CNPD (Luxembourg) - Délibération n°37FR/2021
From GDPRhub
| CNPD (Luxembourg) - 37FR/2021 | |
|---|---|
 | |
| Authority: | CNPD (Luxembourg) |
| Jurisdiction: | Luxembourg |
| Relevant Law: | Article 37(7) GDPR Article 38(6) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 13.10.2021 |
| Published: | |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 37FR/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | Luxembourg DPA (in FR) |
| Initial Contributor: | Florence D'Ath |
The Luxembourg DPA found that a company was in breach of its obligation to communicate the contact details of its Data Protection Officer (DPO) under Article 37(7) GDPR, and of its obligation to ensure that its DPO does not have any conflict of interests under Article 38(6) GDPR.
English Summary
Facts
In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the obligations relating to the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR).
One of these audit proceedings concerned a Luxembourg private company (hereafter, the Company). During the investigation, it was found that the Company had failed to communicate the contact details of its DPO to the CNPD on time, in breach of Article 37(7) GDPR. Furthermore, it was found that the DPO appointed by the Company had other tasks and duties that could result in a conflict of interests, in breach of Article 38(6) GDPR.
Holding
Because the Company had communicated the contact details of the DPO on 28 September 2018 (that is, more than 4 months after the day of application of the GDPR), the CNPD found that the Company had violated Article 37(7) GDPR.
Because the DPO of the Company was also "Head of Compliance, Money Laundering Reporting Officer", it was found that the DPO was involved in tasks that could result in a conflict of interest. As pointed out by the investigator of the CNPD in his report, a DPO cannot exercise within the same company a function which allows him or her to determine the purposes and means of processing of personal data. In this case, the DPO was involved in the determination and implementation of personal data processing as part of his duties as Head of Compliance, and was therefore bound to assess the data processing practices he/she had put in place himself/herself. None of the measures taken by the Company to mitigate the risk of conflict of interest (such as the fact that, in the event of a potential conflict of interest, the processing practices concerned would need to be countersigned by the hierarchical superior of the DPO) were found to be sufficient. In the course of the proceedings, the Company informed the CNPD that it had appinted a new DPO to avoid any conflict of interest.
For these reasons, the CNPD found that the Company had violated Article 37(7) GDPR and Article 38(6) GDPR. Since both violations had been addressed, however,, the CNPD did not impose any administrative fine on the Company but simply issued a warning.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on
the outcome of survey No. [...] conducted with Company A
Deliberation n ° 37FR / 2021 of October 13, 2021
The National Commission for Data Protection sitting in a restricted body,
composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc
Lemmer, commissioners;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on
the protection of individuals with regard to the processing of personal data
personnel and the free movement of such data, and repealing Directive 95/46 / EC;
Having regard to the law of 1 August 2018 on the organization of the National Commission for the Protection
data and the general data protection regime, in particular Article 41 thereof;
Having regard to the internal regulations of the National Commission for Data Protection
adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular Article 10, point
2;
Having regard to the regulation of the National Commission for Data Protection relating to
investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020, in particular
its article 9;
Considering the following:
I. Facts and procedure
1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and
the importance of its integration into the body, and considering that the guidelines
concerning DPOs have been available since December 2016, i.e. 17 months before entry into
application of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016
on the protection of natural persons with regard to the processing of personal data
personal data and the free movement of such data, and repealing Directive 95/46 / EC
1The guidelines concerning DPOs were adopted by the “Article 29” working group on 13
December 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
1/10 (General Data Protection Regulation) (hereafter: the "GDPR"), the Commission
National Data Protection Authority (hereinafter: the “National Commission” or the
"CNPD") has decided to launch a thematic survey campaign on the function of the DPO.
Thus, 25 audit procedures were opened in 2018, concerning both the private sector and the
public sector.
2. In particular, the National Commission decided by decision no. […] Of 14
September 2018 to initiate an investigation in the form of a data protection audit
with Company A located at […], L- […] and registered in the Trade and
Luxembourg companies under number […] (hereinafter: the “controlled”) and to designate Mr. Christophe
Buschmann as the head of the investigation. The said deliberation specifies that the investigation relates to the
compliance of the inspected with section 4 of chapter 4 of the GDPR.
