GDPR fines in Luxembourg for the financial sector: how to prepare for an on-site CNPD investigation?
EU data protection authorities will continue to put pressure on regulated entities, and the number of fines will continue to increase. As the CNPD now has a clear framework for conducting investigations, firms need to prepare themselves for active investigations. This article sets out the key issues to consider during and after an investigation.
Since the entry into force of the GDPR in 2018, most EU data protection authorities have fined banks, insurers and other regulated players in the financial services industry that breached the GDPR. Recent examples include an insurance provider in the Netherlands (900,000 EUR) and a large European banking subsidiary in Romania (150,000 EUR). While fines remain relatively small, the reputational and regulatory impact for supervised entities and their directors is high.
Luxembourg’s data protection authority, the CNPD, has issued none. We know from the past 18 months that data and privacy breaches occur across all sectors and in all organisations, large and small, and that any organisation is susceptible to falling foul of the rules. Data protection authorities across the EU are increasingly issuing fines and publishing them. One possible explanation for the lack of activity in Luxembourg so far may be that the CNPD lacked the appropriate tools to enforce effectively in this area, but this has recently changed.
On January 22, 2020 the CNPD adopted its regulation which governs the procedure for investigations. Luxembourg’s data protection authority now has a clear framework within which to conduct investigations. For regulated entities, these procedures are similar to on-site investigations carried out by other regulators and supervised entities should update their regulatory investigations policies.
Under the new regulation, the CNPD has the power to conduct investigations with respect to either data controllers or data processors. If your institution has been identified, either as a result of a direct complaint or a broader thematic review, the CNPD may choose to provide advance notice of its investigation or arrive unannounced at the entity’s premises. In both cases, the CNPD must detail in writing the purpose of the investigation, the details of where and when the investigation will take place, and the identity of the CNPD officers who will carry out the investigation. To the extent the data protection regulator has chosen to appear on premises unannounced, it is critical that the compliance officer, head of legal, or other person in charge of regulatory investigations confirm these details (and check the identities of the individuals). Here are the key issues to consider during and after an investigation.
During the investigation
Once an investigation is underway, supervised entities will encounter these key issues:
What documents can the CNPD access?
The powers under this regulation are wide-reaching and include any document necessary for the completion of the investigation (no matter what medium) and the CNPD agents may take copies. In addition, they can access IT systems and arrange transfers of information into a useable format for the purposes of the investigation.
Can I ask my external legal counsel to be present?
Yes. Supervised entities can engage the assistance of their external legal counsel both during the on-site inspection and during any subsequent discussions as the initial report is prepared.
Where can the CNPD look for documents?
During an on-site inspection, the CNPD may access any places, premises, enclosures, installations or establishments used for the processing of personal data. There is, however, an exception for private residences.
Can the CNPD interview employees?
Yes, as part of its investigation the CNPD may interview anyone it deems relevant to the investigation, including staff.
Does banking secrecy apply?
No. Banking secrecy alone is not a sufficient ground to refuse access to information and/or documents during the CNPD’s investigation.
Will the CNPD ask the supervised entity for its version of events?
To the extent a supervised entity wishes to provide explanations to the investigation team, this is done only at the discretion of the head of the on-site inspection team. Financial sector entities are strongly advised to consult their legal counsel before doing so.
After the investigation
The data processor or controller will receive a preliminary report which, if applicable, identifies any potential breaches and whether there is a possibility that the CNPD will take a decision in respect of the entity. Data controllers and processors have 15 calendar days to respond and make objections to or correct the preliminary report. An extension of an additional 15 calendar days can be obtained if the request is reasonable.
Following that period, the CNPD officer in charge of the investigation has a further 15 calendar days to comment on the response received from the entity which is the subject of the investigation. This then triggers a further 15-day response period for the entity. If the investigating officer determines no violations have occurred, the case is closed. If, however, the officer determines a breach has occurred, the file is transferred to the CNPD’s specialised committee for consideration. The officer in charge of the investigation does not participate in this deliberation.
The new regulation provides details about the procedures to be followed at a hearing, including the rights of investigated entities to be heard and to be represented by counsel. Decisions can include:
- administrative fines: up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher;
- penalties: anyone who knowingly prevents or hinders in any way the accomplishment of the tasks incumbent on the CNPD may be punished by imprisonment from eight days to one year and/or a fine of 251 to 125,000 EUR; and
- publication of the CNPD decision: the CNPD may order, at the expense of the sanctioned entity, the complete or partial publication of its decisions, under certain conditions.
Binding decisions are rendered by the CNPD and may only be appealed to the Luxembourg administrative courts.
For more information on how to prepare for an on-site investigation by the CNPD, or on how to ensure your organisation is compliant with its data protection obligations, please contact us.
Michael Schweiger, Counsel, Attorney at law / Solicitor
Michael Schweiger, counsel, is a member of the Banking & Finance practice group in our Luxembourg office. He leads the Luxembourg financial regulatory team and regularly advises banks, e-money and payment institutions, insurers, and other clients regarding financial regulation.
T: +352 466 230 520
E: firstname.lastname@example.org