CNPD (Luxembourg) - Délibération n° 18/FR/2022

From GDPRhub
Revision as of 16:58, 6 December 2023 by Ar (talk | contribs) (Ar moved page CNPD (Luxembourg) - 18/FR/2022 to CNPD (Luxembourg) - Délibération n° 18/FR/2022)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CNPD - 18/FR/2022
LogoLU.png
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 6(1)(c) GDPR
Article 6(1)(f) GDPR
Article 12 GDPR
Article 15 GDPR
Article 58(2) GDPR
Article 83(2) GDPR
Type: Investigation
Outcome: Violation Found
Started: 04.10.2019
Decided: 13.12.2022
Published: 07.02.2023
Fine: 1,500 EUR
Parties: n/a
National Case Number/Name: 18/FR/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: CNPD (in FR)
Initial Contributor: ls

The Luxembourg DPA fined the building manager of a co-ownership property €1,500 for communicating accounting data and private addresses of some co-owners to the other co-owners to warn them about payment irregularities.

English Summary

Facts

The controller is Company A which was acting as building manager of a residence co-ownership. The data subjects are Mr A and Mr B, some of the co-owners.

On 11 February 2019, the controller sent two emails to the other co-owners. The communication contained, among other things, the following data: the accounting situation of Mr. A and Mr. B vis-à-vis the co-ownership and their private addresses. They were intended to highlight the payment irregularities concerning the two.

The data subjects informed the controller that the disclosure amounted to a data breach and encouraged him to report it within 72 hours. They also requested access to their data and information on the processing operations. The company responded more than a month after these letters, without providing the requested information.

The data subject filed a complaint. On 4 October 2019, the Luxembourg DPA opened an investigation.

In his defense, the controller explained that under applicable national law, as a building manager, it was the cashier and accountant of the co-ownership and, as such, under the co-owners' supervision. For the co-owner to do so, it was crucial to disclose the debtors details. He therefore considered that it had to comply with a legal obligation and that the processing was therefore lawful under Article 6(1)(c). The controller also invoked Article 6(1)(f), explaining that it had a legitimate interest to the processing because it would be liable if it did not recover the debts of the co-ownership.

Holding

In substantial agreement with the head of the investigation, the DPA considered that the accounting obligations to which the controller was subject did not authorise him to communicate and transmit the accounting situation of one of the co-owners to the others. The considered processing was therefore in breach of Article 5(1)(a) and Article 6(1)(c) of the GDPR. The DPA also ruled out Article 6(1)(f) on the grounds of domestic law: the building manager must indeed collect the debts but could take legal action to do so. There was therefore no legitimate interest in disclosing the data to other co-owners.

Finally, with regard to the access request, the DPA considered that the controller did not respond to the access requests within the time limit set out in Article 12(3) nor did he provide information about his inaction, as he should have done under Article 12(4). The DPA also agrees with the opinion of the Head of the investigation regarding the violation of Article 15(1)(b) and (c).

In accordance with Article 58(2) and Article 83(2), the DPA fined Company A €1,500. Since the company was no longer mandated to act as building manager at the time of the decision, the DPA did not take any corrective measures.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision of the National Commission sitting in restricted formation on the outcome

                  of survey no. […] conducted with Company A


                   Deliberation No. 18FR/2022 of December 13, 2022




The National Commission for Data Protection sitting in restricted formation

composed of Ms. Tine A. Larsen, President, and Messrs. Marc Lemmer and Alain

Herrmann, commissioners;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016
on the protection of individuals with regard to the processing of personal data

personal character and on the free movement of such data, and repealing Directive

95/46/EC;

               er
Considering the law of August 1, 2018 on the organization of the National Commission for the

data protection and the general data protection regime, in particular
its article 41;


Having regard to the internal regulations of the National Commission for the Protection of

data adopted by decision no. 3AD/2020 dated January 22, 2020, in particular its

section 10.2;

Having regard to the regulations of the National Commission for Data Protection relating to the

inquiry procedure adopted by decision No. 4AD/2020 dated January 22, 2020,

in particular its article 9;


Considering the following:












   _____________________________________________________________

             Decision of the National Commission sitting in restricted formation on the outcome of
                             survey no.[…] conducted with Company A


                                                                                               1/31 I. Facts and procedure


         The National Data Protection Commission (hereinafter: the “CNPD”)

received two complaints filed on February 27, 2019 by Mr. A

and dated February 28, 2019 by Mr. B (hereinafter together: the "complaints"

respectively the “claimants”) with respect to Company A hereinafter referred to as
“Company A” or “the Agency”, in connection with the exercise of its functions as trustee of the

co-ownership of Residence A located at L-[…], […] (hereinafter: “Residence A”).


The claimants accused the latter of "on the one hand the transmission [by] the

responsible for processing personal data to third parties without authorization

prior and without appropriate security and confidentiality measures and, on the other hand, the
                                                                                     1
non-respect by the latter of the right to information and access to their data”.


         During its deliberation session on October 4, 2019, the National Commission
for data protection sitting in plenary session (hereinafter: “Formation

Plenary”) thus decided to open an investigation with Company A on the basis of

article 37 of the law of 1 August 2018 on the organization of the National Commission for

data protection and the general data protection regime (hereinafter:
           er
“law of August 1, 2018”) and to appoint Mr. Thierry Lallemang as head

of investigation.


         According to the decision of the Plenary Formation, the purpose of the investigation was to
monitor the application and compliance with Regulation (EU) 2016/679 of the European Parliament

and of the Council of April 27, 2016 relating to the protection of individuals with regard to the

processing of personal data and the free movement of such data, and
                                                                         er
repealing Directive 95/46/EC (hereinafter: “GDPR”) and the law of 1 August 2018 in the

in the context of the complaint lodged by Mr. A on February 27, 2019. Given

that Mr. B has lodged an almost identical complaint with regard to Company A,
both complaints were investigated by the head of investigation.









1Initial findings (see definition in point 5. of this decision), Finding 3.

   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A


                                                                                                      2/31 Company A is registered […] in the Trade and Companies Register of

Luxembourg under the number […], […] at the address L-[…], […] (hereinafter: the “controlled”).
                                                                        2
The object of its business is the operation of a real estate agency.


         The controller was informed of the opening of the investigation in his regard by letter from

head of investigation dated July 28, 2020.


It appears from this letter that the head of investigation had defined two control objectives:

“1. Ensure that the treatment which is the subject of the complaints of the two claimants

respects the principles relating to the processing of personal data such as

defined by Articles 5 (1) and 6 (1) of the GDPR.


