CNPD (Luxembourg) - Délibération n°43FR/2021: Difference between revisions
From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Luxembourg |DPA-BG-Color= |DPAlogo=LogoLU.png |DPA_Abbrevation=CNPD (Luxembourg) |DPA_With_Country=CNPD (Luxembourg) |Case_Number_Name=Délib...") |
(→Facts) |
||
| Line 55: | Line 55: | ||
In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the role of the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular [[Article 37 GDPR|Article 37 GDPR]] to [[Article 39 GDPR|Article 39 GDPR]]). | In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the role of the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular [[Article 37 GDPR|Article 37 GDPR]] to [[Article 39 GDPR|Article 39 GDPR]]). | ||
One of these audit proceedings concerned a not-for-profit association (Association Sans But Lucratif) established under Luxembourg law (hereafter, the ASBL). The ASBL is part of a confederation specialised in the provision of social services. In that context, the ASBL has established different partnerships with various entities providing social services in Luxembourg (the Patner Entities). The core activities of the ASBL is therefore not to provide social services, but rather to manage the funding of the | One of these audit proceedings concerned a not-for-profit association (Association Sans But Lucratif) established under Luxembourg law (hereafter, the ASBL). The ASBL is part of a confederation specialised in the provision of social services. In that context, the ASBL has established different partnerships with various entities providing social services in Luxembourg (the Patner Entities). The core activities of the ASBL is therefore not to provide social services, but rather to manage the funding of the Partner Entities, validate common strategies for the confederation, and determine which Partner Entities are responsible for their implementation. | ||
responsible for their implementation. | |||
During the audit, it was found by the head of investigation of the CNPD that the ASBL had appointed a DPO pursuant to [[Article 37 GDPR#1|Article 37(1) GDPR]]. No violation of the obligations relating to the role and position of the DPO was found. | During the audit, it was found by the head of investigation of the CNPD that the ASBL had appointed a DPO pursuant to [[Article 37 GDPR#1|Article 37(1) GDPR]]. No violation of the obligations relating to the role and position of the DPO was found. In the course of the proceedings, the CNPD questioned however the necessity for the ASBL to appoint a DPO in the first place. The CNPD therefore invited the head of investigation to get complementary information on that point. The head of investigation further communicated with the ASBL, and concluded that the latter was under the obligation to appoint a DPO. | ||
=== Holding === | === Holding === | ||
Based on the | Based on the received complementary information, the CNPD decided ''not'' to concur with the conclusion of the head of investigation. Taking into account the managerial role of the ASBL within the confederation, and in particular the fact that the ASBL itself was not processing health data for the provision of social services, the CNPD found that the ASBL had wrongfully concluded that it was under an obligation to appoint a DPO pursuant [[Article 37 GDPR#1|Article 37(1) GDPR]]. The CNPD further pointed out that the investigation should have covered the processing activities of the Partner Entities of the confederation. | ||
Given the absence of any violation on the part of the ASBL, the CNPD decided to close the case. | |||
== Comment == | == Comment == | ||
Revision as of 09:24, 3 December 2021
| CNPD (Luxembourg) - Délibération n°43FR/2021 | |
|---|---|
 | |
| Authority: | CNPD (Luxembourg) |
| Jurisdiction: | Luxembourg |
| Relevant Law: | Article 37(1) GDPR |
| Type: | Investigation |
| Outcome: | No Violation Found |
| Started: | |
| Decided: | 27.10.2021 |
| Published: | |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | Délibération n°43FR/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | French |
| Original Source: | Luxembourg DPA (in FR) |
| Initial Contributor: | Florence D'Ath |
The Luxembourg DPA found that a non-profit association, forming part of a confederation of entities providing social services, had wrongfully concluded that it was obliged to appoint a DPO pursuant to Article 37(1) GDPR. In the absence of any violation, however, the CNPD closed the case.
English Summary
Facts
In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the role of the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR).
