CNPD (Luxembourg) - Délibération n° 42FR/2021

From GDPRhub
Latest revision as of 10:52, 2 December 2021

Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 37(1) GDPR
Type: Investigation
Outcome: No Violation Found
Started:
Decided: 27.10.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: Délibération n° 42FR/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): French
Original Source: Luxembourg DPA (in FR)
Initial Contributor: Florence D'Ath

The Luxembourg DPA (CNPD) found that the offering of a loyalty programme by a company to its customers did not amount to a regular and systematic monitoring of the customers pursuant to Article 37(1)(b) GDPR, and that the Company therefore did not need to appoint a Data Protection Officer.

English Summary

Facts

In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings both in the private and public sector with regard to the role of the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR).

One of these audit proceedings concerned a Luxembourg private company (hereafter, the Company). During the audit, the head of investigation of the CNPD found that the Company had failed to appoint a Data Protection Officer (DPO) as required by Article 37(1) GDPR.

Article 37(1) GDPR envisages two situations where private controllers (such as private companies) must appoint a DPO. In particular, a private controller must appoint a DPO when:

  • its (i) core activities consist of processing operations which require (ii) regular and systematic monitoring of data subjects (iii) on a large scale; or
  • its (i) core activities consist of processing (ii) on a large scale of (iii) sensitive data pursuant to Article 9 GDPR or Article 10 GDPR.

In the case at hand, it was not contested that the Company was not processing sensitive data on a large scale. However, the audit report drafted by the head of investigation had concluded that one of the core activities of the Company was the offering of a loyalty programme to its customers, which included the processing of personal data through loyalty cards, and that such processing had to be considered as a regular and systematic monitoring of its customers on a large scale.

The head of investigation of the CNPD therefore recommended issuing an injunction ordering the Company to appoint a DPO, and imposing a fine of €80.000 on the Company for failure to appoint a DPO in due time.

Holding

After reviewing the facts of the case and the applicable law, the CNPD decided against the recommendations of the head of investigation.

The CNPD first noted that the Company had completed a documented analysis on the need to appoint a DPO pursuant to Article 37(1) GDPR, and had concluded that it was not bound to do so.

The CNPD then agreed with the conclusion of the audit report that the offering, by the Company, of a loyalty programme to its customers was part of the core activities of the Company. The CNPD also agreed with the conclusion of the audit report that such activities were conducted on a large scale, taking into account, in particular, the number of customers concerned, and the geographical scope of the processing.

As for the third condition, however, the CNPD found that the offering by the Company of a loyalty programme to its customers did not constitute a "regular and systematic monitoring of data subjects". The CNPD noted in this respect that the Company was processing the personal data attached to loyalty cards in order to manage its customers' accounts and offer them rewards, but not to monitor their purchasing behaviour. In other words, the CNPD considered that the purpose of the processing was the management of the loyalty programme, and not the regular and systematic monitoring of the customers' behaviour.

Based on these considerations, the CNPD concluded that the conditions of Article 37(1)(b) GDPR were not fulfilled, and that the Company did not have the obligation to appoint a DPO. As a consequence, the CNPD decided to close the investigation, and not to issue any injunction or impose any fine on the Company.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision of the National Commission sitting in restricted formation on the outcome of survey no. [...] conducted with Company A

Deliberation n° 42FR/2021 of October 27, 2021

The National Commission for Data Protection sitting in a restricted body, composed of Mrs Tine A. Larsen, president, and Messrs Thierry Lallemang and Marc Lemmer, commissioners;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC;

Having regard to the law of 1 August 2018 on the organization of the National Commission for Data Protection and the general data protection regime, in particular Article 41 thereof;

Having regard to the internal regulations of the National Commission for Data Protection adopted by decision n° 3AD/2020 dated 22 January 2020, in particular Article 10, point 2;

Having regard to the regulations of the National Commission for Data Protection relating to the investigation procedure adopted by decision n° 4AD/2020 dated 22 January 2020, in particular its article 9;

Considering the following:

I. Facts and procedure


1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and the importance of its integration into the body, and considering that the guidelines concerning DPOs have been available since December 2016,[1] i.e. 17 months before the entry into application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation) (hereafter: the "GDPR"), the National Commission for Data Protection (hereinafter: the "National Commission" or the "CNPD") decided to launch a thematic survey campaign on the function of the DPO. Thus, 25 audit procedures were opened in 2018, involving the private sector as much as the public sector.

