CNPD (Luxembourg) - Délibération n°13FR/2021

From GDPRhub
Revision as of 14:13, 10 June 2021 by Cvl (talk | contribs) (→‎Dispute)
CNPD (Luxembourg) - Délibération n°13FR/2021
LogoLU.png
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 12 GDPR
Article 13 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 21.04.2021
Published: 07.06.2021
Fine: None
Parties: n/a
National Case Number/Name: Délibération n°13FR/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNPD (in FR)
Initial Contributor: n/a

The Luxembourg DPA warned a controller who had not adequately informed their employees about a geolocation system used in their vehicles.

English Summary

Facts

The Luxembourg DPA launched an investigation on a controller that had implemented a geolocation system on their snowplowing and salting vehicles.

Such system used on-line software, although the data was not transferred via WiFi but via phone cards.

The employees participated in the activities relating such vehicles on a voluntary basis. They had only been informed about the system, however, orally.

Holding

The DPA argued that, even if Article 12 GDPR does not de facto exclude the possibility of providing the information from Articles 13 and 14 orally, it poses an accountability problem. The controller must be able to demonstrate that it has provided such information.

However, having provided the information in an oral manner, in this case the controlled could not prove that had provided the information, and therefore the DPA concluded that the controller had violated Article 13 GDPR.

The DPA took into account that the controller had implemented, during the proceedings, adequate measures to fulfill their information obligation, following the authority's proposal.

Therefore, the CNPD decided to only warn the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision of the National Commission sitting in restricted formation

    on the outcome of survey No. [...] conducted among the administration

                                municipal [...]



                       Deliberation n ° 13FR / 2021 of April 21, 2021


The National Commission for Data Protection sitting in a restricted body

composed of Ms Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc
Lemmer, commissioners;



Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016

relating to the protection of individuals with regard to the processing of personal data
personal character and on the free movement of such data, and repealing the Directive

95/46 / EC;


               er
Considering the law of August 1, 2018 on the organization of the National Commission for
data protection and the general data protection regime, in particular

its article 41;



Having regard to the internal regulations of the National Commission for the Protection of

data adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular its
article 10 point 2;



Having regard to the regulation of the National Commission for Data Protection relating to

investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020,
in particular Article 9;



Considering the following:









   _____________________________________________________________
             Decision of the National Commission sitting in restricted formation on the outcome of
                   the survey no. […] carried out with the municipal administration of […]


                                                                                                 1/13 I. Facts and procedure



      1. During its deliberation session of January 16, 2019, the National Commission

for data protection sitting in plenary session (hereinafter: "Training

Plenary ") had decided to open an investigation with the municipal administration of
                                                                           er
[...] (hereinafter: "the controlled") on the basis of article 37 of the law of 1 August 2018 on

organization of the National Commission for Data Protection and Regime
                                                                er
General on Data Protection (hereinafter “Law of 1 August 2018”) and to designate

Mr. Christophe Buschmann as head of investigation.


      2. According to the decision of the Plenary Panel, the investigation carried out by the

National Commission for Data Protection (hereafter: "CNPD") had as

purpose of verifying compliance with the provisions of the regulation on the protection of

natural persons with regard to the processing of personal data and the

free movement of such data, and repealing Directive 95/46 / EC (hereinafter "GDPR")

and the law of August 1, 2018, in particular through the establishment of

video surveillance and geolocation if necessary installed by the controlled.


      3. On January 24, 2019, CNPD agents visited the
                                                    1
the controlled premises at the following address: [...] The decision of the National Commission

for data protection sitting in restricted formation on the outcome of the investigation

(hereinafter: "Restricted Training") will be limited to the treatments controlled by the agents

of the CNPD.

                                                               2
      4. During the said visit, the representatives of the inspected confirmed to the agents of the

CNPD that a geolocation system is installed in [...] vehicles equipped with a









1 See Minutes no. [...] relating to the on-site investigation mission carried out on January 24, 2019
with the municipal administration of [...].

2 See Minutes no. [...] relating to the on-site investigation mission carried out on January 24, 2019
with the municipal administration of [...].


