CNPD (Luxembourg) - Délibération n°37FR/2021: Difference between revisions
m (FD moved page CNPD (Luxembourg) - 37FR/2021 to CNPD (Luxembourg) - Délibération n°37FR/2021) |
(Updated in line with the Style Guide, improved language) |
||
Line 57: | Line 57: | ||
In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the obligations relating to the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular [[Article 37 GDPR]] to [[Article 39 GDPR]]). | In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the obligations relating to the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular [[Article 37 GDPR]] to [[Article 39 GDPR]]). | ||
One of these audit proceedings concerned a Luxembourg private company (hereafter, the | One of these audit proceedings concerned a Luxembourg private company (hereafter, the controller). During the investigation, it was found that the controller had failed to communicate the contact details of its DPO to the DPA on time, in breach of [[Article 37 GDPR|Article 37(7) GDPR]]. Furthermore, it was found that the DPO appointed by the controller had other tasks and duties that could result in a conflict of interests, in breach of [[Article 38 GDPR|Article 38(6) GDPR]]. | ||
=== Holding === | === Holding === | ||
Because the | Because the controller had communicated the contact details of the DPO on 28 September 2018 (that is, more than 4 months after the day of application of the GDPR), the DPA found that the controller had violated Article 37(7) GDPR. | ||
Because the DPO of the | Because the DPO of the controller was also "''Head of Compliance, Money Laundering Reporting Officer''", it was found that the DPO was involved in tasks that could result in a conflict of interest. As pointed out by the investigator of the DPA in his report, a DPO cannot exercise within the same company a function which allows him or her to determine the purposes and means of processing of personal data. In this case, the DPO was involved in the determination and implementation of personal data processing as part of his duties as Head of Compliance, and was therefore bound to assess the data processing practices which he/she had put in place himself/herself. None of the measures taken by the controller to mitigate the risk of conflict of interest (such as the fact that, in the event of a potential conflict of interest, the processing practices concerned would need to be countersigned by the hierarchical superior of the DPO) were found to be sufficient. In the course of the audit proceeding, however, the controller informed the DPA that it had appointed a new DPO to avoid any future conflict of interest. | ||
For these reasons, the | For these reasons, the DPA found that the controller had violated [[Article 37 GDPR|Article 37(7) GDPR]] and [[Article 38 GDPR|Article 38(6) GDPR]]. Since both violations had been addressed, however, the DPA did not impose any administrative fine on the controller but simply issued a warning. | ||
== Comment == | == Comment == |
Latest revision as of 17:41, 25 June 2022
CNPD (Luxembourg) - 37FR/2021 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 37(7) GDPR Article 38(6) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 13.10.2021 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 37FR/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | Luxembourg DPA (in FR) |
Initial Contributor: | Florence D'Ath |
The Luxembourg DPA found that a company was in breach of its obligation to communicate the contact details of its Data Protection Officer (DPO) under Article 37(7) GDPR, and of its obligation to ensure that its DPO does not have any conflict of interests under Article 38(6) GDPR.
English Summary
Facts
In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the obligations relating to the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR).
One of these audit proceedings concerned a Luxembourg private company (hereafter, the controller). During the investigation, it was found that the controller had failed to communicate the contact details of its DPO to the DPA on time, in breach of Article 37(7) GDPR. Furthermore, it was found that the DPO appointed by the controller had other tasks and duties that could result in a conflict of interests, in breach of Article 38(6) GDPR.
Holding
Because the controller had communicated the contact details of the DPO on 28 September 2018 (that is, more than 4 months after the day of application of the GDPR), the DPA found that the controller had violated Article 37(7) GDPR.
Because the DPO of the controller was also "Head of Compliance, Money Laundering Reporting Officer", it was found that the DPO was involved in tasks that could result in a conflict of interest. As pointed out by the investigator of the DPA in his report, a DPO cannot exercise within the same company a function which allows him or her to determine the purposes and means of processing of personal data. In this case, the DPO was involved in the determination and implementation of personal data processing as part of his duties as Head of Compliance, and was therefore bound to assess the data processing practices which he/she had put in place himself/herself. None of the measures taken by the controller to mitigate the risk of conflict of interest (such as the fact that, in the event of a potential conflict of interest, the processing practices concerned would need to be countersigned by the hierarchical superior of the DPO) were found to be sufficient. In the course of the audit proceeding, however, the controller informed the DPA that it had appointed a new DPO to avoid any future conflict of interest.
