CNPD (Luxembourg) - Délibération n° 3018: Difference between revisions
Revision as of 13:45, 8 October 2020
CNPD - 3018 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 27 GDPR |
Type: | Complaint |
Outcome: | Other Outcome |
Started: | |
Decided: | 04.02.2020 |
Published: | 29.05.2020 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 3018 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | English |
Original Source: | Zoller Thierry (in EN) |
Initial Contributor: | Thierry ZOLLER |
Luxembourg DPA argues it cannot proceed against a company established abroad that has not designated an EU Representative.
English Summary
Facts
Rocketreach sells access to personal data on EU data subjects, allegedly without any legal basis.
Dispute
1. Deleting the data subject's information when all he asked for was access.
2. Legal basis of processing.
3. Mass processing.
Holding
Luxembourg DPA argues it cannot proceed against a company established abroad that has not designated an EU Representative.
Comment
Although thousands of Luxembourgish and hundreds of thousands of European data subjects are
Further Resources
Part1 : https://blog.zoller.lu/2020/05/how-to-effectively-evade-gdpr-and-reach.html
Part2 : https://blog.zoller.lu/2020/10/how-to-effectively-evade-gdpr-and-reach.html
Although agreeing that Rocketreach is in breach of the GDPR, the CNPD refuses to open an investigation:
- The CNPD argues that it does not have to follow its Internal Guidelines on "Investigations" because, although it talked to Rocketreach, it did not officially open an actual investigation in this particular case. It also argues that it does not need to follow the Internal Guidelines on "Decisions", as a decision not to open an investigation is formally not a Decision as defined in its policies.
- The CNPD further argues that the Luxembourgish Law on Data Protection does not specify any criteria for when the CNPD would or would not need to open an investigation, and thus concludes it can do so at will.
- In the case of Rocketreach in particular, the CNPD argues that it makes no sense to open an investigation as it would not be able to ensure that Rocketreach then respects the outcome. In other words, they won't let us benefit from their efforts should we seek judicial redress.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.