CNPD (Luxembourg) - 10FR/2023
From GDPRhub
| CNPD - 10FR/2023 | |
|---|---|
 | |
| Authority: | CNPD (Luxembourg) |
| Jurisdiction: | Luxembourg |
| Relevant Law: | Article 37(1)(a) GDPR Article 37(7) GDPR Article 48 of the National Data Protection Law |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 24.07.2023 |
| Published: | 05.12.2023 |
| Fine: | n/a |
| Parties: | Administration communale de Leudelange |
| National Case Number/Name: | 10FR/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | CNPD (in FR) |
| Initial Contributor: | ar |
The Luxembourg DPA found the Municipal Administration of Leudelange to have breached Articles 37(1)(a) and 37(7) GDPR, since the latter, on the date of investigation, had not yet designated a DPO.
English Summary
Facts
Following a general check carried on all Luxembourg municipalities in the summer of 2022, the Luxembourg DPA decided to open an investigation on the Municipal Administration of Leudelange (the controller).
Specifically, the controller aimed to evaluate the controller’s conformity with its obligation to appoint a DPO and whether it communicated the DPO's contact details to the DPA, as provided by Article 37(1)(a) GDPR and Article 37(7) GDPR.
Holding
The DPA noted that pursuant to the entry into force of the GDPR, public bodies were obliged to designate a DPO no later than 25 May 2018. Meanwhile, on the date the investigation was opened, and after consulting the register of DPOs, no DPO had been identified for the controller. The controller appointed a DPO only on 10 March 2023, namely after the opening of the investigation. Thus, the controller violated Article 37(1)(a) GDPR. Moreover, the DPA acknowledged that when the investigation began, the controller had not communicated to the DPA the contact details of the DPO, breaching Article 37(7) GDPR.
Observing Article 48 of the National Data Protection Law, the DPA may impose administrative fines as provided in Article 83 GDPR, except against the State or municipalities. Hence, the DPA found it appropriate to issue a reprimand to the controller under Article 58(2)(b) GDPR. In light of this, the DPA recognised that during the proceedings, the controller took steps to remedy the shortcomings identified by the head of the investigation.
Comment
On the same day, the Luxembourgish DPA published similar findings against other four Municipal Administrations: the Municipal Administration of Useldange, the Municipal Administration of Dalheim, the Municipal Administration of Heffingen and the Municipal Administration of Vallée de l’Ernz.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation
on the outcome of investigation n°[…] carried out with the Administration
municipal of Leudelange
Deliberation No. 10FR/2023 of July 24, 2023
The National Commission for Data Protection sitting in restricted formation
composed of Ms. Tine A. Larsen, president, and Messrs. Thierry Lallemang and Marc
Lemmer, commissioners;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016
relating to the protection of individuals with regard to the processing of data
personal character and the free movement of such data, and repealing the Directive
95/46/EC;
Having regard to the law of August 1, 2018 organizing the National Commission for
data protection and the general regime on data protection, in particular
its article 41;
Considering the internal regulations of the National Commission for the Protection of
data adopted by decision no. 3AD/2020 dated January 22, 2020, in particular its
article 10 point 2;
Having regard to the regulation of the National Commission for Data Protection relating to the
investigation procedure adopted by decision no. 4AD/2020 dated January 22, 2020,
in particular its article 9;
Considering the following:
________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey n°[…] carried out with the Leudelange municipal administration
1/9 I. Facts and procedure
During its deliberation session of December 9, 2022, the National Commission
for data protection sitting in plenary session decided to open a
survey with the Municipal Administration of Leudelange, located at 5, Place des
Martyrs, L-3361 Leudelange (hereinafter: the “controlled”), on the basis of article 38 of the law of
August 1, 2018 organizing the National Commission for the Protection of
data and the general regime on data protection (hereinafter: the “law of August 1
2018") and to appoint Mr. Alain Herrmann as head of investigation.
The said decision clarified that the investigation carried out by the National Commission for
data protection (hereinafter: the “CNPD” or the “National Commission”) was intended to
purpose of monitoring the application and compliance with Regulation (EU) 2016/679 of the Parliament
European Union and of the Council of 27 April 2016 relating to the protection of natural persons
with regard to the processing of personal data and the free movement of these
data, and repealing Directive 95/46/EC (hereinafter: the “GDPR”) and the law of 1
August 2018 and legal texts providing for specific provisions regarding
protection of personal data and more precisely the application and
1
compliance with articles 37.1.a) and 37.7 of the GDPR. The specific purpose of the investigation was
to monitor compliance with the obligation to appoint a data protection officer
(hereinafter: “DPD”) and to communicate the contact details to the supervisory authority. She
followed a general verification that the CNPD had carried out among all
Luxembourg municipalities during the summer of 2022.
The person being investigated was informed of the opening of the investigation against him by letter from the head
investigation dated February 3, 2023. In this letter, the head of investigation asked the
controlled “please read the initial findings below:
By letter dated August 11, 2022, the president of the CNPD reminded the Mayor of his
obligation to appoint a data protection officer (hereinafter the “DPD”), as well as
that its obligation to notify the CNPD of this designation (EXIT 1).
