This is a follow-up to my previous blog post entitled "How to effectively evade the GDPR and the reach of the DPA". Feel free to read it before reading further.

In a recent letter, the CNPD further clarified why they don't investigate the several breaches of Data Protection Law (Legal Basis, Purpose, Transfer, EU Representative) affecting thousands of Luxembourgish (and hundreds of thousands of European) citizens. Highlights are mine.


The letter is in French; here is a rough synopsis in English:
  • The CNPD argues that it doesn't have to follow its Internal Guidelines on "Investigations" because, although they talked to Rocketreach, they did not officially open an actual investigation in this particular case. They also argue they don't need to follow the Internal Guidelines on "Decisions", as a Decision not to open an investigation is formally not a Decision as defined in their Policies.
  • The CNPD further argues that the Luxembourgish Law on Data Protection does not specify any criteria for when the CNPD would or would not need to open an investigation, and thus concludes it can do so at will.
  • In the case of Rocketreach in particular, the CNPD argues that it makes no sense to open an investigation, as they would not be able to ensure that Rocketreach then respects the outcome. In other words, they won't let us benefit from their efforts should we seek judicial redress.