CNPD (Luxembourg) - Délibération n° 3018
Revision as of 13:10, 16 October 2020
CNPD - 3018 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 27 GDPR |
Type: | Complaint |
Outcome: | Other Outcome |
Started: | |
Decided: | 04.02.2020 |
Published: | 29.05.2020 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 3018 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | English |
Original Source: | Zoller Thierry (in EN) |
Initial Contributor: | Thierry ZOLLER |
The Luxembourg DPA argues it cannot proceed and is not willing to open an investigation against a company established abroad that has not designated an EU Representative.
English Summary
Facts
Rocketreach sells access to personal data on EU data subjects, allegedly without any legal basis.
Dispute
1. Deleted the data subject's information when all he asked for was access.
2. Did not answer requests enquiring about the legal basis of processing.
3. Has not selected an EU Representative.
4. Mass processing of European data subjects.
Holding
The Luxembourg DPA argues it cannot proceed against a company established abroad that has not designated an EU Representative.
Comment
Although thousands of Luxembourgish and hundreds of thousands of European data subjects are impacted, the DPA of Luxembourg refuses to open an inquiry or investigation.
Further Resources
Part 1: https://blog.zoller.lu/2020/05/how-to-effectively-evade-gdpr-and-reach.html
Part 2: https://blog.zoller.lu/2020/10/how-to-effectively-evade-gdpr-and-reach.html
Although agreeing that Rocketreach is in breach of the GDPR, the CNPD refuses to investigate:
- The CNPD argues that it doesn't have to follow its internal guidelines on "Investigations" because, although it talked to Rocketreach, it did not officially open an actual investigation in this particular case. It also argues that it doesn't need to follow the internal guidelines on "Decisions", as a decision not to open an investigation is formally not a Decision as defined in its policies.
- The CNPD further argues that the Luxembourgish law on data protection does not specify any criteria for when the CNPD would or would not need to open an investigation, and thus concludes it can do so at will.
- In the case of Rocketreach in particular, the CNPD argues that it makes no sense to open an investigation, as it would not be able to ensure that Rocketreach then respects the outcome. In other words, they won't let us benefit from their efforts should we seek judicial redress.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.