1Deliberation No.[…] of December 9, 2022 of the National Commission for Data Protection relating
at the opening of a fact-finding mission to the Leudelange municipal administration.
________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey n°[…] carried out with the municipal administration of Leudelange
2/9 In the absence of a reaction from the Mayor, the president of the CNPD told him
sent a reminder dated September 23, 2022 (EXHIBIT 2).
On the date of writing of this letter, and after consulting the register of
data protection delegates, the investigating officers did not identify any
appointment of a DPO for your municipality”.
The person being inspected responded to the letter opening the investigation by mail dated March 10
2023, after the CNPD had granted it additional time.
At the end of his investigation, the head of investigation notified the person being inspected on March 31
2023 a statement of objections detailing the breach which it considered constituted in
the species in relation to the requirements prescribed by article 37.1.a) of the GDPR (obligation to
appoint a DPO).
The head of investigation proposed to the National Commission sitting in formation
restricted training (hereinafter: the “Restricted Training”) to adopt a corrective measure.
The ability to formulate written observations on the statement of objections was
offered to the controlled.
By letter of May 2, 2023, the person being inspected informed the head of investigation that he had not
comments to be made in relation to the statement of objections.
The president of the Restricted Training informed the controlled person by mail on the date
of May 23, 2023 that his case would be registered at the session of the Restricted Formation of
July 4, 2023 and that he was offered the opportunity to be heard there.
By email of June 27, 2023, the controlled person confirmed his presence at said session.
During this session the head of investigation, […], and the person being investigated, represented by […],
presented their oral observations in support of their written observations and responded to the
questions asked by the Restricted Training. The person being controlled had the last word.
________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey n°[…] carried out with the Leudelange municipal administration
3/9 II. Place
II.1. On the reasons for the decision
On the failure linked to the obligation to appoint a DPO and communicate the
contact details at the CNPD
1. On the principles
In accordance with article 37.1.a) of the GDPR, any data controller or subcontractor
processor must designate a DPO if the “processing is carried out by a public authority or
a public body, with the exception of courts acting in the exercise of their function
jurisdictional”.
Based on article 37.7 of the GDPR, any data controller or subcontractor
is also obliged to communicate the contact details of the DPO to the supervisory authority,
that is to say in this case to the CNPD.
In its guidelines on DPDs, the Article 29 Working Group has
clarified the relevant provisions of the GDPR in this area in order to help those responsible
processing and subcontractors to comply with the legislation, but also to assist the DPOs
in their role.
Note that the European Data Protection Committee, which succeeded the
Article 29 Working Group on May 25, 2018, took up and reapproved the adopted documents
by the said Group between May 25, 2016 and May 25, 2018, as precisely the lines
3
aforementioned guidelines.
2. In the present case
The head of investigation noted in his statement of objections that on “the date
opening of an investigation, and after consultation of the register of delegates for the protection of
2 The Guidelines on DPDs were adopted by the Article 29 Working Group on
December 13, 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017.
3 See decision Endorsement 1/2018 of the EDPS of May 25, 2018, available under:
https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey n°[…] carried out with the Leudelange municipal administration
4/9 data, the investigating agents did not identify the designation of a DPO for
the Municipal Administration of Leudelange”.
Furthermore, he noted that the auditee “designated a DPO on March 10, 2023, i.e.
after the opening of the investigation.
Therefore, he held that “the conditions of article 37, paragraph (1) point a) of
GDPR has not been respected. 4
Restricted Training would first of all like to emphasize that the controlled is a
Luxembourg municipal administration and therefore, a public body obliged to
designate a DPO no later than May 25, 2018, the date the GDPR comes into force.
It then notes that the person being inspected had responded on March 10, 2023 to the letter from
head of investigation of February 3, 2023 informing him of the opening of the investigation into him. In
annexed to this letter of March 10, 2023 was an extract from the deliberations of the
College of mayor and aldermen of March 10, 2023, as well as the application form
declaration from the DPD to the CNPD, signed and dated on the same day, according to which the
Government Data Protection Commissioner at the State had been
designated as DPO of the controlled person.
The Restricted Panel can therefore only agree with the findings of the head of investigation
that on the date of opening of the investigation, that is to say December 9, 2022, the person inspected did not have
still designated a DPD, despite the reminder letters from the CNPD of August 11, 2022 and
from September 23, 2022.
In view of the above, it concludes that at the start of the investigation, the person controlled failed
to its obligation arising from article 37.1.a) of the GDPR.
Furthermore, the Restricted Formation notes that on the date of the opening of
the investigation, the person controlled had not communicated the contact details of his DPO to the CNPD
in accordance with article 37.7 of the GDPR. Therefore, as the control of compliance with said
article appeared within the scope of the investigation in question (see point 2 of this decision),
4Statement of Objections, points 16 to 18.
________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey n°[…] carried out with the Leudelange municipal administration
5/9she considers that the person inspected also failed to fulfill his obligation arising from article 37.7
of the GDPR.