One of these audit proceedings concerned a not-for-profit association (Association Sans But Lucratif) established under Luxembourg law (hereafter, the ASBL). The ASBL is part of a confederation specialised in the provision of social services. In that context, the ASBL has established different partnerships with various entities providing social services in Luxembourg (the Patner Entities). The core activities of the ASBL is therefore not to provide social services, but rather to manage the funding of the Partner Entities, validate common strategies for the confederation, and determine which Partner Entities are responsible for their implementation.
During the audit, it was found by the head of investigation of the CNPD that the ASBL had appointed a DPO pursuant to Article 37(1) GDPR. No violation of the obligations relating to the role and position of the DPO was found. In the course of the proceedings, the CNPD questioned however the necessity for the ASBL to appoint a DPO in the first place. The CNPD therefore invited the head of investigation to get complementary information on that point. The head of investigation further communicated with the ASBL, and concluded that the latter was under the obligation to appoint a DPO.
Holding
Based on the received complementary information, the CNPD decided not to concur with the conclusion of the head of investigation. Taking into account the managerial role of the ASBL within the confederation, and in particular the fact that the ASBL itself was not processing health data for the provision of social services, the CNPD found that the ASBL had wrongfully concluded that it was under an obligation to appoint a DPO pursuant Article 37(1) GDPR. The CNPD further pointed out that the investigation should have covered the processing activities of the Partner Entities of the confederation.
Given the absence of any violation on the part of the ASBL, the CNPD decided to close the case.
Comment
Even when the GDPR does not specifically require the appointment of a DPO pursuant to Article 37(1) GDPR, organisations may designate a DPO on a voluntary basis. Such practice is encouraged by the Article 29 Working Party (the predecessor of the EDPB). If a DPO is appointed on a voluntary basis however, the requirements under Articles 37 to 39 will apply. In this case, however, the CNPD did not analyse in details whether these requirements had been fulfilled by the ASBL, pointing that the investigation should have rather covered the activities of the Partner Entities providing the social services.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on
the outcome of survey no. [...] conducted with the Association without
profit A.
Deliberation n ° 43FR / 2021 of October 27, 2021
The National Commission for Data Protection sitting in a restricted body,
composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc
Lemmer, commissioners;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on
the protection of individuals with regard to the processing of personal data
personnel and the free movement of such data, and repealing Directive 95/46 / EC;
er
Having regard to the law of 1 August 2018 on the organization of the National Commission for the Protection
data and the general data protection regime, in particular Article 41 thereof;
Having regard to the internal regulations of the National Commission for Data Protection
adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular Article 10, point
2;
Having regard to the regulations of the National Commission for Data Protection relating to the
investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020, in particular
its article 9;
Considering the following:
I. Facts and procedure
1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and
the importance of its integration into the body, and considering that the guidelines
1
concerning DPOs have been available since December 2016, i.e. 17 months before entry into
application of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016
1The guidelines concerning DPOs were adopted by the “Article 29” working group on 13
December 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] carried out with the non-profit association A
1/7 relating to the protection of natural persons with regard to the processing of personal data
personal data and the free movement of such data, and repealing Directive 95/46 / EC
(general data protection regulation) (hereafter: the "GDPR"), the Commission
National Data Protection Authority (hereinafter: the "National Commission" or the
"CNPD") has decided to launch a thematic survey campaign on the function of the DPO.
Thus, 25 audit procedures were opened in 2018, concerning both the private sector and the
public sector.
2. In particular, the National Commission decided by decision no. […] Of 14
September 2018 to initiate an investigation in the form of a data protection audit
with the non-profit association A located at […], L- […] and registered in the register of
Luxembourg trade and companies under the number […] (hereinafter: the “controlled”) and
appoint Mr. Christophe Buschmann as head of the investigation. Said deliberation specifies that
the investigation relates to the compliance of the inspected with section 4 of chapter 4 of the GDPR.
3. According to Article 3 of its statutes, the purpose of the inspected is [to provide social services].
4. By letter of September 17, 2018, the head of the survey sent a questionnaire
preliminary to the control to which the latter replied by email of October 15, 2018.
on-site visits took place on January 28, 2019 and March 13, 2019. Following these discussions, the
Chief Investigator drew up the audit report no. […] (hereafter: the "audit report").
