CNPD (Luxembourg) - 10FR/2023

From GDPRhub
Revision as of 13:45, 2 January 2024 by Mg (talk | contribs)
CNPD - 10FR/2023
LogoLU.png
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 37(1)(a) GDPR
Article 37(7) GDPR
Article 48 of the National Data Protection Law
Type: Investigation
Outcome: Violation Found
Started:
Decided: 24.07.2023
Published: 05.12.2023
Fine: n/a
Parties: Administration communale de Leudelange
National Case Number/Name: 10FR/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNPD (in FR)
Initial Contributor: ar

The Luxembourg DPA found the Municipal Administration of Leudelange to have breached Articles 37(1)(a) and 37(7) GDPR, since the latter, on the date of investigation, had not yet designated a DPO.

English Summary

Facts

Following a general check carried on all Luxembourg municipalities in the summer of 2022, the Luxembourg DPA decided to open an investigation on the Municipal Administration of Leudelange (the controller).

Specifically, the controller aimed to evaluate the controller’s conformity with its obligation to appoint a DPO and whether it communicated the DPO's contact details to the DPA, as provided by Article 37(1)(a) GDPR and Article 37(7) GDPR.

Holding

The DPA noted that pursuant to the entry into force of the GDPR, public bodies were obliged to designate a DPO no later than 25 May 2018. Meanwhile, on the date the investigation was opened, and after consulting the register of DPOs, no DPO had been identified for the controller. The controller appointed a DPO only on 10 March 2023, namely after the opening of the investigation. Thus, the controller violated Article 37(1)(a) GDPR. Moreover, the DPA acknowledged that when the investigation began, the controller had not communicated to the DPA the contact details of the DPO, breaching Article 37(7) GDPR.

Observing Article 48 of the National Data Protection Law, the DPA may impose administrative fines as provided in Article 83 GDPR, except against the State or municipalities. Hence, the DPA found it appropriate to issue a corrective measure to the controller. In light of this, the DPA recognised that during the proceedings, the controller took steps to remedy the shortcomings identified by the head of the investigation.

Comment

On the same day, the Luxembourgish DPA published similar findings against other four Municipal Administrations: the Municipal Administration of Useldange, the Municipal Administration of Dalheim, the Municipal Administration of Heffingen and the Municipal Administration of Vallée de l’Ernz.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision of the National Commission sitting in restricted formation

    on the outcome of investigation n°[…] carried out with the Administration

                           municipal of Leudelange

                      Deliberation No. 10FR/2023 of July 24, 2023


The National Commission for Data Protection sitting in restricted formation

composed of Ms. Tine A. Larsen, president, and Messrs. Thierry Lallemang and Marc
Lemmer, commissioners;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016

relating to the protection of individuals with regard to the processing of data

personal character and the free movement of such data, and repealing the Directive
95/46/EC;


Having regard to the law of August 1, 2018 organizing the National Commission for

data protection and the general regime on data protection, in particular

its article 41;

Considering the internal regulations of the National Commission for the Protection of

data adopted by decision no. 3AD/2020 dated January 22, 2020, in particular its

article 10 point 2;


Having regard to the regulation of the National Commission for Data Protection relating to the
investigation procedure adopted by decision no. 4AD/2020 dated January 22, 2020,

in particular its article 9;


Considering the following:














 ________________________________________________________________
             Decision of the National Commission sitting in restricted formation on the outcome of
                survey n°[…] carried out with the Leudelange municipal administration


                                                                                                   1/9 I. Facts and procedure


      During its deliberation session of December 9, 2022, the National Commission

for data protection sitting in plenary session decided to open a

survey with the Municipal Administration of Leudelange, located at 5, Place des

Martyrs, L-3361 Leudelange (hereinafter: the “controlled”), on the basis of article 38 of the law of
August 1, 2018 organizing the National Commission for the Protection of

data and the general regime on data protection (hereinafter: the “law of August 1

2018") and to appoint Mr. Alain Herrmann as head of investigation.


