CNPD (Luxembourg) - Délibération n° 42FR/2021
CNPD (Luxembourg) - Délibération n° 42FR/2021 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 37(1) GDPR |
Type: | Investigation |
Outcome: | No Violation Found |
Started: | |
Decided: | 27.10.2021 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | Délibération n° 42FR/2021 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | French |
Original Source: | Luxembourg DPA (in FR) |
Initial Contributor: | Florence D'Ath |
The Luxembourg DPA (CNPD) found that a company did not need to appoint a Data Protection Officer under Article 37(1) GDPR. The Luxembourg DPA therefore did not adopt any injunction against the company, and did not impose any fine on the Company, contrary to what the head of investigation of the CNPD had suggested.
English Summary
Facts
In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the role of the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR).
One of these audit proceedings concerned a Luxembourg private company (hereafter, the Company). During the audit, it was found by the head of investigation of the CNPD that the Company had failed to appoint a Data Protection Officer (DPO), in line with Article 37(1) GDPR.
Article 37(1) GDPR envisages two situations where private controllers (such as private companies) must appoint a DPO. In particular, a private controller must appoint a DPO when:
- its (i) core activities consist of processing operations which require (ii) regular and systematic monitoring of data subjects (iii) on a large scale; or
-its (i) core activities consist of processing (ii) on a large scale of (iii) sensitive data pursuant to Article 9 GDPR or Article 10 GDPR.
In the case a hand, it was not contested that the Company was not processing sensitive data on a large scale. However, the audit report drafted by the head of investigation had concluded that the core activities of the companies included the offering of a loyalty programme for its customers, which included the processing of personal data through loyalty cards, and that such processing had to be considered as a regular and systematic monitoring of its customers on a large scale.
The head of investigation of the CNPD therefore recommended to issue an injunction against that Company to appoint a DPO, and to impose a fine of €80.000 on the Company for failure to appoint a DPO in due time.
Holding
After reviewing the facts of the case and the applicable law, the CNPD decided against the recommendations of the head of investigation.
The CNPD first noted that the Company had completed a documented analysis on the need to appoint a DPO pursuant to Article 37(1) GDPR, and had concluded that it was not bound to do so.
The CNPD then agreed with the conclusion of the audit report that the offering, by the Company, of a loyalty programme to its customers was part of the core activities of the Company. The CNPD also agreed with the conclusion of the audit report that scuh activities were conducted on a large scale, taking into account, in particular, the number of customers concerned, and the geographical scope of the processing.
As far as the third condition is concerned however, the CNPD found that the offering of a loyalty programme did not constitute a "regular and systematic monitoring of data subjects". The CNPD noted in this respect that the Company was processing the personal data attached the loyalty card in order to manage its customers' account, and offer them rewards, but not for monitoring their purchasing behaviors. In other words, the CNPD considered that the purpose of the processing was the management of the loyalty programme, and not the monitoring of the customers.
Based on these considerations, the CNPD concluded that the conditions of Article 37(1)(b) GDPR were not fulfilled, and that the Company did not have the obligation to appoint a DPO. As a consequence, the CNPD decided to close the investigation, and to not issue any injunction, or impose any fine on the Company.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A Deliberation n ° 42FR / 2021 of October 27, 2021 The National Commission for Data Protection sitting in a restricted body, composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data personnel and the free movement of such data, and repealing Directive 95/46 / EC; er Having regard to the law of 1 August 2018 on the organization of the National Commission for the Protection data and the general data protection regime, in particular Article 41 thereof; Having regard to the internal regulations of the National Commission for Data Protection adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular Article 10, point 2; Having regard to the regulations of the National Commission for Data Protection relating to the investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020, in particular its article 9; Considering the following: I. Facts and procedure 1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and the importance of its integration into the body, and considering that the guidelines concerning DPOs have been available since December 2016, i.e. 17 months before entry in application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of 1The guidelines concerning DPOs were adopted by the “Article 29” working group on 13 December 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 1/13 personal data and the free movement of such data, and repealing the Directive 95/46 / EC (general data protection regulation) (hereafter: the "GDPR "), The National Commission for Data Protection (hereinafter: the" Commission national "or the" CNPD ") has decided to launch a thematic survey campaign on the function of the DPO. Thus, 25 audit procedures were opened in 2018, involving so many the private sector than the public sector. 