CNPD (Luxembourg) - Délibération n°43FR/2021

From GDPRhub
Revision as of 09:15, 3 December 2021 by FD (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Luxembourg |DPA-BG-Color= |DPAlogo=LogoLU.png |DPA_Abbrevation=CNPD (Luxembourg) |DPA_With_Country=CNPD (Luxembourg) |Case_Number_Name=Délib...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CNPD (Luxembourg) - Délibération n°43FR/2021
LogoLU.png
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 37(1) GDPR
Type: Investigation
Outcome: No Violation Found
Started:
Decided: 27.10.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: Délibération n°43FR/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): French
Original Source: Luxembourg DPA (in FR)
Initial Contributor: Florence D'Ath

The Luxembourg DPA found that a non-profit association, forming part of a confederation of entities providing social services, had wrongfully concluded that it was obliged to appoint a DPO pursuant to Article 37(1) GDPR. In the absence of any violation, however, the CNPD closed the case.

English Summary

Facts

In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the role of the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR).

One of these audit proceedings concerned a not-for-profit association (Association Sans But Lucratif) established under Luxembourg law (hereafter, the ASBL). The ASBL is part of a confederation specialised in the provision of social services. In that context, the ASBL has established different partnerships with various entities providing social services in Luxembourg (the Patner Entities). The core activities of the ASBL is therefore not to provide social services, but rather to manage the funding of the partner entities, validate common strategies for the confederation, and determine which Partner Entities are responsible for their implementation.

During the audit, it was found by the head of investigation of the CNPD that the ASBL had appointed a DPO pursuant to Article 37(1) GDPR. No violation of the obligations relating to the role and position of the DPO was found.

Holding

Based on the findings of the audit report, the CNPD concluded that there has been no violation of Article 37 to 39 GDPR. The CNPD questionned however the necessity for the ASBL to appoint a DPO in the first place. The CNPD therefore invited the head of investigation to get complementary information on that point.

Taking into account the managerial role of the ASBL within the confederation, and in particular the fact that the ASBL itself was not processing health data for the provision of social services, the CNPD found that the ASBL had wrongfully concluded that it was under an obligation to appoint a DPO under Article 37(1) GDPR. The CNPD further pointed out that the investigation should have covered the processing activities of the Partner Entities of the confederation.

Based on these considerations, the CNPD concluded to the absence of violations by the ASBL and closed the case.

Comment

Even when the GDPR does not specifically require the appointment of a DPO pursuant to Article 37(1) GDPR, organisations may designate a DPO on a voluntary basis. Such practice is encouraged by the Article 29 Working Party (the predecessor of the EDPB). If a DPO is appointed on a voluntary basis however, the requirements under Articles 37 to 39 will apply. In this case, however, the CNPD did not analyse in details whether these requirements had been fulfilled by the ASBL, pointing that the investigation should have rather covered the activities of the Partner Entities providing the social services.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

 Decision of the National Commission sitting in restricted formation on

        the outcome of survey no. [...] conducted with the Association without

                                         profit A.

                         Deliberation n ° 43FR / 2021 of October 27, 2021



The National Commission for Data Protection sitting in a restricted body,

composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc

Lemmer, commissioners;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on

the protection of individuals with regard to the processing of personal data

personnel and the free movement of such data, and repealing Directive 95/46 / EC;


              er
Having regard to the law of 1 August 2018 on the organization of the National Commission for the Protection
data and the general data protection regime, in particular Article 41 thereof;



Having regard to the internal regulations of the National Commission for Data Protection

adopted by decision n ° 3AD / 2020 dated 22 January 2020, in particular Article 10, point

2;


Having regard to the regulations of the National Commission for Data Protection relating to the

investigation procedure adopted by decision n ° 4AD / 2020 dated 22 January 2020, in particular

its article 9;



Considering the following:


    I. Facts and procedure


1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and

the importance of its integration into the body, and considering that the guidelines
                                                                 1
concerning DPOs have been available since December 2016, i.e. 17 months before entry into
application of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016




1The guidelines concerning DPOs were adopted by the “Article 29” working group on 13
December 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017.
________________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                       the survey n ° [...] carried out with the non-profit association A
                                                                                                        1/7 relating to the protection of natural persons with regard to the processing of personal data

personal data and the free movement of such data, and repealing Directive 95/46 / EC

(general data protection regulation) (hereafter: the "GDPR"), the Commission
National Data Protection Authority (hereinafter: the "National Commission" or the

"CNPD") has decided to launch a thematic survey campaign on the function of the DPO.

Thus, 25 audit procedures were opened in 2018, concerning both the private sector and the

public sector.

