CNPD (Luxembourg): Difference between revisions

From GDPRhub
 
(7 intermediate revisions by 3 users not shown)
Line 40: Line 40:
|}
|}


The Luxemburg Data Protection Commission (''Commission Nationale pour la Protection des Données'') is the national Data Protection Authority for Luxembourg. It resides in Esch-sur-Alzette and is in charge of enforcing GDPR in Luxembourg.
The ''Commission Nationale pour la Protection des Données'' (CNPD) is the national Data Protection Authority for Luxembourg, headquartered in Belvaux, municipality of Salem. The CNPD oversees the GDPR in Luxembourg and advises the national parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of the rights and freedoms of natural persons with regard to processing of their personal data.


==Structure==
==Structure==
''You can help us by filling in this section!''
The CNPD is an independent public institution, financially and administratively autonomous. Although the CNPD operates in the form of a public establishment under the supervision of the Minister whose responsibilities include data protection (''currently the [https://gouvernement.lu/en/gouvernement/xavier-bettel.html Minister for Communications and Media]''), it is nevertheless independent in the exercise of its functions.
 
The CNPD adopted its [https://cnpd.public.lu/dam-assets/reglements-cnpd/3AD-2020-ROI-CNPD.pdf rules of procedure], including its internal procedures and working methods on 22 January 2020. The rules of procedure was adopted unanimously by the members of the college in plenary session. These internal rules of procedure are published in the [http://legilux.public.lu/eli/etat/adm/ri/2020/01/22/b549/jo Official Gazette of the Grand Duchy of Luxembourg].
 
The internal regulations determine:
 
# operating conditions for the CNPD;
# the organisation of the services of the CNPD;
# the procedures for convening the members of the college and holding collegiate meetings.
 
The CNPD is a collegiate body made up of four members, one of which is a president. Members are called ''Data Protection Commissioners'' and are authorised to use the title “Commissioner”, with this title having no impact on their rank or their remuneration. 
 
Current Commissioners are: Ms Tine A. Larsen (Chair), Mr Thierry Lallemang (Commissioner), Mr Marc Lemmer (Commissioner) and Mr Alain Herrmann (Commissioner). Four deputy members are also appointed. The deputy members are called to replace members of the college when they are absent or unable to attend.
 
The CNPD meets regularly for deliberations. The college may validly sit and deliberate only if at least three members of the college are present, and decisions are adopted by majority vote. If the number of votes are equal, the president has the deciding vote. Abstentions are not permitted. The members of the college and the deputy members cannot sit, deliberate or adopt decisions in a matter in which they have a direct or indirect interest.
 
The CNPD's organizational chart can be found [https://cnpd.public.lu/en/commission-nationale/composition.html on this page].


==Procedural Information==
==Procedural Information==


===Applicable Procedural Law===
===Applicable Procedural Law===
''You can help us by filling in this section!''
The CNPD verifies if personal data is processed in accordance with the following provisions:
 
* the General Data Protection Regulation (GDPR);
* [https://cnpd.public.lu/dam-assets/fr/legislation/droit-lux/Act-of-1-August-2018-on-the-organisation-of-the-National-Data-Protection-Commission-and-the-general-data-protection-framework.pdf the Act of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework];
* [https://legilux.public.lu/eli/etat/leg/loi/2018/08/01/a689/jo the Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters];
* [https://legilux.public.lu/eli/etat/leg/recueil/protection_donnees/20180901 the Act of 30 May 2005 regarding the specific rules for the protection of privacy in the sector of electronic communications];
* other legal texts containing specific provisions on the protection of personal data, [https://cnpd.public.lu/en/legislation/droit-lux.html as listed at the end of the page here].
 
'''The CNPD is not competent to supervise the processing of personal data carried out by courts of the judicial order, including the public prosecutor (ministère public), or the administrative order acting in their judicial capacities.'''  


===Complaints Procedure under Art 77 GDPR===
===Complaints Procedure under Art 77 GDPR===
''Complaints can be filed online via :'' https://cnpd.public.lu/en/particuliers/faire-valoir/formulaire-plainte.html
The GDPR was adopted pursuant to article 40 of the Act of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework. It determines the procedure for investigations before the CNPD.


''You can help us by filling in this section!''
In the course of the procedure of complaint, the CNPD first examines whether a complaint is justified, i.e. it checks whether the facts alleged by the claimant relating to the processing of personal data are likely or not to constitute a violation of the applicable data protection legislation. Where the CNPD considers that the challenged processing of data would indeed be contrary to applicable law, it will use its best endeavours to remedy the situation without making use of the binding measures entrusted within the framework of its powers conferred by law.


===''Ex Officio'' Procedures under Art 57 GDPR===
===''Ex Officio'' Procedures under Art 57 GDPR===
''You can help us by filling in this section!''
The CNPD may launch ''Ex Officio'' procedures, for example following information seen in the media. They also launch own audit campaigns, for example the 2018 audit of controllers' appointment of a Data Protection Officer (''which lead to several decisions, many which are found in the GDPRhub, for example [[CNPD (Luxembourg) - Délibération n° 42FR/2021|Délibération n° 42FR/2021]]'').


===Appeals===
===Appeals===
''You can help us by filling in this section!''
A decision made by the CNPD can be challenged within 3 months. If it is, it will go to a general, administrative tribunal for review. A tribunal decision may also be challenged and the case will then move forward in the Luxembourg court system.


==Practical Information==
==Practical Information==
===Filing with the DPA===
 
''You can help us by filling in this section!''
=== Filing with the DPA ===
Complaints can be filed online via this form: https://cnpd.public.lu/en/particuliers/faire-valoir/formulaire-plainte.html or sent by post to the following address:
 
'''Commission nationale pour la protection des données'''
 
'''Service des réclamations'''
 
'''15, Boulevard du Jazz'''
 
'''L-4370 Belvaux'''


===Known Problems===
===Known Problems===
''You can help us by filling in this section!''
Make sure to '''download your complaint''' as PDF after submission. You are left with no trace of what you submitted if you fail to download the complaint.
 
===Filing an Appeal===
===Filing an Appeal===
''You can help us by filling in this section!''
''You can help us by filling in this section!''


==Decision Database==
==Decision Database==
Decision and Opinions can be found here : https://cnpd.public.lu/en/decisions-avis.html
Decision and Opinions can be found on the CNPD's website here : https://cnpd.public.lu/en/decisions-avis.html. Decisions summarized on the GDPRhub [[:Category:CNPD (Luxembourg)|are listed here]].


==Statistics==
==Statistics==


=== Funding ===
== Key figures of 2021 ==
These figures are from the DPA's [https://cnpd.public.lu/en/actualites/national/2022/10/rapport-annuel-2021.html 2021 annual report]:
 
* '''618 written''' '''requests for information''' (compared to 655 in 2020) —The three main categories were the COVID-19 pandemic (contact tracing, body temperature measurement, teleworking, homeschooling, etc.), monitoring at the workplace and the rights of data subjects (right of access, right of erasure, etc.).
* '''33 opinions on draft laws or regulations''' (compared to 24 in 2020) — In addition to those relating to the fight against Covid-19, the opinions focused on video surveillance of public spaces for public safety purposes (VISUPOL), open data and re-use of public sector information, the control of the acquisition and possession of weapons, the European electronic communications code and the Central Database of the Police.
* '''512 complaints from individuals who considered that the law had not been respected or that their rights had been violated''' (compared to 485 in 2020) —Over one quarter (26%) of the complaints were based on non-compliance with the right of access by controllers, 24% were requests for erasure or rectification of data and 14% were related to the lawfulness of the processing.
* '''333 data breaches notified to the CNPD''' (compared to 379 in 2020) —The CNPD receives approximately 29 notifications of data breaches per month. The main cause remains human error in 62 % of cases. More than half of the incidents are detected within 5 days of their occurrence.
* '''18 on-site investigations''' (compared to 8 in 2020) — The CNPD carried out on-site investigations mainly on video surveillance.
* '''6 investigations as part of an audit on transparency''' — The CNPD continued its investigations as part of its thematic campaign “transparency in the online services sector” which was launched in 2020 among 6 companies in this area.
 
===Funding===
''You can help us filling this section!''
''You can help us filling this section!''


=== Personal ===
===Personal===
''You can help us filling this section!''
''You can help us filling this section!''


=== Caseload ===
===Caseload===
''You can help us filling this section!''


*Number of complaints received by the DPA: 526
===Fines===
*Number of proceedings initiated on the own initiative of the DPA: 31
''You can help us filling this section!''
*Number of data breach notifications: 299
*Number of proceedings terminated by a decision: '''''<u>0</u>'''''


=== Fines ===
===Annual Reports===
 
The CNPD has published annual reports since 2002, all of which can be found on their website here: https://cnpd.public.lu/en/publications/rapports.html
*Number of imposed fines : '''''<u>0</u>'''''
*Amount of these fines: '''''<u>0</u>'''''
 
=== Annual Reports ===
''You can help us filling this section!''


Source:  https://download.data.public.lu/resources/gdpr-in-luxembourg/20190601-125253/gdpr.xml
Annual reports are usually published in September/October.


{{DataProtectionAuthorities}}
{{DataProtectionAuthorities}}

Latest revision as of 10:14, 19 October 2022

Commission Nationale pour la Protection des Données
Name: Commission Nationale pour la Protection des Données
Abbreviation: CNPD
Jurisdiction: Luxembourg
Head: Tine A. Larsen
Deputy: n/a
Address: 15, Boulevard du Jazz

L-4370 Belvaux

Luxembourg

Webpage: www.cnpd.lu
Email: info@cnpd.lu
Phone: +352 2610 60 1
Twitter: n/a
Procedural Law: n/a
Decision Database: n/a
Translated Decisions: Category:CNPD (Luxembourg)
Head Count: n/a
Budget: n/a

The Commission Nationale pour la Protection des Données (CNPD) is the national Data Protection Authority for Luxembourg, headquartered in Belvaux, municipality of Sanem. The CNPD oversees the GDPR in Luxembourg and advises the national parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of the rights and freedoms of natural persons with regard to the processing of their personal data.

Structure

The CNPD is an independent public institution, financially and administratively autonomous. Although the CNPD operates in the form of a public establishment under the supervision of the Minister whose responsibilities include data protection (currently the Minister for Communications and Media), it is nevertheless independent in the exercise of its functions.

The CNPD adopted its rules of procedure, including its internal procedures and working methods, on 22 January 2020. The rules of procedure were adopted unanimously by the members of the college in plenary session. These internal rules of procedure are published in the Official Gazette of the Grand Duchy of Luxembourg.

The internal regulations determine:

  1. operating conditions for the CNPD;
  2. the organisation of the services of the CNPD;
  3. the procedures for convening the members of the college and holding collegiate meetings.

The CNPD is a collegiate body made up of four members, one of whom is the president. Members are called Data Protection Commissioners and are authorised to use the title “Commissioner”, with this title having no impact on their rank or their remuneration.

Current Commissioners are: Ms Tine A. Larsen (Chair), Mr Thierry Lallemang (Commissioner), Mr Marc Lemmer (Commissioner) and Mr Alain Herrmann (Commissioner). Four deputy members are also appointed. The deputy members are called to replace members of the college when they are absent or unable to attend.

The CNPD meets regularly for deliberations. The college may validly sit and deliberate only if at least three members of the college are present, and decisions are adopted by majority vote. If the number of votes is equal, the president has the deciding vote. Abstentions are not permitted. The members of the college and the deputy members cannot sit, deliberate or adopt decisions in a matter in which they have a direct or indirect interest.

The CNPD's organizational chart can be found on this page.

Procedural Information

Applicable Procedural Law

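The CNPD verifies whether personal data is processed in accordance with the following provisions:

  • the General Data Protection Regulation (GDPR);
  • the Act of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework;
  • the Act of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters;
  • the Act of 30 May 2005 regarding the specific rules for the protection of privacy in the sector of electronic communications;
  • other legal texts containing specific provisions on the protection of personal data, as listed at the end of the page here.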

The CNPD is not competent to supervise the processing of personal data carried out by courts of the judicial order, including the public prosecutor (ministère public), or the administrative order acting in their judicial capacities.

Complaints Procedure under Art 77 GDPR

The GDPR was adopted pursuant to article 40 of the Act of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework. It determines the procedure for investigations before the CNPD.

In the course of the complaint procedure, the CNPD first examines whether a complaint is justified, i.e. it checks whether the facts alleged by the claimant relating to the processing of personal data are likely to constitute a violation of the applicable data protection legislation. Where the CNPD considers that the challenged processing of data would indeed be contrary to applicable law, it will use its best endeavours to remedy the situation without making use of the binding measures available to it under the powers conferred on it by law.

Ex Officio Procedures under Art 57 GDPR

The CNPD may launch Ex Officio procedures, for example following information seen in the media. It also launches its own audit campaigns, for example the 2018 audit of controllers' appointment of a Data Protection Officer (which led to several decisions, many of which are found in the GDPRhub, for example Délibération n° 42FR/2021).

Appeals

A decision made by the CNPD can be challenged within 3 months. If it is, it will go to a general, administrative tribunal for review. A tribunal decision may also be challenged and the case will then move forward in the Luxembourg court system.

Practical Information

Filing with the DPA

Complaints can be filed online via this form: https://cnpd.public.lu/en/particuliers/faire-valoir/formulaire-plainte.html or sent by post to the following address:

Commission nationale pour la protection des données

Service des réclamations

15, Boulevard du Jazz

L-4370 Belvaux

Known Problems

Make sure to download your complaint as PDF after submission. You are left with no trace of what you submitted if you fail to download the complaint.

Decision Database

Decisions and opinions can be found on the CNPD's website here: https://cnpd.public.lu/en/decisions-avis.html. Decisions summarized on the GDPRhub are listed here.

Statistics

Key figures of 2021

These figures are from the DPA's 2021 annual report:

  • 618 written requests for information (compared to 655 in 2020) — The three main categories were the COVID-19 pandemic (contact tracing, body temperature measurement, teleworking, homeschooling, etc.), monitoring at the workplace and the rights of data subjects (right of access, right of erasure, etc.).
  • 33 opinions on draft laws or regulations (compared to 24 in 2020) — In addition to those relating to the fight against COVID-19, the opinions focused on video surveillance of public spaces for public safety purposes (VISUPOL), open data and re-use of public sector information, the control of the acquisition and possession of weapons, the European electronic communications code and the Central Database of the Police.
  • 512 complaints from individuals who considered that the law had not been respected or that their rights had been violated (compared to 485 in 2020) — Over one quarter (26%) of the complaints were based on non-compliance with the right of access by controllers, 24% were requests for erasure or rectification of data and 14% were related to the lawfulness of the processing.
  • 333 data breaches notified to the CNPD (compared to 379 in 2020) — The CNPD receives approximately 29 notifications of data breaches per month. The main cause remains human error in 62% of cases. More than half of the incidents are detected within 5 days of their occurrence.
  • 18 on-site investigations (compared to 8 in 2020) — The CNPD carried out on-site investigations mainly on video surveillance.
  • 6 investigations as part of an audit on transparency — The CNPD continued its investigations as part of its thematic campaign “transparency in the online services sector” which was launched in 2020 among 6 companies in this area.

Annual Reports

The CNPD has published annual reports since 2002, all of which can be found on their website here: https://cnpd.public.lu/en/publications/rapports.html

Annual reports are usually published in September/October.