   _____________________________________________________________
               Decision of the National Commission sitting in restricted formation on the outcome of

                     the survey no. […] carried out with the municipal administration of […]


                                                                                                          2/13 snow removal or road salting device, but that the inspected does not have recourse to

a video surveillance system. 3


      5. According to the explanations provided to the CNPD agents, the persons concerned

by geolocation are the members of the municipal staff (employees and civil servants

municipalities) who have expressed their willingness to participate in the winter service.


      6. In addition, the CNPD agents noted that the software of the
geolocation of the controlled is hosted online by the supplier "[…]", specialized in

cleaning and snow removal and that the said supplier is to be considered as

processor within the meaning of article 4, point 8 of the GDPR.


      7. In his response letter of February 14, 2019 to the minutes drawn up by the

CNPD agents, the inspector specified that the data collected by the boxes of the

geolocation device are not transmitted to the servers of the provider of the
program via wifi connection ([…]), but with mobile phone cards.



      8. At the end of his investigation, the head of investigation notified the inspector on the 8th

August 2019 a statement of objections detailing the breach which he considered constituted

in this case, and more specifically a non-compliance with the requirements prescribed by Article

13 of the GDPR for employees.


      9. On September 17, 2019, the inspected filed written observations on the

statement of objections.



      10. A letter supplementing the statement of objections was sent to

checked on August 3, 2020. In this letter, the head of the investigation proposed to the
Restricted training to adopt two different corrective measures.



      11. By letter of 24 August 2020, the inspected produced written observations on

the additional letter to the statement of objections.



3 See report no. [...] relating to the on-site investigation mission carried out on January 24, 2019
with the municipal administration of [...]. See also the response of the inspected of February 14, 2019 where this
the latter clarified that it is not a question of [...], but only of [...] vehicles equipped with a
geolocation.

   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                     the survey no. […] carried out with the municipal administration of […]


                                                                                                        3/13 12. The president of the Restricted Formation informed the control by letter of 9
October 2020 that his case would be registered for the Restricted Training session of 17

November 2020. The inspected confirmed their presence at the said meeting on 3

November 2020.


      13. During the Restricted Training session on November 17, 2020, the leader

investigation team and the inspector presented their oral observations in support of their

written observations and answered questions posed by the Restricted Training. The

President consented to the inspector's request to be able to send to Formation
Restricted additional photos of the geolocation system and to provide by

writes the necessary explanations within a week. The controlled had the floor in

latest.


      14. By e-mail of November 18, 2020, the inspected sent four
photos to the Restricted Training of the geolocation system in place with

additional explanations.


II. Place


II. 1. As to the grounds for the decision



A. On the breach related to the obligation to inform the persons concerned


1. On the principles


      15. Pursuant to paragraph 1 of Article 12 of the GDPR, the "controller

take appropriate measures to provide any information referred to in Articles 13 and 14

as well as to make any communication under Articles 15 to 22 and Article
34 with regard to the processing to the data subject in a concise manner,

transparent, understandable and easily accessible, in clear and simple terms […].

The information is provided in writing or by other means including, when it is

appropriate, electronically. When the data subject so requests, the
information may be provided orally, provided that the identity of the person

concerned is demonstrated by other means. "


   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                    the survey no. […] carried out with the municipal administration of […]


                                                                                                  4/13 16. Article 13 of the GDPR provides as follows:


"1. When personal data relating to a data subject are

collected from this person, the controller provides them, at the time

where the data in question is obtained, all of the following information:


a) the identity and contact details of the controller and, where applicable, of the

representative of the controller;


b) where applicable, the contact details of the data protection officer;



c) the purposes of the processing for which the personal data are intended as well

as the legal basis for the processing;


d) where the processing is based on Article 6 (1) (f), the legitimate interests

pursued by the controller or by a third party;


e) the recipients or the categories of recipients of the personal data,

if they exist; and


f) where applicable, the fact that the controller intends to carry out a

transfer of personal data to a third country or to an organization

international, and the existence or absence of an adequacy decision issued by the

