JUDGMENT OF THE GENERAL COURT (Tenth Chamber)
3 December 2025 (*)
( Processing of personal data – Protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies – Regulation (EU) 2018/1725 – Requests made to EPSO concerning access to and processing of personal data – Error of law )
In Cases T‑318/24 and T‑362/24,
WS, represented by H. Tettenborn, lawyer,
applicant,
v
European Commission, represented by A. Bouchagiar and H. Kranenborg, acting as Agents,
defendant,
THE GENERAL COURT (Tenth Chamber),
composed, at the time of the deliberations, of L. Madise, acting as President, P. Nihoul and S. Verschuur (Rapporteur), Judges,
Registrar: V. Di Bucci,
having regard to the written part of the procedure,
having regard to the fact that no request for a hearing was submitted by the parties within three weeks after service of notification of the close of the written part of the procedure, and having decided to rule on the action without an oral part of the procedure, pursuant to Article 106(3) of the Rules of Procedure of the General Court,
gives the following
Judgment
1 By his actions in Cases T‑318/24 and T‑362/24, based on Article 263 TFEU, the applicant, [confidential] (1), seeks the annulment, respectively, of the decision of the European Personnel Selection Office (EPSO) of 15 April 2024, by which EPSO rejected in part the request for access to personal data concerning him of 4 January 2024, pursuant to Article 17 of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ 2018 L 295, p. 39) (‘the contested decision of 15 April 2024’), and EPSO’s decision of 3 May 2024, notified by email of 6 May 2024, by which his request for access to personal data concerning him of 1 February 2024, pursuant to Regulation 2018/1725, was also rejected (‘the contested decision of 3 May 2024’).
Background to the dispute
2 EPSO has two IT tools to manage the selection procedures for contract and temporary staff, namely (i) the Talent system, in which persons wishing to work for the EU institutions must create an account and (ii) the recruitment portal, which contains information on candidates who have passed selection tests.
3 The Talent system establishes logs of persons who have consulted an EPSO account, but does not record the precise purpose of the consultation. The recruitment portal establishes logs of persons who have accessed the portal as such, but does not record the consultation of the personal data of each of the candidates on that portal.
4 Only the data subject and certain EPSO staff members can access that person’s EPSO account in the Talent system. By contrast, staff members of other institutions who are responsible for human resources or recruitment may have access to the recruitment portal, but that access is limited to the data of a successful candidate.
5 The applicant participated in four selection procedures for which he had created an EPSO account in the Talent system and, since he had passed the tests for one of those procedures, he was registered on the recruitment portal in respect of that procedure.
6 On 18 June 2022, the applicant submitted to EPSO, pursuant to Article 17 of Regulation 2018/1725, a request for access to personal data concerning him, in relation to his four applications, found in his EPSO account.
7 In its reply of 5 August 2022 to the applicant’s request for access, EPSO provided him with details of the categories of recipients permitted to consult his personal data and the duties of those recipients. However, EPSO stated that the applicant was not entitled to obtain, under Article 17 of Regulation 2018/1725, information on the date and time when those personal data were accessed or the identity of the persons who had accessed such data.
8 On 16 November 2022, the applicant lodged a complaint with the European Data Protection Supervisor (EDPS), submitting that EPSO ought to have provided him with access to the log files of his EPSO account.
9 By its decision of 16 June 2023, the EDPS concluded that the log files did not constitute personal data and that the applicant was therefore not entitled to access them pursuant to Article 17(1)(c) of Regulation 2018/1725.
10 On 31 October 2023, following a request for review made by the applicant on 4 July 2023 pursuant to Article 18(1) of the EDPS decision of 15 May 2020 adopting the Rules of Procedure of the EDPS (OJ 2020 L 204, p. 49), and in the light of the judgment of 22 June 2023, Pankki S (C‑579/21, EU:C:2023:501), the EDPS revised its position and ordered EPSO to grant the applicant access to ‘all his log data, the time and purpose of each access generated by consultation operations of his EPSO profile in the context of the four EPSO selection procedures to which he participated’.
