CNPD (Luxembourg) - Délibération n° 18/FR/2022
Latest revision as of 16:58, 6 December 2023
CNPD - 18/FR/2022 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 5(1)(a) GDPR, Article 5(1)(b) GDPR, Article 6(1)(c) GDPR, Article 6(1)(f) GDPR, Article 12 GDPR, Article 15 GDPR, Article 58(2) GDPR, Article 83(2) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 04.10.2019 |
Decided: | 13.12.2022 |
Published: | 07.02.2023 |
Fine: | 1,500 EUR |
Parties: | n/a |
National Case Number/Name: | 18/FR/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | CNPD (in FR) |
Initial Contributor: | ls |
The Luxembourg DPA fined the building manager of a co-ownership property €1,500 for communicating accounting data and private addresses of some co-owners to the other co-owners to warn them about payment irregularities.
English Summary
Facts
The controller is Company A, which was acting as building manager of a residential co-ownership. The data subjects are Mr A and Mr B, who are among the co-owners.
On 11 February 2019, the controller sent two emails to the other co-owners. The emails contained, among other things, the following data: the accounting situation of Mr A and Mr B vis-à-vis the co-ownership and their private addresses. The emails were intended to highlight payment irregularities concerning the two.
The data subjects informed the controller that the disclosure amounted to a data breach and encouraged it to report the breach within 72 hours. They also requested access to their data and information on the processing operations. The company responded more than a month after these letters, without providing the requested information.
The data subjects filed complaints. On 4 October 2019, the Luxembourg DPA opened an investigation.
In its defense, the controller explained that under applicable national law, as a building manager, it was the cashier and accountant of the co-ownership and, as such, under the co-owners' supervision. For the co-owners to exercise that supervision, it was crucial to disclose the debtors' details. It therefore considered that it had to comply with a legal obligation and that the processing was lawful under Article 6(1)(c). The controller also invoked Article 6(1)(f), explaining that it had a legitimate interest in the processing because it would be liable if it did not recover the debts of the co-ownership.
Holding
In substantial agreement with the head of the investigation, the DPA considered that the accounting obligations to which the controller was subject did not authorise it to communicate and transmit the accounting situation of one of the co-owners to the others. The processing at issue was therefore in breach of Article 5(1)(a) and Article 6(1)(c) of the GDPR. The DPA also ruled out Article 6(1)(f) on the grounds of domestic law: the building manager must indeed collect the debts but could take legal action to do so. There was therefore no legitimate interest in disclosing the data to other co-owners.
Finally, with regard to the access request, the DPA considered that the controller did not respond to the access requests within the time limit set out in Article 12(3), nor did it provide information about its inaction, as it should have done under Article 12(4). The DPA also agreed with the opinion of the head of the investigation regarding the violation of Article 15(1)(b) and (c).
In accordance with Article 58(2) and Article 83(2), the DPA fined Company A €1,500. Since the company was no longer mandated to act as building manager at the time of the decision, the DPA did not take any corrective measures.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] conducted with Company A
Deliberation No. 18FR/2022 of December 13, 2022
The National Commission for Data Protection sitting in restricted formation composed of Ms. Tine A. Larsen, President, and Messrs. Marc Lemmer and Alain Herrmann, commissioners;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
Considering the law of August 1, 2018 on the organization of the National Commission for Data Protection and the general data protection regime, in particular its article 41;
Having regard to the internal regulations of the National Commission for Data Protection adopted by decision no. 3AD/2020 dated January 22, 2020, in particular its section 10.2;
Having regard to the regulations of the National Commission for Data Protection relating to the inquiry procedure adopted by decision No. 4AD/2020 dated January 22, 2020, in particular its article 9;
Considering the following:
I. Facts and procedure
The National Data Protection Commission (hereinafter: the “CNPD”) received two complaints filed on February 27, 2019 by Mr. A and on February 28, 2019 by Mr. B (hereinafter together: the "complaints" and the “claimants” respectively) with respect to Company A, hereinafter referred to as “Company A” or “the Agency”, in connection with the exercise of its functions as trustee of the co-ownership of Residence A located at L-[…], […] (hereinafter: “Residence A”).
The claimants accused the latter of "on the one hand the transmission [by] the responsible for processing personal data to third parties without authorization prior and without appropriate security and confidentiality measures and, on the other hand, the non-respect by the latter of the right to information and access to their data”. [1]
During its deliberation session on October 4, 2019, the National Commission for Data Protection sitting in plenary session (hereinafter: “Plenary Formation”) thus decided to open an investigation with Company A on the basis of article 37 of the law of 1 August 2018 on the organization of the National Commission for Data Protection and the general data protection regime (hereinafter: “law of August 1, 2018”) and to appoint Mr. Thierry Lallemang as head of investigation.
According to the decision of the Plenary Formation, the purpose of the investigation was to monitor the application of and compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”) and the law of 1 August 2018 in the context of the complaint lodged by Mr. A on February 27, 2019. Given that Mr. B has lodged an almost identical complaint with regard to Company A, both complaints were investigated by the head of investigation.
[Footnote: 1 Initial findings (see definition in point 5. of this decision), Finding 3.]
Company A is registered […] in the Trade and Companies Register of Luxembourg under the number […], […] at the address L-[…], […] (hereinafter: the “controlled”). [2] The object of its business is the operation of a real estate agency.
The controlled was informed of the opening of the investigation in his regard by letter from the head of investigation dated July 28, 2020. It appears from this letter that the head of investigation had defined two control objectives:
“1. Ensure that the treatment which is the subject of the complaints of the two claimants respects the principles relating to the processing of personal data such as defined by Articles 5 (1) and 6 (1) of the GDPR.
2. Ensure that the right of access of data subjects has been respected (information on the processing operations listed in points (a) to (d) of paragraph 1 of Article 15 of the GDPR as requested by the persons concerned).”
The letter was accompanied by the document entitled “Initial findings Survey No.[…]” setting out the initial findings made by the CNPD officials in this case (hereinafter: “initial findings”). The head of the investigation offered the controlled the opportunity to "dispute the facts included in the initial findings, or to share […] [his] possible remarks, clarifications or additions” by September 7, 2020 at the latest.