2. In particular, the National Commission decided by deliberation n ° […] of September 14 2018 to initiate an investigation in the form of a data protection audit of Company A located […], L- […] and registered in the trade and companies register Luxembourg under the number […] (hereinafter: the “controlled”) and to designate Mr. Christophe Buschmann as the head of the investigation. The said deliberation specifies that the investigation relates to the compliance of the inspected with section 4 of chapter 4 of the GDPR. 3. […] the inspected [is active in the retail trade in non-specialized stores in predominantly food]. 4. By letter of September 17, 2018, the head of the survey sent a questionnaire preliminary to the control to which the latter replied by email of October 8, 2018. A on-site visit took place on February 27, 2019 and a telephone meeting took place on February 22 February 2021. 5. As part of this audit campaign, in order to verify the organization's compliance with section 4 of chapter 4 of the GDPR, the head of the investigation defined eleven control objectives included in the report of the visit of February 27, 2019, namely: 1) Ensure that the body subject to the obligation to appoint a DPO has done so; 2) Make sure that the organization has published the contact details of its DPO; 3) Ensure that the organization has communicated the contact details of its DPO to the CNPD; 4) Ensure that the DPO has sufficient expertise and skills to carry out its missions effectively; 5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest; 6) Ensure that the DPO has sufficient resources to perform effectively of its missions; 7) Ensure that the DPO is able to carry out his missions to a sufficient degree autonomy within their organization; ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 2/13 8) Ensure that the organization has put in place measures to ensure that the DPO is associated with all matters relating to data protection; 9) Ensure that the DPO fulfills his mission of information and advice to the data controller and employee; 10) Ensure that the DPO exercises adequate control over data processing within of his body; 11) Ensure that the DPO assists the controller in carrying out the impact analyzes in the event of new data processing. 6. By letter of March 15, 2021 (hereafter: the “statement of objections”), the Chief investigation informed the control of breaches of obligations under the GDPR that he noted during his investigation as well as the corrective measures and sanctions that he proposes to the National Commission sitting in restricted formation (hereafter: the "Restricted formation") to adopt. 7. In particular, the head of the investigation noted in the statement of objections a breach of the obligation to appoint a DPO and proposed to the restricted training to adopt corrective action as well as to impose an administrative fine of one amount of 80,000 euros. 8. By letter of April 12, 2021, the inspector sent his observations to the head of the investigation. as to the statement of objections. 9. By letter of June 2, 2021, the President of the CNPD informed the inspectorate of the date of the session during which the case concerning him and the faculty which was offered to be heard there. By letter of June 29, 2021, the inspected informed the President of the CNPD that he would not attend. 10. The matter was on the agenda for the restricted committee session on July 14, 2021. In accordance with Article 10.2.b) of the Rules of Procedure of the Commission national, the head of investigation made oral submissions on the case and responded to the questions asked by the restricted formation. 2Objective n ° 1 ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. […] carried out with Company A 3/13 II. Place A. On the failure to appoint a DPO 1. On the principles 11. According to article 37.1 of the GDPR, "The controller and the processor designate in any case, a data protection officer when: a) the processing is carried out by a public authority or a public body, the exception of courts acting in the exercise of their judicial function; b) the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and / or purposes, require regular and systematic monitoring on a large scale of people concerned; Where c) the core activities of the controller or processor consist of large-scale processing of special categories of data referred to in Article 9 and personal data relating to criminal convictions and offenses referred to in Article 10. " 12. The Article 29 Data Protection Working Party adopted on 13 December 2016 of the guidelines concerning DPOs which have been taken up and re-approved by the European Data Protection Board on May 25, 2018. These lines 3 guidelines provide clarifications on the concepts of "core activities" and "Large scale" which can be found in Article 37.1.b) and c) of the GDPR as well as concerning the notion of "regular and systematic monitoring" found in Article 37.1.b) of the GDPR. 13. With regard to the concept of "core activities", the guidelines state that "[T] he 'core activities' can be seen as the core operations to achieve the objectives of the controller or processor. They also include all activities for which the data processing is carried out 4 integral part of the activity of the controller or processor ". 