Latest revision as of 11:12, 16 June 2021
CNPD (Luxembourg) - Délibération n°13FR/2021 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 12 GDPR, Article 13 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 21.04.2021 |
Published: | 07.06.2021 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | Délibération n°13FR/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | CNPD (in FR) |
Initial Contributor: | n/a |
The Luxembourg DPA issued a warning to a controller that had not adequately informed its employees about a geolocation system used in its company vehicles.
English Summary
Facts
The Luxembourg DPA launched an investigation into a controller that had implemented a geolocation system in its snowplowing and salting vehicles.
The system used online software, although the data was transferred not via WiFi but via phone cards.
The employees took part in the activities involving these vehicles on a voluntary basis. However, they had been informed about the system only orally.
Holding
The DPA argued that, even if Article 12 GDPR does not de facto exclude the possibility of providing the information from Articles 13 and 14 orally, doing so poses an accountability problem. The controller must be able to demonstrate that it has provided such information.
In this case, having provided the information orally, the controller could not prove that it had provided the information, and the DPA therefore concluded that the controller had violated Article 13 GDPR.
The DPA took into account that the controller had implemented, during the proceedings, adequate measures to fulfill its information obligation, following the authority's proposal.
Therefore, the CNPD decided to only warn the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of survey No. [...] conducted among the administration municipal [...]

Deliberation n° 13FR/2021 of April 21, 2021

The National Commission for Data Protection sitting in a restricted body composed of Ms Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data personal character and on the free movement of such data, and repealing the Directive 95/46/EC;

Considering the law of August 1, 2018 on the organization of the National Commission for data protection and the general data protection regime, in particular its article 41;

Having regard to the internal regulations of the National Commission for the Protection of data adopted by decision n° 3AD/2020 dated 22 January 2020, in particular its article 10 point 2;

Having regard to the regulation of the National Commission for Data Protection relating to investigation procedure adopted by decision n° 4AD/2020 dated 22 January 2020, in particular Article 9;

Considering the following:

I. Facts and procedure

1. During its deliberation session of January 16, 2019, the National Commission for data protection sitting in plenary session (hereinafter: "Training Plenary") had decided to open an investigation with the municipal administration of [...] (hereinafter: "the controlled") on the basis of article 37 of the law of 1 August 2018 on organization of the National Commission for Data Protection and Regime General on Data Protection (hereinafter “Law of 1 August 2018”) and to designate Mr. Christophe Buschmann as head of investigation.

2. According to the decision of the Plenary Panel, the investigation carried out by the National Commission for Data Protection (hereafter: "CNPD") had as purpose of verifying compliance with the provisions of the regulation on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (hereinafter "GDPR") and the law of August 1, 2018, in particular through the establishment of video surveillance and geolocation if necessary installed by the controlled.

3. On January 24, 2019, CNPD agents visited the¹ the controlled premises at the following address: [...] The decision of the National Commission for data protection sitting in restricted formation on the outcome of the investigation (hereinafter: "Restricted Training") will be limited to the treatments controlled by the agents of the CNPD.²

¹ See Minutes no. [...] relating to the on-site investigation mission carried out on January 24, 2019 with the municipal administration of [...].

² See Minutes no. [...] relating to the on-site investigation mission carried out on January 24, 2019 with the municipal administration of [...].

4. During the said visit, the representatives of the inspected confirmed to the agents of the CNPD that a geolocation system is installed in [...] vehicles equipped with a snow removal or road salting device, but that the inspected does not have recourse to a video surveillance system.³

³ See report no. [...] relating to the on-site investigation mission carried out on January 24, 2019 with the municipal administration of [...]. See also the response of the inspected of February 14, 2019 where this the latter clarified that it is not a question of [...], but only of [...] vehicles equipped with a geolocation.

5. According to the explanations provided to the CNPD agents, the persons concerned by geolocation are the members of the municipal staff (employees and civil servants municipalities) who have expressed their willingness to participate in the winter service.

6. In addition, the CNPD agents noted that the software of the geolocation of the controlled is hosted online by the supplier "[…]", specialized in cleaning and snow removal and that the said supplier is to be considered as processor within the meaning of article 4, point 8 of the GDPR.