The controlled replied by letter dated July 29, 2020. He stated that he was no longer "trustee of Residence A since [...] 2019".
The head of investigation informed the controlled by letter dated August 3, 2020 that the fact that he no longer acted as trustee of Residence A since […] 2019 “cannot cancel […] [his] role as data controller for the facts observed prior to this change”. He invited the controlled to respond, within the deadlines allotted, to the requests sent to him by the above-mentioned letter dated July 28, 2020.
The controlled did not send any written observations to the CNPD. [3]
[Footnotes: 2 Requisition form (Registration) filed with the Trade Register and Luxembourg companies on […]. 3 Statement of Objections, point 18.]
At the end of his investigation, the head of investigation notified the controlled on July 12, 2021 of a Statement of Objections (hereinafter: the "Statement of Objections") detailing the shortcomings that he considered constituted in this case, and more specifically a non-compliance with the requirements of Article 5.1.a), b) and c) (principles of legality, limitation of purposes and minimization of data) and Article 6.1 of the GDPR (lawfulness of processing) [4], as well as non-compliance with the obligations arising from article 12.3 and 4 of the GDPR (methods for exercising the data subject's rights) and Article 15.1.b) and c) of the GDPR (right of access of the person concerned) [5].
In that Statement of Objections, the head of investigation proposed to the National Commission for Data Protection sitting in restricted formation on the outcome of the investigation (hereinafter: "Restricted Formation") to impose an administrative fine on the controlled in the amount of 2,500 (two thousand five hundred) euros. He did not propose corrective measures because he was of the opinion that, since the controlled no longer had a mandate to act as trustee of Residence A, the latter would not be able, either in fact or in law, to implement them. [7]
The head of the investigation offered the controlled the opportunity "to take a position in writing by relation to the grievances upheld and the corrective measures and/or sanctions proposed by the head of investigation, as soon as possible and no later than September 8, 2021”. [8] The controlled did not send any written observations to the CNPD.
The president of the Restricted Formation informed the controlled by mail dated December 2, 2021 that his case would be registered for the session of the Restricted Formation on January 17, 2022. The controlled did not respond to this letter either.
During this session, the head of the investigation presented his oral observations in support of his written observations and answered the questions posed by the Restricted Formation.
The decision of the Restricted Formation will be limited to the processing and obligations at issue in the aforementioned initial findings and to the legal and regulatory provisions for which the head of investigation found a breach in his statement of objections.
[Footnotes: 4 Statement of Objections, point 28. 5 Statement of Objections, point 35. 6 Statement of Objections, point 39. 7 8 Statement of Objections, point 40.]
II. In law
II. 1. On the reasons for the decision
A. On the breach related to the principles of lawfulness, limitation of purposes and data minimization
1. On the principles
Article 5.1 of the GDPR requires, among other things, that personal data have to be
“a) processed in a lawful, fair and transparent manner with regard to the data subject (lawfulness, fairness, transparency);
b) collected for specified, explicit and legitimate purposes, and not to be processed subsequently in a manner incompatible with those purposes; further processing to archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not considered, in accordance with Article 89(1), as incompatible with the initial purposes (limitation of purposes);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization); […]”.
Article 6.1 of the GDPR provides that “1. Processing is only lawful if and insofar as at least one of the following conditions is fulfilled:
a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;
b) the processing is necessary for the performance of a contract to which the data subject is a party or to the execution of pre-contractual measures taken at the latter's request;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) the processing is necessary to protect the vital interests of the person concerned or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or falling within the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of personal data prevail, in particular when the data subject is a child.
Point (f) of the first paragraph does not apply to processing carried out by public authorities in the performance of their duties.”
2. In this case
It appears from the initial findings of the CNPD agents
- that on February 11, 2019, the controlled "acting as trustee of the condominium Residence A […], sent an email to Mrs A and an email to Mr and Mrs B, all three co-owners of the residence, within the framework of a reminder of receivables. These two emails contained the following personal data:
- Details of the accounting situation of Mr. and Mrs.
A and of Mr and Mrs B vis-à-vis the co-ownership from January 2018 to February 2019;
- The private addresses of Mrs A and Mr and Mrs B.
These two emails were sent to the other co-owners of Residence A as well as to a former co-owner in order to highlight payment irregularities from Mrs A and Mr and Mrs B”. [9] Copies of the emails of the controlled dated February 11, 2019 are part of the documents submitted in this case; [10]
- that on February 13, 2019, Mr A and Mr B had each sent an email to the controlled, in which they stated, among other things, "that the email sent by Company A on […] 2019 to the other co-owners and the former co-owner constitutes a violation of personal data and represents a breach of confidentiality as well as an infringement of the rights of data subjects”, and “as such […] “strongly encourage” the controller to "report" this personal data breach to the CNPD within 72 hours of its occurrence”. The copies of the emails from the claimants are part of the exhibits tendered in this case; [12]
- that "concerning the reasons justifying the transmission of a letter addressed to a co-owner (also containing his address) and listing his individual accounting situation to other co-owners and a former co-owner, the controller has taken a position in several letters addressed to the CNPD of 04/04/2019; 04/23/2019 and 07/22/2019 […]”. Copies of the letters of the controlled are part of the documents tendered in this case.
[14]
As the claimants had not yet received a position paper from the controlled, following the submission of their complaints on February 27 and 28, 2019, the legal department of the CNPD wrote to the controlled on March 21, 2019 and asked the latter "to take a position on the reasons justifying the communication of the letters initially sent to claimants and listing their individual accounting situation detailed to other co-owners and former co-owners of Residence A”. It requested details from the controlled by letters dated June 3 and 21, 2019. [15] Copies of these letters form part of the exhibits tendered in this case.
