CNPD - 3018

From GDPRhub
CNPD - 3018
LogoLU.png
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 27 GDPR
Type: Complaint
Outcome: Other Outcome
Decided: 04.02.2020
Published: 29.05.2020
Fine: None
Parties: n/a
National Case Number/Name: 3018
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): English
Original Source: Zoller Thierry (in EN)
Initial Contributor: Thierry ZOLLER

Luxembourg DPA argues it cannot proceed and is not willing to open an investigation against a company established abroad that has not designated an EU Represenative.

English Summary[edit | edit source]

Facts[edit | edit source]

Rocketreach sells access to personal data on EU data subjects, allegedly without any legal basis.

Dispute[edit | edit source]

1. Deleting the data subject's information when all he solely asked for was access.

2. Did not answer requests to enquire about the Legal basis of processing.

3. Has not selected an EU Representative

4. Mass Processing of European Data Subjects

Holding[edit | edit source]

Luxembourg DPA argues it cannot proceed against a company established abroad that has not designated an EU Represenative.

Comment[edit | edit source]

Although thousand of Luxemburgish and hundred thousands of European Data Subjects are Impacted the DPA of Luxemburg refuses to open an inquiry/Investigation.

Further Resources[edit | edit source]

Part1 : https://blog.zoller.lu/2020/05/how-to-effectively-evade-gdpr-and-reach.html

Part2 : https://blog.zoller.lu/2020/10/how-to-effectively-evade-gdpr-and-reach.html

Although agreeing that Rocketreach is in breach of the GDPR, the CNPD refuses an investigation :

  • The CNPD argues that it doesn't have to follow their Internal Guidelines on "Investigations" as although they talked to Rocketreach they did not officially open an actual investigation in this particular case. They also argue they don't need to follow the Internal Guidelines on "Decisions" as a Decision to not open an investigation is formally not a Decision as defined in their Policies.
  • The CNPD further argues that the Luxemburgish Law on Data Protection does not specify any criteria when or when not the CNPD would need to open an investigation and thus concludes it can do so at will.
  • In the case of Rocket Reach in particular the CNPD argues that it makes no sense to open an investigation as they would not be able to ensure Rocketreach then respects the outcome. In other words, they won't make us benefit from their efforts should we seek judicial redress.

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the English original. Please refer to the English original for more details.