Commission or, in the case of transfers referred to in Article 46 or 47, or in Article 49,
paragraph 1, second subparagraph, the reference to appropriate or adapted guarantees and the

how to obtain a copy or where it was made available;



2. In addition to the information referred to in paragraph 1, the controller shall provide
to the data subject, when the personal data are

obtained, the following additional information which is necessary to guarantee

fair and transparent treatment:


a) the retention period of personal data or, when this is not

possible, the criteria used to determine this duration;
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                    the survey no. […] carried out with the municipal administration of […]


                                                                                                      5 / 13b) the existence of the right to request from the controller access to the data

personal character, rectification or erasure thereof, or a limitation of the

processing relating to the data subject, or the right to object to the processing and

right to data portability;


c) where the processing is based on Article 6 (1) (a) or on Article 9,

paragraph 2 (a), the existence of the right to withdraw consent at any time,

without affecting the lawfulness of the processing based on consent made before the
withdrawal of it;



d) the right to lodge a complaint with a supervisory authority;


e) information on whether the requirement to provide data to

personal character has a regulatory or contractual character or if it conditions the

conclusion of a contract and whether the data subject is obliged to provide the data to
personal character, as well as the possible consequences of the non-provision of

those data;



f) the existence of automated decision-making, including profiling, referred to in Article
22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the

underlying logic, as well as the significance and expected consequences of this processing

for the person concerned.


3. When he intends to carry out further processing of personal data

personal for a purpose other than that for which the personal data

have been collected, the data controller provides the person with

concerned information about this other purpose and any other information
relevant referred to in paragraph 2.



4. Paragraphs 1, 2 and 3 do not apply when and to the extent that the person
concerned already has this information. "




   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                    the survey no. […] carried out with the municipal administration of […]


                                                                                                      6/13 17. The communication to data subjects of information relating to

processing of their data is an essential element in the context of compliance with

general transparency obligations within the meaning of the GDPR. The said obligations were

clarified by the Article 29 Working Group in its guidelines on

transparency within the meaning of Regulation (EU) 2016/679, the revised version of which has been adopted

April 11, 2018 (hereafter: "WP 260 rev.01").



      18. Note that the European Data Protection Board (hereafter:

"EDPS"), which replaced the Article 29 Working Party since 25 May 2018, took over

and re-approved the documents adopted by said Group between May 25, 2016 and May 25
                                                                                  5
2018, as precisely the aforementioned guidelines on transparency.


2. In this case



      19. In the statement of objections, the head of investigation referred to a letter from

February 14, 2019, in which the latter annexed a document entitled "[…]

". In the said letter, the inspector also specified that "everything is being done to

also transmit the information in writing to the officers concerned. So a

personalized information letter to the attention of the agents making up the teams of the

winter service has been prepared […] ”.



      20. Nevertheless, the head of the investigation found that the non-compliance with Article 13 of

GDPR was acquired on the day of the on-site visit, because the documentation submitted to it by the

the aforementioned letter contained no evidence against this non-compliance with this
precise date. The head of the investigation added that "the observation that the employees had been

informed orally, without presenting any evidence to support this

claim, is not likely to upset this finding. "(See statement of objections,

page 2, Ad.A.1.).







4
 See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR.
5 See EDPS Endorsement 1/2018 decision of 25 May 2018, available at:

https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of

                     the survey no. […] carried out with the municipal administration of […]


                                                                                                        7/13 21. In his letter of August 24, 2020, the inspector referred to his

comments contained in his letter of September 17, 2019, which already mentioned the

procedures carried out by the inspected, following the visit of CNPD agents, in order to

comply with the provisions of Article 13 of the GDPR. The controlled specified that
in accordance with Article L-261-1 of the Labor Code, collective information relating to the

implementation of the geolocation system for the delegations of officials and

municipal employees, as well as employees took place by letter of August 13, 2019, a
                                                                                             er
share, and that all the agents concerned would be informed individually before the 1

November 2019, on the other hand. In addition, the controlled specified therein that the information also

been put on the intranet site of […] and that the instructions were given to the services to post
information in the premises of the departments concerned. Copies of information notices

intended for delegations and employees were appended to the letter of 17

September 2019.