2. Ensure that the right of access of data subjects has been respected (information

on the processing operations listed in points (a) to (d) of paragraph 1 of Article 15 of the GDPR as

as requested by the persons concerned). »


The letter was accompanied by the document entitled “Initial findings Survey No.[…]”

setting out the initial findings made by the CNPD officials in this case (hereinafter:
“initial findings”). The head of the investigation offered the ability to the person checked to "dispute

the facts included in the initial findings, or to share […] [his] possible remarks,

clarifications or additions” for September 7, 2020 at the latest.


         The controller replied by letter dated July 29, 2020. He informed that he

was no longer "trustee of Residence A since [...] 2019".


         The head of investigation informed the person checked by letter dated August 3, 2020 that

the fact that he no longer acted as trustee of Residence A since […] 2019, “does not
can cancel […] [his] role as data controller for the facts observed

prior to this change. He invited the controller to respond to the requests that he

had been sent by his letter dated July 28, 2020 mentioned above within the deadlines

allotted. The controller did not send any written observations to the CNPD. 3






2 Requisition form (Registration) filed with the Trade Register and
Luxembourg companies on […].
3 Statement of Objections, point 18.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A


                                                                                                      3/31 At the end of his investigation, the head of investigation notified the person inspected on

July 12, 2021 a Statement of Objections (hereinafter: the "Statement of Objections")

detailing the shortcomings that he considered constituted in this case, and more specifically a

non-compliance with the requirements of Article 5.1.a), b) and c) (principles of legality, limitation of

purposes and minimization of data) and Article 6.1 of the GDPR (lawfulness of processing),4

as well as non-compliance with the obligations arising from article 12.3 and 4 of the GDPR

(methods for exercising the data subject's rights) and Article 15.1.b) and c)
                                                      5
of the GDPR (right of access of the person concerned).


In that Statement of Objections, the Head of Investigation proposed to the Commission

national authority for data protection sitting in restricted formation on the outcome of
the investigation (hereinafter: "Restricted Training") to impose a fine on the controlled

administrative in the amount of 2,500 (two thousand five hundred) euros. He did not offer to

corrective measures because he was of the opinion that the fact that the controlled no longer had

mandate to act as trustee of Residence A, the latter would not be in

able, either in fact or in law, to implement them. 7


         The head of the investigation offered the ability to the person checked "to take a position in writing by

relation to the grievances upheld and the corrective measures and/or sanctions proposed by the

head of investigation, as soon as possible and no later than September 8, 2021”. 8

The controller did not send any written observations to the CNPD.


          The president of the Restricted Formation informed the controller by mail in

date of December 2, 2021 that his case would be registered for the session of the Formation

Restricted on January 17, 2022. The controller did not respond to this letter either.


          During this session, the head of the investigation presented his oral observations to

support of his written observations and answered the questions posed by the Panel

Restraint.


          The decision of the Restricted Panel will be limited to the processing and obligations

at issue in the aforementioned initial findings and to the legal provisions and


4 Statement of Objections, point 28.
5 Statement of Objections, point 35.
6 Statement of Objections, point 39.
7
8 Statement of Objections, point 40.
 Co_____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A


                                                                                                        4/31regulatory for which the head of investigation found a breach in his
statement of objections.


II. Place


II. 1. On the reasons for the decision


A. On the breach related to the principles of lawfulness, limitation of purposes and

data minimization

1. On the principles


          Article 5.1 of the GDPR requires, among other things, that personal data

have to be


“a) processed in a lawful, fair and transparent manner with regard to the data subject

(lawfulness, fairness, transparency);

b) collected for specified, explicit and legitimate purposes, and not to be processed

subsequently in a manner incompatible with those purposes; further processing to

archival purposes in the public interest, for scientific or historical research purposes

or for statistical purposes is not considered, in accordance with Article 89(1),
as incompatible with the initial purposes (limitation of purposes);


c) adequate, relevant and limited to what is necessary in relation to the purposes for

which they are processed (data minimization); […]”.


          Article 6.1 of the GDPR provides that


“1. Processing is only lawful if and insofar as at least one of the conditions
following is fulfilled:


a) the data subject has consented to the processing of his or her personal data

for one or more specific purposes;


b) the processing is necessary for the performance of a contract to which the data subject

is a party or to the execution of pre-contractual measures taken at the latter's request;


   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A


                                                                                                       5/31c) processing is necessary for compliance with a legal obligation to which the controller
treatment is submitted;


d) the processing is necessary to protect the vital interests of the person

concerned or of another natural person;


e) processing is necessary for the performance of a task carried out in the public interest or falling within the
the exercise of official authority vested in the controller;


f) processing is necessary for the purposes of the legitimate interests pursued by the controller

processing or by a third party, unless the interests or freedoms and rights

fundamentals of the data subject which require data protection to be
personal nature, in particular when the person concerned is a child.


Point (f) of the first paragraph does not apply to processing carried out by the authorities

public in the performance of their duties. »


2. In this case

          It appears from the initial findings of the CNPD agents


    - that on February 11, 2019, the auditee "acting as trustee of the

        condominium Residence A […], sent an email to Mrs A and an email to

        Mr and Mrs B, all three co-owners of the residence, within the framework
        of a reminder of receivables.


        These two emails contained the following personal data:


           - Details of the accounting situation of Mr. and Mrs. A and of

               Mr and Mrs B vis-à-vis the co-ownership from January 2018 to February
               2019;


           - The private addresses of Mrs A and Mr and Mrs B.


        These two emails were sent to the other co-owners of Residence A

        as well as to a former co-owner in order to highlight payment irregularities




   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no.[…] conducted with Company A


                                                                                                     6/31 9
        from Mrs A and Mr and Mrs B”. Copies of emails

        of the audit dated February 11, 2019 are part of the documents submitted in
        the species;0



    - that on February 13, 2019, Mr A and Mr B had each sent

        an email to the controller, in which they stated, among other things, "that the email
        sent by Company A on […] 2019 to the other co-owners and the former

        co-owner constitutes a violation of personal data and

        represents a breach of confidentiality as well as an infringement of the rights of

        data subjects”, and “as such […] “strongly encourage” the

        controller to "report" this data breach

        staff at the CNPD within 72 hours of its occurrence”. The copies

        emails from the claimants are part of the exhibits tendered in this case; 12


    - that "concerning the reasons justifying the transmission of a letter addressed to a

        co-owner (also containing his address) and listing his situation

        individual accountant to other co-owners and a former co-owner, the

        controller has taken a position in several letters addressed to the

        CNPD of 04/04/2019; 04/23/2019 and 07/22/2019 […]”. Copies of letters

        of the auditee are part of the documents tendered in this case. 14


          As the Claimants had not yet received a position paper from the

checked, following the submission of their complaints on February 27 and 28, 2019, the

legal department of the CNPD wrote to the control on March 21, 2019 and asked to

the latter "to take a position on the reasons justifying the communication of the letters

initially sent to claimants and listing their individual accounting situation

detailed to other co-owners and former co-owners of Residence A”. He has








9Initial findings, finding 1.
10Initial findings, point “1. Documents added to this investigation”.
11Initial findings, finding 2.
12
  Initial findings, point “1. Documents added to this investigation”.
13Initial findings, finding 5.
14Initial findings, point “1. Documents added to this investigation”.

