CNPD (Luxembourg) - Délibération n° 6FR/2023
From GDPRhub
| CNPD - 6FR/2023 | |
|---|---|
 | |
| Authority: | CNPD (Luxembourg) |
| Jurisdiction: | Luxembourg |
| Relevant Law: | Article 31 GDPR Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 05.07.2023 |
| Published: | 23.08.23 |
| Fine: | 5,330 EUR |
| Parties: | n/a |
| National Case Number/Name: | 6FR/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | CNPD (in FR) |
| Initial Contributor: | n/a |
A controller and its processor were found to be in breach of Article 32 for the illegal transfers of data to a third company. The Luxembourg DPA fined the controller €5,330.
English Summary
Facts
On 10 March 2021, the Luxembourg DPA received a complaint from the data subject regarding the publication of her data on Company X’s website, despite not being a subscriber of Company X.
In the course of investigating the complaint concerning Company X, it became apparent to the Luxembourg DPA that several other companies were involved – Companies A and B. Company B, who the data subject had been a subscriber of, had transferred the data to Company A, which then transferred it to Company X.
Relationship Between Companies A, B, and X
As a result of these findings, on 1 July 2022, the Luxembourg DPA opened investigations into Companies A and B, as well as Company X. Through this inquiry, it was discovered that Company A was a subcontractor for Company B, responsible for “managing/ modifying/ deleting” Company B’s subscriber list.
While Company A and B did not share a common customer file or computer system, under their subcontracting agreement, members of Company A had access to Company B’s computer system to carry out processing operations. These operations included generating a file on a monthly basis with the customers wishing to appear on Company X’s website.
The Data Subject’s Relationship with Companies A, B, and X
The data subject signed a subscription contract with company B on 27 April 2015, which ended on 30 June 2019.
The data subject first became aware that Company X had access to her data in October 2020. During this time, she received a telephone call for religious canvassing, and was made aware that her data had been transferred from Company B to Company X. Following this, on 19 October 2020, she requested that her data be deleted from their database. Company X confirmed that they would do so. Company X sent a request on the same day to Company A (Company B’s processor) to erase the data subject’s data. However, on 10 March 2021, the data subject’s data was once again made available on Company X’s website. When she objected to this, Company X noted that Company B had once again transferred her data to them. On 29 May 2021, Company X contacted Company A (Company B’s processor) again to inform them of the data subject’s erasure request.
In February 2022, the data subject’s data appeared in a file of Company B’s subscribers on Company X’s website again. In a letter dated 7 October 2022 to the Luxembourg DPA, Company B formally denied having transferred the data subject’s data to Company X in February 2022. It transpired that the transfers were occurring due to an internal IT error, which Company B labelled as an "internal configuration error."
Holding
The Luxembourg DPA determined that Company B was the controller for the purposes of Article 4(7) GDPR, and Company A was the processor for the purposes of Article 4(8) GDPR. The DPA found that both Companies A and B had breached Article 31 GDPR and 32(1) GDPR.
Holding in regard to Company B
Firstly, Company B was the controller for the purposes of the definition in Article 4(7) GDPR as the data subject had signed the initial subscription with them, and they were entity which determined how and for what purposes the data subject’s data was used.
Secondly, Company B was in violation of Article 31 GDPR. Article 31 GDPR imposes a duty upon controllers and processors to cooperate with Supervisory Authorities during investigations. Company B (controller) did not fully cooperate with the Luxembourg DPA during its investigation proceedings. In particular, it provided false information regarding the data transfer of February 2022, in its letter to the Luxembourg DPA on 7 October 2022. This behaviour was in violation of Article 31 GDPR.
Thirdly, Company B was found to be in violation of Article 32(1) GDPR. This provision imposes an obligation upon controllers and processors to implement the appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing. The Luxembourg DPA found that the transfers between Company B and X (through the intermediary of Company A) did not appear intentional, and were indeed due to insufficient internal security measures. Several measures were adopted by Company B to remedy this issue, but these were only implemented following further investigations into the Company which began in August 2022.
The Luxembourg DPA came to the conclusion that the data subject’s data were transferred unlawfully in 2020, in 2021, as well as in February 2022 because her subscription contract with Company B ended on 30 June 2019. Furthermore, the Luxembourg DPA noted that Company X's requests to delete the Claimant's data dated 19 October 2020 and 29 March 2021 should have led Company B (the controller) to carry out investigations into its security system in accordance with the Article 32 GDPR obligations, which it did not do. For these reasons, Company B was found to be in breach of Article 32 GDPR.
The Luxembourg DPA issued a fine of €5,330 under Article 83(2) GDPR, ordered the Company to cease the processing of the data subject’s data, and ordered Company B to bring its processing operations into compliance with Article 32 GDPR by establishing sufficient technical and organisational measures.
