CNPD (Luxembourg) - Délibération n° 42FR/2021

| Field | Value |
|---|---|
| Authority | CNPD (Luxembourg) |
| Jurisdiction | Luxembourg |
| Relevant Law | Article 37(1) GDPR |
| Type | Investigation |
| Outcome | No Violation Found |
| Started | |
| Decided | 27.10.2021 |
| Published | |
| Fine | None |
| Parties | n/a |
| National Case Number/Name | Délibération n° 42FR/2021 |
| European Case Law Identifier | n/a |
| Appeal | Not appealed |
| Original Language(s) | French |
| Original Source | Luxembourg DPA (in FR) |
| Initial Contributor | Florence D'Ath |
The Luxembourg DPA (CNPD) found that the offering of a loyalty programme by a company to its customers did not amount to a regular and systematic monitoring of the customers pursuant to Article 37(1)(b) GDPR, and that the Company therefore did not need to appoint a Data Protection Officer.
English Summary
Facts
In 2018, the Luxembourg DPA (the CNPD) initiated 25 different audit proceedings in both the private and public sectors with regard to the role of the Data Protection Officer (DPO) under Section 4 of Chapter 4 of the GDPR (see in particular Article 37 GDPR to Article 39 GDPR).
One of these audit proceedings concerned a Luxembourg private company (hereafter, the Company). During the audit, the CNPD's head of investigation found that the Company had failed to appoint a Data Protection Officer (DPO) as required by Article 37(1) GDPR.
Article 37(1) GDPR envisages two situations where private controllers (such as private companies) must appoint a DPO. In particular, a private controller must appoint a DPO when:
- its (i) core activities consist of processing operations which require (ii) regular and systematic monitoring of data subjects (iii) on a large scale; or
- its (i) core activities consist of processing (ii) on a large scale of (iii) sensitive data pursuant to Article 9 GDPR or Article 10 GDPR.
In the case at hand, it was not contested that the Company was not processing sensitive data on a large scale. However, the audit report drafted by the head of investigation had concluded that one of the core activities of the Company was the offering of a loyalty programme to its customers, which included the processing of personal data through loyalty cards, and that such processing had to be considered as a regular and systematic monitoring of its customers on a large scale.
The head of investigation of the CNPD therefore recommended that the CNPD issue an injunction ordering the Company to appoint a DPO, and impose a fine of €80,000 on the Company for failing to appoint a DPO in due time.
Holding
After reviewing the facts of the case and the applicable law, the CNPD decided against the recommendations of the head of investigation.
The CNPD first noted that the Company had completed a documented analysis on the need to appoint a DPO pursuant to Article 37(1) GDPR, and had concluded that it was not bound to do so.
The CNPD then agreed with the conclusion of the audit report that the offering, by the Company, of a loyalty programme to its customers was part of the core activities of the Company. The CNPD also agreed with the conclusion of the audit report that such activities were conducted on a large scale, taking into account in particular the number of customers concerned and the geographical scope of the processing.
As for the third condition, however, the CNPD found that the offering by the Company of a loyalty programme to its customers did not constitute a "regular and systematic monitoring of data subjects". The CNPD noted in this respect that the Company was processing the personal data attached to loyalty cards in order to manage its customers' accounts and offer them rewards, not to monitor their purchasing behaviour. In other words, the CNPD considered that the purpose of the processing was the management of the loyalty programme, and not the regular and systematic monitoring of the customers' behaviour.
Based on these considerations, the CNPD concluded that the conditions of Article 37(1)(b) GDPR were not fulfilled, and that the Company did not have the obligation to appoint a DPO. As a consequence, the CNPD decided to close the investigation, and not to issue any injunction or impose any fine on the Company.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of investigation no. [...] conducted with Company A

Deliberation n° 42FR/2021 of 27 October 2021

The National Commission for Data Protection sitting in restricted formation, composed of Mrs Tine A. Larsen, President, and Messrs Thierry Lallemang and Marc Lemmer, Commissioners;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Having regard to the law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, in particular Article 41 thereof;

