CNPD (Luxembourg) - 10FR/2023: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Luxembourg |DPA-BG-Color= |DPAlogo=LogoLU.png |DPA_Abbrevation=CNPD |DPA_With_Country=CNPD (Luxembourg) |Case_Number_Name=10FR/2023 |ECLI= |Original_Source_Name_1=CNPD |Original_Source_Link_1=https://cnpd.public.lu/content/dam/cnpd/fr/decisions-fr/2023/dlibration-n-10fr-2023-du-24-juillet-2023.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Lan...") |
(specified corrective measure adopted) |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 42: | Line 42: | ||
|EU_Law_Link_2= | |EU_Law_Link_2= | ||
|National_Law_Name_1= | |National_Law_Name_1=Article 48 of the National Data Protection Law | ||
|National_Law_Link_1= | |National_Law_Link_1=https://legilux.public.lu/eli/etat/leg/loi/2018/08/01/a686/jo | ||
|National_Law_Name_2= | |National_Law_Name_2= | ||
|National_Law_Link_2= | |National_Law_Link_2= | ||
Line 63: | Line 63: | ||
}} | }} | ||
The | The Luxembourg DPA found the Municipal Administration of Leudelange to have breached [[Article 37 GDPR#1a|Articles 37(1)(a)]] and [[Article 37 GDPR#7|37(7) GDPR]], since the latter, on the date of investigation, had not yet designated a DPO. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
Following a general check carried | Following a general check carried on all Luxembourg municipalities in the summer of 2022, the Luxembourg DPA decided to open an investigation on the Municipal Administration of Leudelange (the controller). | ||
Specifically, the controller aimed to evaluate the controller’s conformity with its obligation to appoint a DPO and whether it communicated the DPO's contact details to the DPA, as provided by [[Article 37 GDPR#1a|Article 37(1)(a) GDPR]] and [[Article 37 GDPR#7|Article 37(7) GDPR]]. | Specifically, the controller aimed to evaluate the controller’s conformity with its obligation to appoint a DPO and whether it communicated the DPO's contact details to the DPA, as provided by [[Article 37 GDPR#1a|Article 37(1)(a) GDPR]] and [[Article 37 GDPR#7|Article 37(7) GDPR]]. | ||
=== Holding === | === Holding === | ||
The DPA noted that pursuant to the entry into force of the GDPR, public bodies were obliged to designate a DPO no later than 25 May 2018. Meanwhile, on the date the investigation was opened, and after consulting the register of DPOs, no DPO had been identified for the controller. | The DPA noted that pursuant to the entry into force of the GDPR, public bodies were obliged to designate a DPO no later than 25 May 2018. Meanwhile, on the date the investigation was opened, and after consulting the register of DPOs, no DPO had been identified for the controller. The controller appointed a DPO only on 10 March 2023, namely after the opening of the investigation. Thus, the controller violated [[Article 37 GDPR#1a|Article 37(1)(a) GDPR]]. Moreover, the DPA acknowledged that when the investigation began, the controller had not communicated to the DPA the contact details of the DPO, breaching [[Article 37 GDPR#7|Article 37(7) GDPR]]. | ||
Observing Article 48 of the National | Observing [https://legilux.public.lu/eli/etat/leg/loi/2018/08/01/a686/jo Article 48 of the National Data Protection Law], the DPA may impose administrative fines as provided in [[Article 83 GDPR|Article 83 GDPR]], except against the State or municipalities. Hence, the DPA found it appropriate to issue a reprimand to the controller under [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. In light of this, the DPA recognised that during the proceedings, the controller took steps to remedy the shortcomings identified by the head of the investigation. | ||
== Comment == | == Comment == | ||
On the same day, the Luxembourgish DPA published similar findings against other four Municipal Administrations: the Municipal Administration of Useldange, the Municipal Administration of Dalheim, the Municipal Administration of Heffingen and the Municipal Administration of Vallée de l’Ernz. | On the same day, the Luxembourgish DPA published similar findings against other four Municipal Administrations: the [https://cnpd.public.lu/content/dam/cnpd/fr/decisions-fr/2023/dlibration-n-8fr-2023-du-24-juillet-2023.pdf Municipal Administration of Useldange], the [https://cnpd.public.lu/content/dam/cnpd/fr/decisions-fr/2023/dlibration-n-9fr-2023-du-24-juillet-2023.pdf Municipal Administration of Dalheim], the [https://cnpd.public.lu/content/dam/cnpd/fr/decisions-fr/2023/dlibration-n-11fr-2023-du-24-juillet-2023.pdf Municipal Administration of Heffingen] and the [https://cnpd.public.lu/content/dam/cnpd/fr/decisions-fr/2023/dlibration-n-12fr-2023-du-24-juillet-2023.pdf Municipal Administration of Vallée de l’Ernz]. | ||
== Further Resources == | == Further Resources == |
Latest revision as of 11:34, 3 January 2024
CNPD - 10FR/2023 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 37(1)(a) GDPR Article 37(7) GDPR Article 48 of the National Data Protection Law |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 24.07.2023 |
Published: | 05.12.2023 |
Fine: | n/a |
Parties: | Administration communale de Leudelange |
National Case Number/Name: | 10FR/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | CNPD (in FR) |
Initial Contributor: | ar |
The Luxembourg DPA found the Municipal Administration of Leudelange to have breached Articles 37(1)(a) and 37(7) GDPR, since the latter, on the date of investigation, had not yet designated a DPO.