      The said decision clarified that the investigation carried out by the National Commission for

data protection (hereinafter: the “CNPD” or the “National Commission”) was intended to

purpose of monitoring the application and compliance with Regulation (EU) 2016/679 of the Parliament
European Union and of the Council of 27 April 2016 relating to the protection of natural persons

with regard to the processing of personal data and the free movement of these

data, and repealing Directive 95/46/EC (hereinafter: the “GDPR”) and the law of 1

August 2018 and legal texts providing for specific provisions regarding

protection of personal data and more precisely the application and
                                                1
compliance with articles 37.1.a) and 37.7 of the GDPR. The specific purpose of the investigation was
to monitor compliance with the obligation to appoint a data protection officer

(hereinafter: “DPD”) and to communicate the contact details to the supervisory authority. She

followed a general verification that the CNPD had carried out among all

Luxembourg municipalities during the summer of 2022.


      The person being investigated was informed of the opening of the investigation against him by letter from the head

investigation dated February 3, 2023. In this letter, the head of investigation asked the

controlled “please read the initial findings below:


   By letter dated August 11, 2022, the president of the CNPD reminded the Mayor of his
obligation to appoint a data protection officer (hereinafter the “DPD”), as well as

that its obligation to notify the CNPD of this designation (EXIT 1).







1Deliberation No.[…] of December 9, 2022 of the National Commission for Data Protection relating
at the opening of a fact-finding mission to the Leudelange municipal administration.
 ________________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                 survey n°[…] carried out with the municipal administration of Leudelange


                                                                                                       2/9 In the absence of a reaction from the Mayor, the president of the CNPD told him
sent a reminder dated September 23, 2022 (EXHIBIT 2).


   On the date of writing of this letter, and after consulting the register of

data protection delegates, the investigating officers did not identify any

appointment of a DPO for your municipality”.


      The person being inspected responded to the letter opening the investigation by mail dated March 10
2023, after the CNPD had granted it additional time.


      At the end of his investigation, the head of investigation notified the person being inspected on March 31

2023 a statement of objections detailing the breach which it considered constituted in

the species in relation to the requirements prescribed by article 37.1.a) of the GDPR (obligation to
appoint a DPO).


   The head of investigation proposed to the National Commission sitting in formation

restricted training (hereinafter: the “Restricted Training”) to adopt a corrective measure.


   The ability to formulate written observations on the statement of objections was
offered to the controlled.


      By letter of May 2, 2023, the person being inspected informed the head of investigation that he had not

comments to be made in relation to the statement of objections.


      The president of the Restricted Training informed the controlled person by mail on the date

of May 23, 2023 that his case would be registered at the session of the Restricted Formation of
July 4, 2023 and that he was offered the opportunity to be heard there.


   By email of June 27, 2023, the controlled person confirmed his presence at said session.


   During this session the head of investigation, […], and the person being investigated, represented by […],

presented their oral observations in support of their written observations and responded to the
questions asked by the Restricted Training. The person being controlled had the last word.








 ________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                 survey n°[…] carried out with the Leudelange municipal administration


                                                                                                      3/9 II. Place


   II.1. On the reasons for the decision



   On the failure linked to the obligation to appoint a DPO and communicate the
contact details at the CNPD



   1. On the principles


      In accordance with article 37.1.a) of the GDPR, any data controller or subcontractor

processor must designate a DPO if the “processing is carried out by a public authority or
a public body, with the exception of courts acting in the exercise of their function

jurisdictional”.


      Based on article 37.7 of the GDPR, any data controller or subcontractor

is also obliged to communicate the contact details of the DPO to the supervisory authority,

that is to say in this case to the CNPD.


       In its guidelines on DPDs, the Article 29 Working Group has

clarified the relevant provisions of the GDPR in this area in order to help those responsible

processing and subcontractors to comply with the legislation, but also to assist the DPOs

in their role.


