This blog post will be updated periodically as I come across new practical information and experiences. You can subscribe to my blog if you wish to be kept updated.

This is a post in a series of posts:

Updates:
  • 24.07.2020: Added number of reported data breaches to Statistics
  • 25.07.2020: Added the Role of the DPA as captured within the GDPR and added Sources
  • 25.07.2020: Added the section "Parliamentary Oversight" showing the efforts of the Luxembourg parliament
  • 26.07.2020: Corrected the part about getting a copy of your original complaint. In fact, I only have received parts of it and am still waiting to receive the rest.
  • 27.07.2020: Due to popular demand I added a section "Legal Procedure".

I thought it would be useful for the general audience to summarise my experience working with the CNPD as a Data Subject. I hope you appreciate my effort, as some of the below information came at a cost. As is the case with nearly all administrative procedures in Luxembourg: they have a nice appearance at the frontend but are tilted against your interest in the backend.



The Role of the DPA:
  • "responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing" (ART 51. #1 GDPR)
  • "shall act with complete independence" (ART 52 - GDPR)
  • "remain free from external influence, whether direct or indirect and shall neither seek nor take instructions from anybody." (ART 52 - GDPR)
  • "members of each supervisory authority shall refrain from any action incompatible with their duties"
  • "Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers"

Complaint procedure:

  • There is a simple online form available to guide you through the process. At the end of the process, you will have formally submitted a complaint and will receive confirmation and a case ID a few days later. Links: DE, EN, FR

  • Make sure to download a copy of the generated complaint (there is a link when you press "submit"). Should you choose not to, you will remain without a copy of your original complaint. I didn't the first time around, believing it to be in good hands at the CNPD. One can ask the CNPD for a copy? Sure you can. The CNPD made a partial copy available only after more than 3 months of waiting, after multiple emails (which were replied to at first, then subsequently ignored) and finally a registered letter to their Head. To this date (4 months and counting) I am still waiting for a 1:1 copy of my original complaint. As a comment: it appears the CNPD uses Outlook to track cases, which, if true, is not an efficient way of doing so.

Progress and Status updates

  • The CNPD is required by law (Art 8 #6) to update you on progress and status. The CNPD didn't in any of the complaints I submitted. You will have to take the initiative to insist and ask. You will notice that their understanding of your legal right for an update on "progress" and "status" is the following sentence: "Your complaint is currently being investigated". If you choose to ask for more information, maybe an update on progress or an estimate of when they might come to a conclusion, they will answer with the same boilerplate answer. Their answer will not even change after your complaint sits with them for more than 14 months.

  • If you ask the CNPD to have a view of the documents the other party has submitted, you will quickly find out that you have no right to. The other party ("Complaigned") has access to your complaint including your name. You, on the other hand, have no right to look at their responses or reasoning. In other words, you really can't be sure that any decision the CNPD comes up with is based on substantiated information, nor can you verify whether or not the answer contains further violations of your rights.

    The decision to not allow the complainant insight into the complainer's filing has not gone through the democratic procedure or a review by parliament. IMHO Luxembourg should introduce legislation that forbids Administrations to make up their own rules without oversight on matters that touch fundamental human rights.

Decisions
  • The CNPD will never tell you in any communication, not even when you complain about the time it takes to come to a decision: The matter of fact is that the CNPD effectively has 3 months to come to a decision. In case the CNPD doesn't, the case will be seen as a negative decision, giving you grounds for a legal procedure in front of the "Cours Administrative".

    That, however, begs the questions

    1. In light of Art 52 of the GDPR - Whether the CNPD has enough resources to come to a decision within a 3 months period?
    2. Why doesn't the CNPD inform you about that circumstance anywhere?
    3. Whether or not the CNPD has the willingness to actually enforce the rights of the data subjects it is responsible for within said time frame? Is it even possible to do so?

  • According to their answers given to the EDPB they have enough budget and resources and the data controllers react swiftly. Why is it then, that complaints stay open for years? More on that below.

  • If you happen to have the CNPD on the phone, they will make sure to let you know that even if their decision is negative you can of course still sue in front of a court. N.B. they will make it clear, not against them, but against whoever your complaint was against. While nobody told me directly, I have a feeling that this is a way to appear business-friendly (no negative decisions against a company) while at the same time pointing people towards the courts. Which then begs the question - Why do we need a DPA at all?

Stats and EDPB Survey

In their answer to a parliamentary question, the CNPD responded with the following details for the timespan between 2018 and February 2020:
  • 665 complaints from Luxembourgish Data Subjects
  • 318 complaints where the CNPD acted as lead DPA
  • 26 complaints initiated as a concerned supervisory authority (Src EDPB Survey)
  • 137 OSS cases (Where it declared itself lead under One-stop-shop)
  • 498 data breach notifications between 25 May 2018 and 1 December 2019
  • 0 fines

In their answers to the EDPB Survey, the CNPD states:
  • "Data controllers are responsive and answer quickly"
  • That "Decisions taken by the CNPD [...] are considered as per the Luxembourg national law as administrative decisions [...]." 
  • "As to the allocation of internal resources, the CNPD has one employee who is working full-time on all matters relating to the EDPB and eight thematic experts working (approximatively 20% of the working time) on the matters related to the ESG they usually attend."
  • On the question whether the CNPD has enough resources: "The Luxembourg government has provided the CNPD with all the requested resources, which has allowed the CNPD to grow constantly and substantially over the past five years."
  • Staff :
    • 2016: 19 
    • 2017: 25 
    • 2018: 38 
    • 2019: 43 
    • 2020: 48 
  • Budget :
    • 2016: 2.050.922€
    • 2017: 2.499.348€
    • 2018: 4.415.419€
    • 2019: 5.442.416€
    • 2020: 6.691.562€
  • On the question of how many fines the CNPD has issued, the answer is: N/A

Parliamentary Oversight: 
  • When responding to the question of the EDPB, the CNPD argues that SMBs represent >90% of LU based companies. (Source: EDPB Survey of the CNPD). I am afraid to tell you that this is nothing other than a smokescreen to justify that the CNPD largely only emphasizes coaching, consulting, and educating companies as their major activity. No mention of large multinationals having their European HQ in Luxembourg, such as Amazon, Goodyear, Microsoft, etc. If you have an in-house team of over 45 lawyers sitting in Kirchberg (not to mention the number across Europe), you do not need education, you need a strong DPA willing to enforce.

  • It speaks for itself that the Luxembourg Parliament has limited its questions to simple statistics. It has to this day not followed up on the simple realization that there are 0 fines. While fundamental human rights are a regular topic in parliament, it seems that data protection (or anything that weakens the competitive advantage of Luxembourg) is "Thema non grata". Personally, I am not sure parliament grasps the impacts that their "laissez-faire" attitude has on the rights of the people that voted for them, myself included.

  • The powerhouse that was behind the creation of the GDPR as a European Commissioner and European MEP (Viviane Reding) is now a member of parliament of Luxembourg. An email addressed to her on the topic remains unanswered as of today. There is no record of any Data Privacy related question by Reding as of today. On the 25th of May 2018, Reding took to Twitter to celebrate the GDPR as "Giving back power to the citizens".

Legal Procedure
  • If you want to challenge a decision of the CNPD (or force them to take one) you can ask the "Court Administrative" to take a look. You'll need a lawyer to ask the "Court Administrative". You cannot engage this process as an individual. Legal counsel registered at the BAR can be found here.

Sources