English Summary
Facts
Following a general check carried on all Luxembourg municipalities in the summer of 2022, the Luxembourg DPA decided to open an investigation on the Municipal Administration of Leudelange (the controller).
Specifically, the controller aimed to evaluate the controller’s conformity with its obligation to appoint a DPO and whether it communicated the DPO's contact details to the DPA, as provided by Article 37(1)(a) GDPR and Article 37(7) GDPR.
Holding
The DPA noted that pursuant to the entry into force of the GDPR, public bodies were obliged to designate a DPO no later than 25 May 2018. Meanwhile, on the date the investigation was opened, and after consulting the register of DPOs, no DPO had been identified for the controller. The controller appointed a DPO only on 10 March 2023, namely after the opening of the investigation. Thus, the controller violated Article 37(1)(a) GDPR. Moreover, the DPA acknowledged that when the investigation began, the controller had not communicated to the DPA the contact details of the DPO, breaching Article 37(7) GDPR.
Observing Article 48 of the National Data Protection Law, the DPA may impose administrative fines as provided in Article 83 GDPR, except against the State or municipalities. Hence, the DPA found it appropriate to issue a reprimand to the controller under Article 58(2)(b) GDPR. In light of this, the DPA recognised that during the proceedings, the controller took steps to remedy the shortcomings identified by the head of the investigation.
Comment
On the same day, the Luxembourgish DPA published similar findings against other four Municipal Administrations: the Municipal Administration of Useldange, the Municipal Administration of Dalheim, the Municipal Administration of Heffingen and the Municipal Administration of Vallée de l’Ernz.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of investigation n°[…] carried out with the Administration municipal of Leudelange Deliberation No. 10FR/2023 of July 24, 2023 The National Commission for Data Protection sitting in restricted formation composed of Ms. Tine A. Larsen, president, and Messrs. Thierry Lallemang and Marc Lemmer, commissioners; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of data personal character and the free movement of such data, and repealing the Directive 95/46/EC; Having regard to the law of August 1, 2018 organizing the National Commission for data protection and the general regime on data protection, in particular its article 41; Considering the internal regulations of the National Commission for the Protection of data adopted by decision no. 3AD/2020 dated January 22, 2020, in particular its article 10 point 2; Having regard to the regulation of the National Commission for Data Protection relating to the investigation procedure adopted by decision no. 4AD/2020 dated January 22, 2020, in particular its article 9; Considering the following: ________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey n°[…] carried out with the Leudelange municipal administration 1/9 I. Facts and procedure During its deliberation session of December 9, 2022, the National Commission for data protection sitting in plenary session decided to open a survey with the Municipal Administration of Leudelange, located at 5, Place des Martyrs, L-3361 Leudelange (hereinafter: the “controlled”), on the basis of article 38 of the law of August 1, 2018 organizing the National Commission for the Protection of data and the general regime on data protection (hereinafter: the “law of August 1 2018") and to appoint Mr. Alain Herrmann as head of investigation. The said decision clarified that the investigation carried out by the National Commission for data protection (hereinafter: the “CNPD” or the “National Commission”) was intended to purpose of monitoring the application and compliance with Regulation (EU) 2016/679 of the Parliament European Union and of the Council of 27 April 2016 relating to the protection of natural persons with regard to the processing of personal data and the free movement of these data, and repealing Directive 95/46/EC (hereinafter: the “GDPR”) and the law of 1 August 2018 and legal texts providing for specific provisions regarding protection of personal data and more precisely the application and 1 compliance with articles 37.1.a) and 37.7 of the GDPR. The specific purpose of the investigation was to monitor compliance with the obligation to appoint a data protection officer (hereinafter: “DPD”) and to communicate the contact details to the supervisory authority. She followed a general verification that the CNPD had carried out among all Luxembourg municipalities during the summer of 2022. The person being investigated was informed of the opening of the investigation against him by letter from the head investigation dated February 3, 2023. In this letter, the head of investigation asked the controlled “please read the initial findings below: By letter dated August 11, 2022, the president of the CNPD reminded the Mayor of his obligation to appoint a data protection officer (hereinafter the “DPD”), as well as that its obligation to notify the CNPD of this designation (EXIT 1). 1Deliberation No.