3 4WP 243 v.01, revised version and adopted on April 5, 2017 WP 243 v.01, version revised and adopted on April 5, 2017, p. 24 ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 4/1314. As for the concept of "large scale", it is recommended in the guidelines of consider the following factors: "- the number of people concerned, either in absolute value or in relative value by relation to the population concerned; - the volume of data and / or the spectrum of data processed; - the duration, or permanence, of the data processing activities; 5 - the geographical extent of the processing activity ". 15. Finally, with regard to the notion of “regular and systematic monitoring”, the lines 6 The guidelines state that monitoring is not limited to the "online environment". The term "Regular", according to the guidelines, covers "one or more of the meanings following: - continuous or occurring at regular intervals over a given period; - recurring or repeating at fixed times; - taking place constantly or periodically. " As for the term "systematic", it covers "one or more of the meanings following: - occurring in accordance with a system; - pre-established, organized or methodical; - taking place as part of a general data collection program; - carried out as part of a strategy. "7 2. In this case 16. As part of this audit campaign, for the head of the investigation to consider the objective 1 as completed by the inspected, it expects the body to have appointed a DPO on 25 May 2018 if its processing falls within the scope of Article 37.1 of the GDPR. 17. It should be noted that the inspected carried out a documented analysis, as is 8 recommended by the DPD guidelines, by which he arrived at the conclusion that he was not obliged to appoint a DPO. This analysis was 5 WP 243 v.01, version revised and adopted on April 5, 2017, p.25 6WP 243 v.01, version revised and adopted on April 5, 2017, p.25 7WP 243 v.01, version revised and adopted on April 5, 2017, p.26 8WP 243 v.01, version revised and adopted on April 5, 2017, p. 7 ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 5/13 sent by the inspected with their answers to the preliminary questionnaire by email from the 8 October 2018. 18. It emerges in particular from this analysis that the inspected “considers that if [his] activities can sometimes include a dimension of large scale or regular monitoring […] [its] activities do not have the two elements together. »It is also indicated that the controlled "does not carry out regular monitoring for customer activities (no profiling). The purchases are sometimes recorded on the customer card (at the customer's discretion) but are not used for direct marketing purposes. These data are processed only for the purposes restocking, customer relations when the latter calls or for the calculation of his points and to fulfill legal obligations. " 19. In the statement of objections, the head of the investigation refers to this analysis on page 5, "[i] l The investigation shows that [the inspected] did not appoint a DPO. CNPD agents take note that, in accordance with the guidelines for the DPO of the group Article 29 working group on data protection [the inspected] documented an analysis internally in collaboration with its consultants (...) in order to determine whether or not there is place of appointing a DPO. On the basis of this internal analysis, the position [of the inspected] is that a DPO does not seem necessary in view of the activities carried out. " 20. The head of the investigation then noted that the inspected "offers a loyalty card service to its customers and that there are more than [...] active customer cards (i.e. used in year). As part of the management of these customer cards, [the inspected] performs data processing including purchase history and loyalty points. The cards loyalty programs (...) operate in all [controlled] stores, as well as in other partner stores. "According to the investigator," the proposal of a loyalty program is an integral part of the activity [of the controlled] "; it would be consequent of a "basic activity" of the controlled taking into account the details provided 9 in the DPO guidelines on this notion. 21. As to the question of whether the inspected carries out a systematic and regular follow-up on based on the data collected via the loyalty card, the head of the survey considers that "[i] l According to the elements of the survey, the [loyalty] card makes it possible to track purchases of a person through loyalty points. Follow-up is organized, occurs in accordance 9WP 243 v.01, version revised and adopted on April 5, 2017, p. 24 ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° […] carried out with Company A 6/13 to a system ([…]) and is carried out as part of a strategy, here a strategy of loyalty. The argument that the cardholder uses it "at will" is inoperative. Indeed, (...) the loyalty program is part of a strategy that encourages the card holder to use to collect points. As soon as a customer enters the loyalty program, it is part of a systematic and regular monitoring system. Although the purpose of "monitoring" may not be pursued as such by the person in charge of processing, all that remains is to achieve the purposes pursued (restocking, customer relationship, etc ...), the data controller has set up a monitoring system systematic and regular. " 22. With regard to the notion of "large scale", the head of the investigation first notes "that he there are more than […] active [loyalty] cards ”[…]. Then, with regard to the scope geographic location, he noted that said card "can be used in all stores [of the controlled] in the country as well as in many other partner brands. " At last, concerning the duration of the treatment, the head of the