   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A


                                                                                                       7/31 requested details from the control by letters dated June 3 and 21, 2019.
                                                                      15
Copies of these letters form part of the exhibits tendered in this case.


          The auditee for its part, by letter dated April 4, 2019, took a position by

report to the letter from the CNPD's legal department dated March 21, 2019. A copy
of this letter is part of the exhibits tendered in this case. 16


With regard to the disputed communication, he gave "to consider that the situations

of the co-owners' accounts indicate the total amount of cash advances

made by each and of its balance towards the co-ownership".


He also indicated that “no other document likely to show the total amount

cash advances and the balance towards the co-ownership is established by the trustee so
that only this document is available to the trustee”.


Thus, it “consequently seemed to him with regard to Articles 24, 25 and 26 of the provisions

ducales of June 13, 1975 prescribing the measures of execution of the law of May 16, 1975

relating to the status of the co-ownership of the buildings, that the account situation of each

owner, insofar as it shows the total amount of its advances of

cash and its balance towards the co-ownership, could be communicated".


          By letter dated April 23, 2019, and following a telephone conversation
with an agent of the CNPD, the controller provided the following details:


“The syndic is the accountant and the cashier of the co-ownership.


As such, it is bound by a triple obligation in accounting terms:


    - He must first keep separate accounts for each syndicate, each syndicate

        constituting an autonomous legal person.


    - This separate accounting must make it possible to clearly identify the situation of

        cash in particular to put the syndicate and, through it, the co-owners,

        faced with their responsibilities in the event of a cash shortage, to detect




15Idem.
16Idem.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A



                                                                                                       8/31 possibly the union in pre-difficulty, or even in difficulty and also for

        facilitate the transfer of funds in the event of a change of trustee.


    - This accounting must make it possible to determine the accounting position of each

        co-owner with regard to the syndicate. More precisely, it must show
        clearly the identification of debtor co-owners and the assessment of their debt,

        both to take recovery action and to implement

        sureties.


For its part, it is up to the syndicate of co-owners to control the management carried out

by the trustee.


This control mainly concerns the management aspects of the syndic, in particular the
accounting of the syndicate, the development and monitoring of the provisional budget, the distribution of

expenses, the conditions under which contracts are awarded, perform the

contracts...


Consequently, within the framework of the control of the accounts made by the syndicate, it is up to the

syndicate to communicate the identification of the debtor co-owners, and the assessment of

their debts.


Indeed, it is necessary to recall that under penalty of invoking its responsibility
contractual with regard to the syndicate of co-owners, the trustee must proceed with the

possible recovery of co-ownership debts in the event that the co-owners

debtors do not pay their debt.


Therefore, with regard to both the obligations of the trustee and that of the syndicate of

co-owners, the communication of the personal account situation of the
co-owner[s] does not constitute a violation of the regulations on the protection of

data. »


A copy of the aforementioned letter from the controller is part of the documents submitted in this case. 17


          Finally, by letter dated July 22, 2019, a copy of which is part of the

documents submitted in this case, and following two reminders from the CNPD's legal department in


17Idem.
18Idem.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A



                                                                                                        9/31date of June 21, 2019 and July 15, 2019, the control took a position with regard to the mail

of the CNPD's legal department dated June 3, 2019. He referred to the position paper

in its letter of April 4, 2019 relating to the question of the legality of the communication
of the individual accounting situation of co-owners to other co-owners or to

former co-owners.


2.1. Lawfulness of processing


          The head of investigation in his statement of objections first noted that he

“it emerges from the investigation that the data controller [the controlled party] sent two

emails to the other co-owners of Residence A as well as to a former co-owner
in order to highlight payment irregularities on the part of Mrs A and Mr and

Mrs B in the context of a reminder of debts. and that "these two emails

contained the following personal data:


     Details of the accounting situation of Mr. and Mrs. A and of Mr. and

        Madame B vis-à-vis the co-ownership from January 2018 to February 2019;


     The private addresses of Mrs A and of Mr and Mrs B”. 19


          Then, the head of the investigation observed that the controlled invoked "different

legal provisions […] in his letter to the CNPD, dated 04/04/2019, to justify the
lawfulness of the processing carried out”. He noted that the controller invoked "the Grand-

of June 13, 1975 prescribing the measures for the execution of the law of May 16, 1975 on

status of the co-ownership of the buildings” to justify “the lawfulness of the processing in question

as follows: "It therefore seemed to me with regard to Articles 24, 25 and 26 of the provisions

of 13 June 1975 prescribing the measures for implementing the law of
May 16, 1975 on the status of the co-ownership of buildings, that the account situation

of each owner, insofar as it shows the total amount of its

cash advances and its balance towards the co-ownership, could be

communicated. » » . 20


          The head of the investigation considered that article 14 of the amended law of 16 May 1975

on the status of the co-ownership of buildings (hereinafter: "law of 16 May 1975")


19 Statement of Objections, point 23.
20 Statement of Objections, point 24.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A



                                                                                                      10/31" could be invoked by the data controller by allowing the trustee to bring

a legal action (debt collection action)”, noting that “this one has

that "the syndic cannot bring a legal action in the name of the union without having been
authorized by a decision of the general meeting, except in the case of an action in

debt collection even by way of forced execution or when there is an emergency

not allowing the convening of a general meeting within the time limits. On the occasion of

all disputes brought before a court and which concern the operation of a trade union

or in which the syndicate is a party, the trustee notifies each co-owner of the existence
and the subject of the proceeding. ".