Having regard to the internal regulations of the National Commission for Data Protection adopted by decision n° 3AD/2020 of 22 January 2020, in particular Article 10, point 2;

Having regard to the regulations of the National Commission for Data Protection relating to the investigation procedure adopted by decision n° 4AD/2020 of 22 January 2020, in particular Article 9 thereof;

Considering the following:

I. Facts and procedure

1. Given the impact of the role of the data protection officer (hereinafter: the "DPO") and the importance of its integration into the organisation, and considering that the guidelines concerning DPOs[1] have been available since December 2016, i.e. 17 months before the entry into application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: the "GDPR"), the National Commission for Data Protection (hereinafter: the "National Commission" or the "CNPD") decided to launch a thematic audit campaign on the function of the DPO. Thus, 25 audit procedures were opened in 2018, involving the private sector as much as the public sector.

2. In particular, the National Commission decided by deliberation n° [...] of 14 September 2018 to initiate an investigation in the form of a data protection audit of Company A, located [...], L-[...] and registered in the Luxembourg trade and companies register under number [...] (hereinafter: the "controlled entity"), and to designate Mr Christophe Buschmann as head of the investigation. The said deliberation specifies that the investigation relates to the compliance of the controlled entity with Section 4 of Chapter 4 of the GDPR.

3. [...] the controlled entity [is active in retail trade in non-specialised stores with food predominating].

4. By letter of 17 September 2018, the head of the investigation sent the controlled entity a preliminary questionnaire, to which the latter replied by email of 8 October 2018. An on-site visit took place on 27 February 2019 and a telephone meeting took place on 22 February 2021.

5. As part of this audit campaign, in order to verify the organisation's compliance with Section 4 of Chapter 4 of the GDPR, the head of the investigation defined eleven control objectives, included in the report of the visit of 27 February 2019, namely:
1) Ensure that the body subject to the obligation to appoint a DPO has done so;
2) Ensure that the organisation has published the contact details of its DPO;
3) Ensure that the organisation has communicated the contact details of its DPO to the CNPD;
4) Ensure that the DPO has sufficient expertise and skills to carry out their missions effectively;
5) Ensure that the missions and tasks of the DPO do not give rise to a conflict of interest;
6) Ensure that the DPO has sufficient resources to perform their missions effectively;
7) Ensure that the DPO is able to carry out their missions with a sufficient degree of autonomy within their organisation;
8) Ensure that the organisation has put in place measures to ensure that the DPO is involved in all matters relating to data protection;
9) Ensure that the DPO fulfils their mission of informing and advising the controller and its employees;
10) Ensure that the DPO exercises adequate control over data processing within their organisation;
11) Ensure that the DPO assists the controller in carrying out impact assessments in the event of new data processing.

6. By letter of 15 March 2021 (hereinafter: the "statement of objections"), the head of the investigation informed the controlled entity of the breaches of obligations under the GDPR that he noted during his investigation, as well as the corrective measures and sanctions that he proposed to the National Commission sitting in restricted formation (hereinafter: the "restricted formation") to adopt.

7. In particular, the head of the investigation noted in the statement of objections a breach of the obligation to appoint a DPO[2] and proposed to the restricted formation to adopt a corrective measure as well as to impose an administrative fine of 80,000 euros.

8. By letter of 12 April 2021, the controlled entity sent the head of the investigation its observations on the statement of objections.

9. By letter of 2 June 2021, the President of the CNPD informed the controlled entity of the date of the session during which its case would be heard and of the opportunity offered to it to be heard there. By letter of 29 June 2021, the controlled entity informed the President of the CNPD that it would not attend.

10. The matter was on the agenda of the restricted formation's session of 14 July 2021. In accordance with Article 10.2.b) of the Rules of Procedure of the National Commission, the head of the investigation made oral submissions on the case and answered the questions asked by the restricted formation.

II. In law

A. On the failure to appoint a DPO

1. On the principles

11. According to Article 37.1 of the GDPR, "The controller and the processor shall designate a data protection officer in any case where: a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10."