[…] of December 9, 2022 of the National Commission for Data Protection relating at the opening of a fact-finding mission to the Leudelange municipal administration. ________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey n°[…] carried out with the municipal administration of Leudelange 2/9 In the absence of a reaction from the Mayor, the president of the CNPD told him sent a reminder dated September 23, 2022 (EXHIBIT 2). On the date of writing of this letter, and after consulting the register of data protection delegates, the investigating officers did not identify any appointment of a DPO for your municipality”. The person being inspected responded to the letter opening the investigation by mail dated March 10 2023, after the CNPD had granted it additional time. At the end of his investigation, the head of investigation notified the person being inspected on March 31 2023 a statement of objections detailing the breach which it considered constituted in the species in relation to the requirements prescribed by article 37.1.a) of the GDPR (obligation to appoint a DPO). The head of investigation proposed to the National Commission sitting in formation restricted training (hereinafter: the “Restricted Training”) to adopt a corrective measure. The ability to formulate written observations on the statement of objections was offered to the controlled. By letter of May 2, 2023, the person being inspected informed the head of investigation that he had not comments to be made in relation to the statement of objections. The president of the Restricted Training informed the controlled person by mail on the date of May 23, 2023 that his case would be registered at the session of the Restricted Formation of July 4, 2023 and that he was offered the opportunity to be heard there. By email of June 27, 2023, the controlled person confirmed his presence at said session. During this session the head of investigation, […], and the person being investigated, represented by […], presented their oral observations in support of their written observations and responded to the questions asked by the Restricted Training. The person being controlled had the last word. ________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey n°[…] carried out with the Leudelange municipal administration 3/9 II. Place II.1. On the reasons for the decision On the failure linked to the obligation to appoint a DPO and communicate the contact details at the CNPD 1. On the principles In accordance with article 37.1.a) of the GDPR, any data controller or subcontractor processor must designate a DPO if the “processing is carried out by a public authority or a public body, with the exception of courts acting in the exercise of their function jurisdictional”. Based on article 37.7 of the GDPR, any data controller or subcontractor is also obliged to communicate the contact details of the DPO to the supervisory authority, that is to say in this case to the CNPD. In its guidelines on DPDs, the Article 29 Working Group has clarified the relevant provisions of the GDPR in this area in order to help those responsible processing and subcontractors to comply with the legislation, but also to assist the DPOs in their role. Note that the European Data Protection Committee, which succeeded the Article 29 Working Group on May 25, 2018, took up and reapproved the adopted documents by the said Group between May 25, 2016 and May 25, 2018, as precisely the lines 3 aforementioned guidelines. 2. In the present case The head of investigation noted in his statement of objections that on “the date opening of an investigation, and after consultation of the register of delegates for the protection of 2 The Guidelines on DPDs were adopted by the Article 29 Working Group on December 13, 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017. 3 See decision Endorsement 1/2018 of the EDPS of May 25, 2018, available under: https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf. ________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey n°[…] carried out with the Leudelange municipal administration 4/9 data, the investigating agents did not identify the designation of a DPO for the Municipal Administration of Leudelange”. Furthermore, he noted that the auditee “designated a DPO on March 10, 2023, i.e. after the opening of the investigation. Therefore, he held that “the conditions of article 37, paragraph (1) point a) of GDPR has not been respected. 4 Restricted Training would first of all like to emphasize that the controlled is a Luxembourg municipal administration and therefore, a public body obliged to designate a DPO no later than May 25, 2018, the date the GDPR comes into force. It then notes that the person being inspected had responded on March 10, 2023 to the letter from head of investigation of February 3, 2023 informing him of the opening of the investigation into him. In annexed to this letter of March 10, 2023 was an extract from the deliberations of the College of mayor and aldermen of March 10, 2023, as well as the application form declaration from the DPD to the CNPD, signed and dated on the same day, according to which the Government Data Protection Commissioner at the State had been designated as DPO of the controlled person. The Restricted Panel can therefore only agree with the findings of the head of investigation that on the date of opening of the investigation, that is to say December 9, 2022, the person inspected did not have still designated a DPD, despite the reminder letters from the CNPD of August 11, 2022 and from September 23, 2022. In view of the above, it concludes that at the start of the investigation, the person controlled failed to its obligation arising from article 37.1.a) of the GDPR. Furthermore, the Restricted Formation notes that on the date of the opening of the investigation, the person controlled had not communicated the contact details of his DPO to the CNPD in accordance with article 37.7 of the GDPR. Therefore, as the control of compliance with said article appeared within the scope of the investigation in question (see point 2 of this decision), 4Statement of Objections, points 16 to 18. ________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey n°[…] carried out with the Leudelange municipal administration 5/9she considers that the person inspected also failed to fulfill his obligation arising from article 37.7 of the GDPR. II. 2. On corrective measures 1. On the principles In accordance with article 12 of the law of August 1, 2018, the National Commission has the powers provided for in article 58.2 of the GDPR: “a) notify a controller or a processor of the fact that the operations processing envisaged are likely to violate the provisions of this regulation; b) call to order a controller or a processor when the processing operations have resulted in a violation of the provisions of this Regulation; (c) order