[1] The guidelines concerning DPOs were adopted by the "Article 29" working group on 13 December 2016. The revised version (WP 243 rev. 01) was adopted on April 5, 2017.


2. In particular, the National Commission decided by deliberation n° […] of September 14, 2018 to initiate an investigation in the form of a data protection audit of Company A, located […], L-[…] and registered in the Luxembourg trade and companies register under the number […] (hereinafter: the "controlled"), and to designate Mr. Christophe Buschmann as the head of the investigation. The said deliberation specifies that the investigation relates to the compliance of the inspected with section 4 of chapter 4 of the GDPR.

3. […] the inspected [is active in the retail trade in non-specialized stores with a predominance of food].

4. By letter of September 17, 2018, the head of the investigation sent the inspected a preliminary questionnaire, to which the latter replied by email of October 8, 2018. An on-site visit took place on February 27, 2019 and a telephone meeting took place on February 22, 2021.

5. As part of this audit campaign, in order to verify the organization's compliance with section 4 of chapter 4 of the GDPR, the head of the investigation defined eleven control objectives, included in the report of the visit of February 27, 2019, namely:

1) Ensure that the body subject to the obligation to appoint a DPO has done so;
2) Ensure that the organization has published the contact details of its DPO;
3) Ensure that the organization has communicated the contact details of its DPO to the CNPD;
4) Ensure that the DPO has sufficient expertise and skills to carry out its missions effectively;
5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest;
6) Ensure that the DPO has sufficient resources to perform its missions effectively;
7) Ensure that the DPO is able to carry out his missions with a sufficient degree of autonomy within his organization;
8) Ensure that the organization has put in place measures to ensure that the DPO is associated with all matters relating to data protection;
9) Ensure that the DPO fulfills his mission of information and advice to the data controller and employees;
10) Ensure that the DPO exercises adequate control over data processing within his body;
11) Ensure that the DPO assists the controller in carrying out impact analyses in the event of new data processing.



6. By letter of March 15, 2021 (hereafter: the "statement of objections"), the head of the investigation informed the inspected of the breaches of obligations under the GDPR that he noted during his investigation, as well as the corrective measures and sanctions that he proposes to the National Commission sitting in restricted formation (hereafter: the "restricted formation") to adopt.

7. In particular, the head of the investigation noted in the statement of objections a breach of the obligation to appoint a DPO[2] and proposed to the restricted formation to adopt corrective action as well as to impose an administrative fine in the amount of 80,000 euros.

8. By letter of April 12, 2021, the inspected sent his observations on the statement of objections to the head of the investigation.

9. By letter of June 2, 2021, the President of the CNPD informed the inspected of the date of the session during which the case concerning him would be examined, and of the opportunity offered to him to be heard there. By letter of June 29, 2021, the inspected informed the President of the CNPD that he would not attend.

10. The matter was on the agenda for the restricted formation session on July 14, 2021. In accordance with Article 10.2.b) of the Rules of Procedure of the National Commission, the head of the investigation made oral submissions on the case and responded to the questions asked by the restricted formation.

[2] Objective n° 1

II. Place

A. On the failure to appoint a DPO

1. On the principles


11. According to article 37.1 of the GDPR, "The controller and the processor designate in any case a data protection officer when:

a) the processing is carried out by a public authority or a public body, with the exception of courts acting in the exercise of their judicial function;

b) the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or

c) the core activities of the controller or processor consist of large-scale processing of special categories of data referred to in Article 9 and personal data relating to criminal convictions and offenses referred to in Article 10."



12. The Article 29 Data Protection Working Party adopted on 13 December 2016 guidelines concerning DPOs, which have been taken up and re-approved by the European Data Protection Board on May 25, 2018.[3] These guidelines provide clarifications on the concepts of "core activities" and "large scale" which can be found in Article 37.1.b) and c) of the GDPR, as well as on the notion of "regular and systematic monitoring" found in Article 37.1.b) of the GDPR.

