CNPD (Luxembourg) - Délibération n°43FR/2021
CNPD (Luxembourg) - Délibération n°43FR/2021 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 37(1) GDPR |
Type: | Investigation |
Outcome: | No Violation Found |
Started: | |
Decided: | 27.10.2021 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | Délibération n°43FR/2021 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | French |
Original Source: | Luxembourg DPA (in FR) |
Initial Contributor: | Florence D'Ath |
The Luxembourg DPA found that a non-profit association, forming part of a confederation of entities providing social services, had wrongfully concluded that it was obliged to appoint a DPO pursuant to Article 37(1) GDPR. In the absence of any violation, however, the CNPD closed the case.
English Summary
Facts
In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the role of the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR).
One of these audit proceedings concerned a not-for-profit association (Association Sans But Lucratif) established under Luxembourg law (hereafter, the ASBL). The ASBL is part of a confederation specialised in the provision of social services. In that context, the ASBL has established different partnerships with various entities providing social services in Luxembourg (the Patner Entities). The core activities of the ASBL is therefore not to provide social services, but rather to manage the funding of the partner entities, validate common strategies for the confederation, and determine which Partner Entities are responsible for their implementation.
During the audit, it was found by the head of investigation of the CNPD that the ASBL had appointed a DPO pursuant to Article 37(1) GDPR. No violation of the obligations relating to the role and position of the DPO was found.
Holding
Based on the findings of the audit report, the CNPD concluded that there has been no violation of Article 37 to 39 GDPR. The CNPD questionned however the necessity for the ASBL to appoint a DPO in the first place. The CNPD therefore invited the head of investigation to get complementary information on that point.
Taking into account the managerial role of the ASBL within the confederation, and in particular the fact that the ASBL itself was not processing health data for the provision of social services, the CNPD found that the ASBL had wrongfully concluded that it was under an obligation to appoint a DPO under Article 37(1) GDPR. The CNPD further pointed out that the investigation should have covered the processing activities of the Partner Entities of the confederation.
Based on these considerations, the CNPD concluded to the absence of violations by the ASBL and closed the case.
Comment
Even when the GDPR does not specifically require the appointment of a DPO pursuant to Article 37(1) GDPR, organisations may designate a DPO on a voluntary basis. Such practice is encouraged by the Article 29 Working Party (the predecessor of the EDPB). If a DPO is appointed on a voluntary basis however, the requirements under Articles 37 to 39 will apply. In this case, however, the CNPD did not analyse in details whether these requirements had been fulfilled by the ASBL, pointing that the investigation should have rather covered the activities of the Partner Entities providing the social services.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with the Association without profit A. Deliberation n ° 43FR / 2021 of October 27, 2021 The National Commission for Data Protection sitting in a restricted body, composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data personnel and the free movement of such data, and repealing Directive 95/46 / EC; er Having regard to the law of 1 August 2018 on the organization of the National Commission for the Protection data and the general data protection regime, in particular Article 41 thereof; Having regard to the internal regulations of the National Commission for Data Protection adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular Article 10, point 2; Having regard to the regulations of the National Commission for Data Protection relating to the investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020, in particular its article 9; Considering the following: I. Facts and procedure 1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and the importance of its integration into the body, and considering that the guidelines 1 concerning DPOs have been available since December 2016, i.e. 17 months before entry into application of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 1The guidelines concerning DPOs were adopted by the “Article 29” working group on 13 December 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the non-profit association A 1/7 relating to the protection of natural persons with regard to the processing of personal data personal data and the free movement of such data, and repealing Directive 95/46 / EC (general data protection regulation) (hereafter: the "GDPR"), the Commission National Data Protection Authority (hereinafter: the "National Commission" or the "CNPD") has decided to launch a thematic survey campaign on the function of the DPO. Thus, 25 audit procedures were opened in 2018, concerning both the private sector and the public sector. 2. In particular, the National Commission decided by decision no. […] Of 14 September 2018 to initiate an investigation in the form of a data protection audit with the non-profit association A located at […], L- […] and registered in the register of Luxembourg trade and companies under the number […] (hereinafter: the “controlled”) and appoint Mr. Christophe Buschmann as head of the investigation. Said deliberation specifies that the investigation relates to the compliance of the inspected with section 4 of chapter 4 of the GDPR. 3. According to Article 3 of its statutes, the purpose of the inspected is [to provide social services]. 