7. In his response letter of February 14, 2019 to the minutes drawn up by the CNPD agents, the inspector specified that the data collected by the boxes of the geolocation device are not transmitted to the servers of the provider of the program via wifi connection ([…]), but with mobile phone cards.

8. At the end of his investigation, the head of investigation notified the inspector on the 8th August 2019 a statement of objections detailing the breach which he considered constituted in this case, and more specifically a non-compliance with the requirements prescribed by Article 13 of the GDPR for employees.

9. On September 17, 2019, the inspected filed written observations on the statement of objections.

10. A letter supplementing the statement of objections was sent to checked on August 3, 2020. In this letter, the head of the investigation proposed to the Restricted training to adopt two different corrective measures.

11. By letter of 24 August 2020, the inspected produced written observations on the additional letter to the statement of objections.
12. The president of the Restricted Formation informed the control by letter of 9 October 2020 that his case would be registered for the Restricted Training session of 17 November 2020. The inspected confirmed their presence at the said meeting on 3 November 2020.

13. During the Restricted Training session on November 17, 2020, the leader investigation team and the inspector presented their oral observations in support of their written observations and answered questions posed by the Restricted Training. The President consented to the inspector's request to be able to send to Formation Restricted additional photos of the geolocation system and to provide by writes the necessary explanations within a week. The controlled had the floor in latest.

14. By e-mail of November 18, 2020, the inspected sent four photos to the Restricted Training of the geolocation system in place with additional explanations.

II. Place

II. 1. As to the grounds for the decision

A. On the breach related to the obligation to inform the persons concerned

1. On the principles

15. Pursuant to paragraph 1 of Article 12 of the GDPR, the "controller take appropriate measures to provide any information referred to in Articles 13 and 14 as well as to make any communication under Articles 15 to 22 and Article 34 with regard to the processing to the data subject in a concise manner, transparent, understandable and easily accessible, in clear and simple terms […]. The information is provided in writing or by other means including, when it is appropriate, electronically. When the data subject so requests, the information may be provided orally, provided that the identity of the person concerned is demonstrated by other means."

16. Article 13 of the GDPR provides as follows:

"1. When personal data relating to a data subject are collected from this person, the controller provides them, at the time where the data in question is obtained, all of the following information:

a) the identity and contact details of the controller and, where applicable, of the representative of the controller;

b) where applicable, the contact details of the data protection officer;

c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) where the processing is based on Article 6 (1) (f), the legitimate interests pursued by the controller or by a third party;

e) the recipients or the categories of recipients of the personal data, if they exist; and

f) where applicable, the fact that the controller intends to carry out a transfer of personal data to a third country or to an organization international, and the existence or absence of an adequacy decision issued by the Commission or, in the case of transfers referred to in Article 46 or 47, or in Article 49, paragraph 1, second subparagraph, the reference to appropriate or adapted guarantees and the how to obtain a copy or where it was made available;

2. In addition to the information referred to in paragraph 1, the controller shall provide to the data subject, when the personal data are obtained, the following additional information which is necessary to guarantee fair and transparent treatment:

a) the retention period of personal data or, when this is not possible, the criteria used to determine this duration;

b) the existence of the right to request from the controller access to the data personal character, rectification or erasure thereof, or a limitation of the processing relating to the data subject, or the right to object to the processing and right to data portability;

c) where the processing is based on Article 6 (1) (a) or on Article 9, paragraph 2 (a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of the processing based on consent made before the withdrawal of it;

d) the right to lodge a complaint with a supervisory authority;

e) information on whether the requirement to provide data to personal character has a regulatory or contractual character or if it conditions the conclusion of a contract and whether the data subject is obliged to provide the data to personal character, as well as the possible consequences of the non-provision of those data;

f) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the underlying logic, as well as the significance and expected consequences of this processing for the person concerned.

3. When he intends to carry out further processing of personal data personal for a purpose other than that for which the personal data have been collected, the data controller provides the person with concerned information about this other purpose and any other information relevant referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 do not apply when and to the extent that the person concerned already has this information."

17. The communication to data subjects of information relating to processing of their data is an essential element in the context of compliance with general transparency obligations within the meaning of the GDPR. The said obligations were clarified by the Article 29 Working Group in its guidelines on transparency within the meaning of Regulation (EU) 2016/679, the revised version of which has been adopted April 11, 2018 (hereafter: "WP 260 rev.01").