13. With regard to the concept of "core activities", the guidelines state that "[t]he 'core activities' can be seen as the core operations to achieve the objectives of the controller or processor. They also include all activities for which the data processing is an integral part of the activity of the controller or processor".[4]

[3] WP 243 v.01, version revised and adopted on April 5, 2017.
[4] WP 243 v.01, version revised and adopted on April 5, 2017, p. 24.

14. As for the concept of "large scale", the guidelines recommend considering the following factors:

"- the number of people concerned, either in absolute value or in relative value in relation to the population concerned;
- the volume of data and/or the spectrum of data processed;
- the duration, or permanence, of the data processing activities;
- the geographical extent of the processing activity".[5]

15. Finally, with regard to the notion of "regular and systematic monitoring", the guidelines state that monitoring is not limited to the "online environment".[6] The term "regular", according to the guidelines, covers "one or more of the following meanings:

- continuous or occurring at regular intervals over a given period;
- recurring or repeating at fixed times;
- taking place constantly or periodically."

As for the term "systematic", it covers "one or more of the following meanings:

- occurring in accordance with a system;
- pre-established, organized or methodical;
- taking place as part of a general data collection program;
- carried out as part of a strategy."[7]



2. In this case

16. As part of this audit campaign, for the head of the investigation to consider objective 1 as fulfilled by the inspected, he expects the body to have appointed a DPO on 25 May 2018 if its processing falls within the scope of Article 37.1 of the GDPR.

17. It should be noted that the inspected carried out a documented analysis, as is recommended by the DPO guidelines,[8] by which he arrived at the conclusion that he was not obliged to appoint a DPO. This analysis was sent by the inspected, together with his answers to the preliminary questionnaire, by email of 8 October 2018.

[5] WP 243 v.01, version revised and adopted on April 5, 2017, p. 25.
[6] WP 243 v.01, version revised and adopted on April 5, 2017, p. 25.
[7] WP 243 v.01, version revised and adopted on April 5, 2017, p. 26.
[8] WP 243 v.01, version revised and adopted on April 5, 2017, p. 7.



18. It emerges in particular from this analysis that the inspected "considers that if [his] activities can sometimes include a dimension of large scale or regular monitoring […] [its] activities do not have the two elements together." It is also indicated that the controlled "does not carry out regular monitoring of customer activities (no profiling). Purchases are sometimes recorded on the customer card (at the customer's discretion) but are not used for direct marketing purposes. These data are processed only for the purposes of restocking, customer relations when the latter calls, or for the calculation of his points and to fulfill legal obligations."

19. In the statement of objections, the head of the investigation refers to this analysis on page 5: "[t]he investigation shows that [the inspected] did not appoint a DPO. The CNPD agents take note that, in accordance with the DPO guidelines of the Article 29 working group on data protection, [the inspected] documented an analysis internally in collaboration with its consultants (...) in order to determine whether or not there is reason to appoint a DPO. On the basis of this internal analysis, the position [of the inspected] is that a DPO does not seem necessary in view of the activities carried out."

20. The head of the investigation then noted that the inspected "offers a loyalty card service to its customers and that there are more than [...] active customer cards (i.e. used in the year). As part of the management of these customer cards, [the inspected] performs data processing including purchase history and loyalty points. The loyalty cards (...) operate in all [controlled] stores, as well as in other partner stores." According to the head of the investigation, "the proposal of a loyalty program is an integral part of the activity [of the controlled]"; it would consequently be a "core activity" of the controlled, taking into account the details provided in the DPO guidelines on this notion.[9]

21. As to the question of whether the inspected carries out systematic and regular monitoring on the basis of the data collected via the loyalty card, the head of the investigation considers that "[i]t emerges from the elements of the investigation that the [loyalty] card makes it possible to track the purchases of a person through loyalty points. The monitoring is organized, occurs in accordance with a system ([…]) and is carried out as part of a strategy, here a loyalty strategy. The argument that the cardholder uses it 'at will' is inoperative. Indeed, (...) the loyalty program is part of a strategy that encourages the card holder to use it to collect points. As soon as a customer enters the loyalty program, he is part of a systematic and regular monitoring system. Although the purpose of 'monitoring' may not be pursued as such by the controller, the fact remains that, in order to achieve the purposes pursued (restocking, customer relationship, etc.), the controller has set up a systematic and regular monitoring system."