Holding in regard to Company A
The Luxembourg DPA held that Company A, as the processor, was also in breach of Articles 31 and 32 GDPR for the reasons outlined above. As a result, a fine of €2,500 was issued against them, and they were also ordered to cease the processing of the data subject’s personal data and to bring their processing operations into compliance with Article 32 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
I. Facts and procedure
1. On 10 March 2021, the National Data Protection Commission (hereinafter the "CNPD" or the "National Commission") received a complaint from Ms [...] (hereinafter the "Claimant") concerning the publication of her [data] [on the website] of Company X (hereinafter: "Company X") and notifying the CNPD of potential breaches of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the "GDPR").
2. In the course of investigating the complaint, it became apparent that Company B [...] had transferred the Claimant's personal data to Company A, which in turn transferred the said data to Company X. At its deliberation meeting on 1 July 2022, the National Commission for Data Protection sitting in plenary session decided to open an investigation into Company B, Company C and Company A on the basis of Article 38 of the Act of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime (hereinafter: "Act of 1 August 2018") and to appoint Mr Alain Herrmann as head of the investigation.
3. The said decision specified that the purpose of the investigation carried out by the National Commission was to monitor the application and compliance by the three aforementioned companies "with the provisions of the GDPR, in particular those relating to the basis of lawfulness of processing, the obligation to inform the data subject about the transfer of his or her data to third parties and the right to erasure, in the specific context of the transfer of the claimant's personal data to a third-party company."
4. Company A is registered in the Luxembourg Trade and Companies Register under number [...] and has its registered office at [...], [...] [...] (hereinafter: the "controlled"). It [offers electronic communications services]."
5. The decision of the National Commission sitting in restricted formation (hereinafter: the "Restricted Formation") on the outcome of the investigation will be based :
- on the processing carried out by the data controller in the context of the aforementioned complaint and checked by the CNPD's agents; and
- the legal and regulatory provisions taken into account by the head of the investigation in his statement of objections.
6. The audited party was informed of the opening of the investigation in his respect by letter from the head of the investigation dated 23 August 2022. It appears from this letter that the head of the investigation had defined the following audit objectives:
" - To determine the legal status of the entities audited with regard to the RGPD in order to determine which entity or entities is/are responsible for the processing and/or subcontractor(s);
- Verify the lawfulness of the transfer of the claimant's personal data by Company B to company(ies) A and/or C;
- Verify the lawfulness of the transfer of the claimant's personal data by the entities in question to Company X;
- Verify that the data controller(s) have complied with their obligation to inform the data subject about the transfer of personal data to a third company;
- Verify that the controller(s) has/have complied with the data subject's request for erasure and/or right to object".
7. The letter was accompanied by a document entitled "Initial findings Investigation no. [...]" setting out the initial findings made by CNPD staff on the basis of the documents collected in the context of the complaint and submitted to the present investigation (hereinafter referred to as the "initial findings"). The Head of the Investigation gave the Insured the opportunity to "contest the facts set out in the Initial Findings, or submit any comments, clarifications or additions" by 7 October 2022 at the latest.
8. The auditor replied by letter dated 7 October 2022.
9. At the end of his investigation, on 25 January 2023 the head of the investigation notified the data controller of a statement of objections detailing the failings that he considered to have occurred in this case in relation to the requirements laid down in Article 32.1 of the GDPR (obligation to guarantee appropriate security) and Article 31 of the GDPR (obligation to cooperate with the supervisory authority).
The head of the investigation proposed that the Panel adopt three different corrective measures and impose an administrative fine of €5,330 on the controller.
The audited entity was given the opportunity to comment in writing on the statement of objections. He did not send any comments to the head of the investigation.
10. By letter dated 13 March 2023, the Chairman of the Panel informed the auditee that his case would be included in the Panel's meeting of 27 April 2023 and that he would be given the opportunity to be heard. By e-mail dated 18 April 2023, the claimant confirmed that he would attend the meeting.
At this meeting, the head of the investigation and the audited party, represented by Mr [...], presented their oral observations in support of their written observations and answered the questions asked by the Appointments Panel. The audited party was given the floor last.
II. On the law
II.1 The status of the data controller with regard to the processing in question
1. Principles
12. According to Article 4(7) of the GDPR, the controller is "the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing [...]".
11. Article 4(8) of the GDPR defines a processor as "the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".
12. The European Data Protection Committee (hereinafter: "EDPS") has provided further explanation in its guidelines on the concepts of controller and processor (hereinafter: "Guidelines 07/2020") which "have a crucial role to play in the application of the [GDPR], as they determine who is responsible for compliance with the various data protection rules and how data subjects can exercise their rights in practice." It
states that these concepts are "functional concepts in that they aim to allocate responsibilities according to the actual roles played by the parties and autonomous concepts in that they are to be interpreted primarily in accordance with EU data protection law."
13. Furthermore, the EDPS stated in the aforementioned guidelines that a "new and distinct feature of the GDPR is the provisions directly imposing obligations on processors. [...] In this regard, the [EDPS] considers that Article 28(3) of the GDPR, while imposing specific content on the necessary contract to be entered into by the controller and the processor, imposes direct obligations on sub-processors, including the obligation to assist the controller in ensuring compliance."