[Footnotes: 9 Initial findings, finding 1. 10 Initial findings, point “1. Documents added to this investigation”. 11 Initial findings, finding 2. 12 Initial findings, point “1. Documents added to this investigation”. 13 Initial findings, finding 5. 14 Initial findings, point “1. Documents added to this investigation”.]
The controlled, for its part, by letter dated April 4, 2019, took a position in relation to the letter from the CNPD's legal department dated March 21, 2019. A copy of this letter is part of the exhibits tendered in this case. [16] With regard to the disputed communication, he gave "to consider that the situations of the co-owners' accounts indicate the total amount of cash advances made by each and of its balance towards the co-ownership". He also indicated that “no other document likely to show the total amount cash advances and the balance towards the co-ownership is established by the trustee so that only this document is available to the trustee”.
Thus, it “consequently seemed to him with regard to Articles 24, 25 and 26 of the Grand-Ducal provisions of June 13, 1975 prescribing the measures of execution of the law of May 16, 1975 relating to the status of the co-ownership of the buildings, that the account situation of each owner, insofar as it shows the total amount of its advances of cash and its balance towards the co-ownership, could be communicated".
[Footnotes: 15 Idem. 16 Idem.]
By letter dated April 23, 2019, and following a telephone conversation with an agent of the CNPD, the controlled provided the following details:
“The syndic is the accountant and the cashier of the co-ownership. As such, it is bound by a triple obligation in accounting terms:
- He must first keep separate accounts for each syndicate, each syndicate constituting an autonomous legal person.
- This separate accounting must make it possible to clearly identify the situation of cash in particular to put the syndicate and, through it, the co-owners, faced with their responsibilities in the event of a cash shortage, to detect possibly the union in pre-difficulty, or even in difficulty and also to facilitate the transfer of funds in the event of a change of trustee.
- This accounting must make it possible to determine the accounting position of each co-owner with regard to the syndicate. More precisely, it must show clearly the identification of debtor co-owners and the assessment of their debt, both to take recovery action and to implement sureties.
For its part, it is up to the syndicate of co-owners to control the management carried out by the trustee.
This control mainly concerns the management aspects of the syndic, in particular the accounting of the syndicate, the development and monitoring of the provisional budget, the distribution of expenses, the conditions under which contracts are awarded, perform the contracts...
Consequently, within the framework of the control of the accounts made by the syndicate, it is up to the syndicate to communicate the identification of the debtor co-owners, and the assessment of their debts.
Indeed, it is necessary to recall that under penalty of invoking its responsibility contractual with regard to the syndicate of co-owners, the trustee must proceed with the possible recovery of co-ownership debts in the event that the co-owners debtors do not pay their debt.
Therefore, with regard to both the obligations of the trustee and that of the syndicate of co-owners, the communication of the personal account situation of the co-owner[s] does not constitute a violation of the regulations on the protection of data.”
A copy of the aforementioned letter from the controlled is part of the documents submitted in this case. [17]
Finally, by letter dated July 22, 2019, a copy of which is part of the documents submitted in this case, and following two reminders from the CNPD's legal department dated June 21, 2019 and July 15, 2019, the controlled took a position with regard to the mail of the CNPD's legal department dated June 3, 2019. He referred to the position set out in his letter of April 4, 2019 relating to the question of the legality of the communication of the individual accounting situation of co-owners to other co-owners or to former co-owners.
[Footnotes: 17 Idem. 18 Idem.]
2.1.
Lawfulness of processing
The head of investigation in his statement of objections first noted that “it emerges from the investigation that the data controller [the controlled party] sent two emails to the other co-owners of Residence A as well as to a former co-owner in order to highlight payment irregularities on the part of Mrs A and Mr and Mrs B in the context of a reminder of debts” and that "these two emails contained the following personal data: Details of the accounting situation of Mr. and Mrs. A and of Mr. and Madame B vis-à-vis the co-ownership from January 2018 to February 2019; The private addresses of Mrs A and of Mr and Mrs B”. [19]
Then, the head of the investigation observed that the controlled invoked "different legal provisions […] in his letter to the CNPD, dated 04/04/2019, to justify the lawfulness of the processing carried out”. He noted that the controlled invoked "the Grand-Ducal regulation of June 13, 1975 prescribing the measures for the execution of the law of May 16, 1975 on status of the co-ownership of the buildings” to justify “the lawfulness of the processing in question as follows: "It therefore seemed to me with regard to Articles 24, 25 and 26 of the provisions of 13 June 1975 prescribing the measures for implementing the law of May 16, 1975 on the status of the co-ownership of buildings, that the account situation of each owner, insofar as it shows the total amount of its cash advances and its balance towards the co-ownership, could be communicated."”. [20]
[Footnotes: 19 Statement of Objections, point 23. 20 Statement of Objections, point 24.]
The head of the investigation considered that article 14 of the amended law of 16 May 1975 on the status of the co-ownership of buildings (hereinafter: "law of 16 May 1975")
"could be invoked by the data controller by allowing the trustee to bring a legal action (debt collection action)”, noting that “it provides that "the syndic cannot bring a legal action in the name of the union without having been authorized by a decision of the general meeting, except in the case of an action in debt collection even by way of forced execution or when there is an emergency not allowing the convening of a general meeting within the time limits. On the occasion of all disputes brought before a court and which concern the operation of a trade union or in which the syndicate is a party, the trustee notifies each co-owner of the existence and the subject of the proceeding."”. However, he was of the opinion that “this article cannot justify such a transmission of personal data". He specified that “indeed, a simple reminder of receivables cannot constitute a legal action. Moreover, even if a legal action for debt collection would have been initiated, the trustee would not have needed to obtain the prior authorization of the general meeting of co-owners and therefore no need to proactively transmit the details of the individual accounting situation and the personal addresses of co-owners to other co-owners and to former co-owners”. [21]
Furthermore, the head of investigation, after noting that article 24 of the Grand-Ducal regulation of 13 June 1975 prescribing the measures for implementing the law of 16 May 1975 on the status of co-ownership of buildings (hereinafter: “Grand-Ducal regulation of June 13, 1975”) “provides that “The trustee holds, for each syndicate of co-owners, separate accounts such as to show the accounting position of each co-owner with regard to the syndicate.