2. In particular, the National Commission decided by decision no. […] Of 14

September 2018 to initiate an investigation in the form of a data protection audit

with the non-profit association A located at […], L- […] and registered in the register of

Luxembourg trade and companies under the number […] (hereinafter: the “controlled”) and
appoint Mr. Christophe Buschmann as head of the investigation. Said deliberation specifies that

the investigation relates to the compliance of the inspected with section 4 of chapter 4 of the GDPR.



3. According to Article 3 of its statutes, the purpose of the inspected is [to provide social services].


4. By letter of September 17, 2018, the head of the survey sent a questionnaire

preliminary to the control to which the latter replied by email of October 15, 2018.
on-site visits took place on January 28, 2019 and March 13, 2019. Following these discussions, the

Chief Investigator drew up the audit report no. […] (hereafter: the "audit report").



5. It emerges from the audit report that in order to verify the compliance of the organization with the
section 4 of chapter 4 of the GDPR, the head of the investigation defined eleven control objectives,

know :


    1) Ensure that the body subject to the obligation to appoint a DPO has done so;

    2) Make sure that the organization has published the contact details of its DPO;

    3) Ensure that the organization has communicated the contact details of its DPO to the CNPD;
    4) Ensure that the DPO has sufficient expertise and skills to

        carry out its missions effectively;

    5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest;
    6) Ensure that the DPO has sufficient resources to perform effectively

        of its missions;

    7) Ensure that the DPO is able to carry out his missions to a sufficient degree

        autonomy within their organization;
________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                      survey no. [...] conducted with the non-profit association A 2/7 8) Ensure that the organization has put in place measures so that the DPO is associated with

        all matters relating to data protection;

    9) Ensure that the DPO fulfills his mission of information and advice to the

        data controller and employee;
    10) Ensure that the DPO exercises adequate control over data processing within

        of his body;

    11) Ensure that the DPO assists the controller in carrying out the

        impact analyzes in the event of new data processing.


6. By letter of 28 October 2019 (hereinafter: the “statement of objections”), the Chief
investigation informed the inspector of breaches of obligations under the GDPR that it

noted during its investigation. The audit report was attached to the letter.



7. In particular, the head of the investigation noted in the statement of objections a
                                                       2
breach relating to the DPD's control mission.


8. By letter of November 18, 2019, the inspector sent the head of the investigation

position regarding the failure noted in the statement of objections.



9. On December 3, 2020, the head of the investigation sent the inspectorate a letter
complementary to the statement of objections by which he informs the inspectorate that,

given the position taken by the latter of November 18, 2019, "it is appropriate to lift the grievance

relating to compliance with the requirements relating to the missions of the DPO and in particular

control "and that" [i] t therefore no longer has any grievance against you
regarding this investigation. "



10. By email of December 7, 2020, the head of the investigation forwarded the investigation file to

the National Commission sitting in a restricted formation (hereinafter: the "formation

restricted "), indicating that it has not accepted any grievance or breach against the inspected,
when the latter had met the expectations set in the survey or presented

elements of mitigation that it considers sufficient in relation to the control objectives adopted

in point 5 of this decision. For these reasons, the investigator proposed to the training

restricted, in its communication of December 7, 2020, the closure of the file.




2Objective 10
________________________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of

                       the survey n ° […] carried out with the non-profit association A 3/711. The restricted committee examined the case during its session on February 5, 2021,

in accordance with Article 10.2.a) of the Rules of Procedure of the National Commission.


12. During the said session, the restricted committee considered that it was not sufficient

enlightened on the point of knowing whether the controlled, taking into account its structure, within which

several member entities are grouped together, and the predominance of said entities for

the management and exercise of its activities, is obliged to appoint a delegate to
data protection under Article 37 (1) of the General Regulation on

Data protection.


13. The restricted committee therefore asked the head of the investigation, by letter from

25 March 2021, to proceed, in accordance with Article 10.2.a) of the internal regulations of

the National Commission, to further investigation on this point.


14. By email of May 25, 2021, the head of the investigation asked the control of him

communicate additional information and documents, in particular concerning

activities of the inspectorate and its decision-making structure, in order to be able to inform the training

limited on whether the inspected is obliged to appoint a delegate
to data protection under Article 37 (1) of the General Regulation on

Data protection.



15. The inspected responded to this request by letter of June 15, 2021. The inspected there
indicates in particular that he carried out an analysis that led him to consider that he is in

the obligation to appoint a DPO and that this analysis has been updated

given the questions raised by the restricted committee in this regard.