[9] WP 243 v.01, version revised and adopted on April 5, 2017, p. 24.


22. With regard to the notion of "large scale", the head of the investigation first notes "that there are more than […] active [loyalty] cards" […]. Then, with regard to the geographical scope, he noted that said card "can be used in all stores [of the controlled] in the country as well as in many other partner brands." Finally, concerning the duration of the processing, the head of the investigation noted that the loyalty card allows "to trace the purchases of its holder over a period of two years". The head of the investigation concludes that "[o]wing to the number of people concerned, the geographical scope of the processing activity, as well as its duration (...) the [loyalty] card must (…) be considered as large-scale processing within the meaning of article 37 paragraph (1) of the GDPR."

23. Taking into account the criteria examined by the head of the investigation in order to determine whether the controlled was and remains under the obligation to appoint a DPO, the restricted formation deduces that these are the criteria of Article 37.1.b) of the GDPR, which is however not explicitly mentioned in the statement of objections, which only refers to Article 37.1 of the GDPR. The restricted formation also finds that it is essentially on the basis of the analysis of the "management of customer cards" (or "[loyalty] card") processing that the head of the investigation came to the conclusion that the inspected was and remains under the obligation to appoint a DPO under Article 37.1.b) of the GDPR.

24. In its position statement of April 12, 2021, the inspected returns in particular to the processing in question and maintains that it does not constitute systematic monitoring, considering that "the recording of data may possibly be considered as systematic (after each purchase and presentation of the card) but in no case as monitoring. The purpose of processing the card is not to track the purchases or behavior of its customers. (...) a simple recording cannot be considered as monitoring."


25. The inspected further maintains that the processing is not regular, considering that the "customer card management" processing does not fall under any of the meanings of the term "regular" retained by the guidelines concerning DPOs.[10]

26. The inspected also indicates that the identification of the user of the loyalty card is not necessary in order to use it, and that "[i]t is not uncommon for people to share their card, making any monitoring, which is not the case here, inoperative and ineffective."

27. As mentioned in point 23 of this decision, it is mainly on the basis of the analysis of the "management of customer cards" (or "[loyalty] card") processing that the head of the investigation came to the conclusion that the controlled was and remains under the obligation to appoint a DPO under Article 37.1.b) of the GDPR. It is therefore necessary to examine whether the processing in question meets each of the criteria set out in Article 37.1.b) of the GDPR.



28. As to the question of whether the "management of customer cards" (or "[loyalty] card") constitutes a core activity of the controller, taking into account that the DPO guidelines state that core activities "include (…) all activities for which data processing is an integral part of the activity of the controller",[11] the restricted formation aligns itself with the assessment of the head of the investigation according to which "the proposal for a loyalty program is integral to the activity [of the controlled]" and therefore constitutes a core activity of the latter.

29. As to the concept of "large scale", in the light of the recommendations made in the DPO guidelines on this notion,[12] and in particular taking into account the fact that the number of people concerned "in relative value in relation to the population concerned", "the geographical extent of the processing activity" and the duration of the processing are factors that should be taken into consideration, the restricted formation agrees with the assessment of the head of the investigation according to which "the [loyalty] card must (…) be considered as large-scale processing within the meaning of Art. 37 para. (1) GDPR."

[10] WP 243 v.01, version revised and adopted on April 5, 2017, p. 26.
[11] WP 243 v.01, version revised and adopted on April 5, 2017, p. 24.
[12] WP 243 v.01, version revised and adopted on April 5, 2017, p. 25.


30. Finally, it should be examined whether the "management of customer cards" (or "[loyalty] card") processing constitutes a "regular and systematic monitoring" of the data subjects.


31. The restricted formation admits that the "management of customer cards" (or "[loyalty] card") processing is carried out "in accordance with a system". It nevertheless notes that, given in particular the details provided by the inspected party in its position paper of 12 April 2021, referred to in points 24, 25 and 26 of this decision concerning the various aspects of this processing, it does not appear from the investigation file that said processing would aim at the regular monitoring of the data subjects, or that such monitoring would actually be carried out by the inspected party.