14. Similarly, it emerges that "both controllers and processors can be fined for non-compliance with the obligations imposed by the GDPR that affect them and both report directly to the supervisory authorities under the obligations to maintain and provide appropriate documents on request, cooperate with investigations and comply with administrative orders. At the same time, it should be remembered that processors must always comply with the controller's instructions and act only in accordance with them."
2. In the present case
15. By email dated 21 July 2021 the controller explained that Company B [...]."
16. Following additional questions from the head of the investigation, the audited company informed the latter in a letter dated 6 October 2021 of the existence of a collaboration agreement between Company C and Company A setting out the operating conditions and operations of Company B, as well as the rights and obligations of the parties. The contract states that "Company A's duties include managing/modifying/deleting [...] [subscriber lists] for Company B".
[subscriber lists] of Company B". The controller concluded in the aforementioned letter that "the capacity of controller of personal data is attributed to both parties. Company C and Company A are jointly responsible for processing".
17. On the other hand, in a letter dated 7 October 2022, the controller expressed "surprise at the reply you received in the letter dated 6 October 2021 (exhibit 9) in which the employee asserts that Company A is jointly responsible for processing with Company C. In fact, Company A is a subcontractor on behalf of Company B. We apologise for these dubious answers. [...] . "
Attached to the aforementioned letter was a document entitled "AMENDMENT TO THE SUBCONTRACTING AGREEMENT CONCLUDED BETWEEN COMPANIES "B" AND A" CONCERNING THE PROCESSING OF DATA IN COMPLIANCE WITH THE GENERAL DATA PROTECTION REGULATION (EU) 2016/679 OF 27 APRIL 2016 APPLICABLE FROM 25 MAY 2018" (hereinafter: the "subcontracting agreement").
18. The Panel notes that Article [...] of the said subcontracting agreement describes the tasks of the audited party in its capacity as subcontractor of Company B as follows:
[The audited party] is authorised to process on [Company B's] behalf the personal data necessary for [...] [the audited party] to manage the administrative aspect of the subscriptions generated by [Company B].
The nature of the operations carried out on the data is :
- Consultation/processing of personal data
- Temporary storage of data
- Importing personal data
- Modification of data
- Any other use necessary for the maintenance of the service.
The purpose(s) of the processing are the administrative management of subscriptions generated by [Company B] and the provision of services to [Company B] customers.
The personal data processed are all the identification data of [Company B]'s customers (surname, first name, full address, telephone number, copy of contract) as well as the data required to manage [Company B]'s customer subscription contract.
The categories of persons concerned are all customers who have taken out a [Company B] contract."
19. As the Claimant signed a subscription contract with Company B on 27 April 2015, the latter is to be considered as the controller of the Claimant's personal data under the said contract, while the Controlled acts in this specific context as a subcontractor of Company B with the task of managing/modifying/deleting the [subscriber lists] on behalf of the said company in accordance with the aforementioned subcontracting agreement.
20. At the meeting of the Restricted Panel on 27 April 2023, the inspected party confirmed the aforementioned qualities of Company B and Company A, while specifying that the two entities do not have a common customer file and that each has its own computer system. Nevertheless, under the subcontracting agreement, members of the audited party's staff would have access to Company B's computer system in order to carry out the necessary operations on its behalf, in particular in order to generate a file [...] with the customers wishing to appear [on Company X's website], on the one hand, and to send the said file to Company X on a monthly basis (unless there has been no change compared to the previous month), on the other hand.
II. 2. Reasons for the decision
A. On the breach of the obligation to ensure appropriate security
1. Principles
21. Pursuant to Article 32.1 of the GDPR and "taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, varying in likelihood and severity, to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia, as necessary:
a) pseudonymisation and encryption of personal data ;
b) means to ensure the continuing confidentiality, integrity, availability and resilience of processing systems and services;
c) means to restore the availability of and access to personal data within an appropriate timeframe in the event of a physical or technical incident;
d) a procedure for regularly testing, analysing and evaluating the effectiveness of the technical and organisational measures to ensure the security of processing."
22. Note that the EDPS specified in Guidelines 07/2020 that the "GDPR establishes obligations directly and specifically applicable to processors" and that a "processor may be held liable or fined in the event of non-compliance with these obligations or if it exceeds or infringes the legal instructions of the controller." One of these obligations is precisely that a processor must implement appropriate technical and organisational measures in accordance with Article 32 of the GDPR.
2. In the present case
23. The subscription contract entered into on 27 April 2015 between the Claimant and Company B ended on 30 June 2019.
Nevertheless, it is apparent from the initial findings that in October 2020, following a telephone canvassing call for religious purposes, the Claimant became aware that her [data] had been published [...] on Company X's website and that the said [data] had been transferred by the controlled to Company X for publication [on the said site]. On 19 October 2020, Company X confirmed to the claimant that her data would be deleted from its website.
However, on 10 March 2021, the Claimant's [data] was once again available on Company X's website, with Company X stating that the said [data] had once again been transferred to it by the Controlled for publication [on its website].
24. In a letter dated 1 June 2021, the audited party stated that its "mission was to manage/modify/delete the [lists of subscribers] on behalf of Company B", on the one hand, and that Company X had contacted its departments on 29 March 2021 to inform it of the Claimant's wish to no longer appear [on its website], on the other.
