CNPD (Luxembourg) - Délibération n°37FR/2021: Difference between revisions

From GDPRhub
(Updated in line with the Style Guide, improved language)
 
(One intermediate revision by one other user not shown)
Line 57: Line 57:
In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the obligations relating to the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular [[Article 37 GDPR]] to [[Article 39 GDPR]]).
In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the obligations relating to the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular [[Article 37 GDPR]] to [[Article 39 GDPR]]).


One of these audit proceedings concerned a Luxembourg private company (hereafter, the Company). During the investigation, it was found that the Company had failed to communicate the contact details of its DPO to the CNPD on time, in breach of [[Article 37 GDPR|Article 37(7) GDPR]]. Furthermore, it was found that the DPO appointed by the Company had other tasks and duties that could result in a conflict of interests, in breach of [[Article 38 GDPR|Article 38(6) GDPR]].
One of these audit proceedings concerned a Luxembourg private company (hereafter, the controller). During the investigation, it was found that the controller had failed to communicate the contact details of its DPO to the DPA on time, in breach of [[Article 37 GDPR|Article 37(7) GDPR]]. Furthermore, it was found that the DPO appointed by the controller had other tasks and duties that could result in a conflict of interests, in breach of [[Article 38 GDPR|Article 38(6) GDPR]].


=== Holding ===
=== Holding ===
Because the Company had communicated the contact details of the DPO on 28 September 2018 (that is, more than 4 months after the day of application of the GDPR), the CNPD found that the Company had violated Article 37(7) GDPR.
Because the controller had communicated the contact details of the DPO on 28 September 2018 (that is, more than 4 months after the day of application of the GDPR), the DPA found that the controller had violated Article 37(7) GDPR.


Because the DPO of the Company was also "''Head  of  Compliance,  Money  Laundering  Reporting  Officer''", it was found that the DPO was involved in tasks that could result in a conflict of interest. As pointed out by the investigator of the CNPD in his report, a DPO cannot exercise within the same company a function which allows him or her to determine the purposes and means of processing of personal data. In this case, the DPO was involved in the determination and implementation of personal data processing as part of his duties as Head of Compliance, and was therefore bound to assess the data processing practices which he/she had put in place himself/herself. None of the measures taken by the Company to mitigate the risk of conflict of interest  (such as the fact that, in the event of a potential conflict of interest, the processing practices concerned would need to be countersigned by the hierarchical superior of the DPO) were found to be sufficient. In  the course of the audit proceeding, however, the Company informed the CNPD that it had appointed a new DPO to avoid any future conflict of interest.
Because the DPO of the controller was also "''Head  of  Compliance,  Money  Laundering  Reporting  Officer''", it was found that the DPO was involved in tasks that could result in a conflict of interest. As pointed out by the investigator of the DPA in his report, a DPO cannot exercise within the same company a function which allows him or her to determine the purposes and means of processing of personal data. In this case, the DPO was involved in the determination and implementation of personal data processing as part of his duties as Head of Compliance, and was therefore bound to assess the data processing practices which he/she had put in place himself/herself. None of the measures taken by the controller to mitigate the risk of conflict of interest  (such as the fact that, in the event of a potential conflict of interest, the processing practices concerned would need to be countersigned by the hierarchical superior of the DPO) were found to be sufficient. In  the course of the audit proceeding, however, the controller informed the DPA that it had appointed a new DPO to avoid any future conflict of interest.


For these reasons, the CNPD found that the Company had violated  [[Article 37 GDPR|Article 37(7) GDPR]] and [[Article 38 GDPR|Article 38(6) GDPR]]. Since both violations had been addressed, however, the CNPD did not impose any administrative fine on the Company but simply issued a warning.
For these reasons, the DPA found that the controller had violated  [[Article 37 GDPR|Article 37(7) GDPR]] and [[Article 38 GDPR|Article 38(6) GDPR]]. Since both violations had been addressed, however, the DPA did not impose any administrative fine on the controller but simply issued a warning.


== Comment ==
== Comment ==

Latest revision as of 17:41, 25 June 2022

CNPD (Luxembourg) - 37FR/2021
LogoLU.png
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 37(7) GDPR
Article 38(6) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.10.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: 37FR/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Luxembourg DPA (in FR)
Initial Contributor: Florence D'Ath

The Luxembourg DPA found that a company was in breach of its obligation to communicate the contact details of its Data Protection Officer (DPO) under Article 37(7) GDPR, and of its obligation to ensure that its DPO does not have any conflict of interests under Article 38(6) GDPR.