For these reasons, the DPA found that the controller had violated Article 37(7) GDPR and Article 38(6) GDPR. Since both violations had been addressed, however, the DPA did not impose any administrative fine on the controller but simply issued a warning.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of survey No. [...] conducted with Company A Deliberation n ° 37FR / 2021 of October 13, 2021 The National Commission for Data Protection sitting in a restricted body, composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data personnel and the free movement of such data, and repealing Directive 95/46 / EC; Having regard to the law of 1 August 2018 on the organization of the National Commission for the Protection data and the general data protection regime, in particular Article 41 thereof; Having regard to the internal regulations of the National Commission for Data Protection adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular Article 10, point 2; Having regard to the regulation of the National Commission for Data Protection relating to investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020, in particular its article 9; Considering the following: I. Facts and procedure 1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and the importance of its integration into the body, and considering that the guidelines concerning DPOs have been available since December 2016, i.e. 17 months before entry into application of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data personal data and the free movement of such data, and repealing Directive 95/46 / EC 1The guidelines concerning DPOs were adopted by the “Article 29” working group on 13 December 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 1/10 (General Data Protection Regulation) (hereafter: the "GDPR"), the Commission National Data Protection Authority (hereinafter: the “National Commission” or the "CNPD") has decided to launch a thematic survey campaign on the function of the DPO. Thus, 25 audit procedures were opened in 2018, concerning both the private sector and the public sector. 2. In particular, the National Commission decided by decision no. […] Of 14 September 2018 to initiate an investigation in the form of a data protection audit with Company A located at […], L- […] and registered in the Trade and Luxembourg companies under number […] (hereinafter: the “controlled”) and to designate Mr. Christophe Buschmann as the head of the investigation. The said deliberation specifies that the investigation relates to the compliance of the inspected with section 4 of chapter 4 of the GDPR. 3. According to Article 3 of its statutes, the purpose of the inspected is [to carry out all operations insurance and reinsurance of the "Life" branch [...]. 4. By letter of September 17, 2018, the head of the survey sent a questionnaire preliminary to the control to which the latter replied by email of October 8, 2018. A visit on site took place on February 4, 2019. Following these discussions, the head of the investigation prepared the report audit n ° [...] (hereinafter: the "audit report"). 5. It emerges from the audit report that in order to verify the compliance of the organization with the section 4 of chapter 4 of the GDPR, the head of the investigation defined eleven control objectives, know : 1) Ensure that the body subject to the obligation to appoint a DPO has done so; 2) Make sure that the organization has published the contact details of its DPO; 3) Ensure that the organization has communicated the contact details of its DPO to the CNPD; 4) Ensure that the DPO has sufficient expertise and skills to carry out its missions effectively; 5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest; 6) Ensure that the DPO has sufficient resources to perform effectively of its missions; 7) Ensure that the DPO is able to carry out his missions to a sufficient degree autonomy within their organization; ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 2/10 8) Ensure that the organization has put in place measures so that the DPO is associated with all matters relating to data protection; 9) Ensure that the DPO fulfills his mission of information and advice to the data controller and employees; 10) Ensure that the DPO exercises adequate control over data processing within of his body; 11) Ensure that the DPO assists the data controller in carrying out the impact analyzes in the event of new data processing. 6. By letter of 24 October 2019 (hereinafter: the “statement of objections”), the Chief investigation informed the inspector of breaches of obligations under the GDPR that it noted during its investigation. The audit report was attached to this letter. 7. In particular, the head of the investigation noted in the statement of objections failures to the obligation to communicate the contact details of the DPO to the supervisory authority; 2 the obligation to ensure that the missions and tasks of the DPO do not lead to conflict of interest . 8. By email of November 27, 2019, the inspected took a position on the breach noted by the head of investigation concerning the obligation to ensure that the missions and tasks of the DPO do not lead to conflicts of interest. 9. On August 3, 2020, the head of the investigation sent the inspector an additional letter to the statement of objections by which he informs the inspectorate of the corrective measure he proposes to the National Commission sitting in restricted formation (hereinafter: "the" formation restricted ") to adopt. 10. By email of August 5, 2020, the inspector sent the head of the investigation his observations on the additional letter to the statement of objections. 11. The case was on the agenda for the restricted committee session on June 16, 2021. In accordance with article 10.2. b) the rules of procedure of the National Commission, 2Objective 3 3Objective 5 ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 3/10 the head of the investigation and the inspector made oral observations on the case and responded to the questions asked by the restricted formation. The controlled had the floor last. II. Place A. On the failure to communicate the DPO's contact details to the authority control 1. On the principles 12. Article 37.7 of the GDPR provides for the obligation for the organization to communicate the contact details of the DPO at the supervisory authority. Indeed, it follows from Article 39.1. e) of the GDPR that the DPO acts as a point of contact for the supervisory authority so it is important that the latter has the contact details of the DPD. 13. The DPO guidelines explain in this regard that this requirement aims to ensure that "the supervisory authorities can easily and directly contact 4 with the DPD without having to contact another department of the organization ". 