He prepares the provisional budget which is voted by general meeting", expressed the opinion that "these regulatory provisions do not authorize the proactive transmission of the details of the individual accounting situation and personal addresses of co-owners to other co-owners and to former co-owners”. [22]
[Footnotes: 21 Statement of Objections, point 24.a. 22 Statement of Objections, point 24.b.]
The head of investigation also noted that Article 25 of the Grand-Ducal regulation of June 13, 1975 “provides that “The trustee may demand the payment:
1° Of the permanent cash advance provided for in the co-ownership regulations;
2° At the beginning of each fiscal year, of a provision which, subject to the stipulations of the co-ownership regulations or, failing that, of the decisions of the general meeting, cannot exceed either a quarter of the provisional budget voted for the financial year in question, or half of this budget, if the co-ownership regulations do not provide for the payment of a permanent cash advance;
3° During the financial year, either an amount corresponding to the reimbursement of expenses regularly incurred and actually paid, or quarterly provisions, each of which cannot exceed a quarter of the provisional budget for the financial year in question;
4° Special provisions intended to enable the execution of decisions of the general meeting, such as those to carry out the work provided for in articles 26 to 32 of the law of May 16, 1975, under the conditions set by decisions of the said assembly.
The general meeting decides, if necessary, on the method of investment of the funds thus collected.
” and that article 26 of the Grand-Ducal regulation of June 13, 1975 “provides that “Unless otherwise stipulated in the co-ownership regulations, the sums due under the preceding article bear interest for the benefit of the syndicate. This interest, fixed at the legal rate in civil matters, is due from the formal notice sent by the syndic to the defaulting co-owner”. In this regard, he noted that the provisions of Articles 25 and 26 of the Grand-Ducal regulation of June 13, 1975 "do not authorize the proactive transmission of the details of the individual accounting situation of each co-owner and their personal addresses to other co-owners and former co-owners". [23]
In view of the foregoing, the head of the investigation held that the controlled in his letter to the CNPD dated April 4, 2019 "did not invoke any legal basis likely to establish and justify the processing of data carried out in this case, namely the transmission data to unauthorized third parties”. He was of the opinion that the controlled did not respect the condition of lawfulness of Article 5.1.a) of the GDPR "in the context of data processing accomplished". [25]
In addition, the head of investigation found that the controlled stated "other arguments […] to justify such processing in his letter of 23/04/2019 indicating that: “in the context of the control of the accounts made by the syndicate, it is up to the syndicate to communicate the identification of the debtor co-owners, and the assessment of their debts.””. In this context, he identified similarities with Article 16.2 of the Grand-Ducal regulation of 13 June 1975.
[Footnotes: 23 Statement of Objections, point 24.c. 24 Statement of Objections, point 24. 25 Idem.]
Indeed, he retained that "this article allows the union council (taken over by the data controller under the name “union”, if the interpretation of the head of investigation is correct) to control the management of the trustee (taken over by the controller under the name "syndicate", if the interpretation of the head of investigation is correct), in particular the accounts of the latter. It states that: "He [the union council] controls the management of the trustee, in particular the accounts of the latter, the breakdown of expenses, the conditions under which the markets and all other contracts are awarded and executed."”. [27]
He further stated that "however, the legal and regulatory provisions invoked do not apply to the processing under review. On the one hand, the communication of the detail of the individual accounting situation of each co-owner and their personal addresses to the co-owners and to a former co-owner was at the initiative of the trustee only and does not respond to a request for access to these documents by members of the union council specially authorized by the latter within the framework of its control of the management of the co-ownership by the trustee. On the other hand, and even if the union council would have wanted to access the accounts, this information should not have been proactively forwarded to all co-owners and a former co-owner. Indeed, the union council is an optional body, which is not necessarily composed of all the co-owners or former co-owners (According to article 14 of the law of May 16, 1975 and Article 13 of the Grand-Ducal regulation of June 13, 1975)”. [28]
In view of the foregoing, he retained that the controlled in his letter to the CNPD dated April 23, 2019 "has not invoked any relevant argument allowing him to be linked to a legal obligation or for the purposes of the legitimate interests pursued by the person responsible for the treatment or by a third party”. [29]
[Footnotes: 26 Statement of Objections, point 25. 27 Idem. 28 Idem.]
[Footnote: 29 Idem.]
Therefore, the head of the investigation was of the opinion that the controlled did not respect the conditions of lawfulness of articles 5.1.a) and 6.1 of the GDPR "in the context of the processing of data carried out in this case, namely the transmission of data to third parties not permitted”. [30]
The Restricted Formation notes that the facts set out in the two complaints with regard to the disputed communication of personal data are almost identical. It notes in particular that the e-mail from the controlled to the co-owners and to a former co-owner dated February 11, 2019 [31] had been sent to six different email addresses, including those of the claimants. The controlled had indicated in this e-mail to do “follow account situations” and complained that two co-owners had fallen behind in the payment of their monthly advances. He demanded payment of these arrears, and threatened to garnish wages in the event of non-payment. Letters containing the individual accounting situation of spouses B as well as that of Madame A, dated the same day, were attached to this email. These annexes showed, among other things, the names of the recipients and the respective private addresses of the spouse, the monthly movements (sums debited and credited) for the years 2018 and 2019 and debit balances, amounts for which payment was requested.
The Restricted Formation notes that the controlled, in the letters he sent to the CNPD during the complaint procedures, invoked two legal bases to justify the lawfulness of its processing, namely compliance with a legal obligation (article 6.1.c) of the GDPR) and the legitimate interest (article 6.1.f) of the GDPR).
With regard to compliance with a legal obligation, it takes note of the regulatory provisions that the controller invoked in his letter dated April 4, 2019 (see point 17 of this decision) to justify the communication of individual account situations of co-owners to other co-owners, current or former, namely Articles 24, 25 and 26 of the Grand-Ducal Regulation of 13 June 1975:

[30] Statement of Objections, points 25 and 28.
[31] Initial findings, point “1. Documents added to this investigation”.
[32] That is to say the monthly movements from […] 2018 to […] 2019 with regard to the annex addressed to Mr and Mrs B, and those from […] 2018 to […] 2019 with regard to the appendix addressed to Mrs A.

"Art. 24. The trustee keeps, for each syndicate of co-owners, separate accounts in such a way as to show the accounting position of each co-owner towards the union. He prepares the provisional budget, which is voted on by the general meeting.

Art. 25.
The syndic may require the payment of:

1° The permanent cash advance provided for in the co-ownership regulations;

2° At the beginning of each financial year, a provision which, subject to the stipulations of the co-ownership regulations or, failing that, the decisions of the general meeting, cannot exceed either a quarter of the estimated budget voted for the financial year in question, or half of this budget, if the co-ownership regulations do not provide for the payment of a permanent cash advance;

3° During the financial year, either an amount corresponding to the reimbursement of expenses regularly incurred and actually paid, or quarterly provisions, each of which cannot exceed a quarter of the provisional budget for the year in question;

4° Special provisions intended to allow the execution of decisions of the general meeting, such as carrying out the work provided for in Articles 26 to 32 of the law of May 16, 1975, under the conditions set by decisions of the said meeting.

The general meeting decides, if necessary, on the method of investment of the funds thus collected.

Art. 26. Unless otherwise stipulated in the co-ownership regulations, the sums due under the previous article bear interest for the benefit of the syndicate. This interest, fixed at the legal rate in civil matters, is due from the formal notice sent by the trustee to the defaulting co-owner.
»

The Restricted Committee considers that while these provisions determine accounting and treasury obligations to which the controlled party is subject, they do not authorize the communication, by transmission to other co-owners, current or former, of an e-mail having as an appendix letters addressed to a co-owner and setting out his individual accounting situation, whether for information or as a reminder of debt. Moreover, the controlled party did not demonstrate to what extent the disputed communication was necessary for compliance with the duties incumbent on the trustee under these provisions, so that the controlled party could not base this processing on them.

It considers in particular that the assertions of the controlled party according to which the co-owners' individual account situations would be the only "document capable of making statement of the total amount of cash advances and the balance towards the co-ownership” drawn up by the trustee and at his disposal cannot alter these findings.

It also notes that in its letter to the CNPD dated April 23, 2019 (see point 18 of this decision), the controlled party, in order to justify the disputed communication, further invoked the control obligations of the syndicate of co-owners concerning the management of the syndic and the accounts of the syndicate. However, the controlled party cannot base the processing in question on legal obligations incumbent on the syndicate of co-owners.
With regard to the legitimate interest, the controlled party, in its aforementioned letter to the CNPD dated April 23, 2019, in order to justify the disputed communication, also argued that it would incur contractual liability towards the syndicate of co-owners if it did not proceed "to the possible recovery of the debts of the co-ownership in the event that the debtor co-owners do not discharge their debt”.

However, in view of the trustee's obligation to recover debts under article 14.5 of the law of May 16, 1975, which stipulates that "the trustee may not bring legal action on behalf of the union without having been authorized to do so by a decision of the general meeting, except in the case of an action for the recovery of debt even by way of forced execution […]”, the Restricted Panel cannot accept this justification to legitimize the processing in question.

In view of the foregoing, the Restricted Formation agrees with the opinion of the head of investigation and concludes that Articles 5.1.a) and 6.1 of the GDPR have not been complied with by the controlled party in the context of the communication at issue.

2.2 Purpose limitation

The head of investigation in the statement of objections also held that “the data initially collected and processed (detail of the accounting situation of co-owners vis-à-vis the co-ownership and private addresses) for initial purposes that were determined, explicit and legitimate for a trustee in the context of his regular activities (reminder of receivables to the debtor) were then subsequently processed in a manner incompatible with these purposes (willingness to harm certain co-owners).
In effect, the data controller has carried out processing incompatible with these purposes, namely the deliberate transmission of the financial situation of the co-owners concerned to unauthorized third parties with a view to harming the debtor co-owners. The will of the controller to harm is proven in his initial email dated 02/11/2019. Indeed, in this email, the data controller specifies that "it is a shame to see that 2 co-owners [indicating their names and financial situation] do not pay their monthly advances”.[33]

He believed that the controlled party "used the personal data of the debtor co-owners for a purpose incompatible with the purposes for which the trustee could legitimately process them, which constitutes a misuse of purpose”. Thus, he was of the opinion that the controlled party had violated Article 5.1.b) of the GDPR.[34]

Given that the Restricted Formation does not recognize a will to harm as a specific purpose on the part of the controlled party, it cannot agree with the opinion of the head of investigation, and therefore cannot conclude that Article 5.1.b) of the GDPR has been violated by the controlled party in the context of the disputed communication.

2.3 Data minimization

In his statement of objections, the head of investigation finally held that he considered "that a reminder of debts could not justify the proactive transmission of personal data to other co-owners and former co-owners”. Accordingly, he was of the opinion that “the data, by communicating them to unauthorized third parties, have been excessively used and processed, so that article 5.1.c) of the GDPR has been violated”.[35]

[33] Statement of Objections, point 26.
[34] Statement of Objections, points 26 and 28.
However, in view of the lack of lawfulness of the processing in question under Article 6.1 of the GDPR, the Restricted Committee considers that there is no need to rule on this point.