English Summary

Facts

In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the obligations relating to the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR).

One of these audit proceedings concerned a Luxembourg private company (hereafter, the controller). During the investigation, it was found that the controller had failed to communicate the contact details of its DPO to the DPA on time, in breach of Article 37(7) GDPR. Furthermore, it was found that the DPO appointed by the controller had other tasks and duties that could result in a conflict of interests, in breach of Article 38(6) GDPR.

Holding

Because the controller had communicated the contact details of the DPO on 28 September 2018 (that is, more than 4 months after the day of application of the GDPR), the DPA found that the controller had violated Article 37(7) GDPR.

Because the DPO of the controller was also "Head of Compliance, Money Laundering Reporting Officer", it was found that the DPO was involved in tasks that could result in a conflict of interest. As pointed out by the investigator of the DPA in his report, a DPO cannot exercise within the same company a function which allows him or her to determine the purposes and means of processing of personal data. In this case, the DPO was involved in the determination and implementation of personal data processing as part of his duties as Head of Compliance, and was therefore bound to assess the data processing practices which he/she had put in place himself/herself. None of the measures taken by the controller to mitigate the risk of conflict of interest (such as the fact that, in the event of a potential conflict of interest, the processing practices concerned would need to be countersigned by the hierarchical superior of the DPO) were found to be sufficient. In the course of the audit proceeding, however, the controller informed the DPA that it had appointed a new DPO to avoid any future conflict of interest.

For these reasons, the DPA found that the controller had violated Article 37(7) GDPR and Article 38(6) GDPR. Since both violations had been addressed, however, the DPA did not impose any administrative fine on the controller but simply issued a warning.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

 Decision of the National Commission sitting in restricted formation on

            the outcome of survey No. [...] conducted with Company A

                         Deliberation n ° 37FR / 2021 of October 13, 2021



The National Commission for Data Protection sitting in a restricted body,

composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc

Lemmer, commissioners;



Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on
the protection of individuals with regard to the processing of personal data

personnel and the free movement of such data, and repealing Directive 95/46 / EC;



Having regard to the law of 1 August 2018 on the organization of the National Commission for the Protection

data and the general data protection regime, in particular Article 41 thereof;


Having regard to the internal regulations of the National Commission for Data Protection

adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular Article 10, point

2;



Having regard to the regulation of the National Commission for Data Protection relating to

investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020, in particular
its article 9;



Considering the following:



    I. Facts and procedure


1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and
the importance of its integration into the body, and considering that the guidelines

concerning DPOs have been available since December 2016, i.e. 17 months before entry into

application of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016

on the protection of natural persons with regard to the processing of personal data

personal data and the free movement of such data, and repealing Directive 95/46 / EC


1The guidelines concerning DPOs were adopted by the “Article 29” working group on 13
December 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017.
________________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no. [...] conducted with Company A
                                                                                                       1/10 (General Data Protection Regulation) (hereafter: the "GDPR"), the Commission

National Data Protection Authority (hereinafter: the “National Commission” or the

"CNPD") has decided to launch a thematic survey campaign on the function of the DPO.
Thus, 25 audit procedures were opened in 2018, concerning both the private sector and the

public sector.


2. In particular, the National Commission decided by decision no. […] Of 14

September 2018 to initiate an investigation in the form of a data protection audit
with Company A located at […], L- […] and registered in the Trade and

Luxembourg companies under number […] (hereinafter: the “controlled”) and to designate Mr. Christophe

Buschmann as the head of the investigation. The said deliberation specifies that the investigation relates to the

compliance of the inspected with section 4 of chapter 4 of the GDPR.


3. According to Article 3 of its statutes, the purpose of the inspected is [to carry out all operations

insurance and reinsurance of the "Life" branch [...].


4. By letter of September 17, 2018, the head of the survey sent a questionnaire

preliminary to the control to which the latter replied by email of October 8, 2018. A visit

on site took place on February 4, 2019. Following these discussions, the head of the investigation prepared the report
audit n ° [...] (hereinafter: the "audit report").