11 On 30 November 2023, EPSO complied with the EDPS’ revision decision of 31 October 2023, by providing the applicant with three documents containing the information available in his log files, except for the identity of the EPSO employees who had consulted his EPSO account. EPSO justified that exclusion by referring to paragraph 83 of the judgment of 22 June 2023, Pankki S (C‑579/21, EU:C:2023:501).
12 On 4 January 2024, the applicant submitted to EPSO, pursuant to Article 17 of Regulation 2018/1725, a new request for access to personal data concerning him, in order to obtain, inter alia, ‘all data being currently processed by the EPSO/[the European Commission] that has not been obtained from the data subject, specifically (but not exclusive[ly]) all the data that [the European Union Intellectual Property Office (EUIPO)] or EDPS (or any other body) has provided to the European Commission’, ‘access logs with the time and the purpose of each access generated by consultations operations’, ‘any minutes of meetings as per EDPB Right of access guideline and cases C‑141/12 and C‑372/12’ and ‘any communication (e.g. Teams’ chats, emails, etc.) between the [European Commission] and [other] third parties as per EDPB Right of access guideline’.
13 On 1 February 2024, the applicant submitted to EPSO, pursuant to Article 17 of Regulation 2018/1725, a new request for access to personal data concerning him, requesting:
– to have restored the personal data concerning him which were allegedly unlawfully deleted;
– a copy of his data after the restore;
– any minutes of meetings held at EPSO or outside it, in accordance with EDPB Right of access guidelines 01/2022 of 28 March 2023 – and the judgment of 22 June 2023, Pankki S (C‑579/21, EU:C:2023:501);
– any internal or external communication (e.g. Teams chats, emails, etc.) between the Commission and third parties;
– log files fully compliant with the requirements of Regulation 2018/1725 (with regard the judgment of 22 June 2023, Pankki S (C‑579/21, EU:C:2023:501)), with recipients, categories, purposes of access, etc.;
– that his rights of objection and restriction be complied with;
– evidence that EPSO held no log files or data as deemed necessary by the accountability principle laid down in Regulation 2018/1725 and the order of the EDPS;
– evidence that his data relating to three deleted selection procedures have been deleted and the date, reason for and person who undertook that deletion.
14 In the contested decision of 15 April 2024, the applicant’s request of 4 January 2024 (see paragraph 12 above) was rejected.
15 In the contested decision of 3 May 2024, the applicant’s request of 1 February 2024 (see paragraph 13 above) was rejected.
16 In the contested decision of 3 May 2024, EPSO confirmed that, after having received the applicant’s request of 18 June 2022 (see paragraph 6 above), it had deleted the personal data concerning the applicant relating to the three selection procedures in which he had been unsuccessful, since those data ought normally to have been deleted two years after the date on which he had been excluded from those procedures.
17 In that regard, EPSO explained that candidates’ personal data were stored for a certain period and that, on the expiry of that period, those data were deleted manually, since the Talent system did not have a feature allowing their automatic deletion. In addition, EPSO stated that the non-automatic and periodical nature of that method meant that, in some cases, data could be stored past the applicable legal retention periods, which had been so in the present case. In that regard, EPSO acknowledged that its position was not in line with the EDPB guidelines 01/2022 on data subject rights – Right of access, but stated that since those guidelines were adopted after EPSO responded to the applicant’s request of 18 June 2022, it was not in a position to take them into account. Consequently, it concluded that the deletion of the applicant’s data after the expiry of a certain period did not infringe Regulation 2018/1725 or any relevant rule laid down by an act of law.
18 On 6 May 2024, the applicant provided the contested decision of 3 May 2024 to the EDPS.
19 On 21 May 2024, the EDPS closed its investigation by explaining that ‘[it had] carefully analysed EPSO’s reply to the complainant of 30 November 2023, and its further clarifications provided by letter of 3 May 2024’, and had concluded that ‘EPSO [had] provided the complainant with the logs generated by consultation operations of his EPSO profile that it had in its possession’ and that, consequently, EPSO ‘[had] complied with the EDPS order to grant the complainant access to all his log data available in the systems used for the purpose of managing selection procedures’.
Forms of order sought
20 The applicant claims that the Court should:
– annul the contested decision of 15 April 2024 and the contested decision of 3 May 2024;
– order the Commission to pay the costs.
21 The Commission contends that the Court should:
– dismiss the action;
– order the applicant to pay the costs.
Law
22 After hearing the views of the parties in that regard, the Court has decided to join the present cases for the purposes of the judgment, in accordance with Article 68 of the Rules of Procedure of the General Court.
23 In support of his action in Case T‑318/24, the applicant raises a single plea in law, alleging (i) infringement of Article 17(1)(a) and (c), and Article 17(3) of Regulation 2018/1725 (ii) infringement of Article 4(1)(a) and (f) and Article 4(2) of that regulation and (iii) infringement of Article 14(3) of that regulation.
24 In support of his action in Case T‑362/24, the applicant raises a single plea in law, alleging (i) infringement of Article 4(1)(a), (d) and (f) and Article 4(2) of Regulation 2018/1725 (ii) infringement of Article 14(1) to (3) of that regulation (iii) infringement of Article 17(1) and (3) of that regulation and (iv) infringement of Articles 20 and 23 of that regulation.
Infringement of Article 17(1) and (3) of Regulation 2018/1725
25 The applicant submits that EPSO infringed Article 17(1) and (3) of Regulation 2018/1725 in that, in the contested decision of 15 April 2024 and in the contested decision of 3 May 2024, EPSO did not provide any of the personal data which he had requested in his requests of 4 January and 1 February 2024, namely a copy of the personal data concerning him which had been deleted unlawfully but which ought to be restored, minutes of meetings which contained personal data concerning him held at the Commission or outside it as well as all internal or external communications between the Commission and third parties containing personal data concerning him and log files, complying in all respects with the requirements of Regulation 2018/1725 in the light of the judgment of 22 June 2023, Pankki S (C‑579/21, EU:C:2023:501), containing the recipients, categories of recipients, purposes of access, etc.
26 The Commission disputes those arguments.
27 As a preliminary point, it should be recalled that, pursuant to Article 17(1) and (3) of Regulation 2018/1725, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and information about the purposes of the processing, the recipients or categories of recipient to whom the personal data have been or will be disclosed. The controller is to provide a copy of the personal data undergoing processing.
28 First, as regards the copy of the personal data concerning the applicant which were allegedly deleted unlawfully, it must be stated, as the Commission correctly submits in paragraph 36 of the defence in Case T‑362/24, that EPSO was entitled to delete those data concerning the applicant, as is apparent from paragraphs 55 to 59 below. Furthermore, Regulation 2018/1725 does not confer a right to restoration of the deleted data on data subjects. Indeed, as regards that point, the regulation does not impose any obligation on the controller and the applicant has not, moreover, identified any provision which would support the existence of such an obligation.
29 Consequently, it must be concluded that, by refusing to provide the applicant with a copy of the data referred to in paragraph 25 above after their restoration, the Commission in no way infringed Article 17(1) and (3) of Regulation 2018/1725.
30 Second, as regards the minutes of meetings and internal or external communications, it must be observed that, in his request of 1 February 2024, the applicant had essentially requested the same minutes and communications as in his request of 4 January 2024 (see paragraph 12 above), to which EPSO had replied by the contested decision of 15 April 2024 (see paragraph 14 above), therefore, prior to the contested decision of 3 May 2024.
31 Therefore, it must be concluded that EPSO could legitimately take the view that it had responded to the applicant’s request and that, therefore, it was not necessary to repeat its response in the contested decision of 3 May 2024.
32 In particular, as regards the minutes of meetings, EPSO stated, in paragraph 6 of the contested decision of 15 April 2024, that it ‘[had] not drawn up any minutes of meetings concerning [the applicant] or otherwise containing [the applicant’s] personal data, and [that it had] not received such documents from other services, either’.
33 As regards internal or external communications, EPSO stated, in paragraph 7 of the contested decision of 15 April 2024, that ‘the only personal data currently processed by [it] that [had] not been obtained from [the applicant] and [had] been included in communications [consisted] in the case numbers [relating to the complaints submitted by the applicant to the Data Protection Officer of the Commission and the EDPS]’.
34 In that regard, it should be noted that the applicant has provided no argument capable of refuting the assertions in paragraphs 32 and 33 above. As the Commission correctly submits, in that context, the applicant merely provides a list of communications between EPSO and third parties, without indicating precisely which personal data concerning him within that list EPSO has not provided to him.
35 It must be stated that, according to settled case-law, the right to obtain a copy of the personal data undergoing processing does not relate to a document as such, but to the personal data which it contains and which must be complete (see, to that effect, judgment of 26 October 2023, FT (Copies of medical records), C‑307/22, EU:C:2023:811, paragraph 72 and the case-law cited).
36 Consequently, the applicant has not succeeded in rebutting, on the basis of relevant and consistent evidence, EPSO’s assertions that there are no personal data concerning him in the documents requested.
37 It follows from the foregoing that, by failing to provide the applicant with minutes of meetings and internal or external communications, the Commission has not infringed Article 17(1) and (3) of Regulation 2018/1725.
38 Third, as regards access to the log files, it is apparent from the case file that the files concerned were sent to the applicant by letter of 30 November 2023, following the EDPS order (see paragraph 10 above).
39 In that regard, it must be stated that, in his request of 1 February 2024, the applicant had requested the same log files as in his request of 4 January 2024 (see paragraph 12 above), to which EPSO had replied by the contested decision of 15 April 2024 (see paragraph 14 above), therefore, prior to the contested decision of 3 May 2024.
40 In the contested decision of 3 May 2024, EPSO stated that ‘as regards any further log data beyond that already provided in [its] earlier replies, [it regretted] that [it could] only confirm that no such data exist[ed], due to the legacy nature and limited logging capabilities of the data management systems in which [the applicant’s] data [had been] stored’.
41 In the present case, in response to the applicant’s argument that, contrary to the judgment of 22 June 2023, Pankki S (C‑579/21, EU:C:2023:501), the log files provided by EPSO on 30 November 2023 did not indicate the recipients of the personal data concerning him or the purpose of each access, it must be observed, as a preliminary point, that that judgment concerns Article 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’), and that Article 15 of the GDPR is an equivalent provision to Article 17 of Regulation 2018/1725.
42 In that context, it must be noted that, as set out in Article 15(1) of the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and information as well as information regarding the purposes of the processing, pursuant to Article 15(1)(a) of the GDPR, and the recipients or categories of recipient to whom those personal data have been or will be disclosed, pursuant to Article 15(1)(c) of the GDPR.
43 Article 4(9) of the GDPR states that ‘recipient’ means ‘a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not’.
44 In that regard, it should be recalled that the log files reveal the existence of data processing, information to which the data subject must have access under Article 15(1) of the GDPR. In addition, they provide information on the frequency and intensity of the consultation operations, thus enabling the data subject to ensure that the processing carried out is actually motivated by the purposes put forward by the controller. Those files contain information relating to the identity of the persons who carried out the consultation operations (see, to that effect, judgment of 22 June 2023, Pankki S, C‑579/21, EU:C:2023:501, paragraphs 70 and 71).
45 In that context, although it follows from Article 15(1)(c) of the GDPR that the data subject has the right to obtain from the controller information relating to the recipients or categories of recipients to whom the personal data have been or will be disclosed, the employees of the controller cannot be regarded as being ‘recipients’, within the meaning of that article, when they process personal data under the authority of that controller and in accordance with its instructions (see, to that effect, judgment of 22 June 2023, Pankki S, C‑579/21, EU:C:2023:501, paragraph 73).
46 Yet, even if the disclosure of the information relating to the identity of the controller’s employees to the data subject may be necessary for that data subject in order to ensure the lawfulness of the processing of his or her personal data, it is nevertheless liable to infringe the rights and freedoms of those employees (judgment of 22 June 2023, Pankki S, C‑579/21, EU:C:2023:501, paragraph 79).
47 Therefore, Article 15(1) of the GDPR must be interpreted as meaning that even if information relating to consultation operations carried out on a data subject’s personal data and concerning the dates and purposes of those operations constitutes information which that person has the right to obtain from the controller under that provision, that provision does not lay down such a right in respect of information relating to the identity of the employees of that controller who carried out those operations under its authority and in accordance with its instructions, unless that information is essential in order to enable the person concerned effectively to exercise the rights conferred on him or her by that regulation and provided that the rights and freedoms of those employees are taken into account (judgment of 22 June 2023, Pankki S, C‑579/21, EU:C:2023:501, paragraph 83).