[35] Statement of Objections, points 27 and 28.

B. On the breach related to the obligation to comply with the terms and conditions of the exercise of data subject rights

1. On the principles

With regard firstly to the procedures for exercising the rights of the data subject, Article 12 of the GDPR provides, among other things, that:

“[…] 3. The controller shall provide the data subject with information on the measures taken following a request made pursuant to Articles 15 to 22, as soon as possible and in any case within one month from receipt of the request. If necessary, this period may be extended by two months, given the complexity and number of requests. The controller shall inform the person concerned of this extension and the reasons for the postponement within one month from receipt of the request. When the person concerned submits the request in electronic form, the information is provided electronically where possible, unless the data subject requests otherwise.

4. If the controller does not comply with the request made by the person concerned, he shall inform the latter without delay and at the latest within one month from receipt of the request of the reasons for its inaction and of the possibility to lodge a complaint with a supervisory authority and to lodge a judicial appeal. […]”

With regard then to the data subject's right of access, Article 15 GDPR provides the following:

“1.
The data subject has the right to obtain from the controller confirmation that personal data relating to him or her is or is not processed and, when they are, access to said personal data as well as the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular recipients who are established in third countries or international organisations;

d) where possible, the retention period of the personal data envisaged or, where this is not possible, the criteria used to determine this duration;

e) the existence of the right to request from the controller the rectification or the erasure of personal data, or a limitation of the processing of personal data relating to the data subject, or the right to oppose this processing;

f) the right to lodge a complaint with a supervisory authority;

g) when the personal data is not collected from the data subject, any available information as to their source;

h) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the underlying logic, as well as the significance and intended consequences of such processing for the person concerned.

2. When the personal data is transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate guarantees, under Article 46, with respect to this transfer.

3. The controller provides a copy of the personal data undergoing processing.
The controller may require payment of a reasonable fee based on administrative costs for any additional copies requested by the data subject. When the person concerned presents his request electronically, the information is provided in an electronic form commonly used, unless the data subject requests otherwise.

4. The right to obtain a copy referred to in paragraph 3 does not affect the rights and freedoms of others. »

2. In this case

It appears from the initial findings of the CNPD agents

- that on February 13, 2019, Mr A and Mr B had each sent an email to the controller, in which they declared, among other things, "that they have not been informed of how their data has been processed” and that “as such, they request, within 5 days, a copy of the data protection policy Agency data and access to information specified in Article 15 (1) (a) to (d) GDPR”.[36] The copies of the claimants' emails are part of the exhibits filed in this case;[37]

[36] Initial findings, finding 2.
[37] Initial findings, point “1. Documents added to this investigation”.

- that a response that the controlled party provided to Mr. B on February 26, 2019 did not contain the information requested by the latter, and that no response had been provided to Mr. A.[38] A copy of the aforementioned letter forms part of the documents filed in this case;[39]

- that "on 16/04/2019, the data controller sends two registered letters with acknowledgment of receipt to Mr A and Mr B. These letters contain a "personal data protection information notice”. In a letter dated 19/06/2019, the data controller confirms that the aforementioned letter of 16/04/2019 constitutes a "response to requests for access from Messrs. A and B concerning information relating to the processing of their data corresponding to those provided for in Article 15
paragraph 1 a (h) (sic) of the general regulation on the protection of data””.[40] The copies of the letters of the controlled party are part of the documents filed in this case.[41]

[38] Initial findings, finding 6.
[39] Initial findings, point “1. Documents added to this investigation”.

As the claimants had not yet received a statement of position from the controlled party following the submission of their complaints on February 27 and 28, 2019, the CNPD's legal department, in its letter dated March 21, 2019, asked the controlled party for information on the follow-up given to their access requests, or failing that on the reasons that would justify refusing the exercise of their right of access. It asked the controlled party for details by mail dated June 3, 2019. The copy of this mail is part of the documents filed in this case.[42]

The controlled party for its part, by letter dated April 4, 2019, took a position in relation to the letter from the legal department of the CNPD dated March 21, 2019. With regard to the exercise of the right of access by the complainants, it indicated that it had “responded to the statements of Mr. B dated February 26, 2019", and that Mr. A would not have made an access request. A copy of the aforementioned letter from the controller, with the attachments, among them a copy of his email to Mr B dated February 26, 2019, is one of the exhibits tendered in this case.[43]

Finally, the controller specified in his letter to the CNPD dated June 19, 2019 that a response to the access requests would have been sent to Messrs. A and B by registered letter dated April 16, 2019. He attached to his letter to the CNPD the copies of these two letters which were addressed to "Mr. and Mrs.
B" respectively to "Madame A", as well as copies of deposit receipts for a shipment of Post Luxembourg of the same day and the corresponding acknowledgments of receipt. The controlled party had indicated in the registered letters that it had attached the “information note on the personal data protection policy”. However, it did not append this document to its mail to the CNPD.

[40] Initial findings, finding 7.
[41] Initial findings, point “1. Documents added to this investigation”.
[42] Idem.
[43] Idem.

A copy of this information notice was provided to the CNPD by each of the claimants on request, namely by email from Mr B dated February 15, 2020 and by email of Mr. A dated February 11, 2020 (hereinafter: the “information note”). A copy of the controlled party's letter of June 19, 2019 with the above-mentioned annexes, as well as copies of the documents provided by the claimants, are part of the documents submitted in this case.[44]

The head of investigation in his statement of objections noted “that it appears from the investigation that the claimants, Mr. A and Mr. B, each sent an email to the data controller dated 02/13/2019, in order to make an access request to their personal data” and that they “request, within 5 days, a copy of the Agency's data protection policy and access to specified information in Section 15.1. a) to d) of the GDPR ».[45]

Then, he noted that the controlled party provided two answers to the claimants, namely:

- “a first response was provided […] within one month of receipt of the request to Mr B (on 02/26/2019). This response did not contain any information requested by Mr. B. No response was provided to Mr A”;

- "a second response with an information note relating to the protection of personal data was sent on 04/16/2019 […] by mail to Messrs. B and A, i.e.
more than two months after the initial request of 13/02/2019”;[46]

He noted that "these responses were therefore sent more than a month from receipt of the access requests from Messrs A and B and without explanation on the extension of the response deadline beyond one month nor on the possibility of lodging a complaint with a control authority ».[47]

[44] Idem.
[45] Statement of Objections, point 32.
[46] Statement of Objections, point 33.
[47] Idem.