5. It emerges from the audit report that in order to verify the compliance of the organization with the

section 4 of chapter 4 of the GDPR, the head of the investigation defined eleven control objectives,
know :


    1) Ensure that the body subject to the obligation to appoint a DPO has done so;

    2) Make sure that the organization has published the contact details of its DPO;

    3) Ensure that the organization has communicated the contact details of its DPO to the CNPD;

    4) Ensure that the DPO has sufficient expertise and skills to
        carry out its missions effectively;

    5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest;

    6) Ensure that the DPO has sufficient resources to perform effectively
        of its missions;

    7) Ensure that the DPO is able to carry out his missions to a sufficient degree

        autonomy within their organization;


________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no. [...] conducted with Company A 2/10 8) Ensure that the organization has put in place measures so that the DPO is associated with
        all matters relating to data protection;

    9) Ensure that the DPO fulfills his mission of information and advice to the

        data controller and employees;

    10) Ensure that the DPO exercises adequate control over data processing within

        of his body;

    11) Ensure that the DPO assists the data controller in carrying out the
        impact analyzes in the event of new data processing.


6. By letter of 24 October 2019 (hereinafter: the “statement of objections”), the Chief

investigation informed the inspector of breaches of obligations under the GDPR that it

noted during its investigation. The audit report was attached to this letter.



7. In particular, the head of the investigation noted in the statement of objections
failures to

      the obligation to communicate the contact details of the DPO to the supervisory authority; 2

      the obligation to ensure that the missions and tasks of the DPO do not lead to

        conflict of interest .



8. By email of November 27, 2019, the inspected took a position on the breach noted

by the head of investigation concerning the obligation to ensure that the missions and tasks of the DPO
do not lead to conflicts of interest.



9. On August 3, 2020, the head of the investigation sent the inspector an additional letter to

the statement of objections by which he informs the inspectorate of the corrective measure he

proposes to the National Commission sitting in restricted formation (hereinafter: "the" formation

restricted ") to adopt.


10. By email of August 5, 2020, the inspector sent the head of the investigation his

observations on the additional letter to the statement of objections.


11. The case was on the agenda for the restricted committee session on June 16, 2021.

In accordance with article 10.2. b) the rules of procedure of the National Commission,




2Objective 3
3Objective 5
________________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no. [...] conducted with Company A
                                                                                                       3/10 the head of the investigation and the inspector made oral observations on the case and responded

to the questions asked by the restricted formation. The controlled had the floor last.


    II. Place


    A. On the failure to communicate the DPO's contact details to the authority
        control


        1. On the principles


12. Article 37.7 of the GDPR provides for the obligation for the organization to communicate the

contact details of the DPO at the supervisory authority. Indeed, it follows from Article 39.1. e) of the GDPR

that the DPO acts as a point of contact for the supervisory authority so it is important

that the latter has the contact details of the DPD.


13. The DPO guidelines explain in this regard that this requirement

aims to ensure that "the supervisory authorities can easily and directly contact
                                                                          4
with the DPD without having to contact another department of the organization ".


14. It should also be noted that the CNPD published on its website on May 18

2018 a form allowing organizations to send the contact details of their

DPD.

        2. In this case


15. It emerges from the audit report that, in order for the investigator to consider objective 3

as completed by the inspected as part of this audit campaign, the head of the investigation

expects the organization to have communicated by 25 May 2018 the contact details of its DPO

at the CNPD.


16. According to the statement of objections, page 2, "[t] he investigation showed that the

DPD declaration form was sent to the CNPD on September 28, 2018. The

communication was therefore carried out late. "


17. The inspected did not reconsider this failure in his position of the 27

November 2019, nor during subsequent discussions with the CNPD.


4 WP 243 v.01, version revised and adopted on April 5, 2017, p.15
________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no. […] conducted with Company A 4/1018. The restricted committee notes that the GDPR has been applicable since May 25, 2018 from

so that the obligation to communicate the DPO's contact details to the supervisory authority exists

since that date. Thus, the communication of the DPO's contact details to the CNPD on

September 28, 2018 was late.


19. In view of the above, the restricted panel concludes that Article 37.7 of the GDPR has no

not respected by the inspected.




    B. On the breach relating to the obligation to ensure that the other missions and
        tasks of the DPO do not give rise to a conflict of interest



    1. On the principles


20. According to Article 38.6 of the GDPR, "[the DPO] may perform other tasks and tasks. the

controller or processor ensures that these missions and tasks

do not give rise to a conflict of interest ".