However, he was of the opinion that “this article cannot justify such a transmission of

personal data ". He specified that “indeed, a simple reminder of receivables cannot

constitute a legal action. Moreover, even if a legal action for

debt collection would have been initiated, the trustee would not have needed to obtain

the prior authorization of the general meeting of co-owners and therefore no need
proactively transmit the details of the individual accounting situation and the

personal addresses of co-owners to other co-owners and to former

co-owners”.21


          Furthermore, the head of investigation, after noting that article 24 of the regulations

Grand-Ducal of 13 June 1975 prescribing the measures for implementing the law of 16 May 1975

on the status of co-ownership of buildings (hereinafter: “Grand-Ducal regulation of the
June 13, 1975) “provides that “The trustee holds, for each syndicate of co-owners,

separate accounts such as to show the accounting position of each

co-owner with regard to the syndicate. He prepares the provisional budget which is voted by

general meeting", expressed the opinion that "these regulatory provisions

do not authorize the proactive transmission of the details of the accounting situation
individual and personal addresses of co-owners to other co-owners and to

former co-owners. 22


          The Head of Investigation also noted that Article 25 of the Grand-

of June 13, 1975 “provides that “The trustee may demand the payment: 1° Of the advance

permanent cash provided for in the co-ownership regulations; 2° At the beginning of each


21 Statement of Objections, point 24.a.
22 Statement of Objections, point 24.b.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A



                                                                                                      11/31 fiscal year, of a provision which, subject to the stipulations of the co-ownership regulations

or, failing that, of the decisions of the general meeting, cannot exceed either a quarter of the

provisional budget voted for the financial year in question, i.e. half of this budget, if the

co-ownership regulations do not provide for the payment of a cash advance

permed; 3° During the financial year, either an amount corresponding to the reimbursement
expenses regularly incurred and actually paid, or provisions

quarterly, each of which cannot exceed a quarter of the provisional budget for

the financial year in question; 4° Special provisions intended to enable the execution of

decisions of the general meeting, such as those to carry out the work

provided for in articles 26 to 32 of the law of May 16, 1975, under the conditions set by

decisions of the said assembly. The general meeting decides, if necessary, on the method of
investment of the funds thus collected. » and that article 26 of the Grand-Ducal regulation of the

June 13, 1975 “provides that “Unless otherwise stipulated in the co-ownership regulations, the

sums due under the preceding article bear interest for the benefit of the syndicate. This interest,

fixed at the legal rate in civil matters, is due from the formal notice sent by

the syndic to the defaulting co-owner”.


In this regard, it noted that the provisions of Articles 25 and 26 of the Grand-

ducal of June 13, 1975 "do not authorize the proactive transmission of the details of the

individual accounting situation of each co-owner and their personal addresses
to other co-owners and former co-owners". 23


          In view of the foregoing, the head of the investigation held that the person inspected in his

letter to the CNPD dated April 4, 2019 "did not invoke any legal basis likely

to establish and justify the processing of data carried out in this case, namely the transmission

data to unauthorized third parties. He was of the opinion that the controlled did not respect the

condition of lawfulness of Article 5.1.a) of the GDPR "in the context of data processing
          25
accomplished ".


          In addition, the head of investigation found that the control stated "other

arguments […] to justify such processing in his letter of 23/04/2019 indicating



23 Statement of Objections, point 24.c.
24
25 Statement of Objections, point 24.
  Same.

   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A


                                                                                                     12/31that: “in the context of the control of the accounts made by the syndicate, it is up to the

syndicate to communicate the identification of the debtor co-owners, and the assessment of

their debts. » » .


          In this context, he identified similarities with Article 16.2 of the Regulation

Grand-Ducal of 13 June 1975. Indeed, he retained that "this article allows the council

union (taken over by the data controller under the name “union”, if

the interpretation of the head of investigation is correct) to control the management of the trustee (taken over by

the controller under the name "syndicate", if the interpretation of the controller
investigation is correct), in particular the accounts of the latter. It states that: "He [the

union council] controls the management of the trustee, in particular the accounts of the latter,

the breakdown of expenses, the conditions under which the contracts are awarded and executed

markets and all other contracts. » » .27


          He further stated that "however, the legal and regulatory provisions

invoked do not apply to the processing under review. On the one hand, the communication of

detail of the individual accounting situation of each co-owner and their addresses

personal to the co-owners and to a former co-owner was at the initiative of the trustee

only and does not respond to a request for access to these documents by members
of the trade union council specially authorized by the latter within the framework of its control of

the management of the co-ownership by the trustee. On the other hand, and even if the advice

union would have wanted to access the accounts, this information should not have been

proactively forwarded to all co-owners and a former co-owner.

Indeed, the union council is an optional body, which is not necessarily composed

of all the co-owners or former co-owners (According to article 14 of the law
                                                            28
of May 16, 1975 and Article 13 of the GDPR of June 13, 1975)”.


          In view of the foregoing, he retained that the control in his letter to the CNPD

dated April 23, 2019 "has not invoked any relevant argument allowing him to be linked
to a legal obligation or for the purposes of the legitimate interests pursued by the person responsible for the

treatment or by a third party”.9




26 Statement of Objections, point 25.
27
28Idem.
  Same.
29Idem.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A


                                                                                                       13/31 Therefore, the head of the investigation was of the opinion that the control did not respect the

conditions of lawfulness of articles 5.1.a) and 6.1 of the GDPR "in the context of the processing of

data carried out in this case, namely the transmission of data to third parties not
            30
permitted”.


          The Restricted Committee notes that the facts set out in the two complaints

with regard to the disputed communication of personal data are almost
identical.


It notes in particular that the e-mail from the controller to the co-owners and to a former

co-owner dated February 11, 2019 31 had been sent to six email addresses

different, including those of the claimants. The controller had indicated in this e-mail to do

“follow account situations” and complained that two co-owners had taken

delay in the payment of their monthly advances. He demanded payment of

these delays, and threatened to garnish wages in the event of non-payment.


Letters containing the individual accounting situation of spouses B as well as that of

Madame A, dated the same day, were attached to this email. These annexes were
appear, among other things, the names of the recipients and the respective private addresses of the

spouse, the monthly movements (sums debited and credited) for the years 2018

and 2019 and debit balances, amounts for which payment was requested.


          The Restricted Committee notes that the person checked in the letters he sent

to the CNPD during the complaint procedures, invoked two legal bases for

justify the lawfulness of its processing, namely compliance with a legal obligation (article 6.1.c)

of the GDPR) and the legitimate interest (article 6.1.f) of the GDPR).