investigation noted that the loyalty card allows "to trace the purchases of its holder over a period of two years". Leader investigation concludes that "[c] owing to the number of people concerned, the geographical scope of the processing activity, as well as its duration (...) the card [of fidelity] must (…) be considered as a large-scale treatment within the meaning of article 37 paragraph (1) of the GDPR. " 23. Taking into account the criteria examined by the head of the investigation in order to determine whether the control was and remains under the obligation to appoint a DPO, the restricted committee deduces that this are those of Article 37.1.b) of the GDPR, which is however not explicitly mentioned in the statement of objections, which only refers to Article 37.1 of the GDPR. The restricted training also finds that it is essentially on the basis of the analysis of the "management of customer cards" (or "[loyalty] card") processing that the manager investigation came to the conclusion that the inspected was and remains under the obligation to appoint a DPO under Article 37.1.b) of the GDPR. 24. In its position statement of April 12, 2021, the inspected returns in particular to the treatment in question and maintains that it does not constitute a systematic follow-up, considering that "the recording of data may possibly be considered as systematic (after each purchase and presentation of the card) but in no case follow-up. The purpose of processing the card is not to track purchases or ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 7/13 behavior of its customers. (...) a simple recording cannot be considered as a follow-up. " 25. The inspected further maintains that the treatment is not regular, considering that the "customer card management" processing does not fall under any of the meanings of the term “Regular” retained by the guidelines concerning DPOs. 10 26. The inspected also indicates that the identification of the user of the loyalty card is not not necessary to use this one and that "[i] t is not uncommon for people to share their card making any follow-up, which is not the case here, inoperative and ineffective. " 27. As mentioned in point 23 of this decision, it is mainly on the basis of the analysis of the "management of customer cards" (or "[loyalty] card") processing that the head of the investigation came to the conclusion that the controlled was and remains in the obligation to appoint a DPO under Article 37.1.b) of the GDPR. It is therefore necessary to examine whether the processing in question covers each of the criteria set out in Article 37.1.b) of the GDPR. 28. As to the question of whether the “management of customer cards” (or “[loyalty] card”) constitutes a core activity of the controller, taking into account that the DPO guidelines state that core activities “include (…) All activities for which data processing is an integral part of the activity of the controller ", the limited training is aligned with the assessment the head of the survey according to which "the proposal for a loyalty program is integral to the activity [of the controlled] "and therefore constitutes a basic activity of this last. 29. As to the concept of “large scale”, in the light of the recommendations made 12 in the DPO guidelines on this notion, and in particular taking into account the fact that the number of people concerned "in relative value by relative to the population concerned ", that" the geographical extent of the activity of treatment 'and that the duration of treatment are factors that should be taken 10WP 243 v.01, version revised and adopted on April 5, 2017, p.26 11WP 243 v.01, version revised and adopted on April 5, 2017, p.24 12WP 243 v.01, version revised and adopted on April 5, 2017, p.25 ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 8/13 in consideration, the restricted formation agrees with the assessment of the head of investigation according to which “the [loyalty] card must (…) be considered as a high treatment scale within the meaning of Art.37 para. (1) GDPR. " 30. Finally, it should be examined whether the "management of customer cards" (or "card [of fidelity] ”) constitutes a“ regular and systematic follow-up ”of the persons concerned. 31. The restricted committee admits that the "management of customer cards" (or "card [loyalty] ") is carried out" in accordance with a system ". It nevertheless notes, given in particular the details provided by the inspected in his position paper of 12 April 2021, referred to in points 24, 25 and 26 of this decision concerning the various aspects of this processing, it does not appear from the investigation file that said processing would aim at regular monitoring of the data subjects or such monitoring would actually be carried out by the controlled. 