Furthermore, in the same letter, the controller explained that, as the claimant had no longer been a subscriber of Company B since 30 June 2019, "her [data] should therefore not have been transferred to Company X [in] 2021. This transfer was the result of an internal parameterisation error and corrective measures have been taken to remedy it."
25. However, following a new telephone canvassing call for religious purposes sent to the Claimant on 5 March 2022, it appeared that her [data] had once again been published [on the website] of Company X, which claimed that this publication had taken place following a transfer of the said [data] by the controlled party to Company X in February 2022.
26. In a letter dated 7 October 2022, the auditor acknowledged that Company X had already asked it to delete the claimant's data "on 19 October 2020 without any response from us, with a reminder on 29 March 2021. We granted the request on that date and the customer's data was no longer sent to Company X thereafter".
In the same letter, the controller also formally denied having transferred the claimant's data to Company X again in February 2022 and insisted "that since 29 March 2021 [the claimant] is no longer on the lists sent by Company A to Company X, as evidenced by the file sent to Company X on 15 April 2021 which we can send you if necessary."
27. Following this challenge, the head of the investigation asked the inspector by letter dated 6 December 2022 "to send us the communications as transmitted, in their exact form and without the slightest alteration, by Company A to Company X of the data of Company B's subscribers to appear [on the site] of Company X, on the following dates: Communications of April and May 2021; Communication of 23 February 2022 and of the months of March, April, May, June, July, August, September and October 2022."
28. The Controlled Party sent the requested documents by e-mail dated 14 December 2022.
29. In the Statement of Objections of 25 January 2023, the Head of Investigation noted that Company X had received the Claimant's data from the Controlled in order to include them [on its website] in 2020 and 2021, whereas the Claimant's Company B subscription had ended on 30 June 2019, "the date from which the Controlled, as a subcontractor of Company B, should have ceased transferring the Claimant's personal data to Company X."
30. Furthermore, he noted that the Claimant's personal data once again appeared in the file containing the data of Company B's subscribers as transmitted in February 2022 by the Controlled to Company X, so that these persons would appear [on the website] of Company X, on the one hand, and that a "Ctrl+f" search in the said file [... However, a "Ctrl+f" search in the said file [...] "shows that the Claimant's data is indeed present among the data of Company B's subscribers to be included [on Company X's] website".
Thus, the head of the investigation found that "the conditions of Article 32(1) of the GDPR had not been met, as the Controlled Party had not implemented the appropriate technical and organisational measures, on the one hand, in order to guarantee the confidentiality of the Claimant's personal data and thus prevent them from being transferred to Company X following the termination of her subscription contract with Company B and, on the other hand, in order to regularly test, analyse and evaluate the effectiveness of the said measures."
31. The Panel notes in this context that since 30 June 2019, the date on which the Claimant terminated the subscription contract with Company B, the Claimant should no longer have been included on the list of subscribers wishing to appear [on the website] that the audited entity sends to Company X, in principle on a monthly basis, on behalf of Company B. However, the audited party sent the claimant's [data] specifically for publication [on the website] in 2020, 2021 and February 2022. In fact, on 14 December 2022, the audited party sent, among other things, the e-mail and file [...] sent on 15 February 2022 to Company X containing the [data] of Company B's subscribers wishing to appear [on Company X's website], including the Claimant's data.
32. In an email dated 1 June 2021, the controller admitted that it should not have transferred the claimant's data to Company X and that it was an "internal configuration error", while in a letter dated 7 October 2022, it "believes that these failings occurred as a result of successive human errors. In fact, the period of litigation was at the heart of the Covid-19 crisis. Our teams were often understaffed during the crisis, due to the large number of work stoppages, isolation and family leave. What's more, given the urgency of the situation, we had to change the way we organised our work and hastily put in place a rota for our presence in the company".
33. In the same letter, the controller acknowledged that Company X had already asked him to delete the claimant's data "on 19 October 2020 without any response from us, with a reminder on 29 March 2021. We granted the request on that date and the customer's data was no longer transmitted to Company X thereafter."
34. At the meeting of the Select Committee on 27 April 2023, the inspected party also confirmed that, contrary to previous assertions, the applicant's [data] did indeed still appear in the file sent to Company X in February 2022. He explained that these irregular transmissions were linked to an internal IT problem, because when the claimant's subscription with Company B had been terminated, i.e. in 2019, the entry in the file of persons wishing to appear [on Company X's website] had not been deleted automatically. According to the claimant, this update in Company B's computer system [...] would not have been made until March 2022.
35. Regardless of the reasons that led to these irregular transmissions of the claimant's [data] to Company X, the Restricted Panel notes, first of all, that it is clear from the above findings that the audited party did not have a specific procedure in place to regularly test and analyse whether the lists of [data] transmitted to Company X did not include subscribers who had either terminated their subscription contract with Company B or requested that they no longer appear [on the website].
