2022 Annual Report

The CNPD paves the way for GDPR certification, engages in European cooperation and prepares for the Digital Package

Today, the CNPD presented its annual report summarising the key figures and main developments of 2022 at a press conference.

2 decades of controls, advice and growth

On 1 December 2022, the CNPD celebrated its 20th anniversary, honouring its history, achievements and agents at an event attended by many guests including Prime Minister and Minister of Communications and Media, Mr Xavier Bettel, Minister of the Interior and Minister for Gender Equality, Ms Taina Bofferding and the Chair of the European Data Protection Board (EDPB), Dr Andrea Jelinek. Mentioning the speed of technological change in an increasingly digital society, Ms Tine A. Larsen, Chair of the CNPD, assured that the National Commission would not lose sight of its core mission: “We will continue to protect your fundamental right to privacy for as long as we exist”. A message that was reiterated by Mr Bettel, who called the CNPD “the guardian of one of our most fundamental rights: the protection of our privacy”. The celebration provided an opportunity to look back at the key moments of the Commission but also review the past year.

No more pandemic, certification at the forefront

As was the case in 2021, the beginning of 2022 was marked by a significant number of requests related to the processing of personal data in the context of the COVID-19 pandemic, in particular surrounding “CovidCheck” and its application in the workplace.

As the end of the pandemic approached, the CNPD announced an important milestone in its history on 13 May 2022: the launch of the “GDPR-CARPA” certification scheme, the first certification scheme under the GDPR at the national and European level. GDPR-CARPA allows companies, administrations, associations and other bodies established in Luxembourg to demonstrate that their personal data processing operations comply with the GDPR. The first certification body authorised to issue the GDPR-CARPA certification was approved by the CNPD in October 2022, followed by 2 other bodies accredited in 2023.

The year also saw the approval by the EDPB of the first ever European Data Protection Label, for which the CNPD has been the competent authority. Valid in all Member States of the European Union, the certification allows controllers and processors in different countries to achieve the same level of compliance for similar data processing operations.

Sharing knowledge and expertise

Over the past year, the National Commission continued to receive requests from public actors, companies and individuals concerning data protection and privacy issues.

In 2022, the CNPD issued 32 opinions on draft laws or regulations related to data protection, including the protection of whistle-blowers, affordable housing and the State Intelligence Service. It received 354 data breach notifications (the main cause remained human error) and 482 complaints, which mainly related to the exercise of data subjects’ rights. Of the 589 written requests for information received by the CNPD in 2022, the majority focused on the COVID-19 pandemic, workplace surveillance and data subjects’ rights.

The National Commission has also continued its efforts to raise awareness, in particular by contributing to the development of training courses, by taking part in conferences and workshops, or by publishing information material such as the guidelines on cookies and other tracers. 

Cooperation at the European level

In April 2022, the CNPD attended a high-level meeting in Vienna organised by the EDPB. The purpose of the meeting was to discuss and exchange views on opportunities to strengthen cooperation between data protection authorities and to diversify the range of cooperation methods used. Since that meeting, several measures contributing to better cooperation between European data protection authorities have been implemented.

Apart from its presence at this meeting, the CNPD participated in the EDPB plenary meetings in 2022, as well as in 11 thematic working groups and 3 taskforces on specific subjects of interest set up by the EDPB. In addition, the National Commission continued to play a leading role in advancing the EDPB’s work in the field of certification, in particular as rapporteur for guidelines or by supporting the EDPB in issuing formal opinions on this new topic.

Future prospects

Now more than ever, the subject of personal data protection is regularly featured on the front page of national and international media. Cyberattacks targeting large-scale personal data theft are happening more and more frequently, tech and social media giants are being fined millions of euros for data breaches, and chatbots using artificial intelligence are stirring up controversy.

The CNPD is preparing to adapt its role as regulator, particularly with a view to the new legal framework at the European level on the various aspects of the digital economy. Of particular importance to the CNPD, the Digital Governance Act (DGA) aims to foster data sharing by establishing intermediation structures and the Artificial Intelligence Act (AI Act) sets clear rules and obligations for AI systems regarding transparency, data governance and fundamental rights. The legislative package also includes the Data Act (DA), the Digital Services Act (DSA) and the Digital Markets Act (DMA). The aim of the DA is to ensure a better distribution of the value derived from the use of data, particularly related to the use of connected objects, while the DSA and the DMA plan to limit the economic dominance of large platforms and the online dissemination of illegal content and products. Hence, the National Commission will continue to strengthen its workforce, develop its expertise in line with the technological and legislative developments on the horizon and expand collaborations with other regulators.

One thing is certain: 5 years after the entry into force of the GDPR, the protection of personal data remains a highly relevant and ever-developing topic.

2022 in figures 

32 opinions (compared to 33 in 2021) on draft laws or regulations, including opinions on the following topics:

  • protection of whistle-blowers
  • affordable housing
  • criminal chain of Justice (“JU-CHA”)
  • e-Wallet (identity card + driver’s license)
  • organisation of the electricity and gas market
  • « Société Nationale de Circulation Automobile »
  • individual housing subsidies
  • State Intelligence Service


589 written requests for information (compared to 618 in 2021)

The three main categories of applications concerned:

  • the COVID-19 pandemic (contact tracing, body temperature measurement, home office, home schooling, etc.)
  • workplace surveillance
  • the rights of data subjects (right of access, right of erasure, etc.)


482 complaints (compared to 512 in 2021)

Main reasons:

  • request for erasure or correction not respected (21%)
  • non-compliance with the right of access (15%)
  • unlawfulness of the processing (15%)


354 data breach notifications (compared to 333 in 2021)

Main cause: human error (63%)


10 investigations

  • audits initiated in the context of investigations into the appointment of a data protection officer in six municipal administrations
  • on-site investigations as part of the GDPR compliance analysis of video surveillance devices in a private institution and in a school


24 decisions taken by the restricted panel of the CNPD, 48 375 € in administrative fines