4. By letter of September 17, 2018, the head of the survey sent a questionnaire preliminary to the control to which the latter replied by email of October 15, 2018. on-site visits took place on January 28, 2019 and March 13, 2019. Following these discussions, the Chief Investigator drew up the audit report no. […] (hereafter: the "audit report"). 5. It emerges from the audit report that in order to verify the compliance of the organization with the section 4 of chapter 4 of the GDPR, the head of the investigation defined eleven control objectives, know : 1) Ensure that the body subject to the obligation to appoint a DPO has done so; 2) Make sure that the organization has published the contact details of its DPO; 3) Ensure that the organization has communicated the contact details of its DPO to the CNPD; 4) Ensure that the DPO has sufficient expertise and skills to carry out its missions effectively; 5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest; 6) Ensure that the DPO has sufficient resources to perform effectively of its missions; 7) Ensure that the DPO is able to carry out his missions to a sufficient degree autonomy within their organization; ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with the non-profit association A 2/7 8) Ensure that the organization has put in place measures so that the DPO is associated with all matters relating to data protection; 9) Ensure that the DPO fulfills his mission of information and advice to the data controller and employee; 10) Ensure that the DPO exercises adequate control over data processing within of his body; 11) Ensure that the DPO assists the controller in carrying out the impact analyzes in the event of new data processing. 6. By letter of 28 October 2019 (hereinafter: the “statement of objections”), the Chief investigation informed the inspector of breaches of obligations under the GDPR that it noted during its investigation. The audit report was attached to the letter. 7. In particular, the head of the investigation noted in the statement of objections a 2 breach relating to the DPD's control mission. 8. By letter of November 18, 2019, the inspector sent the head of the investigation position regarding the failure noted in the statement of objections. 9. On December 3, 2020, the head of the investigation sent the inspectorate a letter complementary to the statement of objections by which he informs the inspectorate that, given the position taken by the latter of November 18, 2019, "it is appropriate to lift the grievance relating to compliance with the requirements relating to the missions of the DPO and in particular control "and that" [i] t therefore no longer has any grievance against you regarding this investigation. " 10. By email of December 7, 2020, the head of the investigation forwarded the investigation file to the National Commission sitting in a restricted formation (hereinafter: the "formation restricted "), indicating that it has not accepted any grievance or breach against the inspected, when the latter had met the expectations set in the survey or presented elements of mitigation that it considers sufficient in relation to the control objectives adopted in point 5 of this decision. For these reasons, the investigator proposed to the training restricted, in its communication of December 7, 2020, the closure of the file. 2Objective 10 ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° […] carried out with the non-profit association A 3/711. The restricted committee examined the case during its session on February 5, 2021, in accordance with Article 10.2.a) of the Rules of Procedure of the National Commission. 12. During the said session, the restricted committee considered that it was not sufficient enlightened on the point of knowing whether the controlled, taking into account its structure, within which several member entities are grouped together, and the predominance of said entities for the management and exercise of its activities, is obliged to appoint a delegate to data protection under Article 37 (1) of the General Regulation on Data protection. 13. The restricted committee therefore asked the head of the investigation, by letter from 25 March 2021, to proceed, in accordance with Article 10.2.a) of the internal regulations of the National Commission, to further investigation on this point. 14. By email of May 25, 2021, the head of the investigation asked the control of him communicate additional information and documents, in particular concerning activities of the inspectorate and its decision-making structure, in order to be able to inform the training limited on whether the inspected is obliged to appoint a delegate to data protection under Article 37 (1) of the General Regulation on Data protection. 15. The inspected responded to this request by letter of June 15, 2021. The inspected there indicates in particular that he carried out an analysis that led him to consider that he is in the obligation to appoint a DPO and that this analysis has been updated given the questions raised by the restricted committee in this regard. 16. Following this exchange, the head of the investigation informed the restricted party, by email from the June 22, 2021, from its conclusion on the item for further investigation, according to which the inspected is indeed subject to the obligation to appoint a DPO. The head of inquiry has by elsewhere again proposed to the restricted committee to close the file, considering that it There is no reason to hold any breach with regard to the inspected. 