CNPD annual activity report 2018

On 18 September 2019, the Luxembourg data protection authority (the "CNPD") published its annual activity report for 2018 and presented its key figures on the following topics:

INFORMATION REQUESTS

The CNPD received 1,112 information requests in 2018. Many of them concerned compliance with the new legislation, video-surveillance, the data protection officer (DPO) as well as data subjects’ rights. Other recurring questions include the territorial scope of the GDPR, certifications, consent, image rights, cookies, data breaches, drones, data retention periods and marketing.

COMPLAINTS

In 2018, the CNPD received twice as many complaints as in 2017. A quarter of the 450 complaints received were motivated by controllers' failure to comply with data subjects' right of access.

In 15% of cases, data subjects asked the CNPD to check the lawfulness of certain commercial and administrative practices. In particular, they questioned the general terms and conditions of online services, excessive and unlawful collection of data, the taking of pictures without the knowledge of the individual and surveillance at work; they also challenged video surveillance and the unlawful use of geo-tracking systems by employers. Other complaints concerned the use of data for purposes other than those for which they were initially collected, the unauthorised transmission of data to third parties, e-mails sent to unintended recipients, and confidential e-mails sent to a group of recipients in a way that left every recipient's address visible to all.

In order to ensure consistent protection of individuals' data protection rights throughout the European Union, supervisory authorities cooperate with one another, including via the Internal Market Information System (IMI), the IT platform that supports the consistent application of the GDPR at European level. In 2018, 74 complaints were transmitted to the CNPD via this system.

DATA BREACHES

In 2018, 172 data breaches were notified to the CNPD. The main cause of personal data breaches is human error, which occurs in particular when an existing process is not followed, when an existing security rule is circumvented, through simple inattention, or when staff are not sufficiently aware of the confidentiality rules to be applied.

A quarter of the notified data breaches were external malicious acts. In many cases, these acts aimed at accessing or obtaining data that permit financial transactions to be carried out without the knowledge of the persons concerned (e.g. interception of bank payment card data, phishing to obtain login credentials for a payment service, identity theft to make a financial transaction, etc.).

The CNPD has also identified the periods in which internal malicious acts typically occur: cessation of business, mergers and acquisitions of companies, and voluntary or involuntary employee departures.

Regarding the timing of notification, controllers must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. More than half of the notifications were made within 48 hours, but 18% of data breaches were discovered at least one month after they occurred.

The CNPD reminds organisations that they should not include the personal data concerned, or the personal information of the individuals involved, in the data breach notification form itself.

In addition, the CNPD underlines that the above figures only cover data breaches notified to the CNPD, and that controllers must document all security incidents involving personal data, whether or not they have been notified to the CNPD.

DATA PROTECTION IMPACT ASSESSMENT ("DPIA")

If an organisation has identified processing of personal data that is likely to result in a high risk to the rights and freedoms of data subjects, it must conduct a DPIA for each such processing operation. In 2018, the CNPD did not receive any request for prior consultation meeting the criteria stipulated in the GDPR. The CNPD plans to publish a communication on DPIAs in the coming months in order to support organisations in carrying out these assessments.

CONTROL AND SANCTIONS

In 2018, few complaints were followed by corrective measures, such as warnings and reprimands, orders to comply with data subjects' requests to exercise their rights, and orders to bring processing operations into compliance. The CNPD did not impose any administrative fines.

The CNPD exercised its investigative powers through two types of intervention: on-site inspections and audits.

The CNPD conducts on-site inspections either proactively or reactively, based on incidents, complaints, information relayed in the media, or as a follow-up to a previous inspection. In 2018, 12 investigations took place in the fields of video surveillance, geo-tracking, advertising and marketing.

The CNPD performed audits on various organisations to assess their level of compliance with the GDPR. In 2018, 25 audit procedures were opened in order to verify compliance with respect to the designation, tasks and functions of DPOs. The results of these campaigns will be anonymised and published in the form of guidelines, with examples of practices to follow and practices to avoid.

The above key figures show that, since the GDPR became applicable, individuals have become more aware of their rights and of the corresponding obligations on those who process personal data. They also underline how important it is for businesses to continue their ongoing efforts to comply with the many requirements imposed by the GDPR.