          With regard to compliance with a legal obligation, it takes note of the

regulatory provisions that the controller invoked in his letter dated
April 4, 2019 (see point 17 of this decision) to justify the communication of






30 Statement of Objections, points 25 and 28.
31
32Initial findings, point “1. Documents added to this investigation”.
  That is to say the monthly movements from […] 2018 to […] 2019 with regard to the annex
addressed to Mr and Mrs B, and those from […] 2018 to […] 2019 with regard to the appendix
addressed to Mrs A.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A


                                                                                                      14/31individual account situations of co-owners to other co-owners, current or
old, namely Articles 24, 25 and 26 of the Grand-Ducal Regulation of 13 June 1975:


" Art. 24. The trustee keeps, for each syndicate of co-owners, accounts

separated in such a way as to show the accounting position of each co-owner at

towards the union. He prepares the provisional budget which is voted by the assembly
general.


Art. 25. The syndic may require the payment:


1° The permanent cash advance provided for in the co-ownership regulations;


2° At the beginning of each financial year, a provision which, subject to the stipulations of the
co-ownership regulations or, failing that, the decisions of the general meeting, cannot

exceed either a quarter of the estimated budget voted for the financial year in question, or half

of this budget, if the co-ownership regulations do not provide for the payment of an advance of
permanent cash;


3° During the financial year, either an amount corresponding to the reimbursement of

expenses regularly incurred and actually paid, either provisions

quarterly, each of which cannot exceed a quarter of the provisional budget for
the year in question;


4° Special provisions intended to allow the execution of decisions of the meeting

general, such as carrying out the work provided for in Articles 26 to

32 of the law of May 16, 1975, under the conditions set by decisions of the said meeting.

The general meeting decides, if necessary, on the method of investment of the funds as well as

collected.


Art. 26. Unless otherwise stipulated in the co-ownership regulations, the sums due under

of the previous article bear interest for the benefit of the syndicate. This interest, fixed at the legal rate in
civil matters, is due from the formal notice sent by the trustee to the

defaulting co-owner. »


          The Restricted Committee considers that if these provisions determine

accounting and treasurer obligations to which the audit is subject, they do not authorize

   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no.[…] conducted with Company A


                                                                                                    15/31not the communication by transmission to other co-owners, current or former, of a
e-mail having as an appendix letters addressed to a co-owner and resuming his

individual accounting situation, neither for information nor as a reminder of debt. By

moreover, the auditee did not demonstrate to what extent the disputed communication was
necessary for compliance with the duties incumbent on the trustee under these provisions,

so that the controlled could not base this treatment on these.


It considers in particular that the assertions of the audited according to which the situations

of the co-owners' individual accounts would be the only "document capable of making
statement of the total amount of cash advances and the balance towards the co-ownership” drawn up by

the trustee and at his disposal cannot disturb these findings.


          It also notes that in its letter to the CNPD dated April 23, 2019

(see point 18 of this decision), the control to found the disputed communication,
further invoked control obligations of the syndicate of co-owners concerning

the management of the syndic and the accounts of the syndicate. However, the audit cannot establish

the processing in question on legal obligations incumbent on the syndicate of
co-owners.


          With regard to the legitimate interest, the controlled, in its aforementioned letter to the

CNPD dated April 23, 2019 to found the disputed communication, also invoked

that he would bring into play his contractual liability with regard to the syndicate of
co-owners, if he would not proceed "to the possible recovery of the debts of the

co-ownership in the event that the debtor co-owners do not discharge their debt”.


          However, in view of the trustee's obligation to recover debts under

of article 14.5 of the law of May 16, 1975, which stipulates that "the trustee may not bring
legal action on behalf of the union without having been authorized to do so by a decision of

the general meeting, except in the case of an action for the recovery of debt even

by way of forced execution […]”, the Restricted Panel cannot retain this
justification to legitimize the processing in question.


          In view of the foregoing, the Restricted Formation agrees with the opinion of the Chief

investigation and concludes that Articles 5.1.a) and 6.1 of the GDPR have not been complied with by the

checked in the context of the communication at issue.


   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A


                                                                                                       16/312.2 Purpose limitation


          The head of investigation in the statement of objections also held that

“the data initially collected and processed (detail of the accounting situation of

co-owners vis-à-vis the co-ownership and private addresses) for initial purposes
determined, explicit and legitimate for a trustee in the context of his activities

regular (reminder of receivables to the debtor) were then subsequently processed from a

manner incompatible with these purposes (willingness to harm certain co-owners). In

effect, the data controller has carried out processing incompatible with these purposes,

namely the deliberate transmission of the financial situation of the co-owners concerned
to unauthorized third parties with a view to harming the debtor co-owners. The will of

controller to harm is proven in his initial email dated 02/11/2019.

Indeed, in this email, the data controller specifies that "it is a shame to see

that 2 co-owners [indicating their names and financial situation] do not pay
                                33
their monthly advances”.


He believed that the controlled "used the personal data of the co-owners
debtors for a purpose incompatible with the purposes for which the trustee could

legitimately process them, which constitutes a misuse of purpose”. Thus, he was of the opinion

that the controlled has violated Article 5.1.b) of the GDPR. 34


          Given that the Restricted Formation does not recognize a will to harm

as a specific purpose on the part of the audited, it cannot agree with the opinion of the
head of investigation, and therefore cannot conclude that Article 5.1.b) of the GDPR has been violated

by the controlled party in the context of the disputed communication.


2.3 Data minimization


          In his statement of objections, the head of investigation finally held that he

considered "that a reminder of debts could not justify the proactive transmission of

personal data to other co-owners and former co-owners”. Leaving, he

was of the opinion that “the data, by communicating them to unauthorized third parties, have been




33 Statement of Objections, point 26.
34 Statement of Objections, points 26 and 28.

   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A



                                                                                                        17/31excessively used and processed, so that article 5.1.c) of the GDPR has been
       35
violated”.


          However, in view of the lack of lawfulness of the processing in question under Article 6.1 of the
GDPR, the Restricted Committee considers that there is no need to rule on this point.


B. On the breach related to the obligation to comply with the terms and conditions of the exercise of

data subject rights


1. On the principles


          With regard firstly to the procedures for exercising the rights of the

data subject, Article 12 of the GDPR provides, among other things, that:


“[…] 3. The controller shall provide the data subject with information
on the measures taken following a request made pursuant to Articles 15 to

22, as soon as possible and in any case within one month from

of receipt of the request. If necessary, this period may be extended by two months,

given the complexity and number of requests. The controller
inform the person concerned of this extension and the reasons for the postponement within a period

one month from receipt of the request. When the person concerned

submits its request in electronic form, the information is provided electronically

electronically where possible, unless the data subject requests

let it be otherwise.