II. 2. On corrective measures
1. On the principles
In accordance with article 12 of the law of August 1, 2018, the National Commission
has the powers provided for in article 58.2 of the GDPR:
“a) notify a controller or a processor of the fact that the operations
processing envisaged are likely to violate the provisions of this
regulation;
b) call to order a controller or a processor when the
processing operations have resulted in a violation of the provisions of this Regulation;
(c) order the controller or processor to comply with the
requests submitted by the data subject with a view to exercising their rights in
application of this regulation;
(d) order the controller or processor to put the operations
processing in accordance with the provisions of this regulation, where applicable,
in a specific manner and within a specific time frame;
(e) order the controller to communicate to the data subject
a personal data breach;
(f) impose a temporary or permanent limitation, including a ban, on the
treatment;
g) order the rectification or erasure of personal data or the
limitation of processing pursuant to Articles 16, 17 and 18 and the notification of these
measures to recipients to whom personal data have been disclosed
pursuant to Article 17(2) and Article 19;
(h) withdraw a certification or order the certification body to withdraw a
certification issued pursuant to articles 42 and 43, or order the body to
________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey n°[…] carried out with the Leudelange municipal administration
6/9certification not to issue certification if the requirements applicable to certification
are not or no longer satisfied;
(i) impose an administrative fine pursuant to section 83, in addition or
instead of the measures referred to in this paragraph, depending on the characteristics
specific to each case;
j) order the suspension of data flows addressed to a recipient located in
a third country or an international organization.
In accordance with article 48 of the law of August 1, 2018, the CNPD may impose
administrative fines as provided for in Article 83 of the GDPR, except against
the State or municipalities.
The Restricted Training would like to point out that the facts taken into account in the framework
of this decision are those noted at the start of the investigation. The possible
modifications relating to the data processing subject to the investigation that have taken place
subsequently, even if they make it possible to fully or partially establish the
compliance, do not allow retroactive cancellation of a noted breach.
However, the steps taken by the auditee to comply
with the GDPR during the investigation procedure or to remedy breaches
noted by the head of investigation in the statement of objections, are taken into account by
Restricted Training as part of any corrective measures to be taken.
2. In the present case
In the communication of grievances the head of investigation “proposes to the Training
Restricted from issuing a call to order against the Controlled Party according to which he must
comply with the applicable legislation regarding the appointment of a protection delegate
data » .5
As for the corrective measure proposed by the head of investigation and with reference to
point 21 of this decision, the Restricted Training takes into account the procedures
5Statement of Objections, paragraph 25.
________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey n°[…] carried out with the Leudelange municipal administration
7/9 carried out by the auditee in order to comply with the provisions of articles 37.1.a) and 37.7
of the GDPR, as detailed in its letter of March 10, 2023.
More particularly, it notes that as of March 10, 2023, the person inspected had
sent to the CNPD, the extract of the deliberations of the College of Mayor and Aldermen
relating to the meeting of March 10, 2023, as well as the DPO declaration form, signed
and dated the same day, and according to which the Government Protection Commission
of data with the State had been designated as DPO of the controlled.
However, on the date of the opening of the investigation, the person inspected had neither designated a
DPD, nor communicated its contact details to the CNPD.
For these reasons, the Restricted Panel considers that it is appropriate to pronounce the
corrective measure proposed by the head of investigation in this regard and taken up in point 22 of the
this decision and to call the controlled person to order for having violated articles 37.1.a) and
37.7 of the GDPR.
Finally, under the terms of article 52 of the law of August 1, 2018, “CNPD may
order, at the expense of the sanctioned person, the publication in full or in extracts of
its decisions with the exception of decisions relating to the imposition of penalty payments, and under
reserves that:
1° the means of appeal against the decision have been exhausted; And
2° the publication does not risk causing disproportionate harm to the parties in question.
cause ".
The Restricted Panel considers that the publication of this decision does not risk
not cause disproportionate harm to the person being controlled, but that it is justified in view of
of the public interest in knowing the results of the general verification that the CNPD had
carried out in all Luxembourg municipalities during the summer of 2022.
________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey n°[…] carried out with the Leudelange municipal administration
8/9 Taking into account the above developments, the National Commission
sitting in restricted formation, after having deliberated, decides:
- to identify breaches of articles 37.1.a) and 37.7 of the GDPR;
- to issue a recall against the Leudelange municipal administration
to order for having violated articles 37.1.a) and 37.7 of the GDPR;
- to publish the decision on the website of the National Commission as soon as the
avenues of appeal have been exhausted.
Belvaux, July 24, 2023,
The National Commission for Data Protection sitting in restricted formation,
Tine A. Larsen Thierry Lallemang Marc Lemmer
President Commissioner Commissioner
Indication of avenues of appeal
This administrative decision may be the subject of an appeal for reform in
the three months following its notification. This appeal must be brought before the court
administrative and must be introduced through a lawyer to the Court of a
Bar Associations.
________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey n°[…] carried out with the Leudelange municipal administration
9/9