3. According to Article 3 of its statutes, the purpose of the inspected is [to carry out all operations
insurance and reinsurance of the "Life" branch [...].
4. By letter of September 17, 2018, the head of the survey sent a questionnaire
preliminary to the control to which the latter replied by email of October 8, 2018. A visit
on site took place on February 4, 2019. Following these discussions, the head of the investigation prepared the report
audit n ° [...] (hereinafter: the "audit report").
5. It emerges from the audit report that in order to verify the compliance of the organization with the
section 4 of chapter 4 of the GDPR, the head of the investigation defined eleven control objectives,
know :
1) Ensure that the body subject to the obligation to appoint a DPO has done so;
2) Make sure that the organization has published the contact details of its DPO;
3) Ensure that the organization has communicated the contact details of its DPO to the CNPD;
4) Ensure that the DPO has sufficient expertise and skills to
carry out its missions effectively;
5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest;
6) Ensure that the DPO has sufficient resources to perform effectively
of its missions;
7) Ensure that the DPO is able to carry out his missions to a sufficient degree
autonomy within their organization;
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A 2/10 8) Ensure that the organization has put in place measures so that the DPO is associated with
all matters relating to data protection;
9) Ensure that the DPO fulfills his mission of information and advice to the
data controller and employees;
10) Ensure that the DPO exercises adequate control over data processing within
of his body;
11) Ensure that the DPO assists the data controller in carrying out the
impact analyzes in the event of new data processing.
6. By letter of 24 October 2019 (hereinafter: the “statement of objections”), the Chief
investigation informed the inspector of breaches of obligations under the GDPR that it
noted during its investigation. The audit report was attached to this letter.
7. In particular, the head of the investigation noted in the statement of objections
failures to
the obligation to communicate the contact details of the DPO to the supervisory authority; 2
the obligation to ensure that the missions and tasks of the DPO do not lead to
conflict of interest .
8. By email of November 27, 2019, the inspected took a position on the breach noted
by the head of investigation concerning the obligation to ensure that the missions and tasks of the DPO
do not lead to conflicts of interest.
9. On August 3, 2020, the head of the investigation sent the inspector an additional letter to
the statement of objections by which he informs the inspectorate of the corrective measure he
proposes to the National Commission sitting in restricted formation (hereinafter: "the" formation
restricted ") to adopt.
10. By email of August 5, 2020, the inspector sent the head of the investigation his
observations on the additional letter to the statement of objections.
11. The case was on the agenda for the restricted committee session on June 16, 2021.
In accordance with article 10.2. b) the rules of procedure of the National Commission,
2Objective 3
3Objective 5
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A
3/10 the head of the investigation and the inspector made oral observations on the case and responded
to the questions asked by the restricted formation. The controlled had the floor last.
II. Place
A. On the failure to communicate the DPO's contact details to the authority
control
1. On the principles
12. Article 37.7 of the GDPR provides for the obligation for the organization to communicate the
contact details of the DPO at the supervisory authority. Indeed, it follows from Article 39.1. e) of the GDPR
that the DPO acts as a point of contact for the supervisory authority so it is important
that the latter has the contact details of the DPD.
13. The DPO guidelines explain in this regard that this requirement
aims to ensure that "the supervisory authorities can easily and directly contact
4
with the DPD without having to contact another department of the organization ".
14. It should also be noted that the CNPD published on its website on May 18
2018 a form allowing organizations to send the contact details of their
DPD.
2. In this case
15. It emerges from the audit report that, in order for the investigator to consider objective 3
as completed by the inspected as part of this audit campaign, the head of the investigation
expects the organization to have communicated by 25 May 2018 the contact details of its DPO
at the CNPD.
16. According to the statement of objections, page 2, "[t] he investigation showed that the
DPD declaration form was sent to the CNPD on September 28, 2018. The
communication was therefore carried out late. "
17. The inspected did not reconsider this failure in his position of the 27
November 2019, nor during subsequent discussions with the CNPD.
4 WP 243 v.01, version revised and adopted on April 5, 2017, p.15
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] conducted with Company A 4/1018. The restricted committee notes that the GDPR has been applicable since May 25, 2018 from
so that the obligation to communicate the DPO's contact details to the supervisory authority exists
since that date. Thus, the communication of the DPO's contact details to the CNPD on
September 28, 2018 was late.