5. It emerges from the audit report that in order to verify the compliance of the organization with the
section 4 of chapter 4 of the GDPR, the head of the investigation defined eleven control objectives,
know :
1) Ensure that the body subject to the obligation to appoint a DPO has done so;
2) Make sure that the organization has published the contact details of its DPO;
3) Ensure that the organization has communicated the contact details of its DPO to the CNPD;
4) Ensure that the DPO has sufficient expertise and skills to
carry out its missions effectively;
5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest;
6) Ensure that the DPO has sufficient resources to perform effectively
of its missions;
7) Ensure that the DPO is able to carry out his missions to a sufficient degree
autonomy within their organization;
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with the non-profit association A 2/7 8) Ensure that the organization has put in place measures so that the DPO is associated with
all matters relating to data protection;
9) Ensure that the DPO fulfills his mission of information and advice to the
data controller and employee;
10) Ensure that the DPO exercises adequate control over data processing within
of his body;
11) Ensure that the DPO assists the controller in carrying out the
impact analyzes in the event of new data processing.
6. By letter of 28 October 2019 (hereinafter: the “statement of objections”), the Chief
investigation informed the inspector of breaches of obligations under the GDPR that it
noted during its investigation. The audit report was attached to the letter.
7. In particular, the head of the investigation noted in the statement of objections a
2
breach relating to the DPD's control mission.
8. By letter of November 18, 2019, the inspector sent the head of the investigation
position regarding the failure noted in the statement of objections.
9. On December 3, 2020, the head of the investigation sent the inspectorate a letter
complementary to the statement of objections by which he informs the inspectorate that,
given the position taken by the latter of November 18, 2019, "it is appropriate to lift the grievance
relating to compliance with the requirements relating to the missions of the DPO and in particular
control "and that" [i] t therefore no longer has any grievance against you
regarding this investigation. "
10. By email of December 7, 2020, the head of the investigation forwarded the investigation file to
the National Commission sitting in a restricted formation (hereinafter: the "formation
restricted "), indicating that it has not accepted any grievance or breach against the inspected,
when the latter had met the expectations set in the survey or presented
elements of mitigation that it considers sufficient in relation to the control objectives adopted
in point 5 of this decision. For these reasons, the investigator proposed to the training
restricted, in its communication of December 7, 2020, the closure of the file.
2Objective 10
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° […] carried out with the non-profit association A 3/711. The restricted committee examined the case during its session on February 5, 2021,
in accordance with Article 10.2.a) of the Rules of Procedure of the National Commission.
12. During the said session, the restricted committee considered that it was not sufficient
enlightened on the point of knowing whether the controlled, taking into account its structure, within which
several member entities are grouped together, and the predominance of said entities for
the management and exercise of its activities, is obliged to appoint a delegate to
data protection under Article 37 (1) of the General Regulation on
Data protection.
13. The restricted committee therefore asked the head of the investigation, by letter from
25 March 2021, to proceed, in accordance with Article 10.2.a) of the internal regulations of
the National Commission, to further investigation on this point.
14. By email of May 25, 2021, the head of the investigation asked the control of him
communicate additional information and documents, in particular concerning
activities of the inspectorate and its decision-making structure, in order to be able to inform the training
limited on whether the inspected is obliged to appoint a delegate
to data protection under Article 37 (1) of the General Regulation on
Data protection.
15. The inspected responded to this request by letter of June 15, 2021. The inspected there
indicates in particular that he carried out an analysis that led him to consider that he is in
the obligation to appoint a DPO and that this analysis has been updated
given the questions raised by the restricted committee in this regard.
16. Following this exchange, the head of the investigation informed the restricted party, by email from the
June 22, 2021, from its conclusion on the item for further investigation, according to
which the inspected is indeed subject to the obligation to appoint a DPO. The head of inquiry has by
elsewhere again proposed to the restricted committee to close the file, considering that it
There is no reason to hold any breach with regard to the inspected.