12. The Article 29 Data Protection Working Party adopted on 13 December 2016 guidelines concerning DPOs, which were taken up and re-approved by the European Data Protection Board on 25 May 2018. These guidelines[3] provide clarifications on the concepts of "core activities" and "large scale" found in Article 37.1.b) and c) of the GDPR, as well as on the notion of "regular and systematic monitoring" found in Article 37.1.b) of the GDPR.

13. With regard to the concept of "core activities", the guidelines state that "[t]he 'core activities' can be seen as the key operations necessary to achieve the objectives of the controller or processor. They also include all activities in which data processing forms an integral part of the activity of the controller or processor."[4]

14. As for the concept of "large scale", the guidelines recommend considering the following factors: "- the number of people concerned, either in absolute value or in relative value in relation to the population concerned; - the volume of data and/or the range of data processed; - the duration, or permanence, of the data processing activities; - the geographical extent of the processing activity."[5]

15. Finally, with regard to the notion of "regular and systematic monitoring", the guidelines state that monitoring is not limited to the "online environment".[6] The term "regular", according to the guidelines, covers "one or more of the following meanings: - continuous or occurring at regular intervals over a given period; - recurring or repeated at fixed times; - taking place constantly or periodically." As for the term "systematic", it covers "one or more of the following meanings: - occurring in accordance with a system; - pre-established, organised or methodical; - taking place as part of a general data collection programme; - carried out as part of a strategy."[7]

2. In the present case

16. As part of this audit campaign, for the head of the investigation to consider objective 1 as met by the controlled entity, he expects the organisation to have appointed a DPO by 25 May 2018 if its processing falls within the scope of Article 37.1 of the GDPR.

17. It should be noted that the controlled entity carried out a documented analysis, as recommended by the DPO guidelines[8], by which it arrived at the conclusion that it was not obliged to appoint a DPO. This analysis was sent by the controlled entity with its answers to the preliminary questionnaire by email of 8 October 2018.

18. It emerges in particular from this analysis that the controlled entity "considers that while [its] activities may sometimes include a dimension of large scale or of regular monitoring [...], [its] activities do not combine the two elements." It is also indicated that the controlled entity "does not carry out regular monitoring of customer activities (no profiling). Purchases are sometimes recorded on the customer card (at the customer's discretion) but are not used for direct marketing purposes. These data are processed only for the purposes of restocking, customer relations when the latter calls, or for the calculation of their points and to fulfil legal obligations."

19. In the statement of objections, the head of the investigation refers to this analysis on page 5: "[t]he investigation shows that [the controlled entity] did not appoint a DPO. The CNPD agents take note that, in accordance with the guidelines on DPOs of the Article 29 Working Party on data protection, [the controlled entity] documented an analysis internally, in collaboration with its consultants (...), in order to determine whether or not a DPO should be appointed. On the basis of this internal analysis, the position [of the controlled entity] is that a DPO does not seem necessary in view of the activities carried out."

20. The head of the investigation then noted that the controlled entity "offers a loyalty card service to its customers and that there are more than [...] active customer cards (i.e. used in the year). As part of the management of these customer cards, [the controlled entity] performs data processing including purchase history and loyalty points. The loyalty cards (...) operate in all [the controlled entity's] stores, as well as in other partner stores." According to the head of the investigation, "the offering of a loyalty programme is an integral part of the activity [of the controlled entity]"; it would therefore be a "core activity" of the controlled entity, taking into account the details provided in the DPO guidelines on this notion.[9]

21. As to the question of whether the controlled entity carries out systematic and regular monitoring on the basis of the data collected via the loyalty card, the head of the investigation considers that "[i]t follows from the elements of the investigation that the [loyalty] card makes it possible to track the purchases of a person through loyalty points. The monitoring is organised, occurs in accordance with a system ([...]) and is carried out as part of a strategy, here a loyalty strategy. The argument that the cardholder uses it 'at will' is inoperative. Indeed, (...) the loyalty programme is part of a strategy that encourages the cardholder to use it to collect points. As soon as a customer enters the loyalty programme, they are part of a systematic and regular monitoring system. Although the purpose of 'monitoring' may not be pursued as such by the controller, it remains that, in order to achieve the purposes pursued (restocking, customer relationship, etc.), the controller has set up a systematic and regular monitoring system."