19. In view of the above, the restricted panel concludes that Article 37.7 of the GDPR has no
not respected by the inspected.
B. On the breach relating to the obligation to ensure that the other missions and
tasks of the DPO do not give rise to a conflict of interest
1. On the principles
20. According to Article 38.6 of the GDPR, "[the DPO] may perform other tasks and tasks. the
controller or processor ensures that these missions and tasks
do not give rise to a conflict of interest ".
21. The DPO guidelines specify that “the DPO may not exercise at
within the organization a function which leads it to determine the purposes and means of
processing of personal data ”. According to the guidelines, “[t] he rule
general, among the functions likely to give rise to a conflict of interest within
the organization may include senior management functions (for example: director
general, operational director, financial director, chief medical officer, responsible for
marketing department, human resources manager or department manager
IT), but also other roles at a lower level of the organizational structure
if these functions or roles imply the determination of the purposes and means of the processing.
In addition, there may also be a conflict of interest, for example, if an external DPO is called
to represent the controller or the processor before the courts in cases
cases relating to data protection issues.
Depending on the activities, size and structure of the organization, it can be good
practice for data controllers or processors:
identify the functions which would be incompatible with that of DPD;
5
WP 243 v.01, version revised and adopted on April 5, 2017, pp. 19-20
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] conducted with Company A 5/10 establish internal rules to this effect, in order to avoid conflicts of interest;
include a more general explanation of conflicts of interest;
to declare that the DPO has no conflict of interest with regard to his function as
DPD, with the aim of raising awareness of this requirement;
to provide guarantees in the internal regulations of the body, and to ensure that
that the vacancy notice for the DPD function or the service contract is
sufficiently precise and detailed to avoid any conflict of interest. In this context, it
should also be borne in mind that conflicts of interest can take
different forms depending on whether the DPO is recruited internally or externally. "
2. In this case
22. It emerges from the audit report that, in order for the head of the investigation to consider objective 5
as achieved by the controlled as part of this audit campaign, he expects,
in the event that the DPO exercises other functions within the audited body, these functions
do not give rise to a conflict of interest, in particular through the exercise of functions which would lead to
DPD to determine the purposes and means of the processing of personal data.
The investigator also expects the inspector to have carried out an analysis of
the existence of a possible conflict of interest at the level of the DPO.
23. According to the statement of objections, page 3, "[i] tem appears from the investigation that the DPO is
also Head of Compliance, Money Laundering Reporting Officer. This other function
involves a risk of conflict of interest, particularly in the context of AML processing of the
Compliance department. Indeed, the DPD guidelines of the working group
"Article 29" on data protection indicate that the DPO cannot exercise within
of the body a function that leads it to determine the purposes and means of processing
of personal data. [The inspected] informed the CNPD that in the event of any
conflicts of interest in AML processing of the Compliance department, processing
concerned would then be countersigned by the hierarchical superior of the DPO. Nevertheless, the
DPD remains involved in the implementation of personal data processing
as part of his duties as Head of Compliance. During the investigation, the CNPD did not
have knowledge of other elements allowing to address this risk, such as for example the
appointment of a deputy DPO (outside the AML department) who would be in charge of
analyze AML treatments. "
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] conducted with Company A 6/1024. By email of November 25, 2019, the controlled indicated that two substitute delegates
have been appointed, namely the "Chief Risk Officer (for the processing of personal data
of the Compliance Department) "as well as a" Senior Compliance Specialist (for all
processing of personal data other than those of the Compliance department) ”.
25. The inspected person also transmitted, with his position paper of November 27, 2019,
several internal documents concerning the measures taken following the breach noted by
the head of the investigation; these documents make it possible in particular to verify the information provided
by the controlled, in his email November 25, 2019, relating to the appointment of two
alternate delegates.
26. The CNPD was then informed, on March 19, 2021, of the appointment of a new
er
DPD, from April 1, 2021, who was previously the substitute delegate “for all
processing of personal data other than those of the Compliance department ”. At the time of
the hearing of June 16, 2021, the controlled specified that, because of this designation, the risk of
conflict of interest that had been identified by the head of the investigation no longer exists, the new DPD
not performing the function of "Head of compliance".
27. However, if measures have been taken by the inspected in the sense of putting
compliance, it should be noted that these were decided during the investigation.