36. Secondly, the Panel notes that Company X's requests to delete the claimant's data dated 19 October 2020 and 29 March 2021 should have led the inspected party to carry out investigations into its security system. However, as the Claimant's [data] was once again transferred to Company X on 15 February 2022, the Panel considers that the measures deployed to guarantee data security in this case were insufficient and did not comply with the minimum requirements necessary in terms of security.
37. In view of the foregoing, the Panel agrees with the opinion of the Head of Investigation and concludes that, at the start of the investigation, the controller failed to fulfil its obligation under Article 32.1 of the GDPR.
38. As for the measures taken by the data controller after the start of the investigation, the Panel returns to this point in paragraph 58, as well as in Chapter II.3. Section 2.2. of this decision.
B. On the breach of the duty to cooperate with the supervising authority
1. Principles
39. According to Article 31 of the GDPR, "[t]he controller and the processor and, where appropriate, their representatives shall cooperate with the supervisory authority, at the latter's request, in the performance of its tasks."
40. As mentioned in point 14 of this Decision, the EDPS specified in its guidelines 07/2020 that "a processor may be held liable or fined for failure to comply with these obligations or for exceeding or infringing the controller's legal instructions." One of these obligations is precisely that a processor must cooperate "with the supervisory authority, at the latter's request, in the performance of its tasks" as required by the aforementioned Article 31 of the RGPD.
2. In the present case
41. It appears from the statement of objections that in the context of the complaint lodged by the claimant on 10 March 2021, the CNPD had to contact the supervised party on several occasions in 2021 and 2022 and even sent him reminder letters, as he "did not reply within the time limits to the questions put to him. This was notably the case for a letter from the CNPD dated 28 July 2021, which was the subject of a reminder dated 10 September 2021, as well as a letter from the CNPD dated 20 January 2022, which was the subject of a reminder dated 9 March 2022 and remained unanswered. The Contrôlé's failure to respond to the latter letter, which raised a number of issues, was part of the reason for opening this investigation."
42. Furthermore, the head of the investigation noted that "many of the comments made by the Controlled Party in the Complaint were subsequently refuted in the Controlled Party's letter of 7 October 2022 in response to the Initial Findings (PIECE 4). The controlee explained that the replies had been drawn up by one or more employees and had not been validated by management before being sent to the CNPD.
43. Finally, although the audited party had assured the CNPD in its letter of 7 October 2022 in response to the initial findings that measures had been taken as of 29 March 2021, the head of the investigation noted that the claimant's data had once again been transferred by the audited party to Company X in February 2022. According to the head of the investigation, "it is surprising that the Controlled did not implement the simplest measures, such as a "Ctrl+f" search action in its files, in order to provide an accurate response to the questions raised by the CNPD officers in charge of the investigation. Such inaction may suggest that the Controlled Party intentionally sought to conceal from the CNPD officers in charge of the investigation the fact that the Claimant's personal data had once again been transferred to Company X on 23 February 2022."
For the foregoing reasons, the Head of Investigation held "that the conditions of Article 31 of the GDPR had not been complied with, the Controlled having, on the one hand, ceased to answer the CNPD's questions in the context of the processing of the Complaint lodged by the Claimant and, on the other hand, given false answers although they were easily verifiable in the context of the present investigation."
44. The Panel recalls that both data controllers and subcontractors "report directly to the supervisory authorities under the obligations to maintain and provide appropriate documents on request, to cooperate with investigations and to comply with administrative orders."
45. In this context, it notes that some of the CNPD's letters and even emails sent to the supervised entity in connection with the management of the complaint have remained unanswered.
46. In his letter of 7 October 2022 following the dispatch of the initial findings by the head of the investigation, the audited party explained that "exhibits 10 and 14 refer to emails sent by your departments to our address [...], which have remained unanswered by us. We are aware of these shortcomings on reading the file that you have sent us and wish to apologise for them. After internal analysis, this situation is the result of successive resignations within our legal department. The department is made up of two lawyers. One of them left our staff [at the end] of 2021 and the other, responsible for taking over the case, left our staff [at the beginning] of 2022."
47. At the meeting of the Select Committee on 27 April 2023, the Inspector even formally contested the Head of Investigation's allegation that he had not wanted to cooperate with the CNPD or that he had tried to hide something, while confirming that the Claimant's [data] was again in the file sent to Company X in February 2022 due to an internal computer problem.
48. The Panel considers, first of all, that a company that uses a generic e-mail address such as "[...]" for its legal department, which is also indicated in the footer of letters from the controller, must ensure that e-mails to that address are read regularly, even in the event of the resignation of a person who has worked in the department in question.
49. She was surprised that the audited party had not checked that the claimant's [data] no longer appeared in the file sent to Company X in February 2022, before formally contesting this allegation in his letter of 7 October 2022, while confirming "that since 29 March 2021 Mrs [...] is no longer on the lists sent by Company A to Company X". However, as the audited party itself transmitted, only one week after the request of the head of the investigation, in particular the said file of February 2022 proving that the Claimant's [data] was once again on it, the Panel does not share the opinion of the head of the investigation that the audited party "intentionally sought to conceal from the CNPD agents in charge of the investigation the fact that the Claimant's personal data had once again been transferred to Company X on 23 February 2022". However, it considers this to be negligence on its part.