18. Note that the European Data Protection Board (hereafter: "EDPS"), which replaced the Article 29 Working Party since 25 May 2018, took over and re-approved the documents adopted by said Group between May 25, 2016 and May 25 2018⁵, as precisely the aforementioned guidelines on transparency.

2. In this case

19. In the statement of objections, the head of investigation referred to a letter from February 14, 2019, in which the latter annexed a document entitled "[…]". In the said letter, the inspector also specified that "everything is being done to also transmit the information in writing to the officers concerned. So a personalized information letter to the attention of the agents making up the teams of the winter service has been prepared […]".

20. Nevertheless, the head of the investigation found that the non-compliance with Article 13 of GDPR was acquired on the day of the on-site visit, because the documentation submitted to it by the the aforementioned letter contained no evidence against this non-compliance with this precise date. The head of the investigation added that "the observation that the employees had been informed orally, without presenting any evidence to support this claim, is not likely to upset this finding." (See statement of objections, page 2, Ad.A.1.).

⁴ See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR.
⁵ See EDPS Endorsement 1/2018 decision of 25 May 2018, available at: https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.

21. In his letter of August 24, 2020, the inspector referred to his comments contained in his letter of September 17, 2019, which already mentioned the procedures carried out by the inspected, following the visit of CNPD agents, in order to comply with the provisions of Article 13 of the GDPR. The controlled specified that in accordance with Article L-261-1 of the Labor Code, collective information relating to the implementation of the geolocation system for the delegations of officials and municipal employees, as well as employees took place by letter of August 13, 2019, a share, and that all the agents concerned would be informed individually before the 1 November 2019, on the other hand. In addition, the controlled specified therein that the information also been put on the intranet site of […] and that the instructions were given to the services to post information in the premises of the departments concerned. Copies of information notices intended for delegations and employees were appended to the letter of 17 September 2019.

22. In addition, the inspected explained in the aforementioned letter of September 17, 2019 that on that date the number of intervention vehicles equipped with a⁶ geolocation totaled [...] and that for November 1, 2019, thumbnails signs would be installed in said vehicles with the following content: "... to inform you that this vehicle is equipped with a geolocation system. For more information, you can inquire at the following address: ..."

⁶ […] vehicles for the Hygiene department and […] vehicles for the Roads department.

23. Finally, during the Restricted Training session on November 17, 2020, as well as in his email of November 18, 2020, the inspected confirmed that the information notice communicated to the CNPD by the aforementioned letter of September 19 2019 has been transmitted and countersigned individually by all agents of the service winter of [...].

24. The Restricted Training first of all wishes to emphasize that Article 13 of the GDPR refers to the obligation imposed on the controller to "provide" all information mentioned therein. The word "provide" is crucial here and it "means that the controller must take concrete measures to provide the information in question to the data subject or to actively direct the person regarding the location of said information (for example by means of a link direct, a QR code, etc.)." (WP260 rev. 01, paragraph 33).

25. Furthermore, it would like to point out that Article 12 of the GDPR does not de facto exclude that the information provided for in Articles 13 and 14 may be provided orally by the controller to the data subject. On the other hand, the WP260 rev. 01 (paragraph 21) insists that in this case the controller should ensure “to keep a written record, and ensure that he is able to prove it (for the purposes of compliance with the responsibility requirement), of: i) oral request for information, ii) the method by which the identity of the data subject was verified (the case (see point 20 above), and (iii) the fact that the information has been transmitted to the person concerned."

26. During the on-site visit of CNPD agents, the inspector specifically mentioned that the persons concerned were only informed orally about the presence of the geolocation device in the vehicles in question as part of the work instructions provided.

27. Nevertheless, the Restricted Formation notes that no documentation submitted by the inspected does not contain proof that the employees of the inspected have been validly informed, before the on-site visit by CNPD staff, orally in accordance with Article 13 of the GDPR.

28. In view of the above, the Restricted Formation concludes that at the time of the site visit by CNPD agents, Article 13 of the GDPR was not respected by the control.