22. With regard to the notion of "large scale", the head of the investigation first notes "that there are more than [...] active [loyalty] cards" [...]. Then, with regard to the geographical scope, he noted that the said card "can be used in all stores [of the controlled entity] in the country as well as in many other partner brands." Finally, concerning the duration of the processing, the head of the investigation noted that the loyalty card makes it possible "to trace the purchases of its holder over a period of two years". The head of the investigation concludes that "[o]wing to the number of people concerned, the geographical scope of the processing activity, as well as its duration (...), the [loyalty] card must (...) be considered as large-scale processing within the meaning of Article 37 paragraph (1) of the GDPR."

23. Taking into account the criteria examined by the head of the investigation in order to determine whether the controlled entity was and remains under the obligation to appoint a DPO, the restricted formation deduces that these are those of Article 37.1.b) of the GDPR, which is however not explicitly mentioned in the statement of objections, which only refers to Article 37.1 of the GDPR. The restricted formation also finds that it is essentially on the basis of the analysis of the "management of customer cards" (or "[loyalty] card") processing that the head of the investigation came to the conclusion that the controlled entity was and remains under the obligation to appoint a DPO under Article 37.1.b) of the GDPR.

24. In its position statement of 12 April 2021, the controlled entity returns in particular to the processing in question and maintains that it does not constitute systematic monitoring, considering that "the recording of data may possibly be considered as systematic (after each purchase and presentation of the card) but in no case as monitoring. The purpose of the card processing is not to track the purchases or behaviour of its customers. (...) a simple recording cannot be considered as monitoring."

25. The controlled entity further maintains that the processing is not regular, considering that the "customer card management" processing does not fall under any of the meanings of the term "regular" retained by the guidelines concerning DPOs.[10]

26. The controlled entity also indicates that identification of the user of the loyalty card is not necessary in order to use it and that "[i]t is not uncommon for people to share their card, making any monitoring, which is not the case here, inoperative and ineffective."

27. As mentioned in point 23 of this decision, it is mainly on the basis of the analysis of the "management of customer cards" (or "[loyalty] card") processing that the head of the investigation came to the conclusion that the controlled entity was and remains under the obligation to appoint a DPO under Article 37.1.b) of the GDPR. It is therefore necessary to examine whether the processing in question meets each of the criteria set out in Article 37.1.b) of the GDPR.

28. As to the question of whether the "management of customer cards" (or "[loyalty] card") constitutes a core activity of the controller, taking into account that the DPO guidelines state that core activities "include (...) all activities for which data processing is an integral part of the activity of the controller"[11], the restricted formation aligns itself with the assessment of the head of the investigation according to which "the offering of a loyalty programme is an integral part of the activity [of the controlled entity]" and therefore constitutes a core activity of the latter.

29. As to the concept of "large scale", in the light of the recommendations made in the DPO guidelines on this notion[12], and in particular taking into account the fact that the number of people concerned "in relative value in relation to the population concerned", "the geographical extent of the processing activity" and the duration of the processing are factors that should be taken into consideration, the restricted formation agrees with the assessment of the head of the investigation according to which "the [loyalty] card must (...) be considered as large-scale processing within the meaning of Art. 37 para. (1) GDPR."

30. Finally, it should be examined whether the "management of customer cards" (or "[loyalty] card") constitutes "regular and systematic monitoring" of the data subjects.

31. The restricted formation admits that the "management of customer cards" (or "[loyalty] card") is carried out "in accordance with a system". It nevertheless notes, given in particular the details provided by the controlled entity in its position paper of 12 April 2021, referred to in points 24, 25 and 26 of this decision concerning the various aspects of this processing, that it does not appear from the investigation file that the said processing would aim at regular monitoring of the data subjects, or that such monitoring would actually be carried out by the controlled entity.

