On January 22, 2020, the Luxembourg National Data Protection Commission (CNPD) published its much-awaited internal regulations pertaining to its GDPR compliance investigation powers.
The regulations provide details on the CNPD’s various missions; for example, development of tools to assist data controllers in the demonstration of data protection compliance, implementation of complaints management processes, and investigations on data processing compliance.
As far as investigations are concerned, the regulations foresee that, during its weekly meetings, the CNPD may decide to designate a head of investigation to investigate GDPR compliance, be it on the basis of a complaint or not.
This head of investigation and their agents have been granted extensive powers to investigate data processing. Indeed, during the investigation, they are entitled to access all venues, locations etc. dedicated to data processing and can ask for the communication of any material related to data processing within the controlled entity.
The procedure is conducted in several steps:
- Information of the controlled entity: the controlled entity is informed of the opening of the investigation by the head of investigation by registered letter with acknowledgment of receipt. The CNPD may also plan an onsite visit without prior information, in which case the agents may directly inform the controlled entity in person. The controlled entity can also ask for the mission order and a form of identification (titre de légitimation) from the agents during their visit.
- Investigation measures: to perform their investigation, the head of investigation and their agents are entitled to access all premises and facilities used for the processing of data. They can access any material useful to the investigation and make copies. Finally, they can access any software or data processed and their processing transcription in a form deemed useful to the course of the investigation. Every step taken as part of the investigation is included in the investigation report (procès verbal) that will be part of the investigation casefile.
- After the investigation, the head of investigation can decide:
  - to propose the closure of the case; or
  - to send a relevant and reasonable objections statement to the controlled entity. If the head of investigation finds that the controlled data processing might infringe national or European regulations on data protection, they will inform the controlled entity of the precise infringements. The statement sets out a fixed time limit for the controlled entity to respond to these objections, noting that the exchanges between the controlled entity and the CNPD will be incorporated in the investigation casefile. Once these exchanges come to an end, the head of investigation can propose a closure report for the “restricted committee,” which is composed of three Commissioners, including the President of the CNPD, and has power to rule on the case. If the head of investigation does not propose a closure, the case will be ruled on by the CNPD after expiry of the time limit for the controlled entity to reply (which depends on the number of exchanges between the controlled entity and the head of investigation). It is worth mentioning that once the objection statement is sent, the controlled entity has the right to access all the documents in the case, except for those that are privileged or confidential.
Eventually, the decision on the case will be taken by a restricted or plenary session of the CNPD with a minimum of three Commissioners (including the President of the CNPD). It is important to point out that deliberations are not public and debates are confidential.
If the head of investigation recommends a closure of the case, the Commissioners can either decide on the closure of the case or ask for additional investigations if they feel they do not have a full understanding of the case.
On the other hand, if the head of investigation sends an objection statement, the controlled entity is informed of the date of the session and can attend or be represented, and can present objections. The head of investigation is also heard so they can report on their findings.
The final decision of the CNPD must state the reasons on which it is based. It should be noted that the Luxembourg administrative procedure rules are applicable to decisions rendered by the CNPD.
In light of the above, one may now wonder whether the publication of these regulations will entail more stringent enforcement from the CNPD, as well as new types of proceedings before the Luxembourg court to challenge decisions rendered under the new regime.