50. As regards the erroneous interpretation of the quality of the audited party with regard to the processing in question expressed by an employee in a letter dated 6 October 2021 and rectified by the audited party in its letter dated 7 October 2022, the Panel considers that this misunderstanding reflects a lack of internal communication and not a lack of cooperation on the part of the audited party with the CNPD.
51. Nevertheless, as the CNPD had to contact the data subject on several occasions in 2021 and 2022 and even sent him reminder letters without any reply, the Panel agrees with the opinion of the head of the investigation on this point and concludes that, at the start of the investigation, Article 31 of the GDPR was not complied with by the data subject, as he failed in his obligation to cooperate with the supervisory authority, namely the CNPD.
II.3 On the fine and corrective measures
1. Principles
52. In accordance with Article 12 of the Law of 1 August 2018, the National Commission has the powers provided for in Article 58.2 of the RGPD:
"(a) warn a controller or processor that the processing operations envisaged are likely to infringe the provisions of this Regulation;
b) call a controller or processor to order where the processing operations have led to a breach of the provisions of this Regulation;
c) order the controller or processor to comply with requests made by the data subject with a view to exercising his or her rights under this Regulation;
(d) order the controller or processor to bring the processing operations into conformity with the provisions of this Regulation, where appropriate, in a specific manner and within a specific period;
e) order the controller to notify the data subject of a personal data breach;
f) impose a temporary or definitive restriction, including a ban, on processing;
g) order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such measures to the recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
(h) withdraw a certification or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or order the certification body not to issue a certification if the requirements applicable to the certification are not or are no longer met;
i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the characteristics of each case;
j) order the suspension of data flows to a recipient in a third country or to an international organisation.
53. Pursuant to Article 48 of the Act of 1 August 2018, the CNPD may impose administrative fines as provided for in Article 83 of the RGPD, except against the State or municipalities.
54. Article 83(1) of the GDPR provides that each supervisory authority shall ensure that the administrative fines imposed are, in each case, effective, proportionate and dissuasive.
55. Article 83.2 specifies the factors that must be taken into account in deciding whether to impose an administrative fine and in deciding the amount of that fine:
"(a) the nature, seriousness and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they have suffered ;
b) whether the breach was committed deliberately or through negligence;
c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures they have implemented pursuant to Articles 25 and 32 ;
e) any previous relevant breaches committed by the controller or processor;
(f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and mitigating any adverse effects;
g) the categories of personal data affected by the breach;
(h) the manner in which the supervisory authority has become aware of the breach, in particular whether and to what extent the controller or processor has notified the breach;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with those measures ;
(j) the application of codes of conduct approved pursuant to Article 40 or certification schemes approved pursuant to Article 42; and
k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, as a result of the breach".
56. The imposition of administrative fines was made explicit by the Article 29 Working Party in its "Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679" adopted on 3 October 2017. These guidelines have been taken up and re-approved by the EDPS . The Restricted Panel points out that these guidelines were supplemented by the EDPS's "Guidelines 04/2022 on the calculation of administrative fines under the GDPR", version 2.0 of which was adopted on 24 May 2023.
57. The Panel wishes to make it clear that the facts taken into account in this decision are those established at the start of the investigation. Any changes made subsequently to the data processing operations under investigation, even if they make it possible to establish compliance in full or in part, do not make it possible to retroactively cancel an established breach.
58. Nevertheless, the steps taken by the supervised party to comply with the GDPR during the investigation procedure or to remedy the shortcomings identified by the head of the investigation in the statement of objections are taken into account by the Select Committee in the context of any corrective measures to be imposed and/or in setting the amount of any administrative fine to be imposed.
2. In the present case
2.1 Imposition of an administrative fine
59. In the statement of objections, the head of the investigation proposed that the Panel impose an administrative fine of EUR 5,330 on the supervised entity.
2.1.1 The appropriateness of imposing an administrative fine
60. In order to decide whether an administrative fine should be imposed, the Panel will analyse the criteria set out in Article 83.2 of the GDPR.
61. As regards the nature and seriousness of the breach (Article 83(2)(a) of the RGPD), it points out, with regard to the breach of Article 32(1) of the RGPD, that in view of the risks represented by personal data breaches, the European legislator intended to strengthen the obligations of data controllers with regard to the security of processing. According to recital 83 of the RGPD, in order to "guarantee security and prevent any processing carried out in breach of this Regulation, it is important that the controller or processor assess the risks inherent in the processing and implement measures to mitigate them, such as encryption. These measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. [...]. "
Now, as the claimant's personal data was transferred unlawfully in 2020, 2021 and in February 2022 by the controller to Company X, the Panel considers that the controller did not measure the importance of securing the personal data contained in the controller's computer system to which it has access in order to process the claimant's data on its behalf.
62. As regards the criterion of duration (Article 83.2.a) of the GDPR), the Panel notes that the controller confirmed at the Panel meeting of 27 April 2023 that the irregular transmissions of the Claimant's [data] to Company X were linked to
to an internal IT problem and that this update in Company B's IT system [...] would have been made in March 2022.