14. It should also be noted that the CNPD published on its website on May 18 2018 a form allowing organizations to send the contact details of their DPD. 2. In this case 15. It emerges from the audit report that, in order for the investigator to consider objective 3 as completed by the inspected as part of this audit campaign, the head of the investigation expects the organization to have communicated by 25 May 2018 the contact details of its DPO at the CNPD. 16. According to the statement of objections, page 2, "[t] he investigation showed that the DPD declaration form was sent to the CNPD on September 28, 2018. The communication was therefore carried out late. " 17. The inspected did not reconsider this failure in his position of the 27 November 2019, nor during subsequent discussions with the CNPD. 4 WP 243 v.01, version revised and adopted on April 5, 2017, p.15 ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] conducted with Company A 4/1018. The restricted committee notes that the GDPR has been applicable since May 25, 2018 from so that the obligation to communicate the DPO's contact details to the supervisory authority exists since that date. Thus, the communication of the DPO's contact details to the CNPD on September 28, 2018 was late. 19. In view of the above, the restricted panel concludes that Article 37.7 of the GDPR has no not respected by the inspected. B. On the breach relating to the obligation to ensure that the other missions and tasks of the DPO do not give rise to a conflict of interest 1. On the principles 20. According to Article 38.6 of the GDPR, "[the DPO] may perform other tasks and tasks. the controller or processor ensures that these missions and tasks do not give rise to a conflict of interest ". 21. The DPO guidelines specify that “the DPO may not exercise at within the organization a function which leads it to determine the purposes and means of processing of personal data ”. According to the guidelines, “[t] he rule general, among the functions likely to give rise to a conflict of interest within the organization may include senior management functions (for example: director general, operational director, financial director, chief medical officer, responsible for marketing department, human resources manager or department manager IT), but also other roles at a lower level of the organizational structure if these functions or roles imply the determination of the purposes and means of the processing. In addition, there may also be a conflict of interest, for example, if an external DPO is called to represent the controller or the processor before the courts in cases cases relating to data protection issues. Depending on the activities, size and structure of the organization, it can be good practice for data controllers or processors: identify the functions which would be incompatible with that of DPD; 5 WP 243 v.01, version revised and adopted on April 5, 2017, pp. 19-20 ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] conducted with Company A 5/10 establish internal rules to this effect, in order to avoid conflicts of interest; include a more general explanation of conflicts of interest; to declare that the DPO has no conflict of interest with regard to his function as DPD, with the aim of raising awareness of this requirement; to provide guarantees in the internal regulations of the body, and to ensure that that the vacancy notice for the DPD function or the service contract is sufficiently precise and detailed to avoid any conflict of interest. In this context, it should also be borne in mind that conflicts of interest can take different forms depending on whether the DPO is recruited internally or externally. " 2. In this case 22. It emerges from the audit report that, in order for the head of the investigation to consider objective 5 as achieved by the controlled as part of this audit campaign, he expects, in the event that the DPO exercises other functions within the audited body, these functions do not give rise to a conflict of interest, in particular through the exercise of functions which would lead to DPD to determine the purposes and means of the processing of personal data. The investigator also expects the inspector to have carried out an analysis of the existence of a possible conflict of interest at the level of the DPO. 23. According to the statement of objections, page 3, "[i] tem appears from the investigation that the DPO is also Head of Compliance, Money Laundering Reporting Officer. This other function involves a risk of conflict of interest, particularly in the context of AML processing of the Compliance department. Indeed, the DPD guidelines of the working group "Article 29" on data protection indicate that the DPO cannot exercise within of the body a function that leads it to determine the purposes and means of processing of personal data. [The inspected] informed the CNPD that in the event of any conflicts of interest in AML processing of the Compliance department, processing concerned would then be countersigned by the hierarchical superior of the DPO. Nevertheless, the DPD remains involved in the implementation of personal data processing as part of his duties as Head of Compliance. During the investigation, the CNPD did not have knowledge of other elements allowing to address this risk, such as for example the appointment of a deputy DPO (outside the AML department) who would be in charge of analyze AML treatments. " ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] conducted with Company A 6/1024. By email of November 25, 2019, the controlled indicated that two substitute delegates have been appointed, namely the "Chief Risk Officer (for the processing of personal data of the Compliance Department) "as well as a" Senior Compliance Specialist (for all processing of personal data other than those of the Compliance department) ”. 