CNPD (Luxembourg) - Délibération n° 3018: Difference between revisions

From GDPRhub

Revision as of 13:10, 16 October 2020

CNPD - 3018
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 27 GDPR
Type: Complaint
Outcome: Other Outcome
Started:
Decided: 04.02.2020
Published: 29.05.2020
Fine: None
Parties: n/a
National Case Number/Name: 3018
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): English
Original Source: Zoller Thierry (in EN)
Initial Contributor: Thierry ZOLLER

The Luxembourg DPA argues it cannot proceed and is not willing to open an investigation against a company established abroad that has not designated an EU Representative.

English Summary

Facts

Rocketreach sells access to personal data on EU data subjects, allegedly without any legal basis.

Dispute

1. Deleted the data subject's information when all he asked for was access.

2. Did not answer requests enquiring about the legal basis of processing.

3. Has not selected an EU Representative.

4. Mass processing of European data subjects.

Holding

The Luxembourg DPA argues it cannot proceed against a company established abroad that has not designated an EU Representative.

Comment

Although thousands of Luxembourgish and hundreds of thousands of European data subjects are impacted, the DPA of Luxembourg refuses to open an inquiry/investigation.

Further Resources

Part 1: https://blog.zoller.lu/2020/05/how-to-effectively-evade-gdpr-and-reach.html

Part 2: https://blog.zoller.lu/2020/10/how-to-effectively-evade-gdpr-and-reach.html

Although agreeing that Rocketreach is in breach of the GDPR, the CNPD refuses an investigation:

  • The CNPD argues that it doesn't have to follow its Internal Guidelines on "Investigations" because, although it talked to Rocketreach, it did not officially open an actual investigation in this particular case. It also argues it doesn't need to follow the Internal Guidelines on "Decisions", as a decision not to open an investigation is formally not a Decision as defined in its policies.
  • The CNPD further argues that the Luxembourgish Law on Data Protection does not specify any criteria for when the CNPD would or would not need to open an investigation, and thus concludes it can do so at will.
  • In the case of Rocketreach in particular, the CNPD argues that it makes no sense to open an investigation as it would not be able to ensure Rocketreach then respects the outcome. In other words, they won't make us benefit from their efforts should we seek judicial redress.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.