National commission for data protection (Commission nationale pour la protection des données, NCDP, CNPD)

Similar documents
Is information about legal entities personal data? No. The DPA only applies to information about individuals as opposed to legal entities.

DENMARK. FRANET Contractor Ad Hoc Information Report Data protection: Redress mechanisms and their use Danish Institute for Human Rights

Ad hoc information request (FRANET) May Data Protection: Redress mechanisms and their use GERMANY

HUNGARY. FRANET Contractor Ad Hoc Information Report Data protection: Redress mechanisms and their use 2012

Ad hoc information request

Implementation of GDPR and control mechanisms of data protection institutions in Germany

Answers to Questionnaire: Romania

PUBLIC COUNCILOF THEEUROPEANUNION. Brusels,7November /1/13 REV1. InterinstitutionalFile: 2012/0011(COD) LIMITE

ARTICLE 29 DATA PROTECTION WORKING PARTY

ANNEX 1 POWERS OF THE PROFESSIONAL CONDUCT PANEL (PCP)

The Intellectual Property Regulation Board (incorporating The Patent Regulation Board and the Trade Mark Regulation Board)

Ad hoc information request

GDPR: Belgium sets up new Data Protection Authority

The Patent Regulation Board and The Trade Mark Regulation Board. Disciplinary Procedure Rules

European Data Protection Supervisor Your personal information and the EU administration: What are your rights?

Information about the Complaint Process at CPA Nova Scotia

Interinstitutional File: 2012/0011 (COD)

Council of the European Union Brussels, 13 April 2015 (OR. en)

Free and Fair elections GUIDANCE DOCUMENT. Commission guidance on the application of Union data protection law in the electoral context

European College of Business and Management Data Protection Policy

IMMIGRATION ADVISERS LICENSING ACT 2007

IMMIGRATION REGULATIONS INSTRUMENT A. The Financial Conduct Authority makes this instrument in the exercise of:

European Training and Research Centre for Human Rights and Democracy

Summary table of draft transposition of directive 2007/66/EC into Member States law

Rehabilitation and mutual recognition practice concerning EU law on transfer of persons sentenced or awaiting trial

Brussels, 16 May 2006 (Case ) 1. Procedure

Annual Report

Applications for accreditation: Membership. Compilation of membership accreditation assessment received on 9 July 2016

CONSULTATIVE COMMITTEE OF THE CONVENTION FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA

Presentation to IAPP November 18, EU Data Protection. Monday 18 November 13

Roumanie Haute Cour de Cassation et de Justice. Romania High Court of Cassation and Justice

Guidelines for making a complaint about the conduct of a member of the Institution of Civil Engineers

RESPECTFUL WORKPLACE AND HARASSMENT PREVENTION

Dismissal under Regulation 36 of the PSC regulations falls squarely within the

Data processing agreement

Information Privacy Act 2000

A 55 PUBLIC ADMINISTRATION ACT PART I DEFINITIONS AND DECLARATION OF PRINCIPLES PART II THE PUBLIC SERVICE

General guidance on EFSA procurements

The Canadian Institute of Actuaries Disciplinary Process

WHY DO LARGE INFRASTRUCTURE TENDERS FAIL?

4 A member shall discharge his obligations to all those with whom he has professional relations faithfully and with integrity.

ICMA Code of Ethics: Rules of Procedure for Enforcement Adopted by the ICMA Executive Board and revised in September 2014

Freedom of Information Act 2000 (FOIA) Decision notice

THE PROCESSING OF PERSONAL DATA (PROTECTION OF INDIVIDUALS) LAW 138 (I) 2001 PART I GENERAL PROVISIONS

Guidance on Complaints and Disciplinary Procedure

DATA PROCESSING AGREEMENT

DISCIPLINARY PROCEDURES

Standard Operating Procedures for R/TA Reconciliation Version 1.1 May,

Model Data Processing Agreement (GDPR)

A Legal Overview of the Data Protection Act By: Mrs D. Madhub Data Protection Commissioner

Data Protection Bill, House of Commons Second Reading Information Commissioner s briefing

The Maldivian Civil Service Act

Appendix 1 Data Processing Agreement

Comments on the proposal for a directive on representative actions for the protection of the collective interests of consumers

The whistleblowing procedure is based on the following principles:

Annex - Summary of GDPR derogations in the Data Protection Bill

Data Processing Agreement

REAL ESTATE. Complaints and Investigation Procedures COVERING:

PARLIAMENTARY ASSEMBLY OF BOSNIA AND HERZEGOVINA 308 LAW ON AMENDMENTS TO THE LAW ON THE PROTECTION OF PERSONAL DATA

Opinion on a notification for Prior Checking received from the Data Protection Officer of the European Ombudsman on verification of telephone bills

EUROPEAN PARLIAMENT COMMITTEE ON CIVIL LIBERTIES, JUSTICE AND HOME AFFAIRS

Consultation on Remedies in Public Procurement

DATA PROCESSING ADDENDUM

Data Protection in the European Union: the role of National Data Protection Authorities Strengthening the fundamental rights architecture in the EU II

DATA PROTECTION LAWS OF THE WORLD. Egypt

CONDITIONS OF PARTICIPATION REGARDING COMMITMENTS BVDW CODE OF CONDUCT PROGRAMMATIC ADVERTISING

CHAPTER 497 PUBLIC ADMINISTRATION ACT

Executive summary Malta Country report on measures to combat discrimination by Tonio Ellul

General guidance on EFSA procurements

I. CMP Disciplinary Policy & Procedures. A. Objectives

BASIC CONDITIONS OF EMPLOYMENT AMENDMENT BILL, [Words in bold type indicate omissions from existing enactments]

Foreshore Development (Amendment) Act 2013

Article 1. Federal Data Protection Act (BDSG)

SAINT CHRISTOPHER AND NEVIS STATUTORY RULES AND ORDERS. No. 10 of 2014 PUBLIC SERVICE CODE OF DISCIPLINE

ROMANIA MINISTRY OF INTERNAL AFFAIRS ANTI-CORRUPTION GENERAL DIRECTORATE

Suppliment tal-gazzetta tal-gvern ta Malta, Nru. 19,525, 22 ta Jannar, 2016 Taqsima B PRODUCT SAFETY ACT (CAP. 427)

Supreme Court of the United States

EVIDENCE ON THE DATA PROTECTION BILL. For the House of Commons Public Bill Committee by Open Rights Group and Chris Pounder

Radio Licensable Content Service Licences. Notes of Guidance for Applicants

Data Protection Policy. Malta Gaming Authority

BERMUDA BAR DISCIPLINARY TRIBUNAL RULES 1997 BR 55 / 1997

ARTICLE 29 Data Protection Working Party

Student and Employee Grievance Policy

LEGAL COMPLAINTS REVIEW OFFICER

European Investment Fund. EIF Procurement Guide

THE EXPERT WITNESS INSTITUTE COMPLAINTS AND DISCIPLINE RULES

Guide to Managing Breaches of the Code of Conduct

Guidance on the RIBA Code of Practice for Chartered Practices - complaint procedures.

Contents 1. OBJECT AND EXECUTIVE BODIES GENERAL PRINCIPLES INVESTIGATION SANCTIONS COMISSION PROCEEDINGS...

Léon Gloden and Katrien Veranneman Elvinger Hoss Prussen, Luxembourg

PROCEDURE RIGHTS OF THE DATA SUBJECT PURSUANT TO THE ARTICLES 15 TO 23 OF THE REGULATION 679/2016

As approved by the Office of Communications for the purposes of Sections 120 and 121 of the Communications Act 2003 on 21 June 2016

Data Processing Addendum

ICMA/NCCCMA Code of Ethics: Rules of Procedure for Enforcement Adopted by the NCCCMA February 8, 2007

STATOIL BINDING CORPORATE RULES - PUBLIC DOCUMENT

Disciplinary Policy and Procedure

Investigations and Compliance Policy and Procedures

Introduction to the Third Amendment of the Trademark Law of China. August 30, 2013

COMMISSION IMPLEMENTING DECISION. of XXX

Council of the European Union Brussels, 22 September 2014 (OR. en)

Transcription:

LUXEMBOURG FRANET Contractor Ad Hoc Information Report Data protection: Redress mechanisms and their use 2012 National commission for data protection (Commission nationale pour la protection des données, NCDP, ) Michel Sinner, Georges Weiland Etudes et Formation Volha Vysotskaya DISCLAIMER: The ad hoc information reports were commissioned as background material for the comparative report on Access to Data Protection Remedies in EU Member States by the European Union Agency for Fundamental Rights (FRA). They were prepared under contract by the FRA s research network FRANET. The views expressed in the ad hoc information reports do not necessarily reflect the views or the official position of the FRA. These reports are made publicly available for information purposes only and do not constitute legal advice or legal opinion. 1

Mapping of Redress mechanisms in the area of data protection Redress Mechanism Number 1. Lawfulness check/complaint 2. Investigative powers 3. Access right 4. Right to object 5. Right to object Type of possible outcomes of procedure Cf. outcomes of redress mechanisms numbers 3 to 13 Cf. outcomes of redress mechanisms numbers 3 to 13 Access/refusal of access to data Rectification, deletion or blocking of data Data cannot be processed Marketing data cannot be processed First Instance Total Number of times this procedure was initiated in 2009 (please provide source of information in footnote) Total Number of times this procedure was initiated in 2010 (please provide source of information in footnote) Total Number of times this procedure was initiated in 2011 (please provide source of information in footnote) DPA 133 1 145 2 115 3 DPA 10 4 5 5 6 6 DPA 40 7 43 8 25 9 DPA 0 10 0 11 0 12 DPA 8 13 12 14 11 15 1 Annual Report 2009, Luxembourgish DPA (), p. 14 2 Annual Report 2010,, p. 12 3 Annual Report 2011,, p. 19 4 5 6 7 9 10 11 12 13 14 15 2

6. Sanctions 7. Sanctions 8. Sanctions 9. Sanctions 10. sanctions (telecom sector) 11. sanctions (telecom sector) 12. Access right 13. Right to object Written notice or reprimand Rectification, deletion or blocking of data Temporary or definite interdiction of processing Publication of the interdiction decision DPA 0 16 1 17 0 18 DPA 0 19 0 20 0 21 DPA 0 22 1 23 0 24 DPA 0 25 0 26 0 27 Reprimand DPA 0 28 0 29 0 30 Fine DPA 0 31 0 32 0 33 Imprisonment 8 days to 1 year and/or fine 251 Imprisonment 8 days to 1 year and/or fine 251 Criminal court Criminal court available 34 available 37 available 35 available 38 available 36 available 39 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 3

14. sanctions (telecom sector) 15. Action to restrain/stop 16. Action to restrain/stop 17. Compensation Imprisonment 8 days to 1 year and/or fine 251 Stop of processing of data Publication of the order to restrain/stop Criminal court Civil court Civil court 0 40 0 41 0 42 available 43 available 46 Civil compensation Civil court available 49 available 44 available 47 available 50 available 45 available 48 available 51 40 41 42 43 44 45 46 47 48 49 50 51 4

Detailed information Ad Redress Mechanism Number 1 (Lawfulness check/complaint): Range of possible outcomes: cf. redress mechanisms 1 to 13 hereafter (i.e. in case of a lawfulness check, the DPA has powers to take diverse actions, as set out hereafter) Legal basis: Art. 32 para. (5) Burden of proof: data controller needs to prove respect of the legal provisions Cost of procedure: free Outcomes for 2009, 2010, 2011: 133 complaints have been handled and solved by the DPA in 2009, 145 in 2012 and 115 in 2011. Ad Redress Mechanism Number 2 (Investigative powers): Range of possible outcomes: Procedure based either on a complaint or a self-initiated procedure ( auto-saisine ) by the DPA. Outcomes: cf. redress mechanisms 1 to 13 hereafter (i.e. in case of its investigative powers, the DPA can take diverse actions, as set out hereafter) Legal basis: Art. 39 para. (7) Burden of proof: data controller needs to prove respect of the legal provisions Is there free legal advice/representation available from a public body : no data available Cost of procedure: free Outcomes for 2009, 2010, 2011: the DPA used its investigative powers in 10 cases in 2009, 5 in 2010 and 6 in 2011. Investigations have been carried out either via on-thespot investigations or via a written procedure, depending on the case. Ad Redress Mechanism Number 3 (Access to data through the DPA): Range of possible outcomes: In case a complainant is not granted access to his data by the data controller or if there appears to be non-compliance to the provisions of the law, the complainant can seize the DPA, which shall proceed to all the necessary verifications in that matter. Data may be (if applicable) rectified, deleted or blocked, through a decision taken by the DPA. Legal basis: Art. 28 para. (5) ; art 32 paras. (3) to (7) of the law. in case the DPA takes a decision towards the data controller Burden of proof: refusal of access / non-compliance 5

Is there free legal advice/representation available from a public body: DPA Cost of procedure: free Outcomes for 2009, 2010, 2011: there were 40 cases in 2009 where the DPA had to intervene in case of access right, 43 in 2010 and 25 in 2011. In each case, the problem was resolved after intervention of the DPA. Ad Redress Mechanism Number 4 (Non-respect of access right leading to criminal prosecution): Range of possible outcomes: Imprisonment of 8 days to 1 year and/or fine of 251 to Legal basis: art. 28 para. (2); art. 28 para. (7). Type of procedure: criminal procedure (judicial instance) Possibilities of appeal: 2 nd instance (court of appeals) and 3 rd instance (supreme court of appeals) Burden of proof: non-respect of access right OR non-compliance to the law (proven by the public ministry) Requirement of legal representation: complainant initiates procedure through his criminal complaint or the DPA forwards the case to the Public Ministry. But the Public Ministry has the opportunity to pursue the case or not. Is there free legal advice/representation available from a public body: no may intervene as party (if DPA continued the complaint to the public ministry) Cost of procedure: no data available Average duration of procedure: no data available Outcomes for 2009, 2010, 2011: no data available Ad Redress Mechanism Number 5 (Right to object): Range of possible outcomes: if objection is justified, those data cannot be processed anymore by the data controller Legal basis: art. 30 para. (1). in case the DPA takes a decision towards the data controller Burden of proof: prove the compelling and legitimate reasons relating to the complainants special situation Is there free legal advice/representation available from a public body: DPA Cost of procedure: free at DPA level Outcomes for 2009, 2010, 2011: 0 6

Ad Redress Mechanism Number 6 (Right to object): Range of possible outcomes: if objection is justified, marketing data cannot be processed anymore by the data controller Legal basis: art. 30 para. (2). in case the DPA takes a decision towards the data controller Burden of proof: the data processor must prove that he has informed the concerned persons of their objection right Is there free legal advice/representation available from a public body: DPA Cost of procedure: free at DPA level Outcomes for 2009, 2010, 2011: the DPA handled 8 cases of objections to marketing in 2009, 12 in 2010 and 11 in 2011. Ad Redress Mechanism Number 7 (Non-respect of right to object leading to criminal prosecution): Range of possible outcomes: Imprisonment of 8 days to 1 year and/or fine of 251 to Legal basis: art. 31 para. (2). Type of procedure: criminal procedure (judicial instance) Possibilities of appeal: 2 nd instance (court of appeals) and 3 rd instance (supreme court of appeals) Burden of proof: non-respect of opposition right Requirement of legal representation: complainant initiates procedure through his criminal complaint or the DPA forwards the case to the Public Ministry. But the Public Ministry has the opportunity to pursue the case or not. Is there free legal advice/representation available from a public body: no may intervene as party (if DPA continued the complaint to the public ministry) Cost of procedure: no data available Average duration of procedure: no data available Outcomes for 2009, 2010, 2011: no data available Ad Redress Mechanism Number 8 (/disciplinary sanctions): Range of possible outcomes : Written notice (i.e. warning) or reprimand through a decision of the DPA Legal basis: Art. 33 para. (a) Burden of proof: decision by the DPA to apply the administrative sanction or not 7

Cost of procedure: DPA procedure is free, but if an administrative recourse is chosen, Outcomes for 2009, 2010, 2011: there was one case in 2010 where a reprimand was pronounced by the DPA, after being informed that a data has been wrongly disclosed to a third party. Ad Redress Mechanism Number 9 (/disciplinary sanctions): Range of possible outcomes : Rectification, deletion or blocking of data through a decision of the DPA Legal basis: Art. 33 para. (b) Burden of proof: decision by the DPA to apply the administrative sanction or not Cost of procedure: DPA procedure is free, but if an administrative recourse is chosen, Outcomes for 2009, 2010, 2011: 0 Ad Redress Mechanism Number 10 (/disciplinary sanctions): Range of possible outcomes : Temporary or definite interdiction of processing through a decision of the DPA Legal basis: Art. 33 para. (c) Burden of proof: decision by the DPA to apply the administrative sanction or not Cost of procedure: DPA procedure is free, but if an administrative recourse is chosen, Outcomes for 2009, 2010, 2011: the DPA pronounced one interdiction to process data on the entire national territory in 2010. Ad Redress Mechanism Number 11 (/disciplinary sanctions): Range of possible outcomes : Order to publish the interdiction decision at the expense of the infringer through a decision of the DPA Legal basis: Art. 33 para. (d) Burden of proof: decision by the DPA to apply the administrative sanction or not 8

Cost of procedure: DPA procedure is free, but if an administrative recourse is chosen, at DPA level Outcomes for 2009, 2010, 2011: 0 Ad Redress Mechanism Number 12 (Action to restrain/stop): Range of possible outcomes: judicial order to stop a data processing and/or judicial order pertaining to a temporary suspension or closing-down of activity. The concerned person, the DPA or the Public Ministry can each launch this procedure. Legal basis: Art. 39 Type of procedure: judicial (civil) Possibilities of appeal: : 2 nd instance (court of appeals) and 3 rd instance (supreme court of appeals) Burden of proof: if complainant is the DPA, the non-respect of an administrative sanction taken by the DPA needs to be proven Requirement of legal representation: legal representation is necessary depending on who brought the case before court Is there free legal advice/representation available from a public body : no data available Cost of procedure: no data available Average duration of procedure: no data available Outcomes for 2009, 2010, 2011 : 0 Ad Redress Mechanism Number 13 (Action to restrain/stop): Range of possible outcomes: judicial order to publish the decision to restrain/stop the processing. Legal basis: Art. 39 para. (5) Type of procedure: judicial (civil) Possibilities of appeal: 2 nd instance (court of appeals) and 3 rd instance (supreme court of appeals) Burden of proof: if complainant is the DPA, the non-respect of an administrative sanction needs to be proven Requirement of legal representation: : legal representation is necessary depending on who brought the case before court Is there free legal advice/representation available from a public body : no data available Cost of procedure: no data available Average duration of procedure: no data available Outcomes for 2009, 2010, 2011 : 0 Ad Redress Mechanism Number 14 (/disciplinary sanctions telecommunications sector only): Range of possible outcomes : Reprimand Legal basis: Art. 3 para. 3 of the modified law of 2005, laying down specific provisions for the protection of persons with regard to the processing of personal data in the 9

electronic communications sector and amending articles 88-2 and 88-4 of the Code of criminal procedure ( the law of 2005 ) Burden of proof: proof that no data breach did occur Requirement of legal representation: no Cost of procedure: DPA procedure is free, but if an administrative recourse is chosen, Outcomes for 2009, 2010, 2011: those provisions were added in July 2011. As these provisions are quite recent, there are no cases yet. Ad Redress Mechanism Number 15 (/disciplinary sanctions telecommunications sector only): Range of possible outcomes: Fine of max. 50.000 EUR (only in case of a second repetition of a breach) Legal basis: Art. 3 para 3 of the modified law of 2005 Burden of proof: proof that no data breach did occur or that it was the first data breach Requirement of legal representation: no Cost of procedure: DPA procedure is free, but if an administrative recourse is chosen, Outcomes for 2009, 2010, 2011: those provisions were added in July 2011. As these provisions are quite recent, there are no cases yet Ad Redress Mechanism Number 16 (Non-respect of administrative/disciplinary sanctions leading to criminal prosecution): Range of possible outcomes: Imprisonment of 8 days to 1 year and/or fine of 251 to Legal basis: Art. 3 para. 5 of the modified law of 2005 Type of procedure: criminal procedure (judicial instance) Possibilities of appeal: 2 nd instance (court of appeals) and 3 rd instance (supreme court of appeals) Burden of proof: non-respect of administrative/disciplinary sanctions Requirement of legal representation: DPA forwards to Public Ministry or self-initiated procedure by Public Ministry (complaint) Is there free legal advice/representation available from a public body: no may intervene as party (if DPA continued the complaint to the public ministry) Cost of procedure: no data available Average duration of procedure: no data available Outcomes for 2009, 2010, 2011: 0 10

N.B.: Please note that in case of a judicial procedure based on the Luxembourgish data protection laws, the DPA is not mandatorily involved as a party to the case. As there is no compulsory feedback on such cases from the respective tribunals and courts to the DPA, we are unfortunately not able to provide any statistics in that respect. We would also like to underline the fact that the modified law of 2002 contains close to twenty criminal sanctions. We did not consider these sanctions as each being a redress mechanism on its own, as for each sanction, a prior procedure is necessary (i.e. a complaint or a forwarding of the case by the DPA to the Public Ministry) in order to open a judicial procedure. The same note applies to the provisions of the modified law of 2005 (telecom sector). Finally, we would like to add that under our national law, it is always possible to sue (on a civil basis) for damages if the conditions set out by the civil code are met (cf. art 1382 ff. Code Civil) 11

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback