GDPR: complaint closure and no Article 78 appeal if not concerned

Right of access under the GDPR: when a “complaint closure” does not open a remedy

On 20 May 2026, the French Council of State held that a CNIL complaint closure is not, by itself, a “legally binding decision” within the meaning of Article 78 GDPR if the complainant is not concretely concerned by the processing. A key takeaway for data subject rights workflows in Luxembourg.

The case

In its decision of 20 May 2026 (nos. 504639, 504641), the Council of State dismissed the appeal brought by a former student and his father against the CNIL President’s decision to close their complaint targeting a clause of a private school’s “GDPR Charter – Parents/Students.” The applicants argued that the charter, published after the student’s final departure, made the exercise of certain rights (objection, portability, erasure) conditional upon de facto deregistration, in breach of the GDPR. The CNIL had issued a compliance notice to adjust the information, then closed the complaint in view of the corrective measures. The Council of State held that: (1) the referral did not constitute a “complaint” within the meaning of Article 77 GDPR, since the disputed stipulations never applied to the applicants; and (2) the complaint closure is not a “legally binding decision” “that concerns them” within the meaning of Article 78 GDPR. The applicants therefore had no standing to challenge this closure (no direct grievance). Full decision on Légifrance: Council of State, 20 May 2026, nos. 504639, 504641.

Legal reasoning

• The GDPR provides two parallel avenues: (a) the “complaint” to the supervisory authority (Art. 77) and (b) effective judicial remedies (Arts. 78 and 79). Article 78(1) allows an appeal “against a legally binding decision of a supervisory authority which concerns him or her”; paragraph 2 opens a remedy where the authority does not handle the complaint or fails to inform the complainant within three months. Official text: EUR‑Lex, Chapter VIII, Arts. 77–78. For a local recap, see our overview of the GDPR and its Articles 77–78.
• According to the Council of State, closing a complaint following awareness-raising or “soft” compliance action does not, by itself, create a legally binding situation for the complainant—especially when they are not personally affected by the processing (post-dated charter, no application to the applicants). Consequently, in such cases neither Article 77 nor Article 78 confers standing. See the summary on the absence of a “legally binding decision” and “standing” in the 20 May 2026 ruling.
• This reading aligns with the GDPR’s structure:
  • Article 77 guarantees the possibility to alert the authority; it does not imply that every response harms the complainant.
  • Article 78 requires either a binding decision affecting the complainant or inaction by the authority (silence > 3 months). CNPD – Chapter VIII (Arts. 77–78).
• Convergence with supervisory practice: Luxembourg’s CNPD indicates it may favor non-binding resolution where this suffices to end the infringement, without necessarily adopting a formal measure (order, sanction). Such an outcome does not in itself create a right to appeal if it does not “concern” the complainant legally. See “Procedure relating to complaints” (CNPD): CNPD, complaints procedure.

Regarding the right of access, this framework interacts with the EDPB’s Article 15 guidance: effectiveness depends on a targeted request, identification, and a reasoned reply—yet Article 78 litigation does not automatically open whenever a complaint is closed. See: EDPB, Guidelines 01/2022 – Right of access.

What changes in practice

1. Properly document and close access requests (Art. 15) and related complaints
   • Provide a written response within one month, extendable by two months if necessary, with reasons and information on legal remedies (CNPD complaint, Art. 77).
   • If a CNPD complaint arises, cooperate to promptly correct information or documentation (notice, charter, FAQ)—a closure without binding measures remains possible where compliance is restored and the complainant is not affected. References: EDPB – Right of access, CNPD – Access right (factsheet), CNPD – Access right (individuals). To structure these workflows, support from a certified DPO mandate can secure timelines and response templates.
2. Clarify when a judicial remedy (Art. 78) is available—and when it is not
   • An Article 78(1) appeal targets a “legally binding decision” that “concerns” the applicant (e.g., an order or sanction addressed to them). A mere closure of a third-party complaint, or soft action by the authority, does not necessarily fall within that scope. EUR‑Lex, Art. 78; Council of State, 20 May 2026.
   • An Article 78(2) appeal may be considered if the authority fails to handle the complaint or to inform the complainant within three months. The CNPD reiterates this information duty. CNPD – Chapter VIII.
3. Adapt your “rights information” templates and records
   • Avoid dissuasive clauses (“exercising your rights will result in deletion of your account”). Such wording can trigger inspections and corrective actions. For local guidance, see our resources on GDPR in Luxembourg and CNPD compliance.
   • Prepare response matrices, including grounds for partial refusals (third-party data, secrets, rights and freedoms of others) and ID verification. The EDPB stresses granularity and traceability.

Common pitfalls

• Assuming an authority’s complaint closure always harms the complainant. The 20 May 2026 ruling shows this is not automatic: no concrete affectation = no standing (Art. 78). Council of State, 20 May 2026.
• Responding late or without indicating remedies. Failure to inform within three months exposes the authority to an Article 78(2) appeal and weakens your position vis‑à‑vis the complainant. EUR‑Lex, Arts. 77–78; CNPD – Chapter VIII.
• Using dissuasive or vague “rights” notices. Ambiguous formulations may lead to a compliance notice; the authority can require corrections even without a formal sanction. CNPD – Complaints procedure.
• Confusing a complaint (Art. 77) with an individual action (Art. 79). A complaint does not replace a liability action (Art. 82) nor a claim against the controller; your notices should clearly distinguish these avenues. EUR‑Lex, Chapter VIII.
• Overlooking ID verification and the scope of the copy (Art. 15(3)). The EDPB requires a copy of the personal data rather than raw documents by default; protection of third parties and secrets remains a filter. EDPB – Right of access.

Official sources

• French Council of State, 10th–9th chambers combined, 20 May 2026, nos. 504639, 504641 (ECLI:FR:CECHR:2026:504639.20260520) — full decision. https://www.legifrance.gouv.fr/ceta/id/CETATEXT000054121355
• Regulation (EU) 2016/679 (GDPR), Chapter VIII, Arts. 77–78 — Official Journal (EUR‑Lex). https://eur-lex.europa.eu/eli/reg/2016/679/oj/?locale=fr
• CNPD (Luxembourg) — Chapter VIII (remedies), access right pages; complaints procedure. https://cnpd.public.lu/fr/legislation/droit-europ/union-europeenne/rgpd/chapitre-8.html ; https://cnpd.public.lu/fr/particuliers/vos-droits/droit-acces.html ; https://cnpd.public.lu/fr/actualites/national/2024/04/fiche-droit-acces.html ; https://cnpd.public.lu/fr/decisions-avis/2020/procedure-reclamations.html
• EDPB — Guidelines 01/2022 on data subject rights – Right of access (final version, 17 April 2023). https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en

Regulatory takeaway

In Luxembourg, the CNPD may favor non-binding measures to restore compliance while informing the complainant of the outcome and available remedies (Arts. 77–78). The 20 May 2026 ruling confirms that this “corrective before coercive” approach does not automatically open a judicial remedy under Article 78 if the complainant is not concretely concerned. For DPOs/CISOs/legal teams, the priority is to structure robust access procedures, promptly adjust notices, and evidence end‑to‑end compliance.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.