32. Therefore, it should be noted that it does not appear from the investigation file that the controlled entity is, due to the "management of customer cards" (or "[loyalty] card") processing, under the obligation to appoint a DPO under Article 37.1.b) of the GDPR.

33. In view of the foregoing, the restricted formation concludes that the breach of Article 37.1 of the GDPR has not been established.

III. On corrective measures and the fine

A. Principles

34. In accordance with Article 12 of the law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime, the National Commission has the powers provided for in Article 58.2 of the GDPR: "a) to warn a controller or processor that intended processing operations are likely to infringe the provisions of this Regulation; b) to issue a reprimand to a controller or processor where processing operations have infringed the provisions of this Regulation; c) to order the controller or processor to comply with the data subject's requests to exercise their rights under this Regulation; d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; e) to order the controller to communicate a personal data breach to the data subject; f) to impose a temporary or definitive limitation, including a ban, on processing; g) to order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19; h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met; i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case; j) to order the suspension of data flows to a recipient in a third country or to an international organisation."

35. Article 83 of the GDPR provides that each supervisory authority shall ensure that administrative fines are, in each individual case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account when deciding whether to impose an administrative fine and when deciding on the amount of that fine: "(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them; (b) whether the infringement was committed intentionally or negligently; (c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor; (f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects; (g) the categories of personal data affected by the infringement; (h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures; (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."

B. In the present case

1. As to the imposition of an administrative fine

36. In the statement of objections of 15 March 2021, the head of the investigation proposes to the restricted formation to impose on the controlled entity an administrative fine of 80,000 euros "for breach of obligations arising from the GDPR in relation to the appointment of the Data Protection Officer".

37. As the breach of Article 37.1 of the GDPR has not been established, there is no need to impose on the controlled entity the administrative fine proposed by the head of the investigation.

2. As to the adoption of corrective measures

38. In the statement of objections of 15 March 2021, the head of the investigation proposes to the restricted formation to adopt the following corrective measure, specifying that it should be implemented "within 6 months, under penalty of a fine of 1,000 euros per day of delay": "Order the controller to appoint a Data Protection Officer in accordance with Art. 37(1) GDPR."

39. As the breach of Article 37.1 of the GDPR has not been established, there is no need to examine the relevant corrective measure.

In view of the foregoing, the National Commission sitting in restricted formation and deliberating unanimously decides:

- to close the investigation opened by deliberation n° [...] of 14 September 2018 of the National Commission for Data Protection against Company A, located [...], L-[...] and registered in the Luxembourg trade and companies register under number [...], in the absence of any breach held against it.

Thus decided in Belvaux on 27 October 2021.

The National Commission for Data Protection sitting in restricted formation

Tine A. Larsen, President
Thierry Lallemang, Commissioner
Marc Lemmer, Commissioner

Indication of remedies

This administrative decision may be the subject of an appeal for reformation within three months following its notification. This appeal is to be brought before the administrative tribunal and must be introduced through a lawyer at the Court of one of the Bar Associations.

Footnotes

[1] The guidelines concerning DPOs were adopted by the "Article 29" Working Party on 13 December 2016. The revised version (WP 243 rev. 01) was adopted on 5 April 2017.
[2] Objective n° 1.
[3] WP 243 rev. 01, revised version adopted on 5 April 2017.
[4] WP 243 rev. 01, revised version adopted on 5 April 2017, p. 24.
[5] WP 243 rev. 01, revised version adopted on 5 April 2017, p. 25.
[6] WP 243 rev. 01, revised version adopted on 5 April 2017, p. 25.
[7] WP 243 rev. 01, revised version adopted on 5 April 2017, p. 26.
[8] WP 243 rev. 01, revised version adopted on 5 April 2017, p. 7.
[9] WP 243 rev. 01, revised version adopted on 5 April 2017, p. 24.
[10] WP 243 rev. 01, revised version adopted on 5 April 2017, p. 26.
[11] WP 243 rev. 01, revised version adopted on 5 April 2017, p. 24.
[12] WP 243 rev. 01, revised version adopted on 5 April 2017, p. 25.