48 However, as the Commission correctly submits, it is not apparent from the judgment of 22 June 2023, Pankki S (C‑579/21, EU:C:2023:501), that Article 15 of the GDPR requires the controller to set up a logging mechanism containing information on the identity of employees who have carried out consultation operations in respect of the personal data of a person.
49 Therefore, the same goes for Article 17 of Regulation 2018/1725, with the result that the fact that the log files to which the applicant requested access did not contain information on the precise purposes of the access or on the recipients or categories of recipients of the personal data cannot lead to an infringement of that article.
50 It is also apparent from Annex A.20 to the application in Case T‑318/24 and from Annex A.3 to the application in Case T‑362/24 that the applicant had already been informed of the purposes of the processing and of the recipients of his personal data.
51 Lastly, having regard to the considerations set out in paragraphs 42 to 47 above, the controller’s employees cannot be regarded as ‘recipients’, as referred to in Article 15(1) of the GDPR, with the result that that article, like Article 17 of Regulation 2018/1725, does not confer on the applicant a right to obtain from that controller information relating to the identity of the EPSO staff members who consulted his EPSO account in the Talent system.
52 It follows from the foregoing that the contested decision of 15 April 2024 and the contested decision of 3 May 2024 do not infringe Article 17(1) and (3) of Regulation 2018/1725 and that, consequently, the applicant’s arguments in that regard must be rejected.
Infringement of Article 4(1)(a), (d) and (f) and of Article 4(2) of Regulation 2018/1725
53 The applicant submits that EPSO infringed the principles of ‘accuracy’, ‘integrity and confidentiality’ and ‘lawfulness, fairness and transparency’, laid down in Article 4(1)(a), (d) and (f) and Article 4(2) of Regulation 2018/1725. In the contested decision of 15 April 2024, EPSO did not provide the log files, contrary to Article 17(1)(a) and (c) of that regulation, read in the light of the judgment of 22 June 2023, Pankki S (C‑579/21, EU:C:2023:501), and that decision also does not contain copies of the personal data concerning him undergoing processing, contrary to Article 17(3) of that regulation. The applicant argues that, furthermore, in the contested decision of 3 May 2024, EPSO ignored his request to restore the personal data concerning him, which, moreover, had been deleted unlawfully. Lastly, EPSO provided no evidence demonstrating that it did not have log files or data deemed necessary under the principle of accountability laid down in Regulation 2018/1725 and the EDPS order, or any evidence demonstrating that personal data concerning the applicant which related to three selection procedures had been deleted.
54 The Commission disputes those arguments.
55 In that regard, it should be recalled that, under Article 4(1)(a) of Regulation 2018/1725, personal data is to be processed ‘lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)’, that, under Article 4(1)(d) of that regulation, the data must be accurate and, where necessary, kept up to date, taking every reasonable step to ensure that inaccurate data ‘are erased or rectified without delay (“accuracy”)’, and that, under Article 4(1)(f) of that regulation, they must be processed in a manner that ensures appropriate security, ‘including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”)’. Article 4(2) of that regulation provides that the controller is to be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
56 First of all, it is apparent from paragraphs 38 to 51 above that, in the context of the decision of 15 April 2024, EPSO provided the applicant with all the information available in the log files to which he had requested access. In addition, as regards the disclosure of a copy of the personal data concerning the applicant which was being processed, it is apparent from paragraphs 28 to 37 above that, in that decision, EPSO informed the applicant that no personal data concerning him was found in the requested documents. Consequently, it must be concluded that the decision of 15 April 2024 is not vitiated by an infringement of Article 4(1)(a), (d) or (f) or of Article 4(2) of Regulation 2018/1725.
57 Furthermore, as regards the decision of 3 May 2024, it should be noted, first, that it follows from Regulation 2018/1725 that the period for which the personal data are stored is no longer than that necessary for the purposes for which the personal data are processed (Article 4(1)(e)), that controllers are to delete such data once they are no longer necessary (Article 19(1)(a)) and that processing, such as deletion, is lawful if it is necessary for compliance with a legal obligation to which the controller is subject (Article 5(1)(b)).