the controller or processor to comply with the requests submitted by the data subject with a view to exercising their rights in application of this regulation; (d) order the controller or processor to put the operations processing in accordance with the provisions of this regulation, where applicable, in a specific manner and within a specific time frame; (e) order the controller to communicate to the data subject a personal data breach; (f) impose a temporary or permanent limitation, including a ban, on the treatment; g) order the rectification or erasure of personal data or the limitation of processing pursuant to Articles 16, 17 and 18 and the notification of these measures to recipients to whom personal data have been disclosed pursuant to Article 17(2) and Article 19; (h) withdraw a certification or order the certification body to withdraw a certification issued pursuant to articles 42 and 43, or order the body to ________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey n°[…] carried out with the Leudelange municipal administration 6/9certification not to issue certification if the requirements applicable to certification are not or no longer satisfied; (i) impose an administrative fine pursuant to section 83, in addition or instead of the measures referred to in this paragraph, depending on the characteristics specific to each case; j) order the suspension of data flows addressed to a recipient located in a third country or an international organization. In accordance with article 48 of the law of August 1, 2018, the CNPD may impose administrative fines as provided for in Article 83 of the GDPR, except against the State or municipalities. The Restricted Training would like to point out that the facts taken into account in the framework of this decision are those noted at the start of the investigation. The possible modifications relating to the data processing subject to the investigation that have taken place subsequently, even if they make it possible to fully or partially establish the compliance, do not allow retroactive cancellation of a noted breach. However, the steps taken by the auditee to comply with the GDPR during the investigation procedure or to remedy breaches noted by the head of investigation in the statement of objections, are taken into account by Restricted Training as part of any corrective measures to be taken. 2. In the present case In the communication of grievances the head of investigation “proposes to the Training Restricted from issuing a call to order against the Controlled Party according to which he must comply with the applicable legislation regarding the appointment of a protection delegate data » .5 As for the corrective measure proposed by the head of investigation and with reference to point 21 of this decision, the Restricted Training takes into account the procedures 5Statement of Objections, paragraph 25. ________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey n°[…] carried out with the Leudelange municipal administration 7/9 carried out by the auditee in order to comply with the provisions of articles 37.1.a) and 37.7 of the GDPR, as detailed in its letter of March 10, 2023. More particularly, it notes that as of March 10, 2023, the person inspected had sent to the CNPD, the extract of the deliberations of the College of Mayor and Aldermen relating to the meeting of March 10, 2023, as well as the DPO declaration form, signed and dated the same day, and according to which the Government Protection Commission of data with the State had been designated as DPO of the controlled. However, on the date of the opening of the investigation, the person inspected had neither designated a DPD, nor communicated its contact details to the CNPD. For these reasons, the Restricted Panel considers that it is appropriate to pronounce the corrective measure proposed by the head of investigation in this regard and taken up in point 22 of the this decision and to call the controlled person to order for having violated articles 37.1.a) and 37.7 of the GDPR. Finally, under the terms of article 52 of the law of August 1, 2018, “CNPD may order, at the expense of the sanctioned person, the publication in full or in extracts of its decisions with the exception of decisions relating to the imposition of penalty payments, and under reserves that: 1° the means of appeal against the decision have been exhausted; And 2° the publication does not risk causing disproportionate harm to the parties in question. cause ". The Restricted Panel considers that the publication of this decision does not risk not cause disproportionate harm to the person being controlled, but that it is justified in view of of the public interest in knowing the results of the general verification that the CNPD had carried out in all Luxembourg municipalities during the summer of 2022. ________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey n°[…] carried out with the Leudelange municipal administration 8/9 Taking into account the above developments, the National Commission sitting in restricted formation, after having deliberated, decides: - to identify breaches of articles 37.1.a) and 37.7 of the GDPR; - to issue a recall against the Leudelange municipal administration to order for having violated articles 37.1.a) and 37.7 of the GDPR; - to publish the decision on the website of the National Commission as soon as the avenues of appeal have been exhausted. Belvaux, July 24, 2023, The National Commission for Data Protection sitting in restricted formation, Tine A. Larsen Thierry Lallemang Marc Lemmer President Commissioner Commissioner Indication of avenues of appeal This administrative decision may be the subject of an appeal for reform in the three months following its notification. This appeal must be brought before the court administrative and must be introduced through a lawyer to the Court of a Bar Associations. ________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey n°[…] carried out with the Leudelange municipal administration 9/9