32. Therefore, it should be noted that it does not appear from the investigation file that the inspected party is, by reason of the "management of customer cards" (or "[loyalty] card") processing, under the obligation to appoint a DPO under Article 37.1.b) of the GDPR.



33. In view of the foregoing, the restricted formation concludes that the breach of Article 37.1 of the GDPR has not been established.



    III. On corrective measures and the fine


            A. Principles



34. In accordance with Article 12 of the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, the National Commission has the powers provided for in Article 58.2 of the GDPR:

    "a) notify a controller or processor that planned processing operations are likely to violate the provisions of this Regulation;


    b) call to order a controller or processor when processing operations have resulted in a violation of the provisions of this Regulation;

    c) order the controller or processor to comply with the requests presented by the data subject in order to exercise their rights under this Regulation;

    d) order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where applicable, in a specific manner and within a specified timeframe;

    e) order the controller to communicate a personal data breach to the data subject;

    f) impose a temporary or permanent limitation, including a ban, on the processing;

    g) order the rectification or erasure of personal data or the restriction of processing in application of Articles 16, 17 and 18, and the notification of these measures to the recipients to whom the personal data have been disclosed in accordance with Article 17, paragraph 2, and Article 19;

    h) withdraw a certification or order the certification body to withdraw a certification issued in application of Articles 42 and 43, or order the certification body not to issue a certification if the requirements applicable to the certification are not or are no longer satisfied;

    i) impose an administrative fine in application of Article 83, in addition to or in place of the measures referred to in this paragraph, depending on the specific characteristics of each case;

    j) order the suspension of data flows addressed to a recipient located in a third country or to an international organisation."


35. Article 83 of the GDPR provides that each supervisory authority shall ensure that administrative fines are, in each case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account in deciding whether an administrative fine is to be imposed and in deciding on the amount of that fine:


    "a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered;

    b) whether the breach was committed wilfully or negligently;

    c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;

    d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures they have implemented in accordance with Articles 25 and 32;

    e) any relevant breach previously committed by the controller or the processor;

    f) the degree of cooperation established with the supervisory authority in order to remedy the breach and mitigate any negative effects;

    g) the categories of personal data affected by the breach;

    h) the manner in which the supervisory authority became aware of the breach, in particular whether, and to what extent, the controller or processor notified the breach;

    i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same subject matter, compliance with those measures;

    j) the application of codes of conduct approved in accordance with Article 40 or certification mechanisms approved under Article 42; and

    k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the breach."



            B. In the present case



    1. As to the imposition of an administrative fine


36. In the statement of objections of 15 March 2021, the head of the investigation proposes that the restricted formation impose on the inspected party an administrative fine in the amount of 80,000 euros "for breach of the obligations arising from the GDPR in relation to the appointment of the Data Protection Officer".


37. As the breach of Article 37.1 of the GDPR has not been established, there is no need to impose on the inspected party the administrative fine proposed by the head of the investigation.


    2. Regarding the taking of corrective measures


38. In the statement of objections of 15 March 2021, the head of the investigation proposes that the restricted formation take the following corrective measure, specifying that it should be implemented "within 6 months, under penalty of a fine of 1,000 euros per day of delay":

"Order the controller to appoint a Data Protection Officer in accordance with Art. 37(1) GDPR."


39. As the breach of Article 37.1 of the GDPR has not been established, there is no need to examine the proposed corrective measure.




In view of the foregoing, the National Commission sitting in restricted formation and deliberating unanimously decides:

- to close the investigation opened by deliberation No. [...] of September 14, 2018 of the National Commission for Data Protection into Company A, located […], L-[…], and registered in the Luxembourg Trade and Companies Register under number […], in the absence of any breach held against it.








As decided in Belvaux on October 27, 2021.




The National Commission for Data Protection sitting in restricted formation

Tine A. Larsen, President
Thierry Lallemang, Commissioner
Marc Lemmer, Commissioner






                              Indication of remedies



This administrative decision may be the subject of an appeal for reformation within three months following its notification. This appeal is to be brought before the Administrative Tribunal and must be introduced through a lawyer at the Court (avocat à la Cour) of one of the Bar Associations.