4. If the controller does not comply with the request made by the

person concerned, he shall inform the latter without delay and at the latest within one month

from receipt of the request, the reasons for its inaction and the possibility

to lodge a complaint with a supervisory authority and to lodge an appeal

jurisdictional. […]”

          With regard then to the data subject's right of access, Article

15 GDPR provides the following:






35 Statement of Objections, points 27 and 28.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of

                               survey no.[…] conducted with Company A


                                                                                                    18/31“1. The data subject has the right to obtain from the controller the
confirmation that personal data relating to him or her is or is not

processed and, when they are, access to said personal data as well as

the following information:


a) the purposes of the processing;

b) the categories of personal data concerned;


c) the recipients or categories of recipients to whom the personal data

personnel have been or will be communicated, in particular recipients who are established

in third countries or international organisations;

d) where possible, the retention period of the personal data

envisaged or, where this is not possible, the criteria used to determine this

duration ;


e) the existence of the right to request from the controller the rectification or
the erasure of personal data, or a limitation of the processing of

personal data relating to the data subject, or the right to oppose

to this treatment;

f) the right to lodge a complaint with a supervisory authority;


g) when the personal data is not collected from the

data subject, any available information as to their source;


h) the existence of automated decision-making, including profiling, referred to in Article
22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the

underlying logic, as well as the significance and intended consequences of such processing

for the person concerned.


2. When the personal data is transferred to a third country or to a
international organization, the data subject has the right to be informed of the guarantees

appropriate, under Article 46, with respect to this transfer.


3. The controller provides a copy of the personal data

undergoing treatment. The controller may require payment of
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A


                                                                                                     19/31reasonable fee based on administrative costs for any additional copies

requested by the data subject. When the person concerned presents his

request electronically, the information is provided in an electronic form

commonly used, unless the data subject requests otherwise.


4. The right to obtain a copy referred to in paragraph 3 does not affect the rights and

freedoms of others. »


2. In this case


          It appears from the initial findings of the CNPD agents


    - that on February 13, 2019, Mr A and Mr B had each sent

        an email to the controller, in which they declared, among other things, "that they have not

        been informed of how their data has been processed” and that “as such,

        they request, within 5 days, a copy of the data protection policy
        Agency data and access to information specified in Article 15 (1) (a)

        to (d) GDPR”. The copies of the claimants' emails are part of the exhibits

        paid in this case; 37


    - that a response that the audit provided to Mr. B on February 26, 2019 does not

        did not contain the information requested by the latter, and that no response

        had not been provided to Mr. A. 38A copy of the aforementioned letter from the
                                                 39
        part of the documents paid in this case;


    - that "on 16/04/2019, the data controller sends two letters

        registered with acknowledgment of receipt to Mr A and Mr B. These

        letters contain a "data protection information notice

        personal”. In a letter dated 19/06/2019, the data controller
        confirms that the aforementioned letter of 16/04/2019 constitutes a "response to

        requests for access from Messrs. A and B concerning information relating to the

        processing of their data corresponding to those provided for in Article 15



36Initial findings, finding 2.
37Initial findings, point “1. Documents added to this investigation”.
38Initial findings, finding 6.
39Initial findings, point “1. Documents added to this investigation”.


   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A


                                                                                                     20/31 paragraph 1 a (h) (sic) of the general regulation on the protection of

        data " " . The copies of the letters of the control are part of the documents paid

        in this case.41


          As the Claimants had not yet received a position paper from the

checked following the submission of their complaints on February 27 and 28, 2019, the

CNPD's legal department in its letter dated March 21, 2019 asked the

controlled information on the follow-up given to their access requests, or failing that

on the reasons that would justify refusing to exercise their right of access. He asked
details to the control by mail dated June 3, 2019. The copy of this mail is

part of the documents paid in this case. 42


          The auditee for its part, by letter dated April 4, 2019, took a position by

report to the letter from the legal department of the CNPD dated March 21, 2019. With regard to

concerning the exercise of the right of access by the complainants, he indicated that he had “responded to the

statements of Mr. B dated February 26, 2019", and that Mr. A would not have

made an access request. A copy of the aforementioned letter from the controller, with the

attaches, among other things, a copy of his email to Mr B dated February 26, 2019,
                                            43
is one of the exhibits tendered in this case.


          Finally, the controller specified in his letter to the CNPD dated
June 19, 2019 that a response to the access requests would have been sent to Messrs. A and

B by registered letter dated April 16, 2019. He attached to his letter to the CNPD

the copies of these two letters which were addressed to "Mr. and Mrs. B"

respectively to "Madame A", as well as copies of deposit receipts for a shipment

of Post Luxembourg of the same day and the corresponding acknowledgments of receipt. Control

had indicated in the registered letters that it had attached the “information note on the

personal data protection policy”. However, he did not append

this document to his mail at the CNPD.







40Initial findings, finding 7.
41
42Initial findings, point “1. Documents added to this investigation”.
  Same.
43Idem.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A


                                                                                                     21/31 A copy of this information notice was provided to the CNPD by each of the claimants

on request, namely by email from Mr B dated February 15, 2020 and by email

of Mr. A dated February 11, 2020 (hereinafter: the “information note”).


A copy of the control letter of June 19, 2019 with the above-mentioned annexes as well

that copies of the documents provided by the claimants are part of the documents submitted
             44
in this case.


          The head of investigation in his statement of objections noted “that it appears from

investigation that the claimants, Mr. A and Mr. B, each send an email to the

data controller dated 02/13/2019, in order to make an access request
to their personal data” and that they “request, within 5 days, a copy of the

Agency's data protection policy and access to specified information

in Section 15.1. a) to d) of the GDPR » .5


          Then, he noted that the control provided two answers to the claimants, to

know :


    - “a first response was provided […] within one month of receipt

        of the request to Mr B (on 02/26/2019). This response did not contain any

        information requested by Mr. B. No response was provided to

        Mr A”;


    - "a second response with an information note relating to the protection of

        personal data was sent on 04/16/2019 […] by mail to Mr.
                                                                                       46
        B and A, i.e. more than two months after the initial request of 13/02/2019”;


He noted that "these responses were therefore sent more than a month from receipt

access requests from Messrs A and B and without explanation on the extension of the deadline
response beyond one month nor on the possibility of lodging a complaint with a

control authority » .7





44Idem.
45 Statement of Objections, point 32.
46 Statement of Objections, point 33.
47
  Same.

   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A


                                                                                                        22/31 Thus, the head of investigation was of the opinion that the conditions of article 12.3 and 4 of the GDPR

had not been respected by the controller “in the context of the responses made […] to the
                                                         48
requests for access submitted by Messrs. A and B”.


