that that event occurred after the decision of 8 March 2016, such that it is ‘new’, within the meaning of the case-law cited in paragraph 53 above.
59 Second, that event is also ‘substantial’, within the meaning of the same case-law. It should be recalled that, in order to refuse to grant the applicant, in the decision of 8 March 2016, access to some of his personal data, the Security Directorate invoked, depending on the data in question, first, the exemption laid down by Article 20(1)(a) of Regulation No 45/2001, which aims to safeguard ‘the prevention, investigation, detection and prosecution of criminal offences’, and, second, the exemption laid down by Article 20(1)(c) of that regulation, which aims, in particular, to safeguard ‘the protection [...] of the rights and freedoms of others’. As regards the exemption laid down in Article 20(1)(a) of Regulation No 45/2001, the Security Directorate indicated that the disclosure of the data in question would reveal its investigation tools and methods. As regards the exemption laid down in Article 20(1)(c) of the regulation, the Security Directorate stated that the disclosure of the data in question would prejudice the rights of other persons whose data has been the subject of processing, namely witnesses and informants heard in the context of the administrative investigation. Thus, it is clear that the grounds upon which the applicant was partially refused access in the decision of 8 March 2016 were related, at least indirectly, to the administrative investigation relating to the applicant. Consequently, it cannot be excluded that the closure of that investigation significantly altered the applicant’s situation.
60 That conclusion cannot be called into question by the Commission’s argument that the obligation, first, not to compromise the tools and methods of investigation that were used by the Security Directorate and, second, to protect the witnesses and informants, continued after the closure of the administrative investigation. In effect, that argument seeks to entirely subordinate the admissibility of the action for annulment to the merits of the fresh refusal to grant access to the applicant. However, for the purpose of finding that the closure of the administrative investigation constituted a substantial new fact justifying the re-examination of the applicant’s situation, it suffices to observe that that event was capable of having an effect on the application of the exemptions laid down by Article 20(1)(a) and (c) of Regulation No 45/2001, without prejudging the possibility of giving the applicant, at the end of that re-examination, a new refusal to grant access based, if appropriate, on the same exemptions.
61 It follows that the closure of the administrative investigation constituted a substantial new fact that justified a fresh examination of the applicant’s right to access his personal data.
62 That examination was all the more justified in the present case since the applicant had allowed a reasonable time to elapse before presenting the Security Directorate with a fresh request for access to his personal data. The request of 21 September 2016 was submitted more than six months after the partial refusal of access given to the applicant in the decision of 8 March 2016.
63 In those circumstances, the Commission’s submission that the contested note is a purely confirmatory act confirming the decision of 8 March 2016 is not, in any event, well founded.
– Applicant’s legal interest in bringing proceedings
64 The Commission considers that, since the applicant has already had access to all or part of his personal data and, in particular, to all the data contained in the documents in Group A, and since he is in fact seeking access to documents, he does not have a genuine interest in bringing proceedings challenging the contested note.
65 While the applicant does not specifically challenge the Commission’s argument, it is clear from all of his written arguments that he considers that he was wrongly denied access to his personal data by the contested note.
66 According to settled case-law, an action for annulment brought by a natural or legal person is admissible only in so far as that person has an interest in having the contested act annulled. Such an interest requires that the annulment of that act must be capable, in itself, of having legal consequences and that the action may therefore, through its outcome, procure an advantage to the party which brought it (judgments of 17 September 2009, Commission v Koninklijke FrieslandCampina, C‑519/07 P, EU:C:2009:556, paragraph 63, and of 17 September 2015, Mory and Others v Commission, C‑33/14 P, EU:C:2015:609, paragraph 55).
67 In the present case, as already observed in paragraph 42, the Commission must be regarded as having refused, by the contested note, to grant the applicant access to all of the personal data referred to in the request of 21 September 2016.
68 It is true that the applicant has already had access to some of his personal data. In the table annexed to the decision of 8 March 2016, the Commission communicated to him some data in respect of which it did not rely on any of the exemptions or restrictions laid down in Article 20 of Regulation No 45/2001. That is the case, first, in respect of all of the personal data identified by the Commission in the documents in Group A, with the exception of document No 56, and, second, in respect of some of the personal data identified by the Commission in the documents in Groups B, C and D, and document No 56.