32. Therefore, it should be noted that it does not appear from the investigation file that the inspected is found, due to the processing "management of customer cards" (or "card [loyalty]"), in the obligation to appoint a DPO under Article 37.1.b) of the GDPR. 33. In view of the foregoing, the restricted panel concludes that the breach of article 37.1 of the GDPR has not been established. III. On corrective measures and the fine A. Principles 34. In accordance with article 12 of the law of 1 August 2018 on the organization of the National Commission for Data Protection and the General Regime on data protection, the National Commission has the powers provided for in Article 58.2 of the GDPR: a) notify a controller or processor that data processing operations planned treatment are likely to violate the provisions of this regulation; ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted with Company A 9/13 b) call to order a controller or a processor when the processing operations have resulted in a violation of the provisions of this regulation; c) order the controller or processor to comply with the requests presented by the data subject in order to exercise their rights under the this regulation; d) order the controller or processor to put the data processing operations processing in accordance with the provisions of these regulations, if applicable, in a specific manner and within a specified timeframe; e) order the controller to communicate to the data subject a personal data breach; f) impose a temporary or permanent limitation, including a ban, on the processing; g) order the rectification or erasure of personal data or the restriction of processing in application of Articles 16, 17 and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed in accordance with Article 17, paragraph 2, and Article 19; h) withdraw a certification or order the certification body to withdraw a certification issued in application of Articles 42 and 43, or order the certification not to issue certification if the requirements applicable to the certification are not or no longer satisfied; i) impose an administrative fine in application of Article 83, in addition to or the place of the measures referred to in this paragraph, depending on the characteristics specific to each case; j) order the suspension of data flows addressed to a recipient located in a third country or to an international organization. " 35. Article 83 of the GDPR provides that each supervisory authority ensures that fines administrative requirements are, in each case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account in deciding ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 10/13 if an administrative fine is to be imposed and to decide on the amount of this fine : (a) the nature, gravity and duration of the breach, taking into account the nature, extent or the purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered; (b) whether the violation was committed willfully or negligently; c) any measures taken by the controller or processor to mitigate the damage suffered by the persons concerned; d) the degree of responsibility of the controller or processor, account taking into account the technical and organizational measures they have implemented in accordance with the Articles 25 and 32; e) any relevant breach previously committed by the controller or the subcontractor ; f) the degree of cooperation established with the supervisory authority in order to remedy the violation and mitigate any negative effects; g) the categories of personal data affected by the breach; h) the manner in which the supervisory authority became aware of the breach, in particular whether, and to what extent the controller or processor has notified the violation; (i) where measures referred to in Article 58 (2) have previously been ordered against the controller or the processor concerned for the same object, compliance with these measures; j) the application of codes of conduct approved in accordance with Article 40 or certification mechanisms approved under Article 42; and k) any other aggravating or mitigating circumstance applicable to the circumstances of the species, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation ”. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 11/13 B. In the present case 1. As to the imposition of an administrative fine 36. In the statement of objections of 15 March 2021, the head of the investigation proposes to the restricted formation to pronounce against the controlled an administrative fine relating to the amount of 80,000 euros “for breach of obligations arising from RGPD in relation to the appointment of the Data Protection Officer ”. 37. As the breach of Article 37.1 of the GDPR has not been established, there is no need to pronounce against the controlled the administrative fine proposed by the head of the investigation. 2. Regarding the taking of corrective measures 38. In the statement of objections of 15 March 2021, the head of the investigation proposes to the training to take the following corrective action, specifying that it should be implemented "within 6 months, under penalty of a fine of 1,000, - Euros per day of delay ": "Order the controller to appoint a Data Protection Officer in accordance with Art.37 (1) GDPR. " 39. As the breach of Article 37.1 of the GDPR has not been established, there is no need to examine the relevant corrective measure. In view of the foregoing developments, the National Commission sitting in restricted formation and deliberating unanimously decides: - to close the investigation opened by deliberation n ° [...] of September 14, 2018 of the National Commission for Data Protection at Company A located […], L- […] And registered in the Luxembourg trade and companies register under number […], in the absence of breach held against him. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 12/13 As decided in Belvaux on October 27, 2021. The National Commission for Data Protection sitting in a restricted body Tine A. Larsen Thierry Lallemang Marc Lemmer President Commissioner Commissioner Indication of remedies This administrative decision may be the subject of an appeal for reformation within three months following its notification. This appeal is to be brought before the administrative tribunal and must must be introduced through a lawyer at the Court of one of the Bar Associations. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A 13/13