          The head of investigation also noted that if the information note

mentioned above that the control sent to the claimants by registered letter in
dated April 16, 2019 "contained information on the treatments listed in the article

15.1. a), b), c) and d) of the GDPR […] information was missing in the note

information on the following points:


     Point b) of Article 15.1. of the GDPR (relating to the categories of personal data

        staff concerned): it appears from the investigation that the financial data

        were not included in the description of the categories of personal data

        personnel processed by the trustee (e.g. RIB or bank account number,
        fund movements).


     Point c) of Article 15.1. of the GDPR (relating to the recipients or categories of

        recipients to whom the personal data have been or will be

        communicated, in particular recipients who are established in third countries

        or international organizations): the information note did not mention

        recipients or categories of recipients to whom the personal data

        personnel have been or are being communicated. It is only made
        mention of the potential recipients (e.g.: "he can call on subcontractors

        external"). If applicable, the category of recipients should be specified (the

        formulation "external subcontractors" is not sufficient) and mention should be

        made if recipients are established in third countries or organizations
                          49
        international”.


Thus, the head of investigation was of the opinion that the control had not complied with the conditions of
Article 15.1.b) and c) of the GDPR “in the context of responses made […] to requests

of access introduced by Messrs A and B". 50






48 Statement of Objections, paragraphs 33 and 35
49 Statement of Objections, point 34.
50 Statement of Objections, paragraphs 34 and 35.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                                survey no.[…] conducted with Company A


                                                                                                      23/31 With regard to Mr. B's request for access, the Restricted Panel

notes that in his email to the controller dated 13 February 2019, the latter had asked

to the controlled to provide him with his "privacy policy" as well as access to the
information specified in Article 15.1.a) to d) of the GDPR.


She also notes that in her response to Mr B dated February 26, 2019 the

controlled had not sent the latter's request for access, and that the controlled did not

communicated the prospectus only with its registered letter dated

April 16, 2019, i.e. more than a month after receipt of the request.


          With regard to Mr. A's request for access, the Restricted Training
notes that he had expressly referred to the right of access conferred on him by the

GDPR 51 in his email to the controller dated February 13, 2019 by which he had

asked the latter to provide it with its privacy policy as well as access to the

information specified in Article 15.1.a) to d) of the GDPR, so that the assertion of the

controlled that Mr. A did not make an access request is false.


It also notes that the auditee did not communicate the information note to it.
only with his registered letter dated April 16, 2019, that is to say more than a month

after receipt of the request.


          The Restricted Formation considers that the controlled neither responded to the requests

of access for claimants within the period provided for in Article 12.3 of the GDPR, nor informed the

claimants of a possible reason for its inaction as required by article 12.4 of the GDPR.


          It also considers that the information note communicated with the letter

recommended by the audit dated April 16, 2019, and which had for “the objective […]
to inform the various co-owners about the processing and transfer of their

personal data by the trustee", was unsuitable for responding to requests

access for claimants.


Indeed, it did not mention all the categories of personal data

personnel concerned (article 15.1.b) of the GDPR), nor all the recipients or categories



51Excerpt from the original English text: “Pursuant to our rights of access as data subjects under the
General Data Protection Regulation, please provide us with the following information […]”.
52Point “[…]” of the information note.
   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no.[…] conducted with Company A



                                                                                                   24/31 of recipients to whom the personal data have been or will be
communicated (article 15.1.c) of the GDPR).


          In view of the foregoing, the Restricted Formation agrees with the opinion of the Chief

investigation and concludes that Articles 12.3 and 4 as well as Article 15.1.b) and c) of the GDPR

had not been complied with by the controller with regard to access requests
brought by the claimants.


II. 2. On the fine and corrective measures


1. Principles


           In accordance with article 12 of the law of August 1, 2018, the CNPD has the

power to adopt all the corrective measures provided for in Article 58.2 of the GDPR:


"(a) notify a controller or processor of the fact that the operations of the
envisaged processing are likely to violate the provisions of this Regulation;


(b) call a controller or processor to order when the

processing operations have resulted in a breach of the provisions of this Regulation;


(c) order the controller or processor to comply with requests
submitted by the data subject with a view to exercising their rights under this

these regulations;


d) order the controller or the processor to put the operations of

processing in accordance with the provisions of this Regulation, where applicable, of
specific manner and within a specified time;


(e) order the controller to communicate to the data subject a

personal data breach;


f) impose a temporary or permanent restriction, including prohibition, of processing;


g) order the rectification or erasure of personal data or the
limitation of processing pursuant to Articles 16, 17 and 18 and the notification of these

measures to the recipients to whom the personal data have been disclosed

pursuant to Article 17, paragraph 2, and Article 19;
   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no.[…] conducted with Company A


                                                                                                    25/31h) withdraw a certification or order the certification body to withdraw a
certification issued pursuant to Articles 42 and 43, or order the body to

certification not to issue certification if the requirements applicable to the certification

are not or no longer satisfied;


(i) impose an administrative penalty under section 83, in addition to or in addition to
instead of the measures referred to in this paragraph,function of characteristics

specific to each case;


j) order the suspension of data flows addressed to a recipient located in a

third country or an international organisation. »

                                                      er
          In accordance with article 48 of the law of August 1, 2018, the CNPD may impose
administrative fines as provided for in Article 83 of the GDPR, except against

of the state or the municipalities.


          Article 83 of the GDPR provides that each supervisory authority shall ensure that the

administrative fines imposed are, in each case, effective, proportionate and
deterrents, before specifying the elements that must be taken into account to decide

whether an administrative fine should be imposed and to decide on the amount of this

fine :


“(a) the nature, gravity and duration of the breach, taking into account the nature, scope
or the purpose of the processing concerned, as well as the number of data subjects

affected and the level of damage they suffered;


b) whether the breach was committed willfully or negligently;


c) any action taken by the controller or processor to mitigate the

damage suffered by the persons concerned;

d) the degree of responsibility of the controller or processor, account

given the technical and organizational measures they have implemented under the

sections 25 and 32;


e) any relevant breach previously committed by the controller or
the subcontractor ;

   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no.[…] conducted with Company A


                                                                                                    26/31f) the degree of cooperation established with the supervisory authority with a view to remedying the breach
and to mitigate any negative effects;


g) the categories of personal data affected by the breach;


h) the manner in which the supervisory authority became aware of the breach, in particular whether,

and to what extent the controller or processor notified the breach;


(i) where measures referred to in Article 58(2) have previously been
ordered against the controller or processor concerned for the

same purpose, compliance with these measures;


(j) the application of codes of conduct approved pursuant to Article 40 or

certification mechanisms approved under Article 42; And


k) any other aggravating or mitigating circumstance applicable to the circumstances of
the species, such as the financial advantages obtained or the losses avoided, directly or

indirectly, as a result of the breach”.