69 However, it has already been observed in paragraph 46 above that, in the context of Regulation No 45/2001, the data subject has a continuous and permanent right of access to his personal data. That right enables him, among other things, to make a request for access to personal data, including where the data subject has already been able to access all or part of those data in order, for example, to satisfy himself that all of the personal data held by an institution had in fact been identified and communicated, or to know whether the data in question was still being processed by the institution and, if so, whether they had been altered or not.
70 Furthermore, while it is true that the applicant cannot, by means of a request for access to his personal data, access documents containing those data, that fact, in itself, does not affect the applicant’s interest in obtaining access to those data in themselves.
71 In those circumstances, the annulment of the contested note, which refused to grant the applicant access to all of his personal data contained in the documents referred to in the request of 21 September 2016, is capable of having legal consequences for the applicant and of procuring an advantage for him.
72 It follows that the claims for annulment are admissible and that the pleas of inadmissibility advanced by the Commission must be dismissed.
The merits of the claim for annulment
73 In support of his claim for annulment, the applicant submits that the contested note does not satisfy the duty to state reasons laid down in Article 296 TFEU. That note merely referred to the decision of 8 March 2016 and did not set out the reasons why he could not have access to personal data. As regards the personal data contained in the documents in Group A, the decision of 8 March 2016 did not include reasons, with the result that the contested note was also vitiated by a failure to state reasons. As regards the personal data contained in the documents in Groups B, C and D, the contested note did not explain why the application of the exemptions and restrictions laid down by Article 20(1)(a) and (c) of Regulation No 45/2001 and relied on in the decision of 8 March 2016 continued to be justified after the closure of the administrative investigation and even though the Security Directorate was in receipt of a fresh request seeking access to those data in an expunged form.
74 The Commission disputes the applicant’s arguments. It submits that, first, no particular reasons were required as regards the personal data contained in the documents in Group A, to which the applicant had already obtained access, and, second, the applicant had been sufficiently informed, in the table annexed to the decision of 8 March 2016, of the reasons why some of his personal data contained in the documents in Groups B, C and D had not been disclosed to him.
75 It should be recalled that, according to settled case-law, the statement of reasons required by Article 296 TFEU must be appropriate to the measure at issue and must disclose in a clear and unequivocal fashion the reasoning followed by the institution which adopted the measure, in such a way as to enable the persons concerned to ascertain the reasons for it and to enable the competent court to exercise its power of review. The requirements to be satisfied by the statement of reasons depend on the circumstances of each case, in particular the content of the measure in question, the nature of the reasons given and the interest which the addressees of the measure, or other parties to whom it is of direct and individual concern, may have in obtaining explanations. It is not necessary for the reasoning to go into all the relevant facts and points of law, since the question whether the statement of reasons meets the requirements of Article 296 TFEU must be assessed with regard not only to its wording but also to its context and all the legal rules governing the matter in question (judgments of 2 April 1998, Commission v Sytraval and Brink’s France, C‑367/95 P, EU:C:1998:154, paragraph 63, and of 1 July 2008, Chronopost and La Poste v UFEX and Others, C‑341/06 P and C‑342/06 P, EU:C:2008:375, paragraph 88).
76 In addition, under Article 20(3) of Regulation No 45/2001, if an exemption or restriction provided for by Article 20(1) of that regulation is relied on against the data subject, the latter must be informed of the principal reasons supporting the application of that exception or restriction.
77 In the present case, it must be observed that the contested note — the terms of which are reproduced in paragraph 14 above — is, in itself, almost entirely devoid of any factual or legal reasoning. In fact, that note contains no reasons of its own. It does not set out the reasons why the applicant cannot be granted access to the personal data referred to in the request of 21 September 2016. In reality, the contested note merely refers to the decision of 8 March 2016 and to the decision of the EDPS of 25 July 2016 which concluded that the applicant’s right to access his personal data was not breached. In that note, it is merely stated, having regard to the conclusion reached by the EDPS and without any other explanation, that the request for access had been ‘complied with’.