Thus, the head of investigation was of the opinion that the conditions of article 12.3 and 4 of the GDPR had not been respected by the controller “in the context of the responses made […] to the requests for access submitted by Messrs. A and B”.[48]

The head of investigation also noted that while the information note mentioned above, which the controlled party sent to the claimants by registered letter dated April 16, 2019, "contained information on the processing listed in Article 15.1. a), b), c) and d) of the GDPR […] information was missing in the information note on the following points:

Point b) of Article 15.1. of the GDPR (relating to the categories of personal data concerned): it appears from the investigation that the financial data were not included in the description of the categories of personal data processed by the trustee (e.g. RIB or bank account number, fund movements).

Point c) of Article 15.1. of the GDPR (relating to the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular recipients who are established in third countries or international organizations): the information note did not mention recipients or categories of recipients to whom the personal data have been or are being communicated.
Mention is made only of potential recipients (e.g.: "he can call on external subcontractors"). If applicable, the category of recipients should be specified (the formulation "external subcontractors" is not sufficient) and mention should be made if recipients are established in third countries or international organizations”.[49]

Thus, the head of investigation was of the opinion that the controlled party had not complied with the conditions of Article 15.1.b) and c) of the GDPR “in the context of responses made […] to requests of access introduced by Messrs A and B".[50]

[48] Statement of Objections, paragraphs 33 and 35.
[49] Statement of Objections, point 34.
[50] Statement of Objections, paragraphs 34 and 35.

With regard to Mr. B's request for access, the Restricted Panel notes that in his email to the controller dated 13 February 2019, the latter had asked the controlled party to provide him with its "privacy policy" as well as access to the information specified in Article 15.1.a) to d) of the GDPR. It also notes that in its response to Mr B dated February 26, 2019 the controlled party had not addressed the latter's request for access, and that the controlled party communicated the information note only with its registered letter dated April 16, 2019, i.e. more than a month after receipt of the request.

With regard to Mr. A's request for access, the Restricted Formation notes that he had expressly referred to the right of access conferred on him by the GDPR [51] in his email to the controller dated February 13, 2019, by which he had asked the latter to provide him with its privacy policy as well as access to the information specified in Article 15.1.a) to d) of the GDPR, so that the assertion of the controlled party that Mr. A did not make an access request is false.
It also notes that the controlled party communicated the information note to him only with its registered letter dated April 16, 2019, that is to say more than a month after receipt of the request.

The Restricted Formation considers that the controlled party neither responded to the claimants' requests for access within the period provided for in Article 12.3 of the GDPR, nor informed the claimants of a possible reason for its inaction as required by article 12.4 of the GDPR.

It also considers that the information note communicated with the registered letter from the controlled party dated April 16, 2019, and which had as “the objective […] to inform the various co-owners about the processing and transfer of their personal data by the trustee",[52] was unsuitable for responding to the claimants' requests for access. Indeed, it did not mention all the categories of personal data concerned (article 15.1.b) of the GDPR), nor all the recipients or categories of recipients to whom the personal data have been or will be communicated (article 15.1.c) of the GDPR).

[51] Excerpt from the original English text: “Pursuant to our rights of access as data subjects under the General Data Protection Regulation, please provide us with the following information […]”.
[52] Point “[…]” of the information note.

In view of the foregoing, the Restricted Formation agrees with the opinion of the head of investigation and concludes that Articles 12.3 and 4 as well as Article 15.1.b) and c) of the GDPR had not been complied with by the controller with regard to access requests brought by the claimants.

II. 2. On the fine and corrective measures

1.
Principles

In accordance with article 12 of the law of August 1, 2018, the CNPD has the power to adopt all the corrective measures provided for in Article 58.2 of the GDPR:

"(a) notify a controller or processor of the fact that the envisaged processing operations are likely to violate the provisions of this Regulation;

(b) call a controller or processor to order when the processing operations have resulted in a breach of the provisions of this Regulation;

(c) order the controller or processor to comply with requests submitted by the data subject with a view to exercising their rights under this Regulation;

(d) order the controller or the processor to bring the processing operations into compliance with the provisions of this Regulation, where applicable, in a specific manner and within a specified time;

(e) order the controller to communicate to the data subject a personal data breach;

(f) impose a temporary or permanent restriction, including prohibition, of processing;

(g) order the rectification or erasure of personal data or the limitation of processing pursuant to Articles 16, 17 and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed pursuant to Article 17, paragraph 2, and Article 19;

(h) withdraw a certification or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or order the certification body not to issue certification if the requirements applicable to the certification are not or no longer satisfied;

(i) impose an administrative penalty under Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the characteristics specific to each case;

(j) order the suspension of data flows addressed to a recipient
located in a third country or to an international organisation. »

In accordance with article 48 of the law of August 1, 2018, the CNPD may impose administrative fines as provided for in Article 83 of the GDPR, except against the State or the municipalities.