       Note that the European Data Protection Committee, which succeeded the

Article 29 Working Group on May 25, 2018, took up and reapproved the adopted documents

by the said Group between May 25, 2016 and May 25, 2018, as precisely the lines
                      3
aforementioned guidelines.


   2. In the present case


       The head of investigation noted in his statement of objections that on “the date

opening of an investigation, and after consultation of the register of delegates for the protection of






2 The Guidelines on DPDs were adopted by the Article 29 Working Group on
December 13, 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017.
3 See decision Endorsement 1/2018 of the EDPS of May 25, 2018, available under:
https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
 ________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                 survey n°[…] carried out with the Leudelange municipal administration


                                                                                                        4/9 data, the investigating agents did not identify the designation of a DPO for

the Municipal Administration of Leudelange”.


   Furthermore, he noted that the auditee “designated a DPO on March 10, 2023, i.e.
after the opening of the investigation.


   Therefore, he held that “the conditions of article 37, paragraph (1) point a) of

GDPR has not been respected. 4


       Restricted Training would first of all like to emphasize that the controlled is a

Luxembourg municipal administration and therefore, a public body obliged to
designate a DPO no later than May 25, 2018, the date the GDPR comes into force.


       It then notes that the person being inspected had responded on March 10, 2023 to the letter from

head of investigation of February 3, 2023 informing him of the opening of the investigation into him. In

annexed to this letter of March 10, 2023 was an extract from the deliberations of the

College of mayor and aldermen of March 10, 2023, as well as the application form

declaration from the DPD to the CNPD, signed and dated on the same day, according to which the
Government Data Protection Commissioner at the State had been

designated as DPO of the controlled person.


       The Restricted Panel can therefore only agree with the findings of the head of investigation

that on the date of opening of the investigation, that is to say December 9, 2022, the person inspected did not have

still designated a DPD, despite the reminder letters from the CNPD of August 11, 2022 and
from September 23, 2022.


       In view of the above, it concludes that at the start of the investigation, the person controlled failed

to its obligation arising from article 37.1.a) of the GDPR.


       Furthermore, the Restricted Formation notes that on the date of the opening of

the investigation, the person controlled had not communicated the contact details of his DPO to the CNPD
in accordance with article 37.7 of the GDPR. Therefore, as the control of compliance with said

article appeared within the scope of the investigation in question (see point 2 of this decision),






4Statement of Objections, points 16 to 18.
 ________________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of

                survey n°[…] carried out with the Leudelange municipal administration


                                                                                                     5/9she considers that the person inspected also failed to fulfill his obligation arising from article 37.7
of the GDPR.


   II. 2. On corrective measures


   1. On the principles


       In accordance with article 12 of the law of August 1, 2018, the National Commission

has the powers provided for in article 58.2 of the GDPR:

   “a) notify a controller or a processor of the fact that the operations

processing envisaged are likely to violate the provisions of this

regulation;


   b) call to order a controller or a processor when the

processing operations have resulted in a violation of the provisions of this Regulation;

   (c) order the controller or processor to comply with the

requests submitted by the data subject with a view to exercising their rights in

application of this regulation;


   (d) order the controller or processor to put the operations
processing in accordance with the provisions of this regulation, where applicable,

in a specific manner and within a specific time frame;


   (e) order the controller to communicate to the data subject

a personal data breach;


   (f) impose a temporary or permanent limitation, including a ban, on the
treatment;


   g) order the rectification or erasure of personal data or the

limitation of processing pursuant to Articles 16, 17 and 18 and the notification of these

measures to recipients to whom personal data have been disclosed
pursuant to Article 17(2) and Article 19;


   (h) withdraw a certification or order the certification body to withdraw a

certification issued pursuant to articles 42 and 43, or order the body to
 ________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                survey n°[…] carried out with the Leudelange municipal administration


                                                                                                     6/9certification not to issue certification if the requirements applicable to certification

are not or no longer satisfied;


   (i) impose an administrative fine pursuant to section 83, in addition or

instead of the measures referred to in this paragraph, depending on the characteristics
specific to each case;


   j) order the suspension of data flows addressed to a recipient located in

a third country or an international organization.