78 However, a statement of reasons by reference may, in certain cases, be acceptable (see, to that effect, the judgment of 19 November 1998, Parliament v Gaspari, C‑316/97 P, EU:C:1998:558, paragraph 27). In particular, the case-law allows a statement of reasons by reference to a previous decision (see, to that effect, judgments of 12 May 2016, Zuffa v EUIPO (ULTIMATE FIGHTING CHAMPIONSHIP), T‑590/14, not published, EU:T:2016:295, paragraph 43, and of 5 February 2018, Edeka-Handelsgesellschaft Hessenring v Commission, T‑611/15, EU:T:2018:63, paragraphs 32 to 38).
79 It is therefore necessary to assess whether the reference to the decision of 8 March 2016 and the decision of the EDPS of 25 July 2016 constitutes a sufficient statement of reasons in the contested note.
80 In that regard, it must be observed, in the first place, that, as regards the personal data contained in the documents in Group A (with the exception of document No 56), the table annexed to the decision of 8 March 2016, which entirely upheld the request for access at least as regards the personal data identified by the Commission in the documents in question, did not contain any reasons for the refusal of access. Consequently, the reference to the decision of 8 March 2016 cannot constitute a statement of reasons for the refusal to grant access to all of the personal data contained in the documents in Group A, given to the applicant, for the first time, in the contested note.
81 In the second place, as regards the personal data contained in the documents in Groups B, C and D, it must be recalled that, as is set out in paragraphs 52 and 61 above, the Commission was required to examine whether the refusal to grant access to the applicant in the decision of 8 March 2016 remained justified. To that end, it was required, in particular, to verify, for all of the personal data in question, whether the application of the exemptions and restrictions laid down in Article 20(1)(a) and (c) of Regulation No 45/2001 and relied on in the decision of 8 March 2016, remained justified having regard to a possible alteration in the legal or factual circumstances. In particular, the Commission was required to take into account the fact that the administrative investigation had been closed in the meantime, and that a period of more than six months had elapsed.
82 However, first, it must be observed that the contested note does not contain any reasons relating to a concrete and detailed re-examination of the applicant’s right of access to his personal data. It does not contain further reasoning regarding the possible effect of the facts referred to in paragraph 81 above. Second, the reference solely to the decision of 8 March 2016 and the decision of the EDPS of 25 July 2016 manifestly cannot constitute appropriate and sufficient reasoning, since a fresh refusal decision taken after a re-examination cannot, by definition, be based exclusively on the reasons set out in the decisions taken prior to that re-examination. Consequently, the reference to those two decisions does not satisfy the obligation to state reasons in respect of the refusal once again, in the contested note, to grant the applicant access to personal data contained in the documents in Groups B, C and D.
83 It follows that the plea alleging an infringement of the obligation to state reasons must be upheld.
84 Therefore, the contested note, in so far as it rejected the applicant’s request to be granted access to some of his personal data, must be annulled.
The measure of inquiry sought by the applicant
85 The applicant submits that the Commission should be ordered to produce document No 57.
86 However, as the applicant accepted at the hearing, the measure of inquiry sought is connected with the claims for compensation. Since the applicant has withdrawn those claims and that withdrawal has been recorded (paragraph 27 above), the production of document No 57 serves no useful purpose in the present case.
87 Therefore, there is no need to grant the request for the measure of inquiry submitted by the applicant.
Costs
88 Under Article 134(1) of the Rules of Procedure, the unsuccessful party is to be ordered to pay the costs if they have been applied for in the successful party’s pleadings.
89 Since the Commission has been substantially unsuccessful, it must be ordered to pay the costs in accordance with the form of order sought by the applicant and without it being necessary to take into account the partial withdrawal by the latter of his claims for compensation.
On those grounds,
THE GENERAL COURT (Ninth Chamber, Extended Composition)
hereby:
1. Annuls the note of 12 October 2016 of the director of the Security Directorate of the Directorate-General for Human Resources of the Commission, in so far as it rejects the request of 21 September 2016 of RE for access to some of his personal data;
2. Orders the Commission to pay the costs.
Gervasoni | Madise | da Silva Passos |
Kowalik-Bańczyk | | Mac Eochaidh |
Delivered in open court in Luxembourg on 14 February 2019.