58 In addition, as the Commission stated without being challenged by the applicant, he was aware that the retention period which applied to his personal data was indeed two years, which is confirmed by the fact that he referred thereto in his request of 1 February 2024, which led to the contested decision of 3 May 2024. It should also be noted that the applicant also did not object to the processing of those data during that period.
59 It follows that the applicant has not demonstrated that the personal data concerning him were deleted unlawfully.
60 Second, as the Commission correctly submits, no provision of Regulation 2018/1725 lays down any obligation on the part of the controller to reinstate the deleted personal data, with the result that it was permissible for EPSO to reject the applicant’s request in that regard (see paragraphs 28 and 29 above).
61 Third, in accordance with the presumption of legality attaching to EU acts, where the institution concerned asserts that a particular data to which access has been sought does not exist, there is a presumption that such data does not exist. That is, however, a simple presumption which the person requesting access may rebut in any way by relevant and consistent evidence. If that presumption is rebutted and that institution can no longer rely on it, it is for that institution to prove the non-existence or lack of possession of the data requested by providing plausible explanations enabling the reasons for such non-existence or lack of possession to be established (see, by analogy, judgment of 13 November 2024, Kargins v Commission, T‑110/23, not published, EU:T:2024:805, paragraphs 27 and 28 and the case-law cited).
62 In the present case, it must be recalled that the Commission stated, in the contested decision of 3 May 2024, that it had no log file or any other data deemed necessary under the principle of accountability laid down in Regulation 2018/1725 and under the EDPS order other than the data which had already been sent to the applicant in that respect. In order to challenge that assertion, the applicant merely lists documents containing personal data concerning him. However, that cannot rebut the presumption of legality referred to in paragraph 61 above. Therefore, as the Commission did, it must be concluded that EPSO was not required to adduce any evidence in that regard (see paragraph 40 above).
63 In those circumstances, it must be concluded that EPSO did not infringe Article 4(1)(a), (d) or (f) or Article 4(2) of Regulation 2018/1725 as regards the contested decision of 3 May 2024.
Infringement of Articles 20 and 23 of Regulation 2018/1725
64 The applicant submits that the contested decision of 3 May 2024 does not refer to his request of 1 February 2024, nor does it take any action on that request as regards respect for his right to restriction of processing and right to object (see paragraph 13 above) and that, therefore, EPSO has infringed Articles 20 and 23 of Regulation 2018/1725.
65 In particular, the applicant submits that, in his request of 1 February 2024, he informed EPSO of the unlawful processing under Article 20(1)(b) of Regulation 2018/1725 and objected to the processing of his personal data, in accordance with Article 20(1)(d) of that regulation.
66 The Commission disputes those arguments.
67 In that regard, it must be stated that Article 20(1)(b) and (d) of Regulation 2018/1725 provides that the data subject has the right to obtain from the controller restriction of processing where that processing is unlawful and the data subject objects to erasure of the personal data and requests the restriction of their use instead (Article 20(1)(b) of that regulation) or where the data subject has objected to processing pursuant to Article 23(1) of that regulation pending the verification whether the legitimate grounds of the controller overrode those of the data subject (Article 20(1)(d) of that regulation). Article 23 of that regulation provides for the right of every data subject to object and the arrangements for exercising that right.
68 In the present case, as regards the alleged infringement of Article 20(1)(b) of Regulation 2018/1725, it is apparent from the request for access of 1 February 2024 that the unlawful processing relied on by the applicant in order to obtain, in accordance with that article, a restriction of that processing consisted of the deletion of his personal data.
69 In that context, as a preliminary point, it must be observed that, in accordance with Article 3(3) of Regulation 2018/1725, the deletion of personal data is to be regarded as processing of such data.
70 However, as stated in paragraphs 57 to 59 above, the deletion of the personal data concerning the applicant complied with Article 4(1)(e) and Article 19(1)(a) of Regulation 2018/1725, since EPSO was, furthermore, not required to restore such data.
71 It follows from the foregoing that there has been no unlawful processing by EPSO and, consequently, no infringement of Article 20(1)(b) of Regulation 2018/1725.