17. The restricted committee examined the case again at its meeting on October 27. 2021, in accordance with Article 10.2.a) of the Commission's Rules of Procedure national. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° […] carried out with the non-profit association A 4/718. Taking into account the elements communicated by the inspected within the framework of the supplement investigation, the small group finds that it does not share the chief's conclusion investigation according to which the inspected is indeed subject to the obligation to appoint a delegate to Data protection. 19. It should first be noted that the inspected is an entity [...] "which brings together the activities organized for its service provider members ”and that, as mentioned in point 12 of this decision, these entities have a preponderant place for the management and the exercise of its activities. 20. As for the activities of the inspected, the restricted formation notes that if the chief investigation rightly noted in its email of June 22, 2021 that "[t] he core activities [of the controlled] are [to provide social services] and that, as part of these activities, the controlled processes data relating to health, the head of the investigation also noted that “[i] n the framework of its basic activities, [the controlled] does not have any collaborators. All the activities are carried out by another entity, member of the network [of the controlled], to the account [of the controlled]. " 21. In this regard, it should be noted that in its response of 15 June 2021, the inspected only identified a single "own operational activity", the other activities mentioned being on the one hand "Operational activities delegated" to one of its member entities and on the other hand, "Administrative and support activities" delegated to two entities members. 22. With regard to the decision-making structure, the elements communicated by the controlled confirm that its member entities, which sit in its Assembly general, occupy a prominent place, it being specified "that an activity is recognized as an activity [of the controlled] if it was set up by decision of the board of directors ", this board of directors being" composed of at least [...] members and of [...] members at most, taken from among the active members and elected by the general assembly ordinary and annual ruling by a simple majority of the votes of the active members present. " 23. The inspected also indicates that this board of directors (hereinafter: CA) "is responsible for the general management [of the controlled] and for the strategy of the network. Since [the ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the non-profit association A 5/7 controlled] has a very limited activity of its own, the Board of Directors focuses on agreements strategic between the partners forming the network. It validates common strategies proposed by the partners, determines where applicable their funding and the entity (ies) responsible for their operationalization. " 24. Finally, the controlled indicates that it is "[in] summary (...) a confederation bringing together the members, actors and drivers of a common idea in order to determine common policies and organize their application at the level of field activities. Thus any daily management (also that [of the controlled itself]) is entrusted to operational entities, in occurrence to partners. " 25. In view of the above, the restricted committee considers that it was not established by the further investigation that the controlled, namely the non-profit association A, was in the obligation to appoint a DPO. 26. In addition, taking into account the objectives defined by the CNPD within the framework of the thematic survey on the function of the DPO, and in particular the criteria used for selection of entities, the restricted committee considers that the investigation opened by deliberation No. […] of September 14, 2018 should also have covered, given their activities and data processing, on other operational entities, members providing the non-profit association A. 27. In these circumstances, the restricted committee considers that the case should be closed, in accordance with Article 10.2.a) of the Rules of Procedure of the National Commission. In view of the foregoing developments, the National Commission sitting in restricted formation and deliberating unanimously decides: - to close the investigation opened by deliberation n ° [...] of September 14, 2018 of the National Commission for Data Protection with the Non-Profit Association A located at […], L- […] and registered in the Luxembourg trade and companies register under the number […] ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the non-profit association A 6/7 As decided in Belvaux on October 27, 2021. The National Commission for Data Protection sitting in a restricted body Tine A. Larsen Thierry Lallemang Marc Lemmer President Commissioner Commissioner Indication of remedies This administrative decision may be the subject of an appeal for reformation within three months following its notification. This appeal is to be brought before the administrative tribunal and must must be introduced through a lawyer at the Court of one of the Bar Associations. ________________________________________________________________________ Decision of the National Commission sitting in restricted formation on the outcome of the survey n ° [...] carried out with the non-profit association A 7/7