21. The DPO guidelines specify that “the DPO may not exercise at

within the organization a function which leads it to determine the purposes and means of

processing of personal data ”. According to the guidelines, “[t] he rule

general, among the functions likely to give rise to a conflict of interest within
the organization may include senior management functions (for example: director

general, operational director, financial director, chief medical officer, responsible for

marketing department, human resources manager or department manager

IT), but also other roles at a lower level of the organizational structure

if these functions or roles imply the determination of the purposes and means of the processing.
In addition, there may also be a conflict of interest, for example, if an external DPO is called

to represent the controller or the processor before the courts in cases

cases relating to data protection issues.



Depending on the activities, size and structure of the organization, it can be good
practice for data controllers or processors:

     identify the functions which would be incompatible with that of DPD;


5
 WP 243 v.01, version revised and adopted on April 5, 2017, pp. 19-20
________________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of

                               survey no. […] conducted with Company A 5/10  establish internal rules to this effect, in order to avoid conflicts of interest;

     include a more general explanation of conflicts of interest;

     to declare that the DPO has no conflict of interest with regard to his function as

        DPD, with the aim of raising awareness of this requirement;
     to provide guarantees in the internal regulations of the body, and to ensure that

        that the vacancy notice for the DPD function or the service contract is

        sufficiently precise and detailed to avoid any conflict of interest. In this context, it

        should also be borne in mind that conflicts of interest can take
        different forms depending on whether the DPO is recruited internally or externally. "



    2. In this case


22. It emerges from the audit report that, in order for the head of the investigation to consider objective 5

as achieved by the controlled as part of this audit campaign, he expects,

in the event that the DPO exercises other functions within the audited body, these functions
do not give rise to a conflict of interest, in particular through the exercise of functions which would lead to

DPD to determine the purposes and means of the processing of personal data.

The investigator also expects the inspector to have carried out an analysis of

the existence of a possible conflict of interest at the level of the DPO.


23. According to the statement of objections, page 3, "[i] tem appears from the investigation that the DPO is

also Head of Compliance, Money Laundering Reporting Officer. This other function

involves a risk of conflict of interest, particularly in the context of AML processing of the
Compliance department. Indeed, the DPD guidelines of the working group

"Article 29" on data protection indicate that the DPO cannot exercise within

of the body a function that leads it to determine the purposes and means of processing

of personal data. [The inspected] informed the CNPD that in the event of any
conflicts of interest in AML processing of the Compliance department, processing

concerned would then be countersigned by the hierarchical superior of the DPO. Nevertheless, the

DPD remains involved in the implementation of personal data processing
as part of his duties as Head of Compliance. During the investigation, the CNPD did not

have knowledge of other elements allowing to address this risk, such as for example the

appointment of a deputy DPO (outside the AML department) who would be in charge of

analyze AML treatments. "


________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no. […] conducted with Company A 6/1024. By email of November 25, 2019, the controlled indicated that two substitute delegates

have been appointed, namely the "Chief Risk Officer (for the processing of personal data

of the Compliance Department) "as well as a" Senior Compliance Specialist (for all

processing of personal data other than those of the Compliance department) ”.


25. The inspected person also transmitted, with his position paper of November 27, 2019,

several internal documents concerning the measures taken following the breach noted by

the head of the investigation; these documents make it possible in particular to verify the information provided

by the controlled, in his email November 25, 2019, relating to the appointment of two
alternate delegates.



26. The CNPD was then informed, on March 19, 2021, of the appointment of a new
                      er
DPD, from April 1, 2021, who was previously the substitute delegate “for all
processing of personal data other than those of the Compliance department ”. At the time of

the hearing of June 16, 2021, the controlled specified that, because of this designation, the risk of

conflict of interest that had been identified by the head of the investigation no longer exists, the new DPD

not performing the function of "Head of compliance".


27. However, if measures have been taken by the inspected in the sense of putting

compliance, it should be noted that these were decided during the investigation.



28. Therefore, the restricted panel concludes that Article 38.6 of the GDPR has not been complied with

by the controlled.