28. Therefore, the restricted panel concludes that Article 38.6 of the GDPR has not been complied with
by the controlled.
III. On corrective measures
A. Principles
29. In accordance with article 12 of the law of 1 August 2018 on the organization of the
National Commission for Data Protection and the General Regime on
data protection, the National Commission has the powers provided for in Article
58.2 of the GDPR:
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] carried out with Company A 7/10 a) notify a data controller or a subcontractor of the fact that the
planned treatment are likely to violate the provisions of this
regulation;
b) call to order a controller or a processor when the
processing operations have resulted in a violation of the provisions of this
regulation;
c) order the controller or processor to comply with the requests
presented by the data subject in order to exercise their rights under the
this regulation;
d) order the controller or processor to put the data processing operations
processing in accordance with the provisions of these regulations, if applicable,
in a specific manner and within a specified timeframe;
e) order the controller to communicate to the data subject a
personal data breach;
f) impose a temporary or permanent limitation, including a ban, on the
processing;
g) order the rectification or erasure of personal data or the
restriction of processing in application of Articles 16, 17 and 18 and the notification of these
measures to the recipients to whom the personal data have been
disclosed in accordance with Article 17, paragraph 2, and Article 19;
h) withdraw a certification or order the certification body to withdraw a
certification issued in application of Articles 42 and 43, or order the
certification not to issue certification if the requirements applicable to the
certification are not or no longer satisfied;
i) impose an administrative fine in application of Article 83, in addition to or
the place of the measures referred to in this paragraph, depending on the characteristics
specific to each case;
j) order the suspension of data flows addressed to a recipient located in a
third country or to an international organization. "
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] conducted with Company A 8/1030. The restricted committee would like to point out that the facts taken into account in the context of the
this decision are those noted at the start of the investigation. Nevertheless, the steps
carried out by the inspected to comply with the GDPR during the procedure
investigation or to remedy the shortcomings identified by the head of investigation in the
statement of objections are taken into account by the restricted training within the framework of
any corrective measures to be taken.
B. In this case
1. As for the call to order
31. Under Article 58.2.b) of the GDPR, the CNPD may call a manager to order
of the processing or a processor where the processing operations have resulted in a violation
of the provisions of the GDPR.
32. Given the fact that the inspected violated articles 37.7 and 38.6 of the GDPR, the
restricted party considers it justified to issue a call to order against him.
2. Regarding the taking of corrective measures
33. In his additional letter to the statement of objections of 3 August 2020, the
survey leader suggests that the restricted group take the following corrective action:
"A) Order the implementation of measures ensuring that the various missions and
current or past tasks of the person exercising the function of DPO do not entail
no conflicts of interest in accordance with the requirements of Article 38 (6) of the
GDPR. Although several ways can be implemented, one of the
possibilities would be the involvement of a third person, benefiting from the skills
necessary, for the review of treatments for which there is a conflict of interest (in
occurrence for AML / KYC treatments). "
34. As to the corrective measure proposed by the head of investigation under a) of point 33 of the
this Decision and with reference to point 30 of this Decision, the formation
restricted takes into account the steps taken by the inspected in order to comply
the provisions of Article 38.6 of the GDPR. In particular, she takes note of the facts
following:
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation no. [...] conducted with Company A 9/10 - With regard to the violation of article 38.6 of the GDPR, the restricted committee notes
that a new DPO has been appointed, as of April 1, 2021, and that this new DPO
does not perform the function of "Head of compliance". The restricted formation considers from
when there is no need to take the corrective measure proposed by the head of the investigation
under a) of point 33 of this Decision.
In view of the foregoing developments, the National Commission sitting
in restricted formation and deliberating unanimously decides:
- to retain the breaches of articles 37.7 and 38.6 of the GDPR;
- to issue a call to order against Company A regarding the violation of
Articles 37.7 and 38.6 of the GDPR.
So decided in Belvaux on October 13, 2021.
The National Commission for Data Protection sitting in a restricted body
Tine A. Larsen Thierry Lallemang Marc Lemmer
President Commissioner Commissioner
Indication of remedies
This administrative decision may be the subject of an appeal for reformation within three
months following its notification. This appeal is to be brought before the administrative tribunal and must
must be introduced through a lawyer at the Court of one of the Bar Associations.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. [...] conducted with Company A 10/10
