The Luxembourg Data Protection Authority (CNPD) has published its first decisions following investigations of non-compliance with the General Data Protection Regulation (GDPR). The decisions relate to the role of the DPO, the geolocation of employees and video surveillance. This newsflash sets out the key takeaways on these three topics.
Data protection officer (DPO)
In the event the function of DPO is combined with another role within the organisation, it must be clearly demonstrated that this combination of functions does not lead to a conflict of interest.
In one decision, the CNPD found that combining the roles of chief compliance officer, a position involved in AML/KYC matters, and DPO was problematic. The CNPD concluded that even when the CCO acts as a “second line of defence” in reviewing the KYC process, the role of CCO in principle conflicts with the role and responsibilities of the DPO, who can only review data processing activities over which (s)he has no decision-making power. This decision will have significant consequences for the financial sector where the role of the DPO is often combined with a compliance role.
In another decision, the CNPD imposed a fine of EUR 18,000 on the Luxembourg subsidiary of a corporate group that had appointed a single DPO at group level for the various group entities. This possibility is explicitly provided for by the GDPR provided the group DPO is easily accessible for each establishment. The group had a data protection office composed of the DPO, data protection lawyers and a project manager. At the local level, the Luxembourg undertaking's (sole) lawyer was appointed the local point of contact for the group DPO. Although there was a GDPR committee within the Luxembourg undertaking, the group DPO was not a member of this committee and was only involved indirectly, via the minutes of the committee's meetings or questions raised by the local point of contact. According to the CNPD member leading the investigation, the DPO must participate in a formal way and on a regular basis in the management and security committees. In this case, the DPO should have made regular formal visits to the Luxembourg undertaking to discuss data protection issues with senior management of this undertaking and the DPO should have directly assessed these issues. The local point of contact was moreover not part of the group DPO's team (i.e., the data protection office at group level). Therefore, the DPO was considered not to have been informed and consulted at the earliest possible stage.
The CNPD concluded that the (group) DPO (i) was not directly involved in all issues related to personal data protection and as a result (ii) fell short in his or her information and advisory role. Finally, the CNPD found that the organisation did not provide the DPO with the necessary resources at local level since data protection resources were centralised at group level and the Luxembourg undertaking had not documented the time required for the local lawyer's data protection tasks with a view to allocating the required resources.
In a third decision relating to the DPO's professional qualifications and specialised knowledge in relation to data protection, the head of investigation for the audit took the view that the DPO should have at least three years of professional experience in data protection.
Geolocation of employees
The first decision concerns a Luxembourg company that had installed a geolocation system in some of its vehicles used by employees. The company was found to have breached the GDPR due to:
- non-compliance with the storage limitation principle. The oldest geolocation data had been kept for two years and four months at the date of the investigation, thus beyond the maximum duration allowed by the CNPD for the data processing purpose relied on by the company (pre-GDPR CNPD authorisations are useful indicators of the CNPD's requirements and recommendations in this respect);
- the provision of insufficient information to data subjects. The CNPD emphasised the need to actively provide information to data subjects; a layered approach is recommended for this type of processing. It also stated that, pursuant to the accountability principle, a controller stating that data subjects were already in possession of mandatory information must be able to prove this statement "by documenting it"; and
- failure to implement adequate security measures as required by Article 32 of the GDPR given that basic security requirements were not met at the time of the investigation.
This decision resulted in an order to bring the processing operations into compliance with the GDPR within a period of two months as well as a fine of EUR 2,800.
The second decision concerns a Luxembourg municipal administration (commune) that had installed a geolocation system in some of its vehicles used by the administration's employees and agents. The audited administration was found to have breached its obligation to provide adequate information to the data subjects pursuant to Article 13 of the GDPR and received a reprimand as a result. The municipal administration was ordered to provide the data subjects with additional information about geolocation.
In the four published decisions on video surveillance, the CNPD found that the audited companies had not complied with the principle of data minimisation, which requires that the controller only film what appears to be strictly necessary to achieve the purposes pursued by the video surveillance. In particular, the CNPD held that:
- video surveillance of areas in the workplace reserved for employees' private use (e.g. canteens, smoking areas, changing rooms and rest areas) must always be considered disproportionate to the intended purposes of the surveillance, including the protection of company assets and ensuring the security of access to the employer's premises and the safety of employees. The field of view of the cameras must therefore be adapted accordingly and restricted to the area(s) strictly necessary to achieve the stated purpose(s);
- cameras intended to monitor an access area or the surroundings of a building must be configured (i.e. by means of masking or blurring techniques) to exclude public highways and surrounding lands and buildings from their field of view.
Two of the audited companies were also found to have breached the principle of storage limitation. In this respect, the CNPD stated that the retention of video footage for the purpose of protecting the company's assets or ensuring access security for a period in excess of 30 days was disproportionate.
In two of the decisions, the CNPD found that the audited companies had not provided sufficient information to data subjects. In respect of video surveillance too, a layered approach is strongly recommended. Moreover, simply informing the staff delegation is not considered sufficient to ensure that the company's employees have been individually informed in accordance with Article 13 of the GDPR.
These findings led the CNPD to impose fines ranging from EUR 1,000 to EUR 2,600.
These decisions show that the CNPD is starting to show its teeth by conducting formal investigations, some of which have led to the imposition of corrective measures and fines. These newly published decisions are in addition to the 235 and 168 corrective measures (imposed in the context of, respectively, national cases and cases opened through the international cooperation mechanism) which the CNPD has ordered without opening a formal investigation.
A second takeaway is that so-called thematic (or targeted) investigations are not simply a kind of stakeholder or market consultation on best practices but rather a formal investigation leading to an official CNPD decision.
In some cases, the CNPD has sanctioned actions on grounds which do not unequivocally stem from the GDPR but rather based on what the CNPD considers to be good practice. This means that, contrary to principles of criminal law, which also apply in administrative proceedings, the sanctioned offence is not always based on clear texts. This is unfortunate given the heavy fines that may be issued for non-compliance with the GDPR.
It follows from these decisions that it is of the utmost importance for organisations to document the measures and steps they take to comply with the GDPR. It is necessary not only to meet the GDPR requirements but also to be able to demonstrate compliance and to have in place the necessary policies and procedures to ensure an effective level of compliance.
It has recently been reported in the press that the CNPD intends to impose a EUR 349 million fine on Amazon, just a few days after the Luxembourg data protection authority released its first batch of decisions. This is a clear indication that other investigations and sanctions are forthcoming.
Vincent Wellens | Partner | +352 26 12 29 34
Carmen Schellekens | Counsel | +352 26 12 29 74 06
Lindsay Korytko | Senior Associate | +352 26 12 29 74 22
Sigrid Heirbrant | Associate | +352 26 12 29 74 50
Antoine Pétronin | Associate | +352 26 12 29 74 51