A Primer on dealing with the CNPD - The DPA of Luxembourg

This blog post will be updated periodically as I come across new practical information and experiences. You can subscribe to my blog if you wish to be kept updated.

Updates : 

• 24.07.2020: Added number of reported data breaches to Statistics
• 25.07.2020: Added the Role of the DPA as captured within the GDPR and added references
• 25.07.2020: Added the section "Parliamentary Oversight" capturing parlamentary enquiries
• 26.07.2020: Corrected the part about getting a copy of your original complaint. In fact, I only have received parts of it and am still waiting to receive the rest.
• 27.07.2020: Due to popular demand I added a section "Legal Procedure".
  
  

I thought it is useful for the general audience to summarise my experience working with the CNPD as a Data Subject. Aligned with many other administrative procedures in Luxembourg: they have a nice appearance at the frontend but are tilted against your interest in the backend.

The Role of DPA :

• "responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing" (ART 51. #1 GDPR)
• "shall act with complete independence" (ART 52 - GDPR)
• "remain free from external influence, whether direct or indirect and shall neither seek nor take instructions from anybody."  (ART 52 -GDPR)
• "members of each supervisory authority shall refrain from any action incompatible with their duties" 
• "Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers"

Complaint procedure :

• There is a simple online form available to guide you through the process. At the end of the process, you will have submitted a complaint and will receive confirmation and a case ID a few days later. Links: DE, EN, FR .  The User interface does not tell you it has been filed and is confusing to say the least.


• Make sure to download a copy of the generated complaint (There is a link when you press "submit"). Should you choose not to, you will remain without a copy of your original complaint. I didn't the first time around believing it to be in good hands at the CNPD.  One can ask the CNDP for a copy? Sure you can.  The CNPD made a partial copy available only after more than 3 months of waiting - after multiple emails (which were replied to at first, then subsequently ignored) and finally a registered letter to their Head. To this date (4months and counting) I am still waiting for a 1:1 copy of my original complaint. 

Progress and Status updates

• The CNPD is required by law (Art 8 #6) to update you on progress and status.  You will have to take the initiative to insist and ask. You will notice that their understanding of your legal right for an update on "progress" and "status" is the following sentence: "Your complaint is currently being investigated". If you choose to ask for more information, maybe an update on progress or an estimate of when they might come to a conclusion, they will answer with the same boilerplate answer. The answer will not even change after your complaint sits with them for more than 17 months.


• If you ask the CNPD to have a view of the documents the other party has submitted you will quickly discover that you have no right to. The other party ("Complaigned") has access to your complaint, you on the other hand, have no right to look at their responses or positions.
  
  In other words, you really can't be sure that any feedback provided by the CNPD  is based on substantiated information nor can you verify whether or not the answer contains further violations of your rights.
  
  

Decisions

• In case the CNPD doesn't come to a decision or that you disagree with the decision you can take it in front of a court called "Cours Administrative".
  
  
• According to their answers given to the EDPB the CNPD has enough budget and resources and the data controllers react swiftly. 

Stats and EDPB Survey

In their answer to a parliamentary question the CNPD responded with the following details for the timespan between 2018 and February 2020 :

• 665 complaints from Luxemburgish Data Subjects
• 318 complaints where the CNPD acted as lead DPA
• 26 complaints initiated as a concerned supervisory authority (Src EDPB Survey)
• 137 OSS cases (Where it declared itself lead under One-stop-shop)
• 498 data breach notifications between 25 May 2018 and 1 December 2019
• 0 fines

In their answers to the EDPB Survey the CNPD states :

• "Data controllers are responsive and answer quickly"
• That "Decisions taken by the CNPD [...] are considered as per the Luxembourg national law as administrative decisions [...]." 
• "As to the allocation of internal resources, the CNPD has one employee who is working full-time on all matters relating to the EDPB and eight thematic experts working (approximatively 20% of the working time) on the matters related to the ESG they usually attend."
• On the question whether the CNPD has enough resources: "The Luxembourg government has provided the CNPD with all the requested resources, which has allowed the CNPD to grow constantly and substantially over the past five years."
• Staff :
  • 2016: 19 
  • 2017: 25 
  • 2018: 38 
  • 2019: 43 
  • 2020: 48 
• Budget :
  • 2016: 2.050.922€
  • 2017: 2.499.348€
  • 2018: 4.415.419€
  • 2019: 5.442.416€
  • 2020: 6.691.562€
• On the question of how many fines the CNPD has issued, the answer is: N/A

Parliamentary Oversight: 

• When responding to the question of the EDPB The CNPD argues that SMBs represent >90% of LU based companies. (Source: EDPB Survey of the CNPD).  No mention of Large multinationals having their European HQ in Luxembourg, such as Amazon, Goodyear, Microsoft, etc.  If you have an in-house team of over Lawyers  you do not need education, you need a strong DPA willing to enforce.
  
  
• It speaks to itself that the Luxembourg Parliament has limited it's questions to simple statistics. It has to this day not followed up on the simple realization that there are 0 fines. While fundamental human rights are a regular topic in parliament, it seems that data protection (or anything that weakens the competitive advantage of Luxembourg) is  "Thema non grata". 
  
  
• The Powerhouse that was behind the creation of the GDPR as a European Commissioner and European MEP (Vivian Reding) is now a member of parliament of Luxembourg.  An email addressed to her on the topic remains unanswered as of today. There is no record of any Data Privacy related question by Reding as of today. On the 25th of May 2018, Reding took it to twitter to celebrate the GDPR as "Giving back power to the citizens".

Legal Procedure

• If you want to challenge a decision of the CNPD (or force them to take one) you can ask the "Court Administrative". You'll need a lawyer to proceed with the "Court Administrative". You will pay all fees. You can not engage this process as an individual. Legal counsel registered at the BAR can be found here.

Sources

• Law of the 1 August of 2018   [Legilux] Transposition of the "regulation" into local law) 
• Réglement d'Ordre Intérieur / Geschäftsordnung/ Internal Rules [CNPD] 
• Internal procedures on investigations [CNPD] 
• Evaluation Survey of the CNPD in 2019 [EDPB]
• Role of a DPA - [GDPR] 
• Vivian Reding [Wikipedia]  | Parliament Information about  Vivian Reding
• Vivian Reding [Interview]
• Vivian Reding on Twitter on the 25th May of 2018  "A historic Day for Europe / We give back the control to our citizens"