      22. In addition, the inspected explained in the aforementioned letter of September 17, 2019

that on that date the number of intervention vehicles equipped with a
                                        6 st
geolocation totaled [...] and that for November 1, 2019, thumbnails
signs would be installed in said vehicles with the following content: "...

to inform you that this vehicle is equipped with a geolocation system.

For more information, you can inquire at the following address: ... "


      23. Finally, during the Restricted Training session on November 17, 2020,

as well as in his email of November 18, 2020, the inspected confirmed that

the information notice communicated to the CNPD by the aforementioned letter of September 19

2019 has been transmitted and countersigned individually by all agents of the service
winter of [...].


      24. The Restricted Training first of all wishes to emphasize that Article 13 of the GDPR

refers to the obligation imposed on the controller to "provide" all

information mentioned therein. The word "provide" is crucial here and it "means

that the controller must take concrete measures to provide the

information in question to the data subject or to actively direct the person




6 […] vehicles for the Hygiene department and […] vehicles for the Roads department.

   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                     the survey no. […] carried out with the municipal administration of […]


                                                                                                       8/13 regarding the location of said information (for example by means of a link

direct, a QR code, etc.). ”(WP260 rev. 01, paragraph 33).

      25. Furthermore, it would like to point out that Article 12 of the GDPR does not de facto exclude

that the information provided for in Articles 13 and 14 may be provided orally by the

controller to the data subject. On the other hand, the WP260 rev. 01

(paragraph 21) insists that in this case the controller should ensure “to
keep a written record, and ensure that he is able to prove it (for the purposes of

compliance with the responsibility requirement), of: i) oral request for information,

ii) the method by which the identity of the data subject was verified (the case

(see point 20 above), and (iii) the fact that the information has been transmitted to
the person concerned. "


      26. During the on-site visit of CNPD agents, the inspector specifically

mentioned that the persons concerned were only informed orally about the

presence of the geolocation device in the vehicles in question as part of the

work instructions provided.


      27. Nevertheless, the Restricted Formation notes that no documentation

submitted by the inspected does not contain proof that the employees of the inspected have

been validly informed, before the on-site visit by CNPD staff, orally
in accordance with Article 13 of the GDPR.


      28. In view of the above, the Restricted Formation concludes that at the time of the

site visit by CNPD agents, Article 13 of the GDPR was not respected by the

control.


II. 2. On corrective measures


1. The principles


                                                       er
      29. In accordance with article 12 of the law of August 1, 2018, the CNPD has the
power to adopt all the corrective measures provided for in Article 58.2 of the GDPR:





   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                    the survey no. […] carried out with the municipal administration of […]


                                                                                                     9/13 "a) notify a controller or processor that data processing operations
treatment envisaged are likely to violate the provisions of these regulations;



b) call to order a controller or a processor when the

processing operations have resulted in a violation of the provisions of this Regulation;


c) order the controller or processor to comply with the requests

presented by the data subject in order to exercise their rights under the

this regulation;


d) order the controller or processor to put the data processing operations

processing in accordance with the provisions of this Regulation, where applicable, of

in a specific way and within a specific timeframe;


e) order the controller to communicate to the data subject a

personal data breach;


f) impose a temporary or permanent restriction, including a ban, of processing;



g) order the rectification or erasure of personal data or the
restriction of processing in application of Articles 16, 17 and 18 and the notification of these

measures to the recipients to whom the personal data have been disclosed

in accordance with Article 17, paragraph 2, and Article 19;


h) withdraw a certification or order the certification body to withdraw a

certification issued in application of Articles 42 and 43, or order the

certification not to issue certification if the requirements for certification

are not or no longer satisfied;


i) impose an administrative fine in application of Article 83, in addition to or

the place of the measures referred to in this paragraph, depending on the characteristics
specific to each case;




   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                    the survey no. […] carried out with the municipal administration of […]


                                                                                                    10/13 j) order the suspension of data flows addressed to a recipient located in a
third country or to an international organization. "



      30. These measures also include the power to "impose a fine

administrative pursuant to Article 83 […] ”. However, article 48.1 of the law of August 1
2018 on the organization of the National Commission for Data Protection and

of the general data protection regime specifies that “[t] he CNPD may impose

administrative fines as provided for in Article 83 of [GDPR], except against

state or municipalities. ".