Article 83 of the GDPR provides that each supervisory authority shall ensure that the administrative fines imposed are, in each case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account to decide whether an administrative fine should be imposed and to decide on the amount of this fine:

“(a) the nature, gravity and duration of the breach, taking into account the nature, scope or the purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered;

(b) whether the breach was committed willfully or negligently;

(c) any action taken by the controller or processor to mitigate the damage suffered by the persons concerned;

(d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented under Articles 25 and 32;

(e) any relevant breach previously committed by the controller or the processor;

(f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and to mitigate any negative effects;

(g) the categories of personal data affected by the breach;

(h) the manner in which the supervisory authority became aware of the breach, in particular whether, and to what extent, the controller or processor notified the breach;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with these measures;

(j)
the application of codes of conduct approved pursuant to Article 40 or certification mechanisms approved under Article 42; and

(k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as the financial advantages obtained or the losses avoided, directly or indirectly, as a result of the breach”.

The Restricted Committee would like to point out that the facts taken into account in the context of this decision are those found at the start of the investigation. Any subsequent changes to the data processing under investigation, even if they make it possible to establish conformity in whole or in part, cannot retroactively cancel a breach that has been found.

Nevertheless, the steps taken by the controller to bring itself into compliance with the GDPR during the investigation process, or to remedy the shortcomings noted by the head of investigation in the statement of objections, are taken into account by the Restricted Formation in the context of any corrective measures to be pronounced and/or the setting of the amount of a possible administrative fine to be pronounced.

2.
In this case

2.1 Regarding the imposition of an administrative fine

In the statement of objections, the head of investigation proposes to the Restricted Panel to impose an administrative fine on the controlled party in the amount of 2,500 (two thousand five hundred) euros.[53]

In order to decide whether to impose an administrative fine and to decide, where applicable, the amount of this fine, the Restricted Panel takes into account the elements provided for in Article 83.2 of the GDPR:

- As to the nature and seriousness of the violation (Article 83.2.a) of the GDPR), it notes that, with respect to breaches of Article 5.1.a) and Article 6.1 of the GDPR, they constitute breaches of a fundamental principle of the GDPR (and of the right to data protection in general), namely the principle of lawfulness enshrined in Chapter II “Principles” of the GDPR.

It also notes that compliance with the right of access provided for in Article 15 of the GDPR is one of the major requirements of the right to data protection, because it constitutes the "gateway" allowing the exercise of the other rights that the GDPR confers on the data subject, such as the rights to rectification and erasure provided for by GDPR Articles 16 and 17. In addition, in the present case, the breaches found do not relate solely to the right of access, but also to the procedures for exercising this right provided for in Articles 12.3 and 4 of the GDPR, which have not been complied with by the controller.

- As for the duration criterion (article 83.2.a) of the GDPR), the Restricted Panel finds that the breaches of the claimants' rights of access have lasted over time, at least since February 13, 2019, the date of their access requests, and until the receipt of the information note communicated by the controller with his registered letter of April 16, 2019.
Furthermore, it does not have any documentation that proves that the controlled party has in the meantime responded in full to the requests for access from the claimants by sending them all the personal data processed by it as required by Article 15.1 a) to d) of the GDPR.

[53] VS

- As for the number of data subjects (article 83.2.a) of the GDPR), the Restricted Formation finds that the breaches noted in Articles 5.1.a) and 6.1 of the GDPR concern the two claimants, their wives and the other co-owners, former and current, while the breaches noted in Articles 12.3 and 4 as well as Article 15.1 b) and c) of the GDPR only concern the two claimants.

- As to whether the breaches were committed deliberately or not (by negligence) (article 83.2.b) of the GDPR), the Restricted Panel recalls that "not deliberately" means that there was no intention to commit the violation, although the controller or processor has not complied with the due diligence obligation required by law.

In this case, it is of the opinion that the facts and breaches observed do not reflect a deliberate intention to violate the GDPR on the part of the controller.

The Restricted Committee notes that the other criteria of article 83.2 of the GDPR are neither relevant nor likely to influence its decision on the imposition of an administrative fine and its amount.

Therefore, the Restricted Committee considers that the pronouncement of an administrative fine is justified with regard to the criteria laid down by article 83.2 of the GDPR for breach of Articles 5.1.a), 6.1, 12.3 and 4 as well as Article 15.1.b) and c) of the GDPR.
As regards the amount of the administrative fine, it recalls that paragraph 3 of Article 83 of the GDPR provides that in the event of multiple infringements, as is the case here, the total amount of the fine may not exceed the amount set for the most serious violation. To the extent that a breach of Articles 5, 6, 12 and 15 of the GDPR is held against the controlled party, the maximum amount of the fine that can be retained amounts to 20 million euros or 4% of worldwide annual turnover, whichever is higher.

With regard to the relevant criteria of Article 83.2 of the GDPR mentioned above, the Restricted Formation considers that the imposition of a fine in the amount of 1,500 (one thousand five hundred) euros appears to be effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR.

2.2 Regarding the taking of corrective measures

In the statement of objections, the head of investigation did not propose to the Restricted Formation to adopt corrective measures. Indeed, "given that the subject of this investigation […] no longer has a mandate to act as syndic of Residence A since […] 2019" the head of investigation was of the opinion "that it does not make sense to propose corrective measures in addition to the administrative fine proposed above, given that the controlled party will not be able, neither in fact nor in law, to implement corrective measures”.[54]
In view of the foregoing developments, the National Commission sitting in restricted formation, after having deliberated, decides:

- to retain the breaches of Articles 5.1.a), 6.1, 12.3 and 4 as well as Article 15.1.b) and c) of the GDPR; and

- to pronounce against Company A an administrative fine in the amount of 1,500 (one thousand five hundred) euros, with regard to breaches of Articles 5.1.a), 6.1, 12.3 and 4 as well as Article 15.1.b) and c) of the GDPR.

Belvaux, December 13, 2022.

For the National Data Protection Commission sitting in restricted formation

Tine A. Larsen, President
Marc Lemmer, Commissioner
Alain Herrmann, Commissioner

[54] VS

Indication of remedies

This administrative decision may be the subject of an appeal for review within three months following its notification. This appeal is to be brought before the administrative court and must be introduced through a lawyer at the Court of one of the Orders of lawyers.