II. 2. On corrective measures

1. The principles

29. In accordance with article 12 of the law of August 1, 2018, the CNPD has the power to adopt all the corrective measures provided for in Article 58.2 of the GDPR:

"a) notify a controller or processor that data processing operations treatment envisaged are likely to violate the provisions of these regulations;

b) call to order a controller or a processor when the processing operations have resulted in a violation of the provisions of this Regulation;

c) order the controller or processor to comply with the requests presented by the data subject in order to exercise their rights under the this regulation;

d) order the controller or processor to put the data processing operations processing in accordance with the provisions of this Regulation, where applicable, of in a specific way and within a specific timeframe;

e) order the controller to communicate to the data subject a personal data breach;

f) impose a temporary or permanent restriction, including a ban, of processing;

g) order the rectification or erasure of personal data or the restriction of processing in application of Articles 16, 17 and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed in accordance with Article 17, paragraph 2, and Article 19;

h) withdraw a certification or order the certification body to withdraw a certification issued in application of Articles 42 and 43, or order the certification not to issue certification if the requirements for certification are not or no longer satisfied;

i) impose an administrative fine in application of Article 83, in addition to or the place of the measures referred to in this paragraph, depending on the characteristics specific to each case;

j) order the suspension of data flows addressed to a recipient located in a third country or to an international organization."

30. These measures also include the power to "impose a fine administrative pursuant to Article 83 […]". However, article 48.1 of the law of August 1 2018 on the organization of the National Commission for Data Protection and of the general data protection regime specifies that “[t]he CNPD may impose administrative fines as provided for in Article 83 of [GDPR], except against state or municipalities.".

31. In addition, the Restricted Training would like to point out that the facts taken into account in the context of this decision are those found at the start of the investigation. The any changes relating to the processing of data subject to the investigation intervened subsequently, even if they make it possible to fully establish or partially compliance, do not allow retroactive cancellation of a breach found.

32. Nevertheless, the steps taken by the inspected to get into compliance with the GDPR during the investigation process or to remedy shortcomings identified by the head of investigation in the statement of objections, are taken into account by the Restricted Training in the context of any corrective measures to pronounce.

2. In this case

33. The adoption of the following corrective measures was proposed by the Chief of investigation to the Restricted Training in its complementary mail to the communication grievances of August 3, 2020:

"A) Order the controller to complete the information measures intended for people affected by geolocation, in accordance with provisions of article 13, paragraphs (1) and (2) of the GDPR by informing in particular the identity of the controller, the purposes of the processing and its legal basis, the categories of data processed, the legitimate interests pursued by the inspected, the recipients, the retention period of the data as well as indication of human rights and how to exercise them.

b) To issue a call to order against the controller for cause of violation of the provisions of the GDPR."

34. The Restricted Training takes into account the steps taken by the controlled, following the visit of CNPD agents, in order to comply with the provisions of Article 13 of the GDPR, as detailed in his letter of August 24, 2020. More in particular, it takes note of the following facts, which were confirmed by the inspected during the Restricted Training session of November 17, 2020, as well as in its e-mail of November 18, 2020:

The information notice regarding the geolocation of intervention vehicles, communicated to the CNPD by letter of September 19, 2019, has been sent and individually countersigned by all the agents of the Hygiene Service and Roads service providing the winter service of [...].

Signage stickers have been installed in the intervention vehicles with the following content: "... would like to inform you that this vehicle is equipped with a geolocation system. For more information, you can get information at the following address: ..."

35. Under Article 58.2.b) of the GDPR, the CNPD may call to order a controller or a processor when the processing operations have resulted in a violation of the provisions of the GDPR.

36. Taking into account the fact that at the time of the site visit of the CNPD agents, no documentation submitted by the inspected contained proof that the employees of the inspected have been validly informed in violation of Article 13 of the GDPR, the Restricted Training considers it justified to issue a call to order to against the controlled.

In view of the foregoing developments, the National Commission sitting in restricted formation and deliberating unanimously decides:

to pronounce against the municipal administration of [...] a call to order for violating Article 13 of the GDPR.

So decided in Belvaux on April 21, 2021.

For the National Commission for Data Protection sitting in formation restraint

Tine A. Larsen, President
Thierry Lallemang, Commissioner
Marc Lemmer, Commissioner

Indication of remedies

This administrative decision may be the subject of an appeal for reformation in the three months following its notification. This appeal is to be brought before the administrative court and must be introduced through a lawyer at the Court of one of the Orders of lawyers.