72 As regards the alleged infringement of Article 20(1)(d) of Regulation 2018/1725, it must be observed, as the Commission has done, that that article presupposes that the applicant had the right to object to the deletion of his personal data under Article 23(1) of that regulation.
73 However, Article 23(1) of Regulation 2018/1725 applies only to the processing of personal data taking as its basis Article 5(1)(a) of that regulation, whereas, in the present case, the deletion of personal data took as its basis Article 5(1)(b) of that regulation (see paragraph 57 above), with the result that Article 20(1)(d) of that regulation was not applicable.
74 It follows from the foregoing that no infringement of Article 20(1)(d) can be alleged against the Commission, with the result that the applicant’s arguments in that regard must be rejected.
Infringement of Article 14(1) to (3) of Regulation 2018/1725
75 In Case T‑318/24, the applicant maintains that, in the contested decision of 15 April 2024, the Commission infringed Article 14(3) of Regulation 2018/1725, in that EPSO did not explain why it had replied to his request after the expiry of the time limit referred to in that article.
76 In Case T‑362/24, the applicant submits that the contested decision of 3 May 2024 fails to comply with Article 14(1) to (3) of Regulation 2018/1725 by raising six complaints in that regard, alleging that (i) EPSO failed to provide any of the requested personal data, (ii) EPSO did not facilitate the exercise of the rights which the data subject derived from Articles 17 to 24 of Regulation 2018/1725, (iii) EPSO provided no reason for the delay in adopting that decision, (iv) EPSO failed to comply with his rights of restriction as referred to in Article 20 of that regulation, (v) EPSO failed to comply with his right to object as referred to in Article 23 of that regulation and (vi) EPSO replied more than three months after the request for access of 1 February 2024.
77 The Commission disputes those arguments.
78 In that regard, as regards the first complaint, raised by the applicant in Case T‑362/24, reference should be made to paragraphs 28 to 51 above, on the basis of which it was concluded that EPSO had acted in accordance with Article 17(1) and (3) of Regulation 2018/1725. Furthermore, the fourth and fifth complaints raised by the applicant in that case allege infringements of Articles 20 and 23 of Regulation 2018/1725, which, as observed in paragraphs 67 to 74 above, have not been infringed.
79 In addition, as regards the second complaint, relied on by the applicant in Case T‑362/24, it must be stated that the applicant has failed to put forward any arguments in support of his allegation that EPSO did not facilitate the exercise of the rights which the data subject derived from Articles 17 to 24 of Regulation 2018/1725, with the result that that complaint must be rejected.
80 In the light of the foregoing, it must be held that no infringement of Article 14(1) to (3) of Regulation 2018/1725 can be found as regards the first, second, fourth and fifth complaints relied on by the applicant in Case T‑362/24.
81 Lastly, as regards the sole complaint raised by the applicant in Case T‑318/24 as well as the third and sixth complaints raised by him in Case T‑362/24, relating to the period which elapsed between (i) the request of 4 January 2024 and the contested decision of 15 April 2024 and (ii) the request of 1 February 2024 and the contested decision of 3 May 2024, it must be held that, even though it is true that those decisions were adopted after the expiry of the period laid down in Article 14(3) and (4) of Regulation 2018/1725, that fact does not, in itself, render them unlawful (see, by analogy, judgment of 19 January 2010, Co-Frutta v Commission, T‑355/04 and T‑446/04, EU:T:2010:15, paragraphs 58 and 59).
82 It follows from the foregoing that all of the applicant’s arguments alleging infringement of Article 14(1) to (3) of Regulation 2018/1725 must be rejected and, consequently, the action must be dismissed in its entirety.
Costs
83 Under Article 134(1) of the Rules of Procedure, the unsuccessful party is to be ordered to pay the costs if they have been applied for in the successful party’s pleadings.
84 Since the applicant has been unsuccessful, he must be ordered to pay the costs, in accordance with the form of order sought by the Commission.
On those grounds,
THE GENERAL COURT (Tenth Chamber)
hereby:
1. Joins Cases T‑318/24 and T‑362/24 for the purposes of the judgment;
2. Dismisses the action;
3. Orders WS to pay the costs.
Delivered in open court in Luxembourg on 3 December 2025.
V. Di Bucci | | M. van der Woude |