16. Following this exchange, the head of the investigation informed the restricted party, by email from the

June 22, 2021, from its conclusion on the item for further investigation, according to

which the inspected is indeed subject to the obligation to appoint a DPO. The head of inquiry has by
elsewhere again proposed to the restricted committee to close the file, considering that it

There is no reason to hold any breach with regard to the inspected.



17. The restricted committee examined the case again at its meeting on October 27.
2021, in accordance with Article 10.2.a) of the Commission's Rules of Procedure

national.

________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                      the survey n ° […] carried out with the non-profit association A 4/718. Taking into account the elements communicated by the inspected within the framework of the supplement

investigation, the small group finds that it does not share the chief's conclusion
investigation according to which the inspected is indeed subject to the obligation to appoint a delegate to

Data protection.



19. It should first be noted that the inspected is an entity [...] "which brings together the
activities organized for its service provider members ”and that, as mentioned in

point 12 of this decision, these entities have a preponderant place for the management and

the exercise of its activities.


20. As for the activities of the inspected, the restricted formation notes that if the chief

investigation rightly noted in its email of June 22, 2021 that "[t] he core activities

[of the controlled] are [to provide social services] and that, as part of these activities, the
controlled processes data relating to health, the head of the investigation also noted

that “[i] n the framework of its basic activities, [the controlled] does not have any collaborators.

All the activities are carried out by another entity, member of the network [of the controlled], to

the account [of the controlled]. "


21. In this regard, it should be noted that in its response of 15 June 2021, the inspected

only identified a single "own operational activity", the other activities mentioned

being on the one hand "Operational activities delegated" to one of its member entities
and on the other hand, "Administrative and support activities" delegated to two entities

members.



22. With regard to the decision-making structure, the elements communicated by the
controlled confirm that its member entities, which sit in its Assembly

general, occupy a prominent place, it being specified "that an activity is recognized

as an activity [of the controlled] if it was set up by decision of the board
of directors ", this board of directors being" composed of at least [...] members and

of [...] members at most, taken from among the active members and elected by the general assembly

ordinary and annual ruling by a simple majority of the votes of the active members present. "


23. The inspected also indicates that this board of directors (hereinafter: CA) "is

responsible for the general management [of the controlled] and for the strategy of the network. Since [the

________________________________________________________________________


              Decision of the National Commission sitting in restricted formation on the outcome of
                      the survey n ° [...] carried out with the non-profit association A 5/7 controlled] has a very limited activity of its own, the Board of Directors focuses on agreements

    strategic between the partners forming the network. It validates common strategies

    proposed by the partners, determines where applicable their funding and the entity (ies)
    responsible for their operationalization. "



    24. Finally, the controlled indicates that it is "[in] summary (...) a confederation bringing together the

    members, actors and drivers of a common idea in order to determine common policies
    and organize their application at the level of field activities. Thus any daily management

    (also that [of the controlled itself]) is entrusted to operational entities, in

    occurrence to partners. "


    25. In view of the above, the restricted committee considers that it was not established by the

    further investigation that the controlled, namely the non-profit association A, was

    in the obligation to appoint a DPO.


26. In addition, taking into account the objectives defined by the CNPD within the framework of the

    thematic survey on the function of the DPO, and in particular the criteria used for

    selection of entities, the restricted committee considers that the investigation opened by deliberation
    No. […] of September 14, 2018 should also have covered, given their activities and

    data processing, on other operational entities, members providing

    the non-profit association A.


    27. In these circumstances, the restricted committee considers that the case should be closed,

    in accordance with Article 10.2.a) of the Rules of Procedure of the National Commission.



    In view of the foregoing developments, the National Commission sitting in
    restricted formation and deliberating unanimously decides:


    - to close the investigation opened by deliberation n ° [...] of September 14, 2018 of the

    National Commission for Data Protection with the Non-Profit Association

    A located at […], L- […] and registered in the Luxembourg trade and companies register
    under the number […]







    ________________________________________________________________________


                  Decision of the National Commission sitting in restricted formation on the outcome of
                          the survey n ° [...] carried out with the non-profit association A 6/7 As decided in Belvaux on October 27, 2021.



The National Commission for Data Protection sitting in a restricted body








Tine A. Larsen Thierry Lallemang Marc Lemmer
  President Commissioner Commissioner





                              Indication of remedies



This administrative decision may be the subject of an appeal for reformation within three
months following its notification. This appeal is to be brought before the administrative tribunal and must

must be introduced through a lawyer at the Court of one of the Bar Associations.


































________________________________________________________________________


             Decision of the National Commission sitting in restricted formation on the outcome of
                     the survey n ° [...] carried out with the non-profit association A 7/7