       In accordance with article 48 of the law of August 1, 2018, the CNPD may impose

administrative fines as provided for in Article 83 of the GDPR, except against

the State or municipalities.


       The Restricted Training would like to point out that the facts taken into account in the framework
of this decision are those noted at the start of the investigation. The possible

modifications relating to the data processing subject to the investigation that have taken place

subsequently, even if they make it possible to fully or partially establish the

compliance, do not allow retroactive cancellation of a noted breach.


       However, the steps taken by the auditee to comply

with the GDPR during the investigation procedure or to remedy breaches
noted by the head of investigation in the statement of objections, are taken into account by

Restricted Training as part of any corrective measures to be taken.


   2. In the present case


       In the communication of grievances the head of investigation “proposes to the Training

Restricted from issuing a call to order against the Controlled Party according to which he must

comply with the applicable legislation regarding the appointment of a protection delegate
data » .5


       As for the corrective measure proposed by the head of investigation and with reference to

point 21 of this decision, the Restricted Training takes into account the procedures





5Statement of Objections, paragraph 25.
 ________________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                survey n°[…] carried out with the Leudelange municipal administration



                                                                                                     7/9 carried out by the auditee in order to comply with the provisions of articles 37.1.a) and 37.7

of the GDPR, as detailed in its letter of March 10, 2023.

       More particularly, it notes that as of March 10, 2023, the person inspected had

sent to the CNPD, the extract of the deliberations of the College of Mayor and Aldermen

relating to the meeting of March 10, 2023, as well as the DPO declaration form, signed

and dated the same day, and according to which the Government Protection Commission
of data with the State had been designated as DPO of the controlled.


       However, on the date of the opening of the investigation, the person inspected had neither designated a

DPD, nor communicated its contact details to the CNPD.


       For these reasons, the Restricted Panel considers that it is appropriate to pronounce the

corrective measure proposed by the head of investigation in this regard and taken up in point 22 of the
this decision and to call the controlled person to order for having violated articles 37.1.a) and

37.7 of the GDPR.


       Finally, under the terms of article 52 of the law of August 1, 2018, “CNPD may

order, at the expense of the sanctioned person, the publication in full or in extracts of

its decisions with the exception of decisions relating to the imposition of penalty payments, and under
reserves that:


   1° the means of appeal against the decision have been exhausted; And


   2° the publication does not risk causing disproportionate harm to the parties in question.

   cause ".


   The Restricted Panel considers that the publication of this decision does not risk
not cause disproportionate harm to the person being controlled, but that it is justified in view of

of the public interest in knowing the results of the general verification that the CNPD had

carried out in all Luxembourg municipalities during the summer of 2022.










 ________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                 survey n°[…] carried out with the Leudelange municipal administration


                                                                                                       8/9 Taking into account the above developments, the National Commission
sitting in restricted formation, after having deliberated, decides:


   - to identify breaches of articles 37.1.a) and 37.7 of the GDPR;


   - to issue a recall against the Leudelange municipal administration

to order for having violated articles 37.1.a) and 37.7 of the GDPR;


   - to publish the decision on the website of the National Commission as soon as the
avenues of appeal have been exhausted.




Belvaux, July 24, 2023,



The National Commission for Data Protection sitting in restricted formation,






   Tine A. Larsen Thierry Lallemang Marc Lemmer
     President Commissioner Commissioner






                             Indication of avenues of appeal

   This administrative decision may be the subject of an appeal for reform in

the three months following its notification. This appeal must be brought before the court

administrative and must be introduced through a lawyer to the Court of a

Bar Associations.












 ________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                survey n°[…] carried out with the Leudelange municipal administration


                                                                                                    9/9