    III. On corrective measures



            A. Principles


29. In accordance with article 12 of the law of 1 August 2018 on the organization of the

    National Commission for Data Protection and the General Regime on

    data protection, the National Commission has the powers provided for in Article

    58.2 of the GDPR:






________________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of

                               investigation no. [...] carried out with Company A 7/10 a) notify a data controller or a subcontractor of the fact that the

       planned treatment are likely to violate the provisions of this

       regulation;

    b) call to order a controller or a processor when the

       processing operations have resulted in a violation of the provisions of this

       regulation;


    c) order the controller or processor to comply with the requests
       presented by the data subject in order to exercise their rights under the

       this regulation;


    d) order the controller or processor to put the data processing operations

       processing in accordance with the provisions of these regulations, if applicable,

       in a specific manner and within a specified timeframe;

    e) order the controller to communicate to the data subject a

       personal data breach;


    f) impose a temporary or permanent limitation, including a ban, on the

       processing;

    g) order the rectification or erasure of personal data or the

       restriction of processing in application of Articles 16, 17 and 18 and the notification of these

       measures to the recipients to whom the personal data have been

       disclosed in accordance with Article 17, paragraph 2, and Article 19;


    h) withdraw a certification or order the certification body to withdraw a
       certification issued in application of Articles 42 and 43, or order the

       certification not to issue certification if the requirements applicable to the

       certification are not or no longer satisfied;


    i) impose an administrative fine in application of Article 83, in addition to or
       the place of the measures referred to in this paragraph, depending on the characteristics

       specific to each case;


    j) order the suspension of data flows addressed to a recipient located in a

       third country or to an international organization. "

________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no. […] conducted with Company A 8/1030. The restricted committee would like to point out that the facts taken into account in the context of the

this decision are those noted at the start of the investigation. Nevertheless, the steps

carried out by the inspected to comply with the GDPR during the procedure
investigation or to remedy the shortcomings identified by the head of investigation in the

statement of objections are taken into account by the restricted training within the framework of

any corrective measures to be taken.


           B. In this case


    1. As for the call to order



31. Under Article 58.2.b) of the GDPR, the CNPD may call a manager to order
of the processing or a processor where the processing operations have resulted in a violation

of the provisions of the GDPR.


32. Given the fact that the inspected violated articles 37.7 and 38.6 of the GDPR, the

restricted party considers it justified to issue a call to order against him.

    2. Regarding the taking of corrective measures


33. In his additional letter to the statement of objections of 3 August 2020, the

survey leader suggests that the restricted group take the following corrective action:


        "A) Order the implementation of measures ensuring that the various missions and

        current or past tasks of the person exercising the function of DPO do not entail
        no conflicts of interest in accordance with the requirements of Article 38 (6) of the

        GDPR. Although several ways can be implemented, one of the

        possibilities would be the involvement of a third person, benefiting from the skills

        necessary, for the review of treatments for which there is a conflict of interest (in
        occurrence for AML / KYC treatments). "


34. As to the corrective measure proposed by the head of investigation under a) of point 33 of the

    this Decision and with reference to point 30 of this Decision, the formation

    restricted takes into account the steps taken by the inspected in order to comply
    the provisions of Article 38.6 of the GDPR. In particular, she takes note of the facts

    following:



________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                               investigation no. [...] conducted with Company A 9/10 - With regard to the violation of article 38.6 of the GDPR, the restricted committee notes

    that a new DPO has been appointed, as of April 1, 2021, and that this new DPO

    does not perform the function of "Head of compliance". The restricted formation considers from

    when there is no need to take the corrective measure proposed by the head of the investigation
    under a) of point 33 of this Decision.






In view of the foregoing developments, the National Commission sitting

in restricted formation and deliberating unanimously decides:


- to retain the breaches of articles 37.7 and 38.6 of the GDPR;



- to issue a call to order against Company A regarding the violation of

Articles 37.7 and 38.6 of the GDPR.


So decided in Belvaux on October 13, 2021.





The National Commission for Data Protection sitting in a restricted body









Tine A. Larsen Thierry Lallemang Marc Lemmer

  President Commissioner Commissioner





                              Indication of remedies



This administrative decision may be the subject of an appeal for reformation within three
months following its notification. This appeal is to be brought before the administrative tribunal and must

must be introduced through a lawyer at the Court of one of the Bar Associations.



________________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of

                               survey no. [...] conducted with Company A 10/10