17. The restricted committee examined the case again at its meeting on October 27.
2021, in accordance with Article 10.2.a) of the Commission's Rules of Procedure
national.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° […] carried out with the non-profit association A 4/718. Taking into account the elements communicated by the inspected within the framework of the supplement
investigation, the small group finds that it does not share the chief's conclusion
investigation according to which the inspected is indeed subject to the obligation to appoint a delegate to
Data protection.
19. It should first be noted that the inspected is an entity [...] "which brings together the
activities organized for its service provider members ”and that, as mentioned in
point 12 of this decision, these entities have a preponderant place for the management and
the exercise of its activities.
20. As for the activities of the inspected, the restricted formation notes that if the chief
investigation rightly noted in its email of June 22, 2021 that "[t] he core activities
[of the controlled] are [to provide social services] and that, as part of these activities, the
controlled processes data relating to health, the head of the investigation also noted
that “[i] n the framework of its basic activities, [the controlled] does not have any collaborators.
All the activities are carried out by another entity, member of the network [of the controlled], to
the account [of the controlled]. "
21. In this regard, it should be noted that in its response of 15 June 2021, the inspected
only identified a single "own operational activity", the other activities mentioned
being on the one hand "Operational activities delegated" to one of its member entities
and on the other hand, "Administrative and support activities" delegated to two entities
members.
22. With regard to the decision-making structure, the elements communicated by the
controlled confirm that its member entities, which sit in its Assembly
general, occupy a prominent place, it being specified "that an activity is recognized
as an activity [of the controlled] if it was set up by decision of the board
of directors ", this board of directors being" composed of at least [...] members and
of [...] members at most, taken from among the active members and elected by the general assembly
ordinary and annual ruling by a simple majority of the votes of the active members present. "
23. The inspected also indicates that this board of directors (hereinafter: CA) "is
responsible for the general management [of the controlled] and for the strategy of the network. Since [the
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] carried out with the non-profit association A 5/7 controlled] has a very limited activity of its own, the Board of Directors focuses on agreements
strategic between the partners forming the network. It validates common strategies
proposed by the partners, determines where applicable their funding and the entity (ies)
responsible for their operationalization. "
24. Finally, the controlled indicates that it is "[in] summary (...) a confederation bringing together the
members, actors and drivers of a common idea in order to determine common policies
and organize their application at the level of field activities. Thus any daily management
(also that [of the controlled itself]) is entrusted to operational entities, in
occurrence to partners. "
25. In view of the above, the restricted committee considers that it was not established by the
further investigation that the controlled, namely the non-profit association A, was
in the obligation to appoint a DPO.
26. In addition, taking into account the objectives defined by the CNPD within the framework of the
thematic survey on the function of the DPO, and in particular the criteria used for
selection of entities, the restricted committee considers that the investigation opened by deliberation
No. […] of September 14, 2018 should also have covered, given their activities and
data processing, on other operational entities, members providing
the non-profit association A.
27. In these circumstances, the restricted committee considers that the case should be closed,
in accordance with Article 10.2.a) of the Rules of Procedure of the National Commission.
In view of the foregoing developments, the National Commission sitting in
restricted formation and deliberating unanimously decides:
- to close the investigation opened by deliberation n ° [...] of September 14, 2018 of the
National Commission for Data Protection with the Non-Profit Association
A located at […], L- […] and registered in the Luxembourg trade and companies register
under the number […]
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] carried out with the non-profit association A 6/7 As decided in Belvaux on October 27, 2021.
The National Commission for Data Protection sitting in a restricted body
Tine A. Larsen Thierry Lallemang Marc Lemmer
President Commissioner Commissioner
Indication of remedies
This administrative decision may be the subject of an appeal for reformation within three
months following its notification. This appeal is to be brought before the administrative tribunal and must
must be introduced through a lawyer at the Court of one of the Bar Associations.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
the survey n ° [...] carried out with the non-profit association A 7/7