          The Restricted Committee would like to point out that the facts taken into account in the

context of this decision are those found at the start of the investigation. The possible
changes relating to the data processing under investigation

subsequently, even if they make it possible to establish in whole or in part the

conformity, do not make it possible to retroactively cancel a breach noted.


          Nevertheless, the steps taken by the controller to put themselves in
compliance with the GDPR during the investigation process or to remedy the

shortcomings noted by the head of investigation in the statement of objections, are taken

taken into account by the Restricted Training in the context of any corrective measures

to pronounce and/or the setting of the amount of a possible administrative fine to be
pronounce.










   _____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no.[…] conducted with Company A


                                                                                                    27/312. In this case


2.1 Regarding the imposition of an administrative fine


          In the statement of objections, the head of investigation proposes to the Panel
Restricted to impose an administrative fine on the person controlled in the amount of 2,500 (two

one thousand five hundred) euros.53


          In order to decide whether to impose an administrative fine and to decide,

where applicable, the amount of this fine, the Restricted Panel takes into account
the elements provided for in Article 83.2 of the GDPR:


- As to the nature and seriousness of the violation (Article 83.2.a) of the GDPR), it is

    that with respect to breaches of Article 5.1.a) and Article 6.1 of the GDPR, they

    constitute breaches of a fundamental principle of the GDPR (and of the right to

    data protection in general), namely the principle of lawfulness enshrined in the
    Chapter II “Principles” of the GDPR.


    It also notes that compliance with the right of access provided for in Article 15 of the GDPR

    is one of the major requirements of the right to data protection, because it constitutes

    the "gateway" allowing the exercise of the other rights that the GDPR confers on the
    data subject, such as the rights to rectification and erasure provided for by

    GDPR Articles 16 and 17.


    In addition, in the present case, the breaches found do not relate solely to the right

    of access, but also the procedures for exercising this right provided for in Articles

    12.3 and 4 of the GDPR which have not been complied with by the controller.

- As for the duration criterion (article 83.2.a) of the GDPR), the Restricted Panel finds

    that the breaches of the claimants' rights of access have lasted over time,

    at least since February 13, 2019, the date of their access requests, and until the

    receipt of the information note communicated by the controller with his letter

    recommended on April 16, 2019. Furthermore, it does not have any
    documentation that proves that the auditee has in the meantime responded in full to the




53
  VS_____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no.[…] conducted with Company A


                                                                                                    28/31 requests for access from claimants by sending them all the data to
    personal nature processed by him as required by Article 15.1 a) to d) of the GDPR.


- As for the number of data subjects (article 83.2.a) of the GDPR), the Training

    Restreinte finds that the breaches noted in Articles 5.1.a) and 6.1 of the

    GDPR concern the two claimants, their wives and the other co-owners,
    old and current, while the breaches noted in Articles 12.3 and 4 as well as

    that Article 15.1 b) and c) of the GDPR only concern the two claimants.


- As to whether the breaches were committed deliberately or
    not (by negligence) (article 83.2.b) of the GDPR), the Restricted Panel recalls that

    "not deliberately" means that there was no intention to commit the violation,

    although the controller or processor has not complied with the obligation

    due diligence required by law.

    In this case, it is of the opinion that the facts and breaches observed do not reflect

    not a deliberate intention to violate the GDPR on the part of the controller.


          The Restricted Committee notes that the other criteria of article 83.2 of the

GDPR are neither relevant nor likely to influence its decision on the taxation
an administrative fine and its amount.


          Therefore, the Restricted Committee considers that the pronouncement of a fine

administrative is justified with regard to the criteria laid down by article 83.2 of the GDPR for

breach of Articles 5.1.a), 6.1, 12.3 and 4 as well as Article 15.1.b) and c) of the GDPR.

          As regards the amount of the administrative fine, it recalls that the

paragraph 3 of Article 83 of the GDPR provides that in the event of multiple infringements, such as

this is the case here, the total amount of the fine may not exceed the amount set for
the most serious violation. To the extent that a breach of Articles 5, 6, 12 and 15

of the GDPR is reproached to the controlled, the maximum amount of the fine that can be retained

amounts to 20 million euros or 4% of worldwide annual turnover, whichever is the greater

high being retained.

          With regard to the relevant criteria of Article 83.2 of the GDPR mentioned above, the

Restricted Formation considers that the imposition of a fine in the amount of 1,500


   _____________________________________________________________
              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no.[…] conducted with Company A


                                                                                                    29/31 (one thousand five hundred) euros appears to be both effective, proportionate and dissuasive, in accordance

the requirements of Article 83.1 of the GDPR.

2.2 Regarding the taking of corrective measures


          In the statement of objections, the head of investigation did not propose to the

Restricted training to adopt the corrective measures. Indeed, "given that the

subject of this investigation […] no longer has a mandate to act as

as syndic of Residence A since […] 2019" the head of the investigation was of the opinion "that he
does not make sense to propose additional corrective measures to the fine

administrative proposed above, given that the control will not be able, nor
                                                                    54
in fact, nor in law, to implement corrective measures”.





In view of the foregoing developments, the National Commission sitting
in restricted formation, after having deliberated, decides:


- to retain the breaches of Articles 5.1.a), 6.1, 12.3 and 4 as well as Article 15.1b)

    and c) GDPR; And


- to pronounce against Company A, an administrative fine of an amount

    of 1,500 (one thousand five hundred) euros, with regard to breaches of articles
    5.1.a), 6.1, 12.3 and 4 as well as in article 15.1.b) and c) of the GDPR.


Belvaux, December 13, 2022.





For the National Data Protection Commission sitting in formation

restraint




Tine A. Larsen Marc Lemmer Alain Herrmann

 President Commissioner Commissioner



54
  VS_____________________________________________________________

              Decision of the National Commission sitting in restricted formation on the outcome of
                               survey no.[…] conducted with Company A


                                                                                                    30/31 Indication of remedies


This administrative decision may be the subject of an appeal for review in the
three months following its notification. This appeal is to be brought before the administrative court.

and must be introduced through a lawyer at the Court of one of the Orders of

lawyers.


















































   _____________________________________________________________

               Decision of the National Commission sitting in restricted formation on the outcome of
                                 survey no.[…] conducted with Company A


                                                                                                         31/31