However, none of the documentation submitted to the Panel contains any evidence that the audited company has now implemented appropriate technical and organisational measures to avoid transferring the Claimant's data to Company X, so that the breach has been ongoing since the Claimant's contract was terminated on 30 June 2019. From that date, the Controlled Party, as a subcontractor of the Controlled Party, should have stopped transferring the Claimant's personal data to Company X.
63. As to the number of data subjects affected and the level of damage they have suffered (Article 83(2)(a) of the GDPR), the Panel notes that the Claimant is the only person known to the CNPD to have been affected by the breaches of the GDPR by the Controlled.
64. As regards the damage suffered by the Claimant, recital (75) of the GDPR states that it is not just a question of physical and material damage, but also moral damage. By frequently and unlawfully transmitting the Claimant's data to Company X for publication [on its site], any Internet user had access to her [data], without her consent. The claimant was even contacted on several occasions as part of religious telephone canvassing.
65. As to whether the breaches were committed deliberately or through negligence (Article 83.2. (b) of the GDPR), the Select Committee points out that "intention", i.e. an infringement committed deliberately, includes both knowledge and intent in relation to the characteristics of an infringement, whereas "not deliberately" (by negligence) means that there was no intention to commit the infringement, even though the controller or processor did not comply with its duty of care under the legislation.
The Panel notes in this case that irregular transmissions of the claimant's data by the controller on behalf of Company B to Company X for publication [on its website] took place in 2020, 2021 and February 2022.
While the Panel is of the opinion that the facts and breaches found do not reflect a deliberate intention to breach the GDPR on the part of the audited party, it nevertheless considers that the breaches were committed through negligence.
66. As regards the measures taken by the auditee to mitigate the damage suffered by the data subjects (Article 83.2.c), the Panel takes account of the measures taken by the auditee and refers to Chapter II.3, Section 2.2 of this decision for the relevant explanations.
67. It also notes that although several measures were put in place by the inspected party in order to remedy certain failings in whole or in part, these were only adopted following the launch of the investigation by CNPD staff on 23 August 2022 (see also point 57 of this decision).
68. As regards the degree of responsibility of the processor, in view of the technical and organisational measures it implemented pursuant to Articles 25 and 32 (Article 83(2)(d) of the GDPR), the Select Committee takes into account that the Claimant's data were not only transferred unlawfully in 2020, but also in 2021, as well as in February 2022. Furthermore, it noted that Company X's requests to delete the Claimant's data dated 19 October 2020 and 29 March 2021 should have led the Controller to carry out investigations into its security system in accordance with Article 32 of the GDPR, which it did not do.
69. As regards the degree of cooperation established with the supervisory authority (Article 83.2 f) of the RGPD), the Panel takes account of the statement by the head of the investigation "that it was necessary, on several occasions in the course of the investigation, to send the Controlled Party reminder letters and emails in order to obtain answers to its questions."
70. As for the categories of personal data affected by the breach (Article 83.2. g) of the GDPR), this concerns [the data] of the Claimant transferred unlawfully and on several occasions by the Controlled on behalf of Company B to Company X in order to appear [on its website].
71. As to the manner in which the CNPD became aware of the breach (Article 83.2(h) of the GDPR), the CNPD was informed of the facts constituting the breach in the context of the complaint lodged by the Claimant.
72. The Select Committee notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor likely to influence its decision as to the imposition of an administrative fine and its amount.
73. Consequently, the Restricted Panel considers that the imposition of an administrative fine is justified in the light of the criteria set out in Article 83.2 of the RGPD for failure to comply with Articles 31 and 32.1 of the RGPD.
2.1.2. The amount of the fine
74. The Controlled Party has indicated that it has achieved a turnover of € [...] for the year 2021, and a net result of € [...] for the year 2021. It has more than [...] employees [...], and more than [...] private and professional customers.
75. As regards the amount of the administrative fine, the Restricted Panel would point out that Article 83.3 of the GDPR provides that in the event of multiple breaches, as is the case here, the total amount of the fine may not exceed the maximum amount set for the most serious breach. Insofar as a breach of Articles 31 and 32.1 of the GDPR is alleged against the Controlled Party, the maximum fine that may be imposed is EUR 10 million or 2% of annual worldwide turnover, whichever is higher, in accordance with Article 83.5 of the GDPR.
76. In view of the responsibility of the supervised party, its financial capacity and the relevant criteria of Article 83.2 of the RGPD referred to above in section "2.1.1 On the appropriateness of imposing an administrative fine", the Restricted Formation considers that imposing a fine of two thousand five hundred (2,500) euros appears to be effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the RGPD.
2.2 With regard to corrective measures
77. In the statement of objections, the head of the investigation proposed that the Restricted Panel adopt the following corrective measures "within 1 month of the Controlled Party being notified of the decision taken by the Restricted Panel, subject to a penalty payment of 50 euros per day of delay:
" - Order the Inspected Party to definitively prohibit the processing of the Claimant's personal data, consisting of the transfer of said data to Company X;
- Order the Controlled Party to put in place sufficient technical and organisational measures to ensure the confidentiality of personal data, as well as a procedure to regularly test, analyse and evaluate the effectiveness of said measures; - Call the Controlled Party to order regarding its obligation to cooperate with the CNPD."