25. The inspected person also transmitted, with his position paper of November 27, 2019, several internal documents concerning the measures taken following the breach noted by the head of the investigation; these documents make it possible in particular to verify the information provided by the controlled, in his email November 25, 2019, relating to the appointment of two alternate delegates. 26. The CNPD was then informed, on March 19, 2021, of the appointment of a new er DPD, from April 1, 2021, who was previously the substitute delegate “for all processing of personal data other than those of the Compliance department ”. At the time of the hearing of June 16, 2021, the controlled specified that, because of this designation, the risk of conflict of interest that had been identified by the head of the investigation no longer exists, the new DPD not performing the function of "Head of compliance". 27. However, if measures have been taken by the inspected in the sense of putting compliance, it should be noted that these were decided during the investigation. 28. Therefore, the restricted panel concludes that Article 38.6 of the GDPR has not been complied with by the controlled. III. On corrective measures A. Principles 29. In accordance with article 12 of the law of 1 August 2018 on the organization of the National Commission for Data Protection and the General Regime on data protection, the National Commission has the powers provided for in Article 58.2 of the GDPR: ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] carried out with Company A 7/10 a) notify a data controller or a subcontractor of the fact that the planned treatment are likely to violate the provisions of this regulation; b) call to order a controller or a processor when the processing operations have resulted in a violation of the provisions of this regulation; c) order the controller or processor to comply with the requests presented by the data subject in order to exercise their rights under the this regulation; d) order the controller or processor to put the data processing operations processing in accordance with the provisions of these regulations, if applicable, in a specific manner and within a specified timeframe; e) order the controller to communicate to the data subject a personal data breach; f) impose a temporary or permanent limitation, including a ban, on the processing; g) order the rectification or erasure of personal data or the restriction of processing in application of Articles 16, 17 and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed in accordance with Article 17, paragraph 2, and Article 19; h) withdraw a certification or order the certification body to withdraw a certification issued in application of Articles 42 and 43, or order the certification not to issue certification if the requirements applicable to the certification are not or no longer satisfied; i) impose an administrative fine in application of Article 83, in addition to or the place of the measures referred to in this paragraph, depending on the characteristics specific to each case; j) order the suspension of data flows addressed to a recipient located in a third country or to an international organization. " ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] conducted with Company A 8/1030. The restricted committee would like to point out that the facts taken into account in the context of the this decision are those noted at the start of the investigation. Nevertheless, the steps carried out by the inspected to comply with the GDPR during the procedure investigation or to remedy the shortcomings identified by the head of investigation in the statement of objections are taken into account by the restricted training within the framework of any corrective measures to be taken. B. In this case 1. As for the call to order 31. Under Article 58.2.b) of the GDPR, the CNPD may call a manager to order of the processing or a processor where the processing operations have resulted in a violation of the provisions of the GDPR. 32. Given the fact that the inspected violated articles 37.7 and 38.6 of the GDPR, the restricted party considers it justified to issue a call to order against him. 2. Regarding the taking of corrective measures 33. In his additional letter to the statement of objections of 3 August 2020, the survey leader suggests that the restricted group take the following corrective action: "A) Order the implementation of measures ensuring that the various missions and current or past tasks of the person exercising the function of DPO do not entail no conflicts of interest in accordance with the requirements of Article 38 (6) of the GDPR. Although several ways can be implemented, one of the possibilities would be the involvement of a third person, benefiting from the skills necessary, for the review of treatments for which there is a conflict of interest (in occurrence for AML / KYC treatments). " 34. As to the corrective measure proposed by the head of investigation under a) of point 33 of the this Decision and with reference to point 30 of this Decision, the formation restricted takes into account the steps taken by the inspected in order to comply the provisions of Article 38.6 of the GDPR. In particular, she takes note of the facts following: ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted with Company A 9/10 - With regard to the violation of article 38.6 of the GDPR, the restricted committee notes that a new DPO has been appointed, as of April 1, 2021, and that this new DPO does not perform the function of "Head of compliance". The restricted formation considers from when there is no need to take the corrective measure proposed by the head of the investigation under a) of point 33 of this Decision. In view of the foregoing developments, the National Commission sitting in restricted formation and deliberating unanimously decides: - to retain the breaches of articles 37.7 and 38.6 of the GDPR; - to issue a call to order against Company A regarding the violation of Articles 37.7 and 38.6 of the GDPR. So decided in Belvaux on October 13, 2021. The National Commission for Data Protection sitting in a restricted body Tine A. Larsen Thierry Lallemang Marc Lemmer President Commissioner Commissioner Indication of remedies This administrative decision may be the subject of an appeal for reformation within three months following its notification. This appeal is to be brought before the administrative tribunal and must must be introduced through a lawyer at the Court of one of the Bar Associations. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 10/10