      31. In addition, the Restricted Training would like to point out that the facts taken into account

in the context of this decision are those found at the start of the investigation. The

any changes relating to the processing of data subject to the investigation

intervened subsequently, even if they make it possible to fully establish or
partially compliance, do not allow retroactive cancellation of a breach

found.



      32. Nevertheless, the steps taken by the inspected to get into
compliance with the GDPR during the investigation process or to remedy

shortcomings identified by the head of investigation in the statement of objections, are taken

taken into account by the Restricted Training in the context of any corrective measures
to pronounce.



2. In this case


      33. The adoption of the following corrective measures was proposed by the Chief

of investigation to the Restricted Training in its complementary mail to the communication

grievances of August 3, 2020:


      "A) Order the controller to complete the information measures

      intended for people affected by geolocation, in accordance with

      provisions of article 13, paragraphs (1) and (2) of the GDPR by informing

      in particular the identity of the controller, the purposes of the processing and its
      legal basis, the categories of data processed, the legitimate interests pursued

   _____________________________________________________________
             Decision of the National Commission sitting in restricted formation on the outcome of
                    the survey no. […] carried out with the municipal administration of […]


                                                                                                 11/13 by the inspected, the recipients, the retention period of the data as well as
      indication of human rights and how to exercise them.



      b) To issue a call to order against the controller for

      cause of violation of the provisions of the GDPR. "

      34. The Restricted Training takes into account the steps taken by the

controlled, following the visit of CNPD agents, in order to comply with the provisions of

Article 13 of the GDPR, as detailed in his letter of August 24, 2020. More

in particular, it takes note of the following facts, which were confirmed by the inspected
during the Restricted Training session of November 17, 2020, as well as in its

e-mail of November 18, 2020:


     The information notice regarding the geolocation of intervention vehicles,

       communicated to the CNPD by letter of September 19, 2019, has been sent and

       individually countersigned by all the agents of the Hygiene Service and
       Roads service providing the winter service of [...].


     Signage stickers have been installed in the intervention vehicles

       with the following content: "... would like to inform you that this vehicle is

       equipped with a geolocation system. For more information, you
       can get information at the following address: ... "


      35. Under Article 58.2.b) of the GDPR, the CNPD may call to order a

controller or a processor when the processing operations have

resulted in a violation of the provisions of the GDPR.

      36. Taking into account the fact that at the time of the site visit of the CNPD agents,

no documentation submitted by the inspected contained proof that the

employees of the inspected have been validly informed in violation of Article 13 of the GDPR, the

Restricted Training considers it justified to issue a call to order to
against the controlled.







   _____________________________________________________________
             Decision of the National Commission sitting in restricted formation on the outcome of
                    the survey no. […] carried out with the municipal administration of […]


                                                                                                 In view of the foregoing developments, the National Commission sitting

in restricted formation and deliberating unanimously decides:


     to pronounce against the municipal administration of [...] a call to order

       for violating Article 13 of the GDPR.


So decided in Belvaux on April 21, 2021.



For the National Commission for Data Protection sitting in formation

restraint




Tine A. Larsen Thierry Lallemang Marc Lemmer

  President Commissioner Commissioner




                           Indication of remedies


This administrative decision may be the subject of an appeal for reformation in the

three months following its notification. This appeal is to be brought before the administrative court.

and must be introduced through a lawyer at the Court of one of the Orders of

lawyers.





















   _____________________________________________________________
             Decision of the National Commission sitting in restricted formation on the outcome of
                   the survey no. […] carried out with the municipal administration of […]


                                                                                               13/13