78. As for the corrective measures proposed by the head of the investigation and with reference to point 58 of this decision, the Panel takes into account the steps taken by the Controlled Party to comply with the provisions of Articles 32.1 and 31 of the GDPR, as detailed in its letters of 7 October 2022 and 14 December 2022. More specifically, it notes the following facts:
- With regard to the corrective measure proposed by the head of the investigation set out in the first indent of point 77 of this decision concerning the definitive ban on the processing of the claimant's personal data consisting of a transfer of said data to Company X, the controller indicated in its letter of 14 December 2022 that it had taken into account Company X's request to remove the claimant from the lists [...] and that as a result, the claimant "was indeed removed from our lists as of 28 May 2021".
The Appointments Panel notes, however, as mentioned in point 31, that in this same letter of 14 December 2022, the inspected party sent, among other things, the e-mail and file [...] sent on 15 February 2022 to Company X, again containing the claimant's [data].
At the meeting of the Panel on 27 April 2023, the Inspector confirmed that, contrary to previous assertions, the file sent to Company X in February 2022 did indeed still contain the Claimant's [data]. He explained that these irregular transmissions were linked to an internal IT problem, because when the claimant's subscription with Company B was terminated in 2019, the entry in the customer file [...] was not automatically deleted. According to the auditor, this update in Société B's computer system [...] was not made until March 2022.
Indeed, it notes that attached to the letter from the audited party dated 14 December 2022 is an e-mail from Company X dated 8 March 2022 asking the audited party to no longer include the claimant's [data] in the [...] lists, on the one hand, and the files sent by the audited party to Company X from April to October 2022, which no longer contain the claimant's [data], on the other.
However, none of the documentation submitted to the Restricted Panel contains evidence that the controlled party has now implemented appropriate technical and organisational measures enabling it to verify compliance with the provisions of the GDPR in order to avoid transferring the Claimant's data to Company X again on behalf of Company B.
In view of the insufficient compliance measures taken by the controller in this case and of point 58 of this decision, the Panel therefore considers that the corrective measure proposed by the head of the investigation in this respect and set out in the first indent of point 77 of this decision should be ordered.
- As regards the corrective measure proposed by the head of the investigation and set out in the second indent of point 77 of this decision concerning the implementation of sufficient technical and organisational measures to ensure the confidentiality of personal data and a procedure for testing, analyse and regularly evaluate the effectiveness of said measures, the controller confirmed at the meeting of the Select Committee on 27 April 2023 that the irregular transmissions of the claimant's [data] to Company X were linked to an internal IT problem and that this update in Company B's IT system [... ] was not made until March 2022.
However, none of the documentation submitted to the Restricted Panel contains any evidence that the Controller has put in place a specific procedure to regularly test and analyse whether the lists of [data] that it sends to Company X on behalf of Company B do not include subscribers who have either terminated their subscription contract with Company B or asked to no longer appear [on the site] in order to guarantee data security and comply with the minimum necessary security requirements.
In view of the insufficient compliance measures taken by the controller in this case and of point 58 of this decision, the Restricted Formation therefore considers it appropriate to impose the corrective measure proposed by the head of the investigation in this respect and set out in the first indent of point 77 of this decision.
- As for the corrective measure proposed by the head of the investigation and set out in the third indent of point 77 of this decision concerning the reminder to the audited entity of its obligation to cooperate with the CNPD, the Restricted Panel noted that the CNPD had had to contact the audited entity on several occasions in 2021 and 2022 and had even sent it reminder letters without any response. It was therefore of the opinion that, at the start of the investigation, Article 31 of the GDPR had not been complied with by the auditee, as it had failed in its obligation to cooperate with the supervisory authority, namely the CNPD.
For these reasons, the Panel considers that the corrective measure proposed by the head of the investigation in this respect and set out in the third indent of paragraph 77 of this decision should be ordered and that the data controller should be called to order for having breached Article 31 of the GDPR.
- The Panel also considers that there is no reason to impose a penalty payment on the audited entity to compel it to comply with these corrective measures.
In view of the foregoing, the National Commission sitting in restricted formation, after deliberation, decides :
- to uphold the breaches of Articles 31 and 32.1 and of the GDPR;
- to impose an administrative fine of two thousand five hundred (2,500) euros on "Company A" in respect of the breaches of Articles 31 and 32.1 of the GDPR;
- to order "Company A" to impose a definitive ban on the processing of the claimant's personal data, consisting of the transfer of said data to Company X ;
- to issue an injunction against "Company A" to bring processing into compliance with the obligations resulting from Article 32.1 of the RGPD, within two months of notification of the decision of the Select Committee, and, in particular, to implement sufficient technical and organisational measures to ensure the confidentiality of the claimant's personal data as well as a procedure to regularly test, analyse and evaluate the effectiveness of said measures.
- to issue a warning to "Company A" for having breached Article 31 of the GDPR.
Belvaux, 5 July 2023.
