Today, the CNPD presented its activity report summarising the key figures and developments for 2023 at a press conference.
Half a decade of GDPR
2023 marked the fifth anniversary of the entry into force of the General Data Protection Regulation (GDPR), a legal text which has had a profound impact on the CNPD's missions, and which remains exceedingly relevant. The almost ubiquitous collection and other use of data - often of a personal nature - leads the CNPD to resolutely pursue its mission as a supervisory authority, providing information and raising awareness about the protection of personal data and privacy.
In 2023, the CNPD published 44 opinions relating to draft or proposed legislation or regulatory measures. The subjects of the opinions ranged from the register of beneficial owners, the Digital Mobility Observatory, and the rental of affordable housing, to the juvenile criminal procedure, the use of bodycams by the Grand Ducal Police and the shared healthcare file.
Most requests for information sent to the CNPD in 2023 concerned either surveillance in the workplace or the rights of data subjects (right of access, right to erasure, etc.), demonstrating public awareness of and even marked concern about data protection. At the same time, the main reasons for the complaints received the previous year included questions about the lawfulness of data processing, failure to respect the right of access and data breaches.
Speaking of data breaches, the 434 breach incidents reported to the National Commission in 2023 took a variety of forms, including hacking, disclosure of personal data to the wrong person, or personal data sent to the wrong person. The main cause of data breaches remained human error.
CNPD officers also continued their investigative work, conducting 21 investigations in 2023 and analysing 32 cases. The formation restreinte of the CNPD took 15 decisions over the past year.
Concerned people of all ages and backgrounds
Nowadays, it would be hard to find a person who has not been subjected to some form of data processing. The CNPD is constantly developing a variety of informative content and communication channels in order to offer educational opportunities to as many people as possible, regardless of their age or experience in the field.
In 2023, the Commission published guidelines on data protection during elections, protection against ransomware, geolocation of professional vehicles and artificial intelligence, among other topics.
The National Commission has decided to continue organising the ‘Data Protection Basics’ training course, a free 5-hour course that provides the general public with an introduction to the key principles of personal data protection. The CNPD’s 2023 educational offer further included introductory courses on personal data protection for civil servants, evening classes organised in collaboration with the Chamber of Employees (Chambre des salariés), and contributions to the BTS ‘Cybersecurity’ degree offered by the Lycée Guillaume Kroll in Esch-sur-Alzette.
The previous year, the National Commission also took part in the ‘Matinée des experts’ organised by the Luxembourg School of Business and Management (ECG), a workshop entitled ‘Cybersecurity at primary school’ organised by the National Education Training Institute (IFEN), and the second edition of TN'Teens, a Digital Learning Hub event held in the Terres Rouges building in Esch-Belval.
A certified expertise
The CNPD, currently the only European supervisory authority to have developed a certification system under the GDPR, shared its expertise and observations on the subject at a workshop organised by its Spanish counterpart, the AEPD, in Madrid. Then in November, it took on the role of host when it organised a three-day workshop in Luxembourg about the certification of data processing operations under the GDPR, bringing together representatives of data protection authorities and GDPR certification professionals from all over Europe.
Prepared for the challenges ahead
In 2023, the CNPD assumed its role of guiding individuals and data controllers (companies, associations, public authorities, etc.) in understanding and implementing privacy and personal data protection rules with dedication and professionalism.
The National Commission has also developed and prepared for the launch of several innovative educational and technological initiatives, such as DAAZ (‘Data Protection from A to Zen’), an e-learning platform to help comply with the GDPR, and Sandkëscht, a regulatory sandbox dedicated to artificial intelligence.
Its remit will be complemented by new responsibilities, particularly in view of the new European legal framework for the digital economy: the Digital Governance Act (DGA), the Artificial Intelligence Act (or AI Act), the Data Act (DA), the Digital Services Act (DSA) and the Digital Markets Act (DMA).
In the years ahead, the CNPD will resolutely pursue its missions to strengthen the protection of everyone's privacy in an ever-changing digital environment.