Several organisations informed the CNPD that they had been contacted by private companies offering data protection consulting and audit services, stating that these services were allegedly executed under the mandate or on behalf of the CNPD.
The CNPD hereby clarifies that, as part of its mission to verify the proper application of GDPR, all investigations are conducted with the CNPD’s own staff. No external company has been mandated to carry out investigations on its behalf or under its mandate.
The following elements may be useful to companies contacted in the course of an investigation:
- in the event of non-announced onsite investigations, the CNPD's agents will always identify themselves using a legitimation card specific to the CNPD;
- in the event of an announced control, the announcement will be done in writing (registered letter with acknowledgment of receipt), and where necessary, CNPD's agents will also identify themselves through the legitimation card;
- in case of doubt, and before giving access to your premises and / or data, we recommend that you contact the CNPD by phone to confirm the existence of the investigation and the identity of the agents carrying it out;
- in case you are contacted by phone by an alleged CNPD agent, you can confirm his identity through the official directory of the state (https://annuaire.public.lu/?idMin=5246 ), by checking that the incoming number corresponds to a legitimate number of the CNPD. Alternatively, you can call yourself CNPD’s main switchboard which will put you through to the relevant officer.
The CNPD remains at your disposal in case of questions.