CNPD on-site inspections and fines
The CNPD (Commission Nationale pour la Protection des données, or “CNPD”) has, until now, adopted a cooperative approach with the entities requesting guidance and has, in particular, met representatives of important sectors in Luxembourg.
On-site inspections have been carried out in relation to DPOs (appointment and means to carry out their activities) and further complaints. The number of complaints have nevertheless been growing exponentially and the CNPD will mainly focus its audits on certain selected topics. To the best of our knowledge, no fines have been yet imposed, but the CNPD has indicated the door is open to this possibility, in particular in the event of poor cooperation of audited entities.
If you want to ensure that your organisation is ready to respond to such an on-site inspection, we strongly advise you to implement an appropriate process, which may be described in dawn-raid guidelines for instance.
In addition to a public consultation, the CNPD presented in October 2018 a certification scheme (“Scheme”) which will provide the opportunity to organisations to demonstrate that a given processing is in line with GDPR requirements on the basis of an official certification (“Certified Assurance Report based Processing Activities”, or “CARPA”). Such CARPA will be delivered after a thorough audit has been carried out by certification bodies accredited by the CNPD.
The CNPD will continue to carry out the work, notably in order to align the Scheme with the EDPB's own guidance on certification , while making it known that it will communicate these criteria to the EDPB after finalising this Scheme - probably towards the beginning of this year.
The challenge of processing for research purposes
The Law of 1 August 2018 relating to the organisation of the CNPD (the “Law”), which implements and complements the GDPR in Luxembourg, introduces specific provisions for personal data processing for scientific or historical research purposes and for statistical purposes .
The Law states that TWELVE additional safeguards shall be implemented by the data controller when carrying such processing. In accordance with the Law for instance, the effectiveness of the technical and organisational measures shall be regularly assessed by an independent audit and the data shall be anonymized or pseudonymised by a trusted third-party which is functionally independent from the data controller.
The Law thus creates a heavy burden for bodies carrying out research from which data controllers may only derogate after having duly documented and justified why a measure or another would not be mandatory in the case at hand.
Monitoring of employees at the workplace
The Law provides for a new Article L. 261-1 of the Luxembourg Labour Code which imposes specific provisions regarding the processing of personal data for monitoring purposes in the context of the employment relationship.
Following the GDPR's abolition of the administrative formalities, employers no longer need to ask for the prior authorisation of the CNPD to put in place a monitoring activity of their employees in the workplace. Employers do, nonetheless, need to inform the staff representative bodies (or in the absence thereof the Luxembourg Labour Inspectorate) in advance of this monitoring activity. Thereafter, the concerned staff body may ask the CNPD for prior advice on the compliance of the monitoring project (such advice having suspensive effect).
In addition, a data protection impact assessment should, in principle, be carried out before starting